Big Data, Big Risks
Posted on 10/16/2019 at 10:21 AM
In a recent debate, candidates missed an opportunity to take a stance on the critical issue of data security and privacy.
This is not a political post. This is a post about data security standards in the United States of America and around the world. In a recent Democratic Presidential Debate, twelve candidates took the stage. The candidates were asked about the direction of large tech companies and if it would be appropriate to consider breaking up companies like Facebook. Candidates had the opportunity to speak about their thoughts on this and data security. All twelve candidates missed the opportunity. Other than a brief statement by Beto O'Rourke, none of the candidates spoke out about the core issue at hand: how data is collected and used.
"We need to set very tough, very clear, transparent rules of the road, the kind of rules that we do not have today, that allow these... platforms, where we, the people, have become the product, to abuse that public trust, and to do so at extraordinary profits... so tough rules of the road, protect your personal information, privacy, and data, and be fearless in the face of these tech giants." - Beto O'Rourke, CNN New York Times Democratic Debate, 10/16/2019
Why Data Privacy standards in the European Union Should Matter to You
“Big Data” is bigger than you can possibly imagine. With every interaction with internet-connected technology, data is generated and stored somewhere. If your mobile phone is on (and sometimes when it is powered off, according to the Washington Post) it’s tracking you.
How Big is Big Data?
According to one study by Micro Focus, as of the summer of 2019, there are around 4.4 billion internet users. Let’s consider how much data can be accumulated in 60 seconds. The same study says that in a single minute:
Around 550 new social media accounts are created (which totals almost 300 million new accounts per year)
474,000 tweets are posted to Twitter (with much of this data being stored at the United States Library of Congress)
4,333,560 videos are being watched on YouTube
Breaking it down even further, 40,000 search inquiries are submitted to Google per second! Obviously, this generates a lot of data. This data is stored and often tied to the person, IP address, physical location, or any number of other identifying labels associated with it.
Now that much of our daily technology is connected via the “Internet of Things”, it is estimated that 2.5 quintillions (that’s 2.5 with 18 zeros behind it) bytes of data are generated daily by our connected devices.
All of this considers data that we don’t even realize we are giving out. Data about our location, our spending habits, our taste in entertainment, our schedule, our political leanings, and more. A quick look at Twitter’s Analytics can show you some in-depth personal demographic information about your followers that can be used to tailor your posts to your audience. Sure, this may be “great” for marketers, but what about you?
Important Data Security Questions
Naturally, with so much data being generated and stored, certain questions might come to mind. You might be asking yourself important questions like,
What is done with my data?
How long is it stored?
Do I have access to it?
Can I get it back?
Can I request it be deleted?
There is good news... if you live in the European Union. If you are a citizen or resident of the EU, your privacy is given very specific and powerful protections thanks to the General Data Protection Regulation (GDPR)(EU) 2016/679. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the EU and European Economic Area (EEA). It also adds protections concerning the export of personal data outside of the EU and EEA. Basically, GDPR gives citizens and residents of the EU control of their personal data and makes the handling and protection of this data easier to regulate. The GDPR protections became enforceable in May of 2018.
Is my Company’s Data Secure?
If you have taken steps to protect yourself, your employees, and your company from hacking, good for you! It still may not be enough.
We first brought you important information about the GDPR just over a year ago in our blog post “The Deal With GDPR” where we warned readers about what these protections mean to the EU and anyone who wants to do business with them (we’re looking at you Facebook, Twitter, YouTube, and more). We pointed out what could happen and look at what has. Your website or even your company’s secure servers do not have to get hacked for you to have a significant data breach.
Have you ever employed a temp worker or contractor? Did that person have access to client files or other sensitive data? It is amazing how fast a flash drive can be inserted into a USB drive and how much data can be stored on it. You can be as secure as the NSA and CIA and not really have taken proper steps. Consider the case with Edward Snowden. Food for thought.
Does the GDPR Protect Internet Users in the United States?
Short answer: nope.
The longer answer: kind of. The GDPR regulations are affecting how businesses interact with customers and partners in the EU. Failing to adhere to the GDPR guidelines can mean extremely steep fines and serious damage to your brand and reputation.
“Companies around the world that fall under GDPR and are found to be non-compliant can risk getting fined up to €10 million, or 2% of their worldwide annual revenue of the prior financial year, whichever is higher.” – The Deal with GDPR
In the United States, some states have adopted stricter data guidelines, but there are still no overarching federal regulations or protections to the level of the GDPR. We do, however, have something called Privacy Shield. The Privacy Shield is an agreement between the EU and the USA that says those who adhere to Privacy Shield Principles will adhere to standards like the GDPR.
Consider the data you give willingly without considering what happens next. Have you ever filled out a submission form online to apply for something, leave a comment, connect your social media accounts, or to leave a review? What did it ask you for? Your Address, phone number, email address, date of birth? Did you read the disclaimer? What are they doing with that data?
We tend to assume that because a website has an SSL certificate that our data is encrypted. This is not always the case. Most submission forms online do not encrypt your data. Unless it specifically says your data will be encrypted, assume it’s not.
What Can You Do?
Data privacy and security is one curve you want to get as far ahead of as you possibly can. It is much better, in this case, to be proactive than reactive.
While helping your entire company become GDPR compliant is outside of our scope of expertise (we recommend speaking with legal counsel that specializes in Accessibility regulations), making your website GDPR compliant is something we excel at!
Global Reach has developed a tool we call the Cookies Notification Module. This module gives your website users control over how their cookies are managed. This module is fully in line with the following GDPR regulations and for cases in which the lawful basis for the processing of personal data is based on “consent”:
Implied consent is no longer enough. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:
It must be as easy to withdraw consent as it is to give it. If organizations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
The following screenshots demonstrate how we have implemented all the above.
Cookies Notification Pop-up
This notification is displayed at any point a user enters your website
Clicking on the Cookie Settings option allows a user to view all coolies that are used on a website, organized in all appropriate categories. Users can select a category and choose whether to accept the relevant cookies or not.
Settings Button to Revoke Consent
Once a user has made and saved their choices, a settings button will appear on the lower right corner of the website. Clicking on the settings button will allow them to return to the Cookie details screen and make any changes they want to their initial cookie selection.
In order to see all the above in action, simply click the gear icon at the bottom right corner of this page (or any other page of the Global Reach website).
What about Submission Forms?
Our Submission Forms module, which is used to create any online submission forms, provides the ability to encrypt personal data that is captured online. In addition to encrypting personal data captured via any online forms, you can also add a consent confirmation to all submission forms on your website, which will be captured and retained as proof of receiving a user’s explicit consent when they provided any personal data.
We Can Help!
Global Reach takes user privacy seriously. We go above and beyond to make sure our clients can get access to the tools they need to protect themselves and their clients, allowing them to put the control of their user’s data back into their own hands. SiteViz is a “Secure Source CMS” and as a result, has security features by design that cannot be found anywhere else. We recently talked about the SiteViz security difference in a previous blog post here.
For more information and a free Vulnerability Audit, contact Global Reach today!