Thursday, August 31, 2017

Privacy done wrong - online registrations

Companies: Data Privacy is far more than a Privacy Notice.

Having had a Gmail address for several years means getting lots of emails from people who either mistyped their email address or have little practice with new (!) technologies. Add to this that many companies do not first check whether the email address is correct.

Can you already see the GDPR fines?

I have a perfect example. I received an email about a registration with a large company. I was never asked for a confirmation. Art 5.e is already breached:
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
I try to find a way to tell them this. The only way seems to be to log in, which I can't because I do not have a password. So I request one, in order to remove or change my email address. It arrives and I log in. What do I see?

* the full name
* the full address
* the IRS number (!)
* the phone number
* date of birth

This is particularly dangerous because the person in question is vulnerable. Identity theft made easy. With some social engineering, I can only imagine how nasty this could become.

To add further incompetence, the email field cannot be changed. Finally, there's a pre-ticked checkbox to accept the T&Cs.
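What the correct flow looks like, as an added example that is not from the post or the company in question: a registration store that refuses to show personal data or issue a password reset until the address has been confirmed with a single-use, expiring token, and that rejects a consent flag that was not actively set. All names, the 24-hour expiry and the server key are assumptions for the illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 24 * 3600                 # assumption: confirmation links expire after a day
SERVER_KEY = secrets.token_bytes(32)  # assumption: a per-deployment secret key

def _token_hash(token: str) -> str:
    # Store only a keyed hash, so a leaked database does not leak live tokens.
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()

@dataclass
class Account:
    email: str
    profile: dict            # name, address, tax id, ... (constructed sample data)
    confirmed: bool = False
    token_hash: str = ""
    token_expires: float = 0.0

class Registry:
    def __init__(self):
        self.accounts: dict = {}

    def register(self, email: str, profile: dict, accepted_terms: bool, now: float) -> str:
        """Create a pending account and return the token to mail to `email`."""
        if not accepted_terms:  # the box must be ticked by the user, never pre-ticked
            raise ValueError("terms must be actively accepted")
        token = secrets.token_urlsafe(32)
        self.accounts[email] = Account(email, profile, False, _token_hash(token), now + TOKEN_TTL)
        return token

    def confirm(self, email: str, token: str, now: float) -> bool:
        """Activate the account only if the token matches and has not expired."""
        acct = self.accounts.get(email)
        if acct is None or acct.confirmed or now > acct.token_expires:
            return False
        if not hmac.compare_digest(acct.token_hash, _token_hash(token)):
            return False
        acct.confirmed, acct.token_hash = True, ""  # token is single use
        return True

    def password_reset_allowed(self, email: str) -> bool:
        """A reset link must never be a back door into an unconfirmed account."""
        acct = self.accounts.get(email)
        return acct is not None and acct.confirmed

    def profile_for(self, email: str) -> Optional[dict]:
        """Personal data is shown only once the address is proven to be the owner's."""
        acct = self.accounts.get(email)
        return acct.profile if acct is not None and acct.confirmed else None
```

Until `confirm` succeeds, a mistyped address cannot be used to read the profile or to obtain a password, which is exactly the gap the post describes.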

Can't wait for May 2018.
