NCC Group plc

04/18/2024 | Press release | Distributed by Public on 04/18/2024 02:16

6 years on from GDPR deadline: Unravelling the Value and Risks of Personal Data in the Age of Privacy Enhancing Technologies

Next month marks the sixth anniversary of the General Data Protection Regulation (GDPR) becoming applicable across the European Union (EU) on 25 May 2018.

With its strict breach-notification requirements, its expectation that security controls reflect the "state of the art", and headline-grabbing fines that raised the cost of not implementing those controls, data privacy has moved steadily up the agenda of organisations that store and process personal data. The regulation has become a model followed by regulators worldwide.

Threat Intelligence

Personal data, whether categorised as Personally Identifiable Information (PII) in the US or under the broader definition used by EU data protection law, is a prized asset for a range of threat actors. Beyond simply stealing it, cyber criminals use personal information in several ways:

  • Fraudulent Activities: Cyber criminals use personal data to take over online accounts, including those tied to banks and utility providers, and to carry out fraudulent transactions with stolen details.
  • Impersonation: Armed with details gathered from online sources, criminals impersonate individuals. Account takeover and identity cloning are common techniques for defeating identity checks and gaining unauthorised access to systems.
  • Extortion Opportunities: Organisations that hold sensitive data become targets for extortion. Ransomware groups breach networks, steal data and threaten to publish it, driving incident response costs, regulatory fines and reputational harm.

Sensitive data exposure is a real risk for organisations. Monitoring what data about a business and its people is available online is a vital and often overlooked part of a cyber security programme: an organisation cannot judge its exposure to the attacks above without an accurate picture of what an attacker can already find.

Research

Privacy Enhancing Technologies (PETs) are an active area of research in the privacy community, with conferences and research groups dedicated to the topic. Technologies such as differential privacy, homomorphic encryption and zero knowledge proofs can preserve privacy while still giving data processors useful results. They are not a silver bullet: a sound design can still be undermined by an implementation that mis-calibrates noise, leaks through side channels or quietly exceeds its privacy budget, so assurance is required for both the design and the implementation. The techniques for assessing them are still in their infancy; NIST, for example, has only recently published draft guidelines for evaluating differential privacy guarantees. This is despite GDPR requiring consideration of the "state of the art", leaving organisations caught between the desire to make the most of the data they store and the need to be sure that the privacy enhancing technologies they use are fit for purpose.
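As an added illustration of why implementation assurance matters for differential privacy (this is example code written for this page, not NCC Group's tooling or any NIST artefact), the block below implements the Laplace mechanism for a count and a sum query and then checks the one parameter that implementations most often get wrong: the query's sensitivity. The dataset, the clipping bound AGE_CAP and the epsilon value are constructed assumptions. Noise calibrated for a count (sensitivity 1) but applied to an unclipped sum turns a claimed epsilon of 0.5 into an effective epsilon of 60, which is no meaningful guarantee at all.

```python
"""Laplace mechanism for differential privacy, plus a sensitivity check.

Added example for this page; dataset, queries and parameters are constructed.
"""
import math
import random

# Constructed sample data: one record per person, age in years.
# 120 is a plausible data-entry error that an unclipped query would amplify.
RECORDS = [34, 29, 51, 47, 63, 120, 38, 42]

AGE_CAP = 100  # clipping bound chosen by the analyst (assumption)


def count_query(records):
    return len(records)


def clipped_sum_query(records, cap=AGE_CAP):
    # Clipping bounds each record's contribution, so the sensitivity is `cap`.
    return sum(min(max(r, 0), cap) for r in records)


def unbounded_sum_query(records):
    # No clipping: a single record can move the result by an arbitrary amount.
    return sum(records)


def empirical_sensitivity(query, records):
    """Largest change in the query's output from removing any one record.

    This measures L1 sensitivity (remove-one neighbours) on this dataset only.
    It is a lower bound on the worst case the DP proof needs, so a large value
    is a sure sign of trouble while a small one is not a proof of safety.
    """
    base = query(records)
    return max(abs(base - query(records[:i] + records[i + 1:]))
               for i in range(len(records)))


def laplace_sample(scale, rng):
    """Laplace(0, scale) via inverse-CDF sampling."""
    while True:
        u = rng.random() - 0.5
        if abs(u) < 0.5:  # avoid log(0) at the open endpoint
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_release(true_value, sensitivity, epsilon, rng):
    """Laplace mechanism: returns true_value + Laplace(sensitivity / epsilon).

    Gives epsilon-DP only if `sensitivity` really bounds the worst-case change
    of the query between neighbouring datasets.
    """
    if sensitivity <= 0 or epsilon <= 0:
        raise ValueError("sensitivity and epsilon must be positive")
    return true_value + laplace_sample(sensitivity / epsilon, rng)


def effective_epsilon(claimed_epsilon, claimed_sensitivity, true_sensitivity):
    """Privacy loss actually incurred when noise was calibrated to the wrong sensitivity."""
    return claimed_epsilon * true_sensitivity / claimed_sensitivity


def demo():
    rng = random.Random(2024)
    eps = 0.5
    s_count = empirical_sensitivity(count_query, RECORDS)        # 1
    s_clip = empirical_sensitivity(clipped_sum_query, RECORDS)   # 100
    s_raw = empirical_sensitivity(unbounded_sum_query, RECORDS)  # 120
    print("noisy count:", round(dp_release(count_query(RECORDS), s_count, eps, rng), 2))
    print("noisy clipped sum:", round(dp_release(clipped_sum_query(RECORDS), s_clip, eps, rng), 2))
    # Defect: releasing the unclipped sum with noise calibrated as if it were a count.
    print("effective epsilon of mis-calibrated sum:", effective_epsilon(eps, 1, s_raw))
    return s_count, s_clip, s_raw


if __name__ == "__main__":
    demo()
```

The check is deliberately simple: it measures sensitivity on the data at hand rather than proving a bound, which is enough to catch a mis-calibrated release in review but is not a substitute for the worst-case analysis a proof requires. A production assessment would also look at floating-point noise generation and at how many releases share one privacy budget.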

We have published several pieces of privacy-related research under the banner of public interest technology, including "Solitude: A Privacy Analysis Tool", which "enables you to conduct your own privacy investigations into where your private data goes once it leaves your web browser or mobile device", and "Assessing the security and privacy of vaccine passports", which explored the threats to vaccine passports from a privacy perspective during the COVID-19 pandemic. Our cryptography services team has also published a number of blogs over the past few years on zero knowledge proofs as used in confidential payments and blockchain applications.

In March we also released a public report on the Google Privacy Sandbox Aggregation Service and Coordinator. The engagement was a comprehensive security review of these components of Google's Privacy Sandbox initiative, which uses technologies such as differential privacy to improve the privacy of internet users.

Market Trends & Outlook

Some data privacy highlights from recent weeks include:

  • The European Data Protection Supervisor determined that the European Commission's use of Microsoft 365 breached 'several key data protection rules', prompting other organisations to question their own state of compliance.
  • In the US, the House of Representatives unanimously passed a bill banning data brokers from selling sensitive data about US citizens to countries it deems 'foreign adversaries', continuing the trend of 'protecting the borders' where data is concerned.
  • In the UK, the Information Commissioner's Office (ICO) has updated its guidance on the circumstances and calculations behind fines for infringements of data protection law, with the aim of bringing transparency and consistency to amounts that have been notoriously variable.

Data Privacy Capability Update

2024 is shaping up to be an interesting year for privacy, with the upcoming Data Protection and Digital Information Bill (DPDI) likely to shake things up further. The DPDI will amend the Data Protection Act 2018 and UK GDPR, reducing cookie consent pop-ups, tackling nuisance calls and removing the requirement for organisations to appoint a Data Protection Officer (DPO). Additionally, the EU AI Act, Digital Services Act (DSA) and Digital Markets Act (DMA) are likely to bring new obligations, particularly around personal data on social media platforms and third-party cookies.

Privacy clients have identified their main concerns for the coming year as the use of AI and how cookies will be treated. Alongside these, we will be looking at the new regulation being implemented and how it affects our clients, not just in the UK but globally. We will also be following the growing market for, and use of, Privacy Enhancing Technologies (PETs), which reduce the personal data being processed through techniques such as anonymisation and give individuals more control over their own data.

Clients' concerns around AI stem largely from the rapid advances in its use, which they perceive as a risk without being clear what that risk actually is: how the personal data they process could be exposed to threat actors using AI, and which controls they should consider implementing to reduce the risk. Many clients are also concerned about how to know what their supply chain is doing when AI products and services are used on their behalf.

We will also continue focusing on the basics of privacy, noting that the ICO reports 52% of breach notifications are the result of emails being sent to the wrong address. Training and awareness therefore remain key for our clients.