Microsoft has also been a member of the eavesdropping gang – report

Microsoft contractors have been listening to Skype and Cortana conversations without the full knowledge and consent of the apps’ users, claims a report.

We were almost immediately proved wrong when we said Microsoft, in comparison with Apple, Google, and Amazon, “fortunately has not suffered high profile embarrassment” by its voice assistant Cortana. Motherboard, part of the media outlet Vice, reported that Microsoft contractors, some of them working from home, have been listening to some Skype calls using the app’s instant translation feature, as well as users’ interactions with Cortana.

Motherboard has acquired audio clips, screenshots and internal documents showing that Microsoft, just like its peers, has been employing humans to constantly improve the software algorithm and the quality and accuracy of the translations and responses. Also similar to the other leading tech companies that run voice assistants, Microsoft is ambiguous in its consumer communication, lax in its policy implementation, and does not give users a way to opt out.

“The fact that I can even share some of this with you shows how lax things are in terms of protecting user data,” the Microsoft contractor turned whistle-blower, who supplied the evidence and decided to remain anonymous, told Motherboard.

“Microsoft collects voice data to provide and improve voice-enabled services like search, voice commands, dictation or translation services,” Microsoft said in a statement sent to Motherboard. “We strive to be transparent about our collection and use of voice data to ensure customers can make informed choices about when and how their voice data is used. Microsoft gets customers’ permission before collecting and using their voice data.”

The “Skype Translator Privacy FAQ” states that “Voice conversations are only recorded when translation features are selected by a user.” It then goes on to guide users on how to turn off the translation feature. There is no way for a customer to use the translation service without having the conversation recorded. Nor does the official document say the recorded conversations may be listened to by another human.

Due to the “gig economy” nature of the job, some contractors work from home when undertaking the tasks to correct translations or improve Cortana’s response quality. This is also made obvious by Microsoft contractors’ job listings. However, the content they deal with can be sensitive, from conversations between people in an intimate relationship, to health status and home addresses, as well as query records on Cortana. “While I don’t know exactly what one could do with this information, it seems odd to me that it isn’t being handled in a more controlled environment,” the whistle-blower contractor told Motherboard.

The report does not specify where the eavesdropping they uncovered took place, but the line in the Microsoft statement that “We … require that vendors meet the high privacy standards set out in European law” can’t help but raise some suspicion that the practice could run afoul of GDPR, the European Union’s privacy protection regulation.

At the time of writing, Microsoft has not announced a suspension of the practice.

European court rules websites are equally responsible for some shared data

If you’ve got Facebook ‘like’ functionality on your website then you could be held responsible for any misuse of user data by the social media giant.

The Court of Justice of the European Union made this judgment as part of an ongoing action brought by a German consumer rights group called Verbraucherzentrale NRW against German clothing e-tailer Fashion ID. It turns out that merely having the ‘like’ button embedded on your site results in personal data being automatically transferred to Facebook for it to use in whatever way it chooses, without the consent or even knowledge of the exploited punter.

Sifting through the legalese it looks like the court has concluded that Fashion ID is responsible for the user data it passes on to Facebook since the only reason it embedded the button in the first place is the commercial benefit it gets from people sharing its stuff on social media. This, in turn, means it must be subject to certain data protection obligations such as at least telling visitors to its site what they’re letting themselves in for.

While the case itself is relatively niche and arcane, it could represent the thin end of the wedge when it comes to data protection and consumer rights online in general. The internet is awash with contraptions, such as cookies, designed to track your every move and feed that data into the cyber hive-mind, all the better to work out how best to entice you into spending cash on stuff you didn’t even know you wanted.

Having said that, it could be the case that, since Cambridge Analytica, the internet has already got the memo, as those ‘like’ buttons seem to be much less common than they were a few years ago. High profile fines for Facebook and violators of GDPR rules probably mean that website owners have become wary of just embedding any old third party rubbish onto their sites, and rulings such as this should serve as a warning not to slip back into bad habits.

ICO gets serious on British Airways over GDPR

The UK’s Information Commissioner’s Office has swung the sharp stick of GDPR at British Airways and it looks like the damage might be a £183.39 million fine.

With GDPR inked into the rule book in May last year, the first investigations under the new guidelines will be coming to a conclusion in the near future. There have been several judgments passed in the last couple of months, but this is one of the most significant in the UK to date.

What is worth noting is that this is not the final decision; this is an intention to fine £183.39 million. We do not imagine the final figure will differ too much, as the ICO will want to show it is serious, but BA will be given the opportunity to have its voice heard with regard to the amount.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham.

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The EU’s GDPR, General Data Protection Regulation, offers regulators the opportunity to fine guilty parties €20 million or as much as 3% of total revenues for the year the incident occurred. In this case, BA will be fined 1.5% of its total revenues for 2018, with the fine being reduced for several reasons.

In September 2018, user traffic was directed towards a fake British Airways site, with the nefarious actors harvesting the data of more than 500,000 customers. In this instance, BA informed the authorities of the breach within the defined window, co-operated during the investigation and made improvements to its security systems.

While many might have suggested the UK watchdog, or many regulators around the world for that matter, lack teeth when it comes to dealing with privacy violations, this ruling should put that preconception to rest. This is a weighty fine, which should force the BA management team to take security and privacy seriously; if there is one way to make executives listen, it’s to hit them in the pocket.

This