The General Data Protection Regulation is the toughest privacy and security law in the world and imposes obligations on organisations anywhere, if they target or collect data related to people in the EU.

In May 2018 GDPR began to apply. We discussed this topic with our expert, Mariana Max. She provided some important points from her experience in online cyber safety. Below are her thoughts.

Discussions about the protection offered by GDPR spirited everybody a long time before the regulations were instated: those who violate its privacy and security standards face penalties reaching into the tens of millions of euros.

For the last 5 years, everybody I know has approached the sensitive GDPR topic by always talking about “personal data” and how it was misused. Nobody, though, understands that GDPR offers protection and has raised awareness of big “exploiting” companies. There was no big campaign to educate the common user about what data is, what sensitive data is and how, in fact, this data is processed.

Everybody seems to acknowledge the GDPR, but when I tried to have a meaningful discussion about it I found out that there is no real meaning to their knowledge. On the “people” side little was done in regards to a certain GDPR literacy. On the “companies” side, especially at management level, the knowledge level is high – they need to know the rules in order to be able to avoid them… or to avoid any issues that might arise… Again, at the “people” level, there is little to no knowledge about it.

In my opinion, GDPR is a huge step to protect individuals, especially those who are not computer literate enough to interpret the “technico-legal” mumbo-jumbo of a Terms & Services agreement from a social platform, for example.

But then, there is still a need for individuals to understand what personal data is, why it’s important and to whom it’s important. I would call this kind of information “hacker sensitive data”. These strong words should make everybody aware of their digital identity and footprint.

GDPR figured out what the most important details about a person are under the “identifiers” terminology. The most common are the name, the identification number (like a social security number, for example) and location data. Other identifiers, like the ones concerning your online presence, will contain your IP address and cookie identifiers – the ones that could determine our personal preferences and choices.

Hackers are not quite interested in all the above as it means too little and it will take too long to monetize. More appealing for a hacker are those pieces of information that GDPR has no reference to. A hacker will always look to harvest data related to your personal life, often shared by yourself. That information will later be used to gain access to an account, bypassing the password via security questions. Your mother’s name or pet’s name, first school or the street name you grew up on – these are still the main security questions that will recover a bank account, for example. Remember the quiz storm from 10 years ago, when almost everybody was answering lots and lots of “innocent” questions just to be qualified as “elf”, “hacker” (LOL), “high IQ” (double LOL)? Nobody knows how the collected data was used, although it was in direct relation with the Facebook profile.

Some other time I will talk about the DNA harvesting by well-known organisations like “Heritage” or “ancestry”. A very nice marketing machine that made millions of people “find” their roots, emphasizing how important it is for somebody to know more about who he/she is, but not a word about creating the largest genetic/genealogical catalogue in the world. And this database was used by the police to solve some crimes that could not be sorted out otherwise.

Other information worth harvesting would be about your children and partner. Although this kind of information cannot be included in Personally Identifiable Information (as it belongs to somebody else), it’s important as it opens a lot of other doors: it is a known fact that most people will use such words and names to create passwords, for example. Even your car plate might give easy access to other, more significant information about you.

The most important point of the story above is to pinpoint the fact that all the information you share on the internet will be used, and it is used mostly against you, for so many things you are not able to control. Your social life should be as private as possible: don’t expose yourself and your loved ones for the sake of likes or a free product. I am not the first to say that “if a product is free, you are the product”. And this is the starting point of gathering “hacker sensitive data”.