Turning a blind eye to data privacy is a dangerous game

The smallest slice of personal data can pose a serious threat to personal privacy if it ends up in the wrong hands. Even back in 2000, it was possible to uniquely identify 87% of people with just three pieces of personal data: gender, postcode and full date of birth. Fast-forward 21 years where endless amounts of personal data have been uploaded online, and the landscape for attackers has grown significantly.

An analysis of the 100 biggest breaches by Imperva Research Labs found that 76% of the data stolen was personally identifiable information (PII) and, more worryingly, the rate at which our data is being compromised continues to accelerate. Since 2017, the number of data breaches has increased more than 30% each year. During this time, the number of records breached has increased by more than 130% per year. In January 2021 alone, more than 870 million records were compromised – more than all of 2017.

Scraping it together

Although individual pieces of personal data rarely hold considerable value on their own, the real value for bad actors comes thanks to web scraping bots. This is the process of deploying bots to extract high volumes of data across multiple websites. The LinkedIn user profile scraping incident is a prime example of this, which saw bots efficiently capture public facing data of over 700 million users. Think of it like a virtual version of the Kevin Bacon Game, allowing hackers to join the dots between seemingly disparate pieces of information to gain a clear picture of the user.

Such data can become an identity thief’s golden ticket – for instance, allowing them to destroy the credit rating of the victim. Aside from the impact on individuals, the financial implications for businesses – and society as a whole – are huge. It’s estimated that fraud now costs the UK as a whole around £137bn every year. Although it has been a gradual process, most organisations are now at the stage where they understand the importance of securely managing personal data. If organisations are reluctant to take data protection security, there’s no shortage of regulatory bodies to ensure they are complaint.

It all boils down to consent

Part of the difficulty for businesses is that there are over 130 global jurisdictions with various data privacy and protection laws – and in nearly all cases every government and commercial organisation that stores PII is subject to their requirements. The financial penalties can be significant – GDPR violations can result in fines of up to €20 million or 4% of annual global turnover for example – but this is just the tip of the iceberg. Organisations also have to deal with notification requirements, audits, legal remediation, and credit monitoring for victims. Certain sectors have even more to deal with – for example, in many jurisdictions health information is in its own special category, with extra attention paid to how data is handled and managed. 

The majority of these regulations revolve around the principle of consent – the understanding that individuals give explicit consent to specific data processing activities, and crucially that this consent can be revoked at any time. As the risks surrounding personal data continue to grow, individuals are increasingly interested in finding out exactly what kind of information organisations hold about them, what they do with it, and how well it’s protected. Providing all this information can be complicated. For instance, when Microsoft launched its self-service portal for subject rights requests in the wake of GDPR, it received 25 million requests in 18 months. As Gartner’s The State of Privacy and Personal Data Protection 2020-2022 points out, had the company chosen to process these requests manually they would have been looking at a cost of $1bn in the United States alone.

Shining the torch on your data

 Managing the relationship between data utility, protection and privacy is a difficult balancing act. Until recently, many people simply trusted that organisations were securely protecting their data. However, high-profile data breaches are wearing down this trust, while at the same time essential digital transformation projects have dispersed data even further. With high volumes of data being widely duplicated and shared across applications, databases, and networks, it becomes ever-harder for organisations to secure. This is echoed by the fact that 2021 saw GDPR fines accumulate to over €1bn in fines, a rise of 521% compared to 2020, illustrating how it is becoming increasingly difficult for organisations to manage and protect data.

Regulations regarding data privacy and protection are set to become stricter. For instance, in June 2021, the European Commission published new Standard Contractual Clauses (SCCs) for transfers of personal data from the EU to third countries, meaning that existing contracts must be refined to provide for cross-border data transfers with the EU by 27^th December 2022.

Taking action

Increased levels of regulation combined with data becoming increasingly dispersed means it is critical that organisations can easily discover, identify and classify personal data across their estate. By having clear visibility over where personal data is hosted and what applications and users are doing, organisations will be better placed to extend the security controls that protect that data, and be more proactive in responding to subject access requests. This is especially vital as individuals become more aware of their rights surrounding how their personal data is managed by organisations.