Introducing the Who, What, Where, When, How

I was talking to someone about data. Okay, no I wasn’t, who actually has a conversation about data?

“How’s your data, Jeff?”
“It’s lovely this time of year. And yours?”
“Wonderful, we’re expecting another in August.”

We were actually just chewing the fat over a coffee and complaining about life, as you do. In the general yak about work (both of us have something to do with computers), Jeff mentioned that he doesn’t have to care too much about rules and regulations. He doesn’t ignore them; he just thought he was fine, as he paid for it to be somebody else’s problem. Jeff has an online store that sells products and thought he was covered in regards to compliance. So, we did eventually get around to talking about data.

How we got there was that I mentioned the changes between the UK and EU versions of the GDPR. It is an area I discuss here a lot, and something that interests me. Jeff(1) said something like this:

“We’re fine. I think we are mostly compliant, the site is stored in a safe place and we use a 3rd party for orders and credit cards”

So I said:

“Oh right, so the whole customer management and store are a reputable service? Do they process and control the data, or just act as processors?”

Now I wasn’t prying that much,(2) but I was genuinely curious about their setup, and I will briefly describe it here:(4)

  • They own a website built on a custom, well-supported shop framework which is also a CMS of sorts.(5)
  • The database and store for the shop are plugins from an organisation that also provides store/shop services. Crucially, the products are local to the shop framework database stored with the website, as are the customer details for the shop login, sales history and product delivery.(6)
  • The customer account profile is local to the shop and part of the website database.
  • The customer credit details are stored by the 3rd party credit provider, and the website/shop has no records of any credit transactions beyond product details and confirmation of payments.

All of that is fine and a familiar setup to millions of online retailers. In fact the system they use has clear rules about what they store and how, and it provides tools for such things as consent and cookie compliance. However, crucially, the provider of the online marketplace/store specifically states that they are only a “data processor” and not the “data controller” (the controller is Jeff), and the next part of the story involves what the processor doesn’t provide and where Jeff realised he was more liable than he imagined. In fact I am going to use Jeff as an example over a couple of articles.(7)

Jeff’s staff, of which there are five, all have access to the database in the shop to do their work. I asked Jeff whether he knew which devices were used to access the data, when the data was accessed, and what security was on each device. I also asked whether they used simple measures such as two-factor authentication everywhere. Crucially, I asked whether they logged who had access, when they had access, and what they had access to.

Jeff didn’t know. These are very basic pieces of information. In regards to security, and in the case of a potential breach, knowing who, what, where, when and how are the very first things you will need to address. Now for Jeff, it was a simple plan I gave him to start with. Find out and know these basic things:

  • Who has access to what?
  • Where do they have access (devices and locations)?
  • What security is used?
  • When do they have access?
  • What did they access?

Jeff had a starting plan: find out and write down the answers to those five questions, and implement a form of logging of access. Normally the logging would be quite simple and easy to manage, but Jeff had a few complications that we are going to discuss in this little series.
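To make the plan concrete, here is an added example (my illustration, not anything from Jeff’s shop framework or any real product) of what that “form of logging of access” can look like in practice: one log record per access that carries the five answers (who, where, how they authenticated, when, what), and small report functions that answer each of the five questions from the log. The tab-separated line format, the field names and the sample log lines are all assumptions constructed for this example.

```python
"""Added example: an access log that answers who / where / what security /
when / what for access to shop data. Format, names and data are constructed
for illustration only."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    """One record of somebody touching shop data. The fields map onto the
    five questions: who, where (device and location), what security (how),
    when, and what was accessed (plus the action taken)."""
    who: str          # staff account, e.g. "alice"
    where: str        # device identifier and location, e.g. "laptop-03@office"
    how: str          # authentication used for the session, e.g. "password+2fa"
    when: datetime    # timestamp, always normalised to UTC
    what: str         # record or table touched, e.g. "customers/1042"
    action: str       # read, update, export, delete


def parse_line(line: str) -> AccessEvent:
    """Parse one tab-separated line in the assumed format:
    who<TAB>where<TAB>how<TAB>when(ISO 8601)<TAB>action<TAB>what"""
    who, where, how, when, action, what = line.rstrip("\n").split("\t")
    return AccessEvent(
        who=who, where=where, how=how,
        when=datetime.fromisoformat(when).astimezone(timezone.utc),
        what=what, action=action,
    )


# Constructed sample log lines (not real staff, devices or customers).
SAMPLE_LOG_LINES = [
    "alice\tlaptop-03@office\tpassword+2fa\t2024-05-01T09:12:00+00:00\tread\tcustomers/1042",
    "bob\tphone-01@home\tpassword\t2024-05-01T22:40:00+00:00\texport\tcustomers/*",
    "alice\tlaptop-03@office\tpassword+2fa\t2024-05-02T10:05:00+00:00\tupdate\torders/7781",
    "carol\tdesktop-02@office\tpassword+2fa\t2024-05-02T11:30:00+00:00\tread\tproducts/*",
    "bob\tphone-01@home\tpassword\t2024-05-03T08:15:00+00:00\tread\tcustomers/1042",
]


def load_log(lines):
    return [parse_line(line) for line in lines]


def who_has_access_to_what(log):
    """Question 1: who has access to what? Account -> set of records touched."""
    out = defaultdict(set)
    for ev in log:
        out[ev.who].add(ev.what)
    return dict(out)


def where_they_access_from(log):
    """Question 2: where do they have access? Account -> devices/locations."""
    out = defaultdict(set)
    for ev in log:
        out[ev.who].add(ev.where)
    return dict(out)


def sessions_without_2fa(log):
    """Question 3: what security is used? Events where the session was not
    protected by 2FA, i.e. exactly the gap to close when rolling it out."""
    return [ev for ev in log if "2fa" not in ev.how]


def accesses_between(log, start: datetime, end: datetime):
    """Question 4: when do they have access? Events in [start, end)."""
    return [ev for ev in log if start <= ev.when < end]


def _touches(what: str, record: str) -> bool:
    """A bulk access such as 'customers/*' covers every record under that
    prefix, so an export of the whole table counts as touching one customer."""
    if what == record:
        return True
    return what.endswith("/*") and record.startswith(what[:-1])


def history_for_record(log, record: str):
    """Question 5: what did they access? Everyone who touched one record, in
    time order. This is the first list needed when a breach is suspected."""
    return sorted((ev for ev in log if _touches(ev.what, record)), key=lambda e: e.when)


if __name__ == "__main__":
    log = load_log(SAMPLE_LOG_LINES)
    print("who -> what:", who_has_access_to_what(log))
    print("no 2FA:", [(e.who, e.where, e.action, e.what) for e in sessions_without_2fa(log)])
    print("customers/1042:", [(e.who, e.action, e.when.isoformat())
                              for e in history_for_record(log, "customers/1042")])
```

Run as a script it prints the three reports over the sample lines; the point of the design is that each of Jeff’s five questions is answered by a single pass over the same log, and the wildcard handling in `_touches` makes sure a whole-table export is not missed when asking who has seen one customer’s record.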

We continued the talk and I will tell you next what we said about data flow especially when we discovered Jeff almost has ‘special category data’.

(1) No, their name is not Jeff, but I don’t want to name them in an anecdote about data and data protection. It’s also why I am being vague about their business.
(2) Honestly. Alright I was, but I do consultancy and have a focus/passion/obsession with data protection and security. Sue me.(3)
(3) Don’t sue me, I have no money.
(4) This is because it helps me illustrate the first point in this series, obviously.
(5) More on that in a later article.
(6) But comms is a little bit more involved.
(7) Poor old Jeff, who isn’t really Jeff and is an amalgam of more than one conversation, friend and use case.
