Who is responsible for keeping my data secure?

As part of our Generation Cyber campaign, we analysed individual responses to the question: who is responsible for keeping personal data safe online?

The results were mixed – the majority (62%) of respondents selected ‘myself’. Meanwhile, 43% selected ‘owners of websites or apps’, 20% said ‘my internet service provider’, and 18% said ‘regulators’. 40% highlighted that all of the above – as well as cyber security companies – should play a part in keeping their data secure online.

But who is ultimately responsible for keeping personal data safe? And, wherever there is a shared responsibility, what impact could this have on the investigation and remediation of any security issues?

We explored these topics and more with our head of public affairs, Kat Sommer.

Who is ultimately responsible for keeping personal data safe and secure online?

“It’s a mixture of individual and corporate responsibility. For example, I am responsible for the information I make public about myself, the pictures I post on Instagram, the rants I go on, on Twitter, the insightful comments I make about my work on LinkedIn. Ultimately, it’s possible to build up a more complete picture from these snippets than I perhaps considered when posting across these platforms. So I should be educated, or educate myself, and take informed decisions.

“However, when I put more sensitive information into an online form – such as my medical history and bank account details – I have a right to expect that whoever I entrust that data to will do their utmost to keep it safe and secure.

“There is a difference between making a choice to share data online – which is predominantly an individual one, that should consider wider implications and risks - and the need to protect that data once it is shared. This should be a corporate responsibility, which is recognised to an extent in data protection legislation. It’s a careful balance but one that is important to get right.”

How does data protection legislation differ around the world?

“The European Union, through GDPR, has been successful in setting a high standard for what data protection regimes look like in the ‘Western’ world. However, the secure transfer of data between countries is a widely discussed topic – in the summer, the European Court of Justice Schrems II decisionleft businesses uncertain about how to transfer data between Europe and the US in a compliant way.

“Data protection regulation differs around the world, and one of the main differentiators is how legislation embodies societal expectations. For example, GDPR enshrines certain principles because the population as a whole takes a view that companies should be accountable for what they do with people’s personal data. However, this is not the only view – in other jurisdictions, there can be a more implicit view that companies’ ability to use data is a form of payment for a service that’s provided, or where there is culturally less concern about privacy.”

What do you think data protection legislation will look like in the future? How do you think it will need to evolve?

“In the future, there may be greater efforts to establish some sort of mechanism by which individuals can be remunerated for their data – an idea put forward by some political parties in the UK’s 2019 general election or by which a set value is defined for personal data. In this way, individuals get to share into the return on investment that’s created and benefit from whatever money companies make off the back of their data. One area of focus could be the availability of data, and whether large organisations should share data with competitors.

“There may also be increasing tension between data protection and innovation in cases where strict rules prohibit the use of data for specific purposes or between jurisdictions, particularly as the global technology arms race heats up. This issue is one of many being debated in the run-up to the US presidential election, following the launch of an initiative by Trump that aims to restrict US personal and business information from being stored in China.It’s a perceived wisdom that AI prospers in China because restrictions on how data can be collected, aggregated and used are less onerous. I’d expect future reviews to look at hard evidence of any such impact and make changes accordingly.”

What do you think needs to be done to help individuals feel more confident and secure online?

“The security industry, businesses and governments play a key role in educating, informing and supporting individuals to make the right choices. This can include organisations removing detrimental choices wherever possible – for example, the Secure by Design principle of not allowing universal passwords is one way that businesses can keep their customers secure.

“By reducing the number of choices an individual is responsible for, it becomes far easier for them to focus on the ways that they can keep their data secure, and really get to grips with these key measures.”