Lee & White Consultants

Dedicated to Excellence
  • Home
  • About Us
  • Services
  • Blog
  • Press
  • Publications
  • News
Skip Navigation LinksHome > Blog
Go Back

  • Overzealous

    Sunday, May 16, 2010

    Email MarketingThere was a recent case in the press about Google collecting and storing information broadcast over open Wi-Fi networks, attributed to the overzealous IT people who captured all data that they could technologically grab, and store it, just in case they might use it in the future.

     

    This is a good example of what happens quite often in IT projects.

    • The business owner has a great idea to use a new technology to boost sales or to develop a new product.
    • The business analyst uses these ideas and draws up the business requirements and scope of a project to achieve this goal.
    • The project manager executes the project and drives the IT and business teams to deliver the required code.

    The whole process is monitored end to end by the data protection officer who

    • Assesses the impact on personal data protection at the time the business owner intends to initiate the project
    • Reviews and approves the business requirements and analysis documents, checking that personal data processing is
      • fair and lawful,
      • collected for the specific purpose of the project,
      • adequate, relevant and not excessive.
    • Participates in status and scope meetings, guarding the above.
    • Performs integration and user acceptance testing with a focus on personal data
    • Gives the final go that a project can go live and it is not, now and in the future,
      • a risk to trust and reputation of the organisation, or
      • a violation of applicable data protection laws.

    So far the theory. What happens quite often is that no dedicated data protection officer is assigned, and every party in this process, to the best of their ability and in good faith, do what they think is best.

    • The business owner will want his new product to be fully compliant with best practices and data protection law, but hands it over to the project manager and fails to check these requirements at the end of the project.
    • The business analyst draws up the business requirements, but limited by time and budget sometimes forgets to add the 'hidden' requirements of data protection.
    • The project manager is stuck to a budget and will deliver it at any cost, dropping requirements from the scope if necessary at crunch time.
    • The IT and business teams will try to get the maximum out of the new technology and add any features or use any new technology that they feel like or are intellectually challenged to use.

    The solution is that the whole process of developing a project be monitored and audited end to end, and independent parties should be responsible for doing this. They should explicitely approve any step in the project, ensuring that the scope is strictly limited to what the project requires and no extra 'features' are added that can prove to be a very expensive overhead and liability further down the road, both in money and less tangible values.

    Now for the case of Google, is removing the offending data the solution? No, because the offence was processing the data (gathering wifi signals) in the first place which cannot be undone.

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Best Practices Government Organisations IT

  • Let's send a mail

    Monday, April 26, 2010

    Email MarketingIt's almost the end of the quarter, sales numbers are nearly on target, we just need a little boost to get them higher, perhaps even above target, I need that bonus.

    "You know what? Let's launch a quick campaign and mail our prospects!"

    I'm sure this all sounds very familiar if you are in the marketing department of any medium to large company, and it is a great initiative of course. But who shall you email? Where do you get the addresses?

    We could for example mail our prospects, people who expressed some interest in one of our products; or perhaps people who entered that competition last month; perhaps people who were submitted by someone in our friend-gets-friend referral campaign; perhaps the subscribers to our newsletter; what about ex-customers we want back; let's buy a list from a broker; ...

    And this is where it gets hairy:

    • Are you mailing the right people, possibly sending a super promo mail that will anger a new customer who paid so much more for the same product a few days ago?
    • Do you have permission to email these prospects; did you ask them for their permission to send them this kind of promotions and did they opt-in?
    • Did you exclude persons who opted out from your list?
    • Is your list deduplicated? Are you not sending multiple mails to the same person through the same or different email addresses?
    • Are you not publishing your list of email addresses to every recipient?

    A mistake at this level can cost you dearly, in terms of losing face or upsetting client or supplier relations, and it could all be solved if you had followed proper procedures when you acquired the email addresses.

