
Uber’s in the news again. So with GDPR on the horizon, how can we avoid the same fate?

It seems Uber is in the dog house once again. 

I recently read an article describing Uber’s public relations as a giant game of ‘Whack-a-mole’. Indeed, their communications team must spend much of their time fighting fires.

This isn’t the first time Uber has been under pressure for a data breach, of course. But since this is (shortly) the season to be giving, I wanted to write a short post considering what positives we could take from this episode. How could we avoid such an outcome for our own organisations?

GDPR is an opportunity to shore up the dam

GDPR legislation requires such breaches to be reported within 72 hours – so taking over a year would not go down particularly well with the ICO. If the legislation were being enforced right now, Uber would have faced a considerable fine. And without commenting on the ethics of transacting with hackers, there is clearly additional risk associated with this approach.

Right now, many organisations are understandably focusing on facilitating the ‘rights of the individual’, and finding themselves overwhelmed by concocting re-consenting strategies. But with time marching on towards the 25th May 2018 deadline, I suggest one of the first priorities for a business should be to identify the greatest areas of risk associated with personal data breaches.

It’s true that GDPR-compliant consent is important, but given that Direct Marketing is called out as a Legitimate Interest, it’s not quite as crucial as some commentators and organisations are making out. However, if you have failed to address the security aspects (implementing the relevant technical and organisational measures to keep personal data secure), your risk of a breach is much greater, which raises the corresponding risk of being fined.

Do we know who is accessing what?

The Uber data breach was made possible because a post on code-sharing website GitHub provided hackers with either the keys or source code they needed to access the data in Amazon Web Services. 

Even if an organisation isn’t using code-sharing or harnessing cloud-based services, it’s not necessarily immune from this sort of incident. On this occasion neither GitHub’s nor AWS’s security protocols were breached.

There are a few questions that, if addressed, could prevent you from becoming the next Uber:

· Are you aware of all of the authentication processes for accessing your organisation’s Personal Data?

· Are those processes documented in line with the Accountability principle?

· Have you reviewed any 3rd parties that access your data to ensure that they haven’t hard-coded information into database calls? This can be as compromising as if they have written the username and password on a post-it note…

· Have you minimised the risk of a breach by putting in place all measures that you can to secure your data?
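The third question above (hard-coded credentials in database calls) is one you can check mechanically rather than by reading every call by hand. The following Python script is an added example, not code from the original post or from Uber, GitHub or AWS: it scans a small set of constructed sample source files for two tell-tale patterns (a password embedded in a connection string, and a credential-looking variable assigned a string literal), reports each finding with the secret redacted, and shows the hardened alternative of reading the secret from the environment at runtime. The sample file contents, the key value and the environment variable name DB_PASSWORD are all assumptions made for the illustration, and the regular expressions are deliberately simple.

```python
"""Minimal detector for hard-coded credentials in source, plus the hardened
alternative of loading secrets from the environment at runtime.

Added example, not part of the original post. The sample files below are
constructed for illustration; the regexes are intentionally simple.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional

# Constructed sample "repository": file name -> file contents.
SAMPLE_FILES: Dict[str, str] = {
    # Password embedded in a database connection string, the kind of thing
    # a third party might leave inside a database call.
    "db.py": 'conn = psycopg2.connect("postgresql://app_user:Sup3rSecret@db.internal:5432/customers")\n',
    # Cloud access key assigned as a string literal (placeholder value, not a real key).
    "config.js": 'const AWS_SECRET_ACCESS_KEY = "EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY1";\n',
    # Hardened form: the secret is read from the environment at runtime,
    # so there is nothing in the source to leak.
    "settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
}

# Pattern 1: "user:password@" inside any URL-style connection string.
CONN_STRING_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@'\"]+)@")

# Pattern 2: a credential-looking identifier assigned a quoted literal of 8+ chars.
ASSIGNMENT_RE = re.compile(
    r"(?i)\w*(?:password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)\w*"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted_secret: str


def redact(secret: str, keep: int = 2) -> str:
    """Keep a short prefix so the finding is recognisable without exposing the value."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_sources(files: Mapping[str, str]) -> List[Finding]:
    """Scan file contents line by line and report likely hard-coded credentials."""
    findings: List[Finding] = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            m = CONN_STRING_RE.search(line)
            if m:
                findings.append(Finding(path, line_no, "connection-string password", redact(m.group(1))))
            m = ASSIGNMENT_RE.search(line)
            if m:
                findings.append(Finding(path, line_no, "credential literal", redact(m.group(1))))
    return findings


def load_db_password(env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: fetch the secret from the environment (or a secrets
    manager) at runtime, and fail loudly if it is missing rather than silently
    falling back to a default. DB_PASSWORD is an assumed variable name."""
    env = os.environ if env is None else env
    value = env.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start with a default credential")
    return value


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.redacted_secret})")
```

Run against the constructed files, the scanner flags db.py and config.js and leaves settings.py alone, which is the point: the hardened file contains no secret to find. A check like this belongs in a pre-commit hook or CI step so that a credential never reaches a shared repository in the first place, and the redaction keeps the scanner's own output from becoming a second copy of the secret.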

There is lots to digest and consider with such far-reaching legislation.

If you are still trying to come to terms with the amount of work required between now and May and feeling a little overwhelmed, it’s worth going back to basics and adopting a pragmatic, risk-based approach. Identify where the greatest risk of a breach exists, and the most expedient way to mitigate it. Although it sounds obvious, such a methodology is a sound way of then focussing your efforts and available resources.

Seek out our previous posts on GDPR for further reading and of course, feel free to get in touch if you have any questions.

Oh and if you enjoyed this article, please do give me a five star rating…