When secure doesn’t mean private
19 September 2016
Last week I filled out a boring event registration and got a little wiser about privacy. I was a little put out at having to fill in the form, so putting in anything bar the bare essentials was about as much as I was willing to do. After all, I had been approached to attend as a member of the press and my contact information was freely available in my correspondence with the organiser. A few minutes of data entry on their side could have sorted everything, yet there I was going through the fields, giving up information they already had and dodging anything without an asterisk. It was then that I was stopped in my tracks by a field I don’t remember ever having to fill out before: my mobile number.
I was hesitant, indeed a little put out. They already had the means to contact me by e-mail, landline and social media; having my mobile as a prerequisite field was… odd. Given the lines of communication the organiser already had, it made little sense to look for another. What possible reason could make this an essential piece of information? In case the event were cancelled? If there was someone that absolutely had to talk to me? For direct marketing? Notices of future events? Any of the above could be likely but for all of them e-mail is the easiest way to contact me and the most likely to get a response. Thankfully the form wasn’t smart enough to notice it was being gamed, so I took my chances, threw in a few random numbers and thought no more of it.
The following day I attended a conference on security by analyst firm IDG about GDPR (General Data Protection Regulation) that put a new slant on what would normally have been a straightforward, if grating, experience.
Much of the discussion at the conference centred on security, strong encryption and building better firewalls – all necessary in making sure companies do not become victims of embarrassing data breaches. I thought back to filling in my form, submitting it and hoping for the best that the event organiser I had entrusted my information with would have adequate measures to keep it safe.
However, there is a second element to the GDPR conundrum that comes hand in hand with security and that is privacy. Not privacy in the sense of keeping people’s information from being dumped on Pastebin, but privacy in that you only ask for the information you need in the first place and dispose of it as soon as it loses its relevance.
To take my registration form experience: I’ve agreed to attend the event and given up a fair amount of sensitive personal data to do so. The person at the reception desk only needs my name and the company I’m coming from. For the back office, it would be useful to know my job title to ensure I qualified to attend for free and an e-mail address to notify me of any changes to the programme, the venue or total cancellation. The other fields I was asked to fill in – gender, age range, postal address, mobile phone number – didn’t add value to me and, in fact, only create an additional security headache for the organiser when it comes to GDPR compliance.
Prior to GDPR I would have been flaithulach with my deets but now I want to know why they are needed, how long they’re going to be kept for and for what purposes – all up front. What’s more, I have the right to see what’s kept on me and to demand it be deleted. Can I be confident that this company, or any other that I deal with, would be so fastidious as to do so?
To be honest, I have my doubts but I now have the same feeling about every company I’ve ever dealt with, from the multinationals to SMEs to start-ups. So next time you see a field with an * ask yourself why it’s needed and who benefits. Sometimes reasons are valid, sometimes questions need to be asked. And if you don’t like the answers you’re given, there’s always the Office of the Data Protection Commissioner to set everyone straight.