    All you needed to do was:

    • Ask for a prospect's email only when needed.
    • If you want to use this information for other purposes, inform the prospect and ask for his explicit permission.
    • Allow the prospect to review, change and delete his information at his simple request at any time.
    • Check if the supplier of your mailing list or broker has obtained the permission of your prospects and has informed them of the possibility of their information going to you for marketing purposes.
    • At any communication, give the prospect the opportunity to opt out of future communications of this kind or of any kind.

    A Privacy Impact Assessment at the design phase of a project can detect such opportunities and a Data Protection Audit can analyse and correct the flow of information within your organisation.

    It will save you in the long run!

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Best Practices Organisations IT Data Handling Manual

  • Tattletale gadgetry

    Friday, August 14, 2009

    Location based servicesWe have all gotten so used to our gadgets that we are willing to sacrifice basic human rights to get our hands on them. People do not always know the value of their personal data, or value it so low that they are willing to give it up for peanuts (or a chocolate bar).

    Often it is ignorance, and we are not aware that our gadgets or services are giving away important personal data. And then there are those of us who are aware of this fact, and are counting on our provider to treat our personal data properly, or at least according to their privacy statement, which of course we check thoroughly before buying or starting to use such gadget or service.

    A few examples:
    • Mobile phone Did you know that our mobile phones are 'anonymously' tracked for a range of services?
      For example: the traffic report, which informs you of the total length of traffic jams in your country, calculates such information based on tracking of mobile phones, checking how fast the phones are moving - if at all - from point A to point B.
      The mobile phone service providers promise us that the information they gather is anonymized before use.

    • Location based services You can now surf from your mobile phone to a service such as Google Maps which calculates your position - possibly using your built in GPS receiver - to inform you of the services that are available in your immediate vicinity.
      This of course, requires that your location is sent to the service provider first.
      It was recently discovered that some of the new generation smartphones covertly sends important information back to the manufacturer on a daily basis.

    • High street store loyalty card (and other credit cards) We are lured into using these cards, because they make us feel pampered by giving us a few small perks which the other customers do not get.
      Of course, every time you use the card, the store registers what you buy, how much you buy, where, when and how often you buy.
      Using this data, they can, through data mining techniques deduce a lot of information about you and your family: if you respond properly to their campaigns, if and when you deviate from your routine (holidays?), how loyal you are to certain brands, financial information, ...
      This information is then, amongst others, used - by the store itself or third parties - for targeted campaigns.

    • Mobile Payments So convenient, we do not have to use coins anymore, or card. We can simply sms a message and the amount we want to pay for is automatically charged to our mobile phone bill.

      Think a little bit further, and you'll know who will get their hands on the personal data hovering in the chain between you and the receiver of the payment.

    I know that we cannot and should not stop technological evolution, but we need to ensure that every party involved treats personal data properly and always informs and gives the owner access to their personal data - which in the end remains their most personal property.

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Private Persons Personal Data Internet IT

  • Permission is the key

    Tuesday, November 18, 2008

    Whilst unwanted electronic messages to natural persons are already taboo in the Netherlands, as of July 2009, spam will be completely prohibited - extending the illegality of spam to cover companies and other organisations. Indeed, this is the result of a modification to the existing Telecoms law.

    Companies or organisations continuing to spam after the 1st of July 2009 can be punished with a maximum fine of 450,000€. If spam is still sent, then a complaint is possible on the spamklacht.nl site. The OPTA (Independent Post and Telecoms Authority, the Netherlands) will be supervising compliance to the law. Only upon explicit permission to receive such electronic messages (including SMS and faxes), can these be sent to the receiving party.

    And what is the situation in Belgium?

    In Belgium, permission is the general rule, with a limited number of exceptions.

    With the Belgian E-commerce law, the opt in rule for publicity electronic messages is in effect. One can only send electronic messages for publicity purposes where there is a preceding authorisation. Also, the commercial communication, including its presentation, must be immediately recognisable to the receiving party as being such upon receipt of that communication. If this is followed, then it is technically not spam.

