
I predict a data shock

August 10, 2023 · 6 min read

Yes. I predict a personal data shock.

I don't know when it will happen and I don't know what will cause it.

Yet it will happen. It is inevitable.

The warning signs are there. Our collective attitude to the capture and use of personal data just isn't mature enough to protect each other.

The use of personal data is being built on loose and weak foundations. Which means it is all going to come crashing down. It will crash because people will lose trust. They will lose confidence that their information can be used properly - and so their lives, livelihoods, families, hopes, aspirations and safety will all be called into question.

Trust will be hard to give and harder still to create. Without trust, there is no exchange of data and the value of each and every data transaction is lost. Or at the very least diminished.

We will recover, of course we will. However the damage will take out businesses, jobs, tax revenues and perhaps a few political careers.

What will happen

With the high profile data breach events happening in the UK this week you might think we are already living in a world where a data shock is imminent. It's not. At least, not yet.

However the fact remains that these three data breaches all coming to light at the same time illustrate the difficulties we all face.

There is a breach of the Electoral Register in the UK which involves the records of some 40 million people. It looks as though a "bad actor" in the form of a rogue state might be behind it.

This looked quite bad until the Police Service of Northern Ireland (PSNI) trumped it by releasing information about their 10,000 employees in a Freedom of Information response. This data ended up on the internet until it was removed. I don't know how much you know about the security situation in Northern Ireland but the potential consequences for those involved are significant. "Fear and alarm" doesn't even begin to describe how they must be feeling about the heightened risk they now face.

Then we have child adoption records being published by a genealogy website in Scotland. Children's data is particularly sensitive so it seems to be a mystery how these records found their way out of the National Records of Scotland and into this website. The consequences for the thousands involved are serious and potentially life-changing.

It is the combination of types of incident which is the indicator here. A mixture of inattentive and compromised security, poorly designed and badly managed systems and an absence of personal awareness and responsibility. They all combine to chip away at our confidence that our personal data will be used properly and our privacy respected.

Currently this is an undercurrent of erosion. Most of us are only aware of it when it hits the news headlines - as it did this week. However the stories disappear from the headlines just as quickly, so for those of us not directly involved the lessons, meanings, implications and outcomes of the stories are lost. Yet the erosion carries on, unseen.

Until one day another combination of incidents gathers and the erosion suddenly accelerates. This time in a way we can't contain using the meagre systems, policies and procedures currently in place. And the trail of destruction which will lead to the data shock will begin.

What will cause a data shock?

I don't know. Which is one reason I'm writing this blog post. It would be useful to start a conversation about how a data shock could happen - what needs to happen to undermine confidence in the movement of personal data. Remember, it is the movement of data which creates the value it contains. If personal data isn't moving, the value is not being realised by anyone.

A crisis in the banking system might cause it. However I don't think the data shock will be caused by one type of incident. I think there will need to be a combination of several types of incident happening at the same time. As we know from our experience this week - that can happen.

It could be that a data shock will be the result of all the data currently being collected. This volume of data is growing exponentially. We have the "Internet of Things" (IoT), collecting data from all sorts of places, for example smart speakers, televisions, door locks, refrigerators and cars. We have cloud computing where organisations collect, process and store data on computers they don't actually own. Then we have Application Programming Interfaces (APIs) which enable the easy and fast distribution and sharing of data between systems.

Your behaviour is tracked and recorded like never before. Marketing people want to personalise your customer or user experience but it all could tip quite easily into surveillance. If it hasn't already.

The root cause of the data shock will be inadequate data governance.

  • Bad regulations;

  • Weak regulators;

  • Careless data controllers;

  • Selfish data processors;

  • Low expectations of privacy from the individuals who the data is about. Or simple greed.

Put all that together with a few incidents affecting the livelihoods of a few million citizens and it starts to cascade over whatever defences have been put in place.

This combination would cause a run on supplies of trust in data processing. People will withdraw their personal data from marketing, banking and healthcare systems, to name just three as an example.

And so the data shock would begin.

Diminished trust - less data being shared - the value of personal data lost.

The symptoms

We are living through some of the symptoms now.

We have people who sell the technology on which personal data will be collected and processed waxing lyrical about all the benefits which can be gained. Yet none of them ever talk about data governance. Go and look. Take the governance information in the shape of a privacy policy as just one example - it will be useless.

  • Evidence of increasingly active and capable "bad actors", from rogue states through organised crime to snotty kids sitting in their bedrooms hacking for fun. The threat is ever present.

  • The absence of respect for privacy and data protection rights.

  • Glib statements and sweeping generalisations about privacy. "We take your privacy very seriously".

  • Clearly inadequate systems, training and management, all done in the name of "compliance" and backside covering, but little else.

What you can do about it

If you are responsible for a business or organisation, go and look at what is actually happening when you collect and use personal data. Go and read the information you publish for the individuals who use your services and buy your products. See if you can understand it.

As an individual, expect more. Ask more questions. Be more vigilant.

You may not be able to prevent a data shock, but you might be able to minimise the effect it would have on your life.


Allan Simpson

Privacy management blogger
