
Where ignorance leads – the dangers of ‘do-it-yourself’ privacy compliance

Back in 1989, my mother in law got a bit of a shock when she went to open the dishwasher one morning. In fact, it was quite a big shock because her transit across the kitchen was accompanied by a large bang and the distinct smell of burning. This was in the days before you needed someone qualified to do electrical work in the home and get a certificate to prove it, and the builder’s ‘mate’ had managed to mix electricity and water in a potentially fatal combination. While for those who are handy around the house, the advent of this paperwork has been a cause for complaint, it has discouraged many a keen amateur from having a go.

While errors in data protection are unlikely to have such dire consequences, diving into new technologies without a full understanding of their complexities really should be avoided. Creating anything with the purpose of disclosing information is not something to be approached with reckless abandon – as the UK Conservative Party found out to their cost last week. While much scorn has been poured on the head of Party Chairman Brandon Lewis about the security breach which led to the personal details of Ministers, MPs and party members being made public, it is highly unlikely that he played any part in specifying the app concerned other than saying yes to the ‘we need a conference app’ question.

It isn’t the first time that the security of an event app, or the lack of it, has led to the unintentional disclosure of attendees’ data, but it is the first time anyone has, to my knowledge, ‘fessed up. The education of data subjects with respect to their rights meant that there were far too many potential whistleblowers involved to be able to keep the whole thing under wraps, and it wasn’t long before the BBC had hold of the story and the Tories were off to make friends with the Information Commissioner’s Office.

The Australian company which developed the app, CrowdComms, have issued a statement where they claim that they will be “reviewing and amending our Data Policies”. Not a moment too soon because they really do need to change the information on their CrowdComms & the GDPR page where they talk happily about Alice and how her data is affected by the legislation, and the bit about security where they say:

“CrowdComms is conforming to all of the GDPR security requirements. We take security seriously. We have a regular review process to ensure that our data security processes and policies are up to date and conform with the latest security protocols.”

There’s nothing worse than when your actions speak far louder than your words.

Companies like CrowdComms do need to be brought to account when bad things happen, but the bigger issue at play here is the responsibility of the event organiser. They specified and purchased a product that was not fit for purpose. Perhaps they were beguiled by the fact that the app in question was awarded Best Event App 2016, and price undoubtedly played a key role in the decision. It is unlikely that there was an individual on the team with the knowledge and expertise to do any real due diligence on the security features or data protection risks. Frankly, any system which enables anyone to access someone’s personal data simply by being in possession of an email address should never have got past the pitch stage.

Organisations that use and proliferate products with poor data security and integrity are enablers that are stifling the best efforts of DPOs, compliance and governance officers working hard to give data proper respect. They can expect to find little sympathy, either for the reputational difficulties they find themselves in or for any subsequent penalties dished out by the regulator.