    However, the opt-in rule is subject to a few exceptions, making it a soft opt-in approach:

    First Exception: Own customers/clients
    The rule is exempted where the commercial communication is aimed at the organisation's own customers/clients (natural or legal persons). This exception only applies in the following conditions:

    a) The organisation has directly obtained the contact data of the person concerned in the course of a sale of a good/service. [NB: The privacy law concerning the collection of such data must be respected].

    b) The electronic contact data are exclusively used for similar products and/or services which the organisation itself provides.

    c) The organisation gives the customers (when the electronic data are collected) the possibility of objecting to the use of such data in an easy manner and free of charge.

    Second Exception: Legal persons
    The opt-in rule is exempted if the following 2 conditions are met:>

    a) If the contact data is impersonal, and

    b) If the product promoted is intended for that legal person.

    Hence, by laying down these ground rules, one can surely see that there is no room for spamming.

    So get the intended recipient's permission first if you can't resist sending that commercial communication of yours! 

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Private Persons Personal Data Spam Organisations Internet IT

  • Protecting People's Data

    Friday, August 29, 2008

    Confidential Data TheftOne of the duties of being a data controller is to adequately protect the personal data entrusted to you by your data subjects. The law remains pretty vague and does not specify how much 'adequately' is.

    Amongst others it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

    Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

    Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and to do so, need access to code and data. Often this means that they have not only access to test data on test servers but also to real data on production servers.

    They implement easy to remember user accounts - so called super users - which give them access to every part of the applications and databases, even the most confidential. These are rarely changed and are accessible to the complete development team, not to a specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and possibly the developer would still have access to sensitive personal data entrusted to the company.

    According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists with 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty handed, leaving all company confidential data behind.

    Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing high security measures to secure personal and sensitive data is not sufficient as grudging staff will find a way to bypass these security measures.

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Personal Data Organisations Data Theft IT

  • When selling a computer is more than selling a machine

    Wednesday, August 27, 2008

    The frequency of one's personal data being so loosely taken care of is growing alarmingly fast these days. Then again, is it only now that such data is being mishandled, or has it been the case all along? Perhaps horror stories of mishandling of personal data have only recently emerged in the news owing to a growing awareness on the importance of privacy? If that was true, imagine the number of years gone by without our knowledge of the immensity of the abuse and mishandling of our personal data!

    So what is the current horror report on personal data floating around?
    "Bank customer data sold on eBay" - how does that sound? Frightful, I should think.

    Yes, this is one of the latest reports by the BBC News concerning the commencement of an investigation into how a computer containing bank customers' personal data was sold on eBay.

    According to the report, the computer was purchased by an IT manager for GBP77 and contained sensitive details of customers of three companies - including Royal Bank of Scotland (RBS) and its subsidiary Natwest, on its hard drive. Some of the details included customers' signatures, mothers' maiden names and mobile phone numbers.
    Now, was this due to carelessness and negligence on the part of these banks? How did the computer get on the eBay market for sale? All will be revealed after the investigation, I suppose.

    However, it surely does not look good for these banks to have made such a blunder - since security and protection of personal data is of utmost importance and this is a duty that should never have been shirked in the first place.

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Private Persons Personal Data Organisations IT

  • The Early Bird

    Tuesday, August 19, 2008

    We manage IT projects on a daily basis, and in every project there is the returning constant of processing personal data.

    I must say that most clients we have worked with show the goodwill to properly handle personal data, but sometimes other priorities, like financial limitations or time constraints, make it such that proper processing is seen to be a lower, if not the lowest priority.

    Sometimes we get called in to audit a company to check existing processes and applications for compliance to data processing laws. We then need to inventorise what kind of data is kept and where, how it is handled, and what the procedures and communications are. Basically, a thorough in-depth audit that involves and affects all levels of the business.

    When we are involved from the very start, we can, even already on a requirements or functional level, pinpoint where issues would arise, and through small changes in the design and implementation process, ensure that applicable laws and good practices are met.

