GDPR

GDPR Subject Access Request: authentication cannot be an afterthought

As the deadline approached last year, companies scrambled to update their data protection practices. As it happened, some companies did get fined for non-compliance. Following a long period of adjustment, however, GDPR requirements have become normalised into existing compliance programs.

What many companies were ill-prepared for was the onslaught of consumers exercising their rights under the new regime. Under GDPR, a consumer can file a Subject Access Request (SAR) with an organisation to find out whether that organisation is processing personal data concerning him or her, to obtain a copy of that data, and, if the data has been shared, to learn the recipients (or categories of recipient) with whom it has been shared.

In fact, these are only a few of the searching questions that the user, as the data subject, can demand answers to; the purposes of the processing, the retention period and the source of the data are among the others. Further, once the SAR has been received, the organisation is legally obliged to comply: retrieve the information and formally respond to the data subject, normally within one month. That period can be extended by up to two further months for complex or numerous requests, but only if the data subject is told of the extension, and why, within the first month.

Subject Access Request

SARs hav

GDPR

The 10 data privacy fails of the decade – and what we learnt from them

Today marks one of the most important days in the calendar for professionals in data  – Data Privacy Day! 

As we enter the 2020s, let’s take a look back over the data privacy fails that shaped the previous decade – and what we learnt from them –  so we can ensure the next 10 years are remembered for championing greatness in data privacy, and produce a decade of privacy wins.

1. Data privacy fails happened in the most unexpected of places…

Imagine buying an app-controlled, Bluetooth connected vibrator to spice up your love life for when your partner isn’t in town. It’s all fun and games until you discover your partner hasn’t been controlling it…it’s actually been hacked by a total stranger. 

Believe it or not, this actually happened in 2016, when it was discovered that anyone within Bluetooth range could hijack certain sex toys and control them, because the devices had no security protection at all.

And if that’s not off-putting enough, it turned out the company was collecting and storing personal data gathered by the vibrator’s app, without its users’ consent. The app recorded the toy’s temperature and vibration intensity whenever it was paired, so the company ended up with large data files that detailed the exact sexual stimulation preferences of its customers.

There is definitely such a thing as too much information…

Vibrators are not the only unusual objects that were hacked over this past decade. In 2017, cybercriminals managed to hack into a casino in North America through its internet-connected fish tank!

The aquarium in the lobby was fitted with a smart thermometer to regulate the tank’s temperature. It was through this device that the attackers were able to exploit a vulnerability and gain a foothold in the network. Once inside, they managed to reach the high-roller database of gamblers, pull it back across the network, out through the same thermometer, and up into the cloud. You could say they went fishing…

What have we learnt?

People should be able to buy things as personal as vibrators and as innocuous as fish tanks in safety. It is simply astonishing that a vibrator was left so insecure when the risk of assault was so obvious, and worse still that the company behaved so invasively as to capture such personal data without consent. You could argue that the casino should have known better than to put a smart fish tank inside its security perimeter, but the risk of a vulnerable device being used as a stepping stone to other systems has been well known for years, and the fish tank manufacturer simply should not have put its clients at such risk.

As the Internet of Things continues to grow, more devices will begin to come online, and these devices will come in many shapes and sizes. It’s crucial that the manufacturers of these devices follow a Privacy by Design model, and ensure that privacy and security are baked into products right from the start of the development lifecycle – not tacked on at the end. It’s far less hassle to think about data privacy at the beginning, and work it into a product, than to fix security flaws later down the line – if that’s even possible.

The adoption of IoT technology gives cybercriminals more imaginative attack paths, and these incidents are compelling reminders that IoT devices can be hacked or compromised. The problem often arises when manufacturers focus solely on the performance and usability of a device and ignore security controls and encryption. Basic measures such as authenticated and encrypted pairing between the app and the device, authorised access to the vendor’s APIs (for example via OAuth), secure storage, penetration tests, and regular audits should be standard for internet-connected devices.

It’s also important for consumers to remember that any object, no matter how innocuous, that can connect to the internet has the potential to be hacked. Be vigilant, keep operating systems and software up to date, use strong passwords, and wherever possible keep internet of things devices on a separate network segment from important data, so that a compromised device cannot reach it directly.
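The casino intrusion above follows a pattern a detection engineer can look for without knowing anything about the specific device: an IoT host that starts talking to a server segment it never needed, and then pushes far more data out than its normal baseline. The Python below is an added example written for this page, not code from the original article or from any vendor; the IoT and server address ranges, the vendor cloud endpoint, the flow records and the thresholds are all constructed assumptions.

```python
"""Flag the 'fish tank' attack pattern in flow records: an IoT host that
reaches into an internal server segment, then sends far more data out than
its usual baseline. Everything here (ranges, hosts, flows, thresholds) is a
constructed assumption for the example, not data from the original article.
"""
import ipaddress
from collections import defaultdict

IOT_NET = ipaddress.ip_network("10.50.0.0/24")       # assumed IoT VLAN (the thermometer lives here)
SERVER_NET = ipaddress.ip_network("10.10.0.0/16")    # assumed internal server segment (database)
ALLOWED_CLOUD = {"203.0.113.10"}                     # assumed vendor cloud endpoint (TEST-NET-3 range)
VOLUME_FACTOR = 10                                   # alert when a flow exceeds 10x the per-host baseline

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_sent_by_src)
SAMPLE_FLOWS = [
    ("2024-03-01T10:00:00", "10.50.0.7", "203.0.113.10", 443, 1_200),      # normal telemetry
    ("2024-03-01T10:05:00", "10.50.0.7", "203.0.113.10", 443, 1_350),
    ("2024-03-01T10:10:00", "10.50.0.7", "203.0.113.10", 443, 1_100),
    ("2024-03-01T10:12:00", "10.50.0.7", "10.10.4.20", 5432, 900),         # thermometer -> database
    ("2024-03-01T10:13:00", "10.50.0.7", "10.10.4.20", 5432, 2_000),
    ("2024-03-01T10:15:00", "10.50.0.7", "203.0.113.10", 443, 9_800_000),  # bulk push "up into the cloud"
]


def classify_flow(src, dst, dst_port, nbytes, baseline_bytes):
    """Return alert strings for one flow originating from the IoT segment."""
    alerts = []
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_NET:
        return alerts                      # only IoT-sourced flows are policed here
    if d in SERVER_NET:
        alerts.append(f"lateral: {src} -> {dst}:{dst_port} (IoT host reaching server segment)")
    elif d not in IOT_NET and dst not in ALLOWED_CLOUD:
        alerts.append(f"egress: {src} -> {dst}:{dst_port} (destination is not the vendor endpoint)")
    if baseline_bytes > 0 and nbytes > VOLUME_FACTOR * baseline_bytes:
        alerts.append(f"volume: {src} -> {dst} sent {nbytes} bytes vs baseline {baseline_bytes:.0f}")
    return alerts


def detect(flows, warmup=3):
    """Learn a per-host mean bytes-per-flow from the first `warmup` flows seen for
    that host, then apply the structural and volume rules to every later flow.
    Structural rules (lateral/egress) apply during warm-up too; the baseline is
    frozen after warm-up so an attacker cannot slowly inflate it."""
    history = defaultdict(list)
    alerts = []
    for ts, src, dst, port, nbytes in flows:
        hist = history[src]
        if len(hist) < warmup:
            hist.append(nbytes)
            baseline = 0.0                 # not enough data yet for a volume judgement
        else:
            baseline = sum(hist) / len(hist)
        for msg in classify_flow(src, dst, port, nbytes, baseline):
            alerts.append((ts, msg))
    return alerts


if __name__ == "__main__":
    for ts, msg in detect(SAMPLE_FLOWS):
        print(ts, msg)
```

Run against the constructed records, the two database connections trip the lateral rule and the final 9.8 MB push trips the volume rule even though it goes to the legitimate vendor endpoint; had the data been sent to an attacker-controlled host instead, the egress rule would have fired as well. The same three checks are what a segmented IoT VLAN with a default-deny policy enforces at the firewall, which is why the advice above to keep such devices away from important data matters.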

2. The data privacy fail that stopped Harry from having his surname on his schoolbook…  

No-one wants to lose their identity, but an overenthusiastic reading of the GDPR in 2019 nearly led to just that. A primary school banned the use of children’s surnames on textbooks, in order to comply with (their perception of) GDPR regulations.

The bizarre situation led to a young boy, known as Harry Szlatoszlavek, being labelled as ‘Harry2’ by his classmates. ‘Harry2’ even received a Christmas card from another boy which read: ‘To Harry2 from Jack2.’

GDPR

The evolution of data privacy

As we enter the new decade, data privacy has become a top business priority. The nonstop revelations about social media data usage, the introduction of new legislation such as the GDPR and the California Consumer Privacy Act (CCPA), and a more alert consumer base change how companies have to manage their data. Data Privacy Day reminds us that data security is evolving. We continue to face new data privacy challenges, so it is an ideal time to understand the trends and prepare for the future.

About the author

Stephen Manley, Chief Technologist, Druva.

Begin with fighting ransomware

All businesses, regardless of size and scale, are responsible for protecting customer data. However, as the volume of valuable and sensitive data generated and stored keeps growing, ransomware operators have greater incentive and opportunity to attack unprepared organisations. Attackers have already shifted their focus from broad consumer attacks to corporate and government targets, because the payoff is easier and larger. Furthermore, the opportunity is so large that Ransomware as a Service offerings have made virtually anybody in the world a potential threat.

Despite t

GDPR

Radiohead launches online ‘public library’ so you can stream their rare stuff

Radiohead has launched a “public library” online and yes, you can get a library card.

The legendary English band unveiled the Radiohead Public Library on Monday, an online archive of Radiohead’s back catalogue in one place, with links to either buy or stream via Spotify and Apple Music, along with videos and out-of-print merchandise.

Fans can head to the website to register as a library member, and create their own library card. It’s pretty neat, but it looks like you can’t customise it on the site — you have to download the PNG file to add your mugshot into the corner. If you want to print it out and laminate it to throw in your wallet, go for it. 

And that QR code? It heads to the GDPR website — s

GDPR

Cookie consent tools are undermining GDPR

A new study by researchers at MIT, UCL and Aarhus University suggests that most cookie consent pop-ups served to European internet users are likely defying regional privacy laws such as GDPR.

The researchers published their findings in a paper titled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” which argues that vendors of consent management platforms (CMPs) are engaging in illegal practices, saying:

active consent is required for tracking
