[BreachExchange] UK public no longer trusts online businesses with its data

Destry Winant destry at riskbasedsecurity.com
Fri May 19 03:30:42 EDT 2017


Research from RSA said high-profile data breaches were hurting public trust
in digital companies

The public's trust in online businesses has been destroyed following an
increasing number of high profile data breach disclosures over the past
year, leading many customers to boycott companies entirely.

That's according to research conducted by RSA, which also found that almost
a quarter of those interviewed had become numb to the idea of data loss, no
longer shocked by news of fresh data breaches. Almost 35% of respondents
said they had lost trust in the ability of companies to protect user data,
and had resigned themselves to the likelihood that their information would
be stolen eventually.

"When you read headline after headline of high profile data breaches, it is
easy to despair and lose trust in businesses' ability to look after our
data," said Rashmi Knowles, CTO EMEA at RSA. "Things are only going to get
worse once mandatory breach notification is introduced under the GDPR, as
these breaches will become even more public."

"We can see some consumers are already boycotting companies that mishandle
data, so this should be a real wakeup call - particularly when you add that
to the potential penalties that could be imposed," added Knowles.

The General Data Protection Regulations
set to come into force in May 2018, will attempt to harmonise data
protection compliance by enforcing stricter rules around the handling of
personal data. It will be the single biggest shake up to data protection
since the creation of the 1998 Data Protection Act.

As part of the new regulations, it will soon be mandatory for businesses to
disclose any breach that has led to the loss of user data with 72 hours.
However the fact businesses will soon need to be more accountable and
transparent in their processes doesn't seem to be filtering down to the

Of the 2,045 consumers surveyed, only 15% had heard of GDPR and the changes
it will bring. Once informed, 53% said that the proposed fines under GDPR
were fair, however one in five believe they do not go far enough, and that
customers should be financially compensated if their data is stolen in a

The Right to be Forgotten

That disconnect is likely to narrow under GDPR, as businesses will be
forced to become more transparent and inform customers of their rights as
data subjects. However, empowered by GDPR, those customers who distrust
online businesses could potentially actively block the use of their data
through schemes such as the 'Right to be Forgotten'.

This, according to Nailah Ukaidi, an independent information governance
practitioner speaking at a RSA panel event in London, could prove to be a
significant obstacle for businesses adapting to new customer expectations.

"With the 'Right to be Forgotten' rule, following efforts by Google, people
started to use it, and now that its much clearer in the regulations, I
think there'll be a lot more use of that," said Ukaidi.

"And with the government's proposals around allowing people to erase their
Facebook lives... people are jumping at that. This has massive implications
for customers and their expectations... and I think those are the areas
where the ICO will look at."

The Information Commissioners Office will ultimately be one of the bodies
responsible for enforcing GDPR compliance in the UK, and will be firmly on
the side of the customer.

"The ICO is there to provide enforcement from a customer's perspective, and
where they will look at enforcing fines is where there has been real damage
or distress caused to the data subject," added Ukaidi.

Chris Daly, CEO of the Chartered Institute of Marketing and also present at
the London panel, explained that the GDPR regulations should be worn like a
"badge of honour" - an opportunity for businesses to change their
relationship with the customer.

"Honesty and transparency should be at the core of the relationship between
the customer and the organisation," said Daly. "I think it's not only the
right thing to do, but also the customers are expecting that. It's a case
of organisations taking on the responsibility and becoming more
professional in their dealings with their customers."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170519/0f2512e4/attachment.html>

More information about the BreachExchange mailing list