    It is the same for all problems; if you can catch and fix it at an early stage, the cost is a factor lower than if you have to fix it at a later stage. If, of course, even at that stage you do not fix it, then the cost of being caught after go-live is enormous. This can not only have financial implications, but also cause damage to reputation and brand, as well as have criminal consequences.

    A data protection officer should be involved at every stage of a new project. He should validate business requirements, check functional analyses, approve technical designs and audit proper handling after go-live. If properly executed, the amount of time (and budget) spent on this role would be minimal, and as such only big corporations need a full FTEto perform this role. Most companies can hire external consultants to do this on a part time or time and material basis.

    Some companies make the mistake of asking their in-house legal department or company lawyer to advise on data protection issues. Unfortunately, these individuals are not specialized to give this kind of advice and are usually fully booked to solve other company related legal issues. Also, they might be too deeply involved in the business to give impartial advice.

    Specialized legal consultants have the experience and know-how through different projects to handle these kind of problems on a daily basis. They can also deliver impartial advice without risk of conflict of interest.

    So, in conclusion
    1. Hire a professional to get a professional job done.
    2. Fix problems before they arise.
    3. Do not ignore laws and best practices.

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Personal Data Organisations IT

  • How your personal data is collected on a website.

    Wednesday, July 30, 2008

    The InternetWhen you surf on the Internet, and browse through a website, do you realise some of the methods by which your personal data are collected?

    Well, there are several ways:

    Personal data visibly collected on the website
    If you are aware that you are providing personal details on a website, then the website is visibly or explicitly processing personal data. To that extent, you can control the type of personal data you wish to divulge.

    Some ways in which personal data can be visibly collected include:

    Forms
    Most websites have more than one type of form, depending on the purpose of the form. Since forms are usually designed for a particular purpose, they are a good way of ensuring only relevant data is collected. At the same time, you can easily deduce and have a minimum form of control over the personal data you wish to provide - based on the fields you must fill in prior to submitting the form.

    Email forms however, may be contentious. Using an email to send the form is not a good system as it gives rise to the possibility of collecting another email address which is not disclosed by the user for some reason. For example, the sample below marks Name, Surname, Street and number, Postcode and Municipality as mandatory whilst email is amongst the optional fields.

    Online FormHence, whilst testing this form, I opted to leave out my email address. However, upon clicking SUBMIT, the message as seen below appeared and my email address would nevertheless be collected by the website despite negating to disclose it initially.

    Email
    Whether it is a mail-to function (an email link on the website) which enables you to contact the organization by clicking on the email link, or it is an email address given on the website for contact without the link, you will divulge your personal data such as your email address and name in the email you send. Postal address, phone and fax, phone calls made, faxes sent, or letters written to the organization, will also lead to personal data being divulged by you in the course of obtaining more information about the organization.

    To that extent, it does not differ from online forms on the website as the purpose is the same, and you should be informed that your personal data will/may be collected through these means as well.

    Personal data invisibly collected on the website
    This is where you are unaware of the collection - usually where a specific technology is used to perform the collection, unknown to you.

    Technology per se is advantageous, but it can unfortunately, prove to be a menace as
    well - sometimes by design, at other times by surreptitious use.

    Cookies are a common method of invisible collection and are widely used on websites. Here, it is important that you are informed of the technology used to collect your personal data. Otherwise, being unaware, you are no longer in control of your personal data and such act is a breach of privacy.

    Hopefully, this brief information on the subject will give you a hint on what to look out for before disclosing your personal data.

    For an in-depth read on the subject, please consider the Privacy Report 2006 on the compliance of Belgian non-profit organizations' and political parties' websites with regard to the processing of personal data in accordance with the Belgian Law on Privacy Protection in relation to the Processing of Personal Data, implementing European Union Directive 95/46/EC.

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Private Persons Personal Data Organisations Internet IT

  • What's the big deal anyway?

    Thursday, May 01, 2008

    "What's the big deal anyway?". A remark we hear very often when discussing personal data issues."Nothing to be concerned about, who would be interested in my personal data, and what can they do with it anyway?"

    Everyone agrees that a credit card number or bank account number is not something you should share (even Jeremy Clarkson eventually). But what can people do with my name and address, social security number or date of birth?

    Personal data can be used for identity theft - impersonating someone by using as much as you know about that person to get financial or other benefit in that person's name. For example you could go to a bank and request - and receive - a new credit card in the name of the person you are impersonating, with the bills of course being sent to the original person.

    How do criminals get their hands on your data? Everybody knows about skimming - a technique where a debit or credit card gets copied by attaching a small device onto an ATM machine. Another well known technique is to steal files from people's computers, by hacking them or by installing viruses or Trojan horses. And of course there is social hacking, asking seemingly harmless questions to a person online or in person, and using that information to build a complete profile.

    And criminals move with the times. A BBC team exposed, in a proof of concept, how easy it is to socially hack Facebook and harvest information on other users, including names, passwords and other information.

    How do criminals use this data? It seems that data thieves set up data supermarkets to sell stolen personal data to whomever might be interested. Yes, you can get a working credit card number for a few euro, or even buy complete corporate log files (containing names and passwords, server locations, numbers and confidential information) for as little as 200 euro. When closed down, they just reopen on another location.

    Stuff to think about. Perhaps you will consider this the next time before revealing some of your personal data to anyone.

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Private Persons Personal Data Organisations Data Theft Internet IT

  • The fine print

    Saturday, March 01, 2008

    TelecommunicationsFinally something is happening in the Belgian Data Protection World.

    OIVO, the research and information centre of the consumer organisations in Belgium, has filed a complaint against the Belgacom group to the Privacy Commission and the Federal Ministry of Economics.

    OIVO states that the privacy notification on the invoices sent out by Belgacom clause is a violation of the Data Protection law. This notification states that 'customer data is stored in databases of the Belgacom group (Belgacom nv, Belgacom Mobile, Telindus, Skynet) and can be used by any member of that group for customer management and to send commercial information'. It also states that if a customer does not want to receive such commercial information, it should contact customer service.

    This violates the data protection law on several points
    1. Belgacom has not given the customer the option to opt-in to commercial information.
    2. Belgacom does not mention how to contact customer service (address, email, phone number) and that this would be free of charge.
    3. Belgacom does not inform exactly what will be done with the personal data.
    Belgacom is surprised at the complaint from OIVO and state that they comply with the law by providing the opt-out option. A letter was sent to every Belgacom customer to launch the new free 0800 customer service number, which was sufficient information as already 13.592 people have called and noted that they do not want to receive personal data. They also note that OIVO's approach is not elegant and that they should have contacted Belgacom directly first.

    Of course OIVO's point of view is correct, and I am not surprised by Belgacom's reaction, as it is one of the most heard excuses used by companies and organisations. Even though Belgacom is making an effort to implement the data protection law, it needs to go the extra mile and do it exactly right.

    Read the Full Story

    Posted by: Lee & White Consultants

    Category:

    Tags Personal Data Organisations IT

  2. 1
  3. 2
  4. Next page

Archive

  • 2010
    • September 2010
    • June 2010
    • May 2010
    • April 2010
    • February 2010
  • 2009
    • October 2009
    • August 2009
    • June 2009
    • April 2009
  • 2008
    • November 2008
    • October 2008
    • August 2008
    • July 2008
    • June 2008
    • May 2008
    • April 2008
    • March 2008
    • February 2008
    • January 2008
  • 2007
    • December 2007
    • November 2007


Tags

Display as : cloud | list

  • Best Practices (3)
  • Data Handling Manual (3)
  • Data Theft (2)
  • FSA (1)
  • Government (6)
  • Human Rights (3)
  • Internet (11)
  • IT (14)
  • Organisations (25)
  • Personal Data (30)
  • Private Persons (19)
  • Spam (3)

RSS Feed

RSS Feed   RSS Feed
 

Copyright © 2003-2010 Lee & White Consultants®. All rights reserved.

Legal Notice  -  Privacy Policy  -  Contact