The following post was written by Janelle Hsia, Data Privacy and Security Consultant, American Cyber Security Management.
Why should you care about data privacy laws like the new General Data Protection Regulation (GDPR) coming out of Europe? Because it’s all about data – your data and keeping it safe.
Here’s how it works: Let’s say that you want to buy a new pair of jeans. First, you’d use a web browser like Chrome, Edge, or Firefox to conduct your internet search. Most likely you would put in search criteria like “best jeans” or “hottest fashions” or “rugged work jeans.” Did you know that as you type all this information your search engine is collecting data about you? Probably not.
That’s where GDPR comes in. With GDPR, the search engine company will need to inform you, if you are an EU citizen, that they are collecting data about you. They’ll also need to tell you what kind of data they are collecting.
Next, you’re super excited because you found the perfect website – mijeans.com. You search their site for the exact style, color, and size you want. Yay!
But wait, now the following information has been collected about you – your shopping preferences, your IP address, your browser type, and other system information. So, at this point you’ve found the right jeans, and you are ready to pay for them. What do you pay for them with? Usually a credit card.
Now a screen pops up and you enter more information. The difference with this information is that you have a choice as to what you enter. Up until this point, all the data you entered was collected without your knowledge or consent. At a minimum on this screen you have to put in your email address (so they can communicate with you) your mailing address (so they can ship you the jeans) and a credit card number (so you can pay them). Under the guise of being more beneficial to your shopping experience, they might also ask additional questions like range of income, the type of job you have, and how many people are in your household.
All of the parts of that transaction were things that you see and kind of already know about when you shop online. That’s the “front-end” process of buying the jeans. Meanwhile, the “back-end” process does all the work and there are a lot of companies processing both the data you know about, and the data that you didn’t know they collected about you.
Let’s say the website was owned by a company in Europe, because honestly, that’s where the best jeans can be found. This company in Europe has employees who help with the processing of this order. So the jeans company’s employees have access to all of this data – both the data that you provided to them as well as all the data they collected without your knowledge.
But wait, there’s more… Like with anything on the internet, we also have to look behind the curtain and see where mijeans.com is hosted. Let’s say that this website provider myjeans.com is hosted by a company in Germany. This hosting company is the company that actually stores and processes the data you provided to mijeans.com. And they have employees, vendors, contractors and maybe even sub-processors who could potentially have access to all your data.
Now, let’s go back to the actual transaction of purchasing the jeans. You entered a credit card, right? That data was probably stored with a credit card processing company which is different than all the other companies listed above. So that company and all their employees could have access to your data. Now, you’d like the jeans to arrive at your house, so we need to add a shipping company. Not to get too detailed, but these are just the companies we can easily identify. What if the credit card processing company outsources their work to India? What if those really awesome jeans that you thought you bought from a European company are actually shipped from China.
Let’s look at all the data potentially collected, and the companies that could have access to it:
- Browsing History – all your searching and purchases
- Browser Type
- Operating System Version
- Browser type and Version
- IP Address
- Email Addresses
- Jean Size and Preferences
- Mailing Address
- Credit Card # Information
These are the companies and their country of origin:
- Web browsing company – let’s assume the country where you live, USA, Mexico, Canada
- Mijeans.com – France
- Hosting Company – Germany
- Credit Card Processing Company – India
- Shipping Company – China
So with this simple, everyday online transaction, hopefully you can see the tangled web of data being passed all around the globe. With GDPR, mijeans.com would have the biggest responsibility to inform you of the data that was being collected, the type of data, what they would use that data for, and the fact that it was being distributed to additional companies.
So…Why do you care? Because what you don’t know could end up hurting you. If you don’t know who has information about you, you are completely in the dark about what they are doing with it. Do you know that they are keeping your data safe?
Here’s an example: Don’t you ever wonder how you can be searching for something one minute, and then the next time you go to another online application, there’s something related to that search…
Why do you care? It’s like someone looking through your cabinets and knowing you’re out of spaghetti PLUS knowing that you really wanted spaghetti for dinner AND then having a box of spaghetti show up at your door. How safe in your own house would that make you feel?
If you would like more information about GDPR or if you need help understanding the complexity of the compliance – visit http://www.americancsm.com/.
Stay tuned for more privacy and compliance content from Janelle Hsia in the coming weeks!