cyber-security approach, philosophy, business, protection

GDPR Basics by example


Do you remember the saying: bury your head in the sand?

Guess what. This is not a good strategy, as GDPR will not go away. Security is becoming a serious issue for business viability.

I feel that, for most businesses, the GDPR regulation is a blind spot. That is exactly why I decided to clear things up, so that you can effectively prepare for GDPR compliance, which comes into effect in May 2018.

I will do that by telling a story.

A few months ago, I received a call from a lady. She identified herself as calling on behalf of a supermarket. Her call was a “routine call” to verify whether any of my personal information had changed. I confirmed that it was the same, but she kept insisting that I should tell her my personal data so that she could check if their records were correct.

Me: I am sorry, but I am not confirming private information over the phone. It’s my policy and it’s not going to happen.

Caller: Ma’am, it is mandatory.

Me: Very interesting. OK then, tell me what records you have about me, and I will confirm if they are correct.

Caller: Actually, we do not have much info. We do not have your ID number, your address, date of birth, surname, email, marital status, number of children. We just have your first name and a phone number (not my primary, just for the record).

Me: Great! That is about right.

Caller: No. We need to have the missing information on file.

That is just about when my security mode went into overdrive. I mean, it was present before, but that statement was over the top.

Me: Why is that?

Caller: Well, without your date of birth for example we cannot send you offers on your special day!

Me: Don’t worry about that. The safety of my identity is more important than a supermarket offer.


I could hear the frustration in her voice when she replied:

Caller: So, you do not want a bonus card? Shall I cancel it?

Me: That is not what I said. If you want me to provide you with all this info, I will require a legal document from your company which specifies the security measures you take to protect the privacy of my personal information, and which states that in the event of identity theft because of you, you will be held responsible. Remind me of your name again, please.

There was a very long pause on the phone. Obviously, the lady had no idea what I was talking about. She was not prepared for that conversation, and it was not her fault. She was just an employee of a phone company ordered to call people to confirm personal information.

Me: Listen, dear, I am a security professional and you need to write down the message I will give you in order to pass it on to your supervisors. Legally, you have no right to store this personal data of your clients without their written consent and without clarifying to them what your standpoint is with that data, in case it is compromised. Moreover, there is no clear indication of how your supermarket handles this information, who has access to it and how they use it. If your administration will not revise this old and very dangerous policy, it will very soon face catastrophic implications. In other words, identity theft affecting thousands of people means millions of dollars in lawsuits against your company, government prosecution with fines because you violated regulations, etc.

After this point she wasn’t listening, so I just said: next time I will be charging for advice. Sad thing is, she probably never gave my message to the right people.

Here is the list of issues I identified, which you need to consider for the data your business handles:

• Giving call-centre companies, with no permanent employees to hold accountable, access to the private data of real people.
• Requesting data which is not critical in order to offer a service.
• Not being clear and informative to people about how you store, handle and protect the data you request from them.

I wouldn’t be surprised if they hold credit card details as well, which is a paradise for identity-theft con artists.
So, if you are a business which holds private data, this is where you need to start when evaluating your clients’ data. I have prepared a free “GDPR Basics” quick start guide for you.


The point is, employing legal consultants for the new GDPR law is only going to help you up to a point. Want proof? Tricking people into signing a hard-to-understand contract about their leaked data will protect you against customer lawsuits to an extent. Regulatory action, however, and your reputation can only be covered by a solid security strategy, which includes evaluating the data you hold.

Understanding your personal or business protection also has to do with the data you give away, so consider the value of what you are getting for what you give away. You might be doing your best internally for your protection, but if you share data with third parties, you do not know their security level and cannot control it, which immediately increases your exposure.

Clarity is power! So, I am now turning it over to you. As we are close to the GDPR deadline, I would like to pose two questions.

1) Have you evaluated your data in preparation for GDPR?
2) How do the recommendations I made in this episode help you? I cannot wait to hear your comments, so leave them below.

Until next Monday, Stay safe!
