Sending data via email: data leakage pitfall number one
Now that the GDPR has been in force for half a year, many companies are holding an internal evaluation: what has changed in the area of data protection, what should be improved, and what problems do we anticipate? One of the most striking consequences of the GDPR is that the consumer has regained control over his personal data: he remains the owner of his data. Not all companies handle this equally well. Last summer a journalist from the Volkskrant approached ten companies asking what was done with his personal data, and why. He seldom received complete answers, and sometimes no answer at all.
The first GDPR fine is a fact
One of the first recipients of a big GDPR fine was (of course) a bank. The Dutch Data Protection Authority fined Insinger Gilissen Bankiers (formerly TGB) 48,000 euros because the bank repeatedly refused to show a customer his personal details. My first question is: what kind of awful things does that bank keep in the client's file? Was it an awkward customer who was already coming up with impossible questions before the GDPR came into force? Or did the account manager attach offensive notes to the personal data? We will probably never know.
Data leakage pitfall
What did come to light when I asked my internet service provider for my personal data is that the way this data is sent to the customer leaves a lot to be desired. I received a friendly email with a link to the PDF containing my details. Everything was complete. However, sending an email with a document full of privacy-sensitive information, protected in no way at all, is of course data leakage pitfall number one. A mail account is, in fact, very unsafe. A document containing sensitive information that is shared by email must always be encrypted and password protected. There is a very good solution for that, and it is not even difficult to implement. Why is this not used everywhere by default?
Storage and processing of personal data
The most obvious reason is that many companies are still busy with the internal organization of how personal data is stored and processed. Because this data is often held in several systems, arranging everything correctly and in accordance with the GDPR is quite a puzzle. Many organizations are not used to sharing sensitive data with third parties (or with the customer), so they do not think about how this process can and should be made secure. However, the Dutch Data Protection Authority is not a dormant watchdog, and it is indeed capable of imposing hefty fines. Now that the GDPR has been in force for half a year, it is really time for all companies and agencies to think about how they can share documents online safely. We already have the answer.