The word data covers a huge number of things, but for the purposes of mappd, we focus on personal data. This is data that relates to and identifies you. Read on to find out how to maintain your digital footprint.
Note: This blog is not intended to be a complete guide to the GDPR; however, as there is overlap, some of the basics will be covered. We have to cover some of these points as they are key to understanding your rights when managing your digital footprint. P.S. See a sneak preview of the app at the end of this blog!
Where to start..
When thinking about the content for this blog post, it’s difficult to know where to start because the topic is so broad. To ensure that the information is relevant, it’s going to be broken up into the following sections:
- What does personal data cover
- Why is personal data different from special category data
- Do businesses need to do anything before processing personal data
- What are the lawful bases for processing personal data
- Why does the GDPR matter
- How is
- What happens when my data is collected
- What kind of things capture or process my data
- How businesses handle data
- What are the risks of businesses handling your data
- How many companies have my data?
- Where in the world could my data be?
- What are the effects of my data being stolen or misused?
- How was
- How can you get a handle on your digital footprint?
Let’s get started, what is personal data?
Personal data is anything relating to you; the term is often used alongside ‘personally identifiable information’. It can cover a broad spectrum of data, from your name to your number plate.
Another term often used is personally sensitive information or ‘special category data’. This specifically refers to things like:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
Why is personal data treated differently to special category data?
Various legislation, particularly the GDPR and UK DPA 2018, refers to special category data separately. This is because additional controls, processes and security measures are required to keep this data safe. For example, a business must have an extra ‘condition’ for having to process special category data and will often put in extra security too.
Do businesses have to do anything before processing my information?
There are a number of things an
Organisations are advised and required to carry out a Privacy Impact Assessment (PIA). Any organisation that values compliance and doing things the right way will carry out one of these assessments before implementing a new processing activity. This assessment ensures that they are considering privacy and security by design and not as an afterthought.
What are the lawful bases for processing personal data?
Taken from the UK Information Commissioner’s Office:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Why does the GDPR matter?
Following on from the very brief crash course above, it’s really important to bear the GDPR in mind as this is the legislation that sets the foundation for transparency. Not only this, but it sets into law how an organisation must behave, albeit sometimes in quite vague and business-sided terms.
Without the GDPR, things like mappd would not exist as it would be near impossible to get organisations on board and playing ball. We will go into this in more detail later.
Moving on from the GDPR, let’s look at how data is used in a typical business-to-consumer model.
How is my data collected?
There are a large number of ways that you might hand your data over to an organisation. For simplicity, we will break them up into active and passive. Active methods are those where you proactively give your information and are engaged in the process, whereas passive methods happen without notice. Here are some of the commonly thought of ‘active’ methods:
- Signing up on a website
- Giving details for a warranty or after purchasing a product
- Working for an organisation
- Taking out a product that requires your details to verify you e.g. insurance, taking out a mortgage or taking out a finance agreement
There are other methods that are often not in the front of the mind, due to them happening passively, such as;
- Your internet browsing history
- CCTV imagery
- Location data
- Your digital preferences
What happens once my data is collected?
Once collected, almost all organisations or data collectors will store your information in a form of management system, often referred to as a Customer Relationship Management (CRM) system. From these systems, they will move data into various other systems for whichever purpose they stated when capturing it.
Taking the above examples of data capturing, we can give a good guess at where your data will go and what it will be used for;
- Signing up on a website – Stored within a CRM to manage email subscribers, usually segmented or used for marketing campaigns, newsletters or updates
- Giving details for a warranty or after purchasing a product – Stored within a CRM / database with details and purchase times to manage warranty validation
- Working for an organisation – Stored within a HR / Employee database, alongside medical information, disciplinary information and various other pieces of information
- Taking out a product that requires your details to verify you e.g. insurance, taking out a mortgage or taking out a finance agreement – Stored within a CRM managing you from lead to sale, sending your data to credit reference agencies for identity checks and third parties for subcontracting of services.
- Your internet browsing history – Stored by Internet Service Providers (ISPs) for legal reasons, i.e. to give authorities access under a warrant in the event of a legal investigation. Also within cookies to give advertising based on your activities
- CCTV imagery – Stored on CCTV servers for a given amount of time to be used in the event that evidence is required, usually in a legal case
- Location Data – Stored and aggregated against you as an individual to present targeted advertising, notifications, recommendations and for third party diagnostics
We have covered a small number of circumstances above, but you will begin to understand that a very intricate and detailed image of you as an individual is quickly being built by organisations, by choice or by law.
As humans, we need an element of control and privacy around our sensitive data or data in general. Without this we feel vulnerable and have a lack of confidence in our digital lives and relationships.
What are the risks when companies process my information?
Naturally, any place that you share your information introduces some additional risk – however some places more than others. You can break this down to understand why there are some risks that are worth taking more than others, but first the following statement is important to bear in mind.
Every place you share your data is another place for it to be stolen or misused. As an individual it’s important to see where you share your information and be informed of where risks exist.
Harrison Mussell, Founder, Mappd.io
The main risks when sharing data with an organisation are either internal or external (usually a combination of both). Internal threats are usually around an organisation having poor processes leading to accidental data disclosures, while an external threat refers to a hacker trying to steal data or money for their own gain.
Let’s take another look at those examples and highlight some of the risks:
Active types – risks
- Signing up on a website – Stored within a CRM to manage email subscribers, usually segmented or used for marketing campaigns, newsletters or updates – Risk of misuse, marketing to users who do not consent or repurposing without permission
- Giving details for a warranty or after purchasing a product – Stored within a CRM / database with details and purchase times to manage warranty validation – Similar to the above
- Working for an organisation – Stored within a HR / Employee database, alongside medical information, disciplinary information and various other pieces of information – Lots of sensitive information can be captured, misuse from employees or unauthorised access could take place
- Taking out a product that requires your details to verify you e.g. insurance, taking out a mortgage or taking out a finance agreement – Stored within a CRM managing you from lead to sale, sending your data to credit reference agencies for identity checks and third parties for subcontracting of services – Products sometimes require testing, which could be done insecurely if the organisation doesn’t follow best practice.
Passive types – risks
- Your internet browsing history – Stored by Internet Service Providers (ISPs) for legal reasons, i.e. to give authorities access under a warrant in the event of a legal investigation. Also within cookies to give advertising based on your activities – Misuse or hacking is the biggest risk, imagine an ISP was compromised and they had people’s browsing history!
- CCTV imagery – Stored on CCTV servers for a given amount of time to be used in the event that evidence is required, usually in a legal case – Being watched without permission, ability to track your movements without knowing
- Location Data – Stored and aggregated against you as an individual to present targeted advertising, notifications, recommendations and for third party diagnostics – Similar to CCTV but on a digital level, often without you fully understanding due to the extremely passive nature. Ability to paint a picture of your life, work out your home, place of work, where you visit often and more.
What happens if someone is able to get hold of my information, or hack my accounts?
We say this all the time: if you haven’t been hacked yet, it’s because you haven’t been targeted yet. So what happens if you were? Let’s have a think about what kind of things an attacker could do:
- Publicly humiliate you – An attacker could get access to your social media or messaging accounts and post humiliating or personal information
- Hold you to ransom – Typically we see ‘sextortion’, which is very common. An attacker may have an image of you watching a porn site alongside some other details to scare you and proceed to threaten to expose you. This is usually done for ransom, where you have to pay to keep them away.
- Steal your identity – If enough of your information is stolen, identity thieves can use this information to open accounts in your name and attempt to impersonate you. Cifas markers on your credit score result in additional steps required to verify yourself. These steps are for your protection but make credit checks and financing more difficult for you.
- Steal money from you – If your details or passwords are stolen, an attacker could steal money from you, whether this is from your bank account, or if you hold cryptocurrency, they could take over your crypto wallet.
- Make you feel vulnerable – Alongside the above and the many other negative experiences, being hacked can make you feel vulnerable.
Continue reading to find out how mappd can help reduce the risk of these things occurring.
How are organisations targeted?
From an external point of view, organisations are typically targeted based on the effort v reward perceived by the attacker – this will either be the companies with poor security that are easy to breach or those with such a high reward that it is worth spending the effort (think large amounts of sensitive data or financial return).
How can I make more secure decisions, or have more control over my digital footprint?
On the basis of the above, it’s important that as individuals in a data orientated world, we have the right tools to be able to make an informed decision that ultimately provides us with the benefits we require for an acceptable level of risk.
If you were aware that an organisation had poor security in place and were asked to share your sensitive information, it’s likely that you would decline. If it was a service that you had to have, then you would feel forced into proceeding with them. However, if you had the tools available to show you alternatives that were more secure, you would be more likely to go with the more secure alternative.
This does not exist and puts us, the consumers, in a position where we are stuck and ill-informed.
Does the GDPR not solve this problem?
The GDPR and other privacy laws are in essence a framework which needs to be built upon in the real world to get real benefits for those who it is meant to protect.
Harrison Mussell, Founder, Mappd.io
At mappd we are building the tools to allow for this change, to turn a complex subject into something that is accessible to all, jargon free and the platform for a consumer focused future.
The internet and
This is why our digital footprint is so important and why we should be carrying out a regular digital hygiene routine, similar to brushing your teeth. We are taught to regularly clean and maintain our teeth for physical health reasons but also appearance – your footprint is exactly the same.
How many companies have my data within my digital footprint?
When you take into account the risks and the unknown aspects of your digital footprint, one of the first questions is where is my data or what does my footprint look like? On average, a user of mappd will find between 200 – 300 organisations who have their information. Now that is a lot of places for it to be stolen.
Considering this number, it is imperative that we all carry out a good digital hygiene routine.
What is digital hygiene? How does it affect my footprint?
We’ve talked about this in a previous blog which has more detail. Digital hygiene is essentially carrying out regular actions and routines to reduce your digital footprint and clean up the bad bits. This might be companies that no longer need your information, old pieces of information that are no longer representative of your views or your digital persona, or keeping your accounts secure if you’ve found out you’ve been hacked.
Digital hygiene and managing your digital footprint is the future of privacy
You may have never heard of the phrase and it’s something that we are trying to publicise as much as possible. You may also wonder why it is the future of the internet.
“Until people take digital hygiene as seriously as physical hygiene, legislation like the GDPR will not be as effective as it could. Organisations will only work to the level they are required. If we all carried out digital hygiene routines, organisations would be inclined to be receptive or face a loss in confidence and reputation.”
Harrison Mussell, Founder, Mappd.io
What are the principles of digital hyg
Achieving a good level of digital hygiene can be as simple as taking a few steps on a regular basis, such as:
- Reviewing which organisations you share data with
- Actively making changes when threats appear within your digital footprint
- Switching to services and organisations who value privacy and security
- Cleaning up social media or internet posts that no longer apply to you
You are then active
- identity theft
- Social impacts due to information on the internet
How can I keep on top of my digital footprint?
This is a very good question and something that we believe has never been achieved before. Never has someone been able to visually see and identify where their data is around the world and take actions to clean this up or make themselves more secure.
This hasn’t been achieved to our knowledge, even manually, and we are making it automated.
We are working tirelessly at mappd to deliver an app that does not take valuable time out of your day. We live such busy lives and adding another hygiene routine is not ideal. mappd works in the background via automated processes to keep your digital footprint up to date and gives you the suggestions and tools you need to effectively achieve digital hygiene with minimal effort and intervention.
When is mappd going to be available?
We are due to release a launch date in the next week or so, so keep your eyes peeled and sign up on the homepage for a notification on launch. We will be looking for some additional early testers, so please get in touch if you’d like to be involved. See below for a sneak preview.