Read what you sign carefully. And remind companies of their doo-doos.
As a rule of thumb, nobody really likes change. Once it happens, many of us are reluctant to adjust. Sometimes it’s because someone lacks the necessary knowledge, sometimes it’s because adjusting to the process of change requires lots of time and resources.
I like to help people get accustomed to it, especially if it’s in my own best interest, like in the case of the latest personal data protection laws.
What’s the deal with GDPR?
This stands for General Data Protection Regulation and it has to do with personal data protection, including ways in which such details are processed and shared.
This law made people aware of how important it is to protect your sensitive data and how you can exercise your rights.
This is basically the best thing that happened to the people who care about their privacy.
That one time when I went to see my doctor
Not so long ago, I had an appointment. First, I needed to provide some details for my patient’s card at the reception. Everything was just the way it was 30 years ago or so: a long line of patients in front of a tiny window and all the pitiful attempts to jump the queue, because some people “just want to ask a simple question, really, it’ll only take moment.”
And to think the pandemic made me miss all this!
My turn finally came. I was given a piece of paper to read and sign. It was a consent for processing my personal data. Well, it’s the era of GDPR, so there’s nothing surprising about it. But then I realized something was very wrong with it.
It cited a regulation from 1997!
With me being me, I remarked that they should’ve known by now that new regulations have been in effect since 2018, and the document they gave me is outdated.
I was met with a blank stare. The receptionist was both unimpressed and uninterested. “Not my problem,” she said. “No, the supervisor’s not here,” she added. Refusal to sign the paper meant not seeing the doctor, and with the long line behind my back, I gave up and played along.
Why you gotta keep your details safe
You might think that I was being a wise guy there. But consider the following: if the facility uses outdated forms, they probably didn’t bother implementing any changes required by the GDPR regulations. And these were introduced for a reason, the main one being the safety of our personal details.
You just have to be aware of what sort of details you give to others and what happens when you do.
The thing is, not everyone understands what data protection really means. We all value privacy, but we’re often not aware that our details can become easily accessible to others, quite often because we consent to that. And this might lead to some risky situations.
For the most part, it’s going to be unsolicited advertising. But we can become victims of, say, targeted political agitation, which is what Cambridge Analytica allegedly did during the 2016 US election, for example. But there are even worse threats: your data can be used for scams, taking loans and breaking into your bank accounts.
For example, identity thefts on Facebook occur quite often. A friend of mine fell victim to that. Thankfully, all she lost was her account. My other friends’ parents weren’t as lucky. A family friend contacted them, asking for 1000 PLN. Nothing seemed off, as they talked to each other quite often. Little did they know the account was stolen, and we all know how this ended. The money went to the scammer, not the actual friend.
If someone asks for money on Facebook or any other social platform, either call this person or talk to them face-to-face, if possible. This way you might detect an identity theft and save yourself a lot of trouble.
Back to my doctor’s appointment
Lots of sensitive information is processed by clinics and hospitals. Names, addresses, phone numbers, medical histories, drugs prescribed, etc. Nowadays, with receptions’ systems connected to the Internet, I’d like to be sure that those details are stored and processed in a safe way that ensures they won’t fall into wrong hands.
For example, if a criminal got their hands on these details, they could use it to extort money from that person’s parents: “Betty’s had another seizure, she’s back at the hospital and needs money immediately.”
Private businesses oftentimes worry about losing their reputation or paying really hefty fines for breaking data protection laws in any way.
Public institutions, however, such as the clinic I visited, seem to exist in some sort of a legal vacuum.
It was discovered only recently that various entities, such as Maryland’s health department and New York’s Metropolitan Transportation Authority, left 38 million records exposed due to misconfiguring Microsoft software. Fortunately, this was discovered by UpGuard, a cybersecurity company. Affected institutions and companies were notified, but it’s unknown whether any data has been leaked or not.
Data leaks in gaming
The gaming world is not safe from such hazards, either. Let me just focus on some of the most recent cases. I’m omitting EA, Nintendo and CD Projekt RED here, as these leaks only involved source codes of their games, not user data.
For starters, the Razer leak. The popular gaming hardware manufacturer suffered from a severe data exposure back in 2020. As Volodymyr Diachenko of Comparitech reported, exposed information included full names, emails, phone numbers, internal customer IDs, order numbers, order details, as well as billing and shipping addresses. Razer stated that luckily no other sensitive data, such as passwords or credit card numbers, was made public, and the whole situation was quickly fixed.
Back in 2019, a Polish electronics and gaming hardware retailer, had to pay over 2 million PLN ($525,000) for not making user data safe enough. As we can see here, companies do get punished for not adhering to or even breaking the data protection law.
Is there a way to protect yourself from such leaks in the realm of gaming? Common sense is key. Make sure that you provide only details that are necessary. Better yet, create a secondary e-mail account, separate from your “official” one, so that you can use it for gaming and entertainment purposes. This way you’ll keep, say, your bank accounts safe, and only lose more trivial data.
Make sure not to use the same password for every service. I also recommend KeePass, it’s a good tool to keep your passwords safe.
Risky situations abound
Numerous threats to our private detail security exist. We leave traces here and there, and we’re far too trusting towards technology. Even simple things can hurt us.
There are still some places — swimming pools, gyms, spas and so on — where customers can be required to deposit their IDs as a pledge in order to use a service. Mobile providers used to photocopy documents not so long ago! And ID cards contain information that could be used to take a loan, for example, at least in my country.
There are people who create fake IDs as “collector’s items,” a joke or — which happens very often — for malicious purposes. And you certainly wouldn’t appreciate gifts such as paying off someone’s loan or having your house sold out of the blue…
It’s good to spend a few minutes to take a thorough look at what we’re about to sign, what we’re agreeing to, and if it’s really necessary for us to provide this or that detail. This can lower the chances of our data getting leaked and misused.
Educating others is also important.
I did not succeed at the clinic, but I did help out in other places. For example, there was a time when I visited a spa where I was also given a GDPR form to sign.
At a first glance it was a proper document and everything seemed in order. Upon closer inspection, however, I realized it’s just a template downloaded from the Internet. Nobody bothered to read it, either, as it contained blank spaces in the “Your company name here” field or “XXXX” as the name of the company responsible for processing the data. It completely lacked the information on why these details are needed and how long are they going to be stored for, and this is required by the law.
I pointed out all these errors and omissions and kindly explained that such a document is really, really dangerous to the company. The owner thanked me for that and I even got a discount, which was nice.
But if you feel a company doesn’t really care about your data’s safety or there’s been a leak, you can let the Personal Data Protection Office know about that. The said business can face really serious consequences then, ranging from controls to really painful fines.
IT professionals work with things like web security and private data protection on a daily basis. I think it’s our duty to share our knowledge with others and help them even in menial situations, also for our own safety.
People need to understand what they’re doing and why, otherwise the forms they fill in and sign are just meaningless pieces of paper stuck in someone’s drawer.
By Adrian Gładysz, Data Protection Officer at G2A.COMBack