Next Generation Data Protection Laws

2009-03-22T00:22:00.004Z

Right now, even if you live in a European country (so compared with many other countries, you benefit from above-average data protection legislation), in reality you have very little control over what companies actually do with your data.

Once companies have your data, in most cases they control:

why your data is used? for what purposes?

how your data is used? what is it linked to? how is it processed? how is it presented?

whether it is backed up? when it is deleted i.e how long they keep it ?

which fields they change?

who can access it internally? which departments/roles/individuals?

who they share it with externally? which companies? which government departments?

where it is stored? where they share it? which countries it is exported to?#

what level of protection is applied?

what level of auditing is done?

The current state of affairs is clearly not good for individuals/consumers ... but I happen to think it is not good for business either...

If individuals have no control over what happens to their data then it is difficult for them to trust the companies they are dealing with. If they don't trust who they are dealing with then they probably do less business with them than they would do if trust was there.

What I am proposing in this blog is that far-sighted companies who want to build maximum levels of trust with their customers (thereby positioning the company to sell a broader range of products and services to their customers) will start to provide their customers with more control over what happens to their personal data.

In these days of customer-self service where most customers already know how to 'point and click' on a web page to create and update their own profiles, it would not take much effort to provide customers with better fine-grained controls over what happens to their data.

How about these for features that every self-respecting company should in future want to include in their 'update profile' customer web pages:

table listing trading partners including checkboxes that allow the customer to choose which partners their data may/may not be shared with

table listing countries including checkboxes that allow the customer to choose which countries their data may/may not be exported to

a drop-down list for how long the customer allows the data to be retained without asking again?

Please comment if you have any view(s) on this....

Identifying Phone Callers

2009-03-21T22:27:00.000Z

Why is it that companies think it's OK to call their customers and ask customers for their ID, but they don't have any way to prove their ID?

Isn't it just asking for trouble if companies 'train' their customers to give out their ID to unidentified callers?

Wouldn't it be so easy for companies making outbound calls to let their potential customers ask them safe confidence building questions first, like what's the first digit and the fifth digit of my account number?

Even if such minor details were occasionally disclosed to someone who wasn't actually their customer, the data would not be useful to any wrong-doer, and the benefits of all customers not giving out sensitive data to random callers would far exceed any risks.

I'm very interested to know what other people think about this idea. Please comment...

Information Security Futures

Next Generation Data Protection Laws

Identifying Phone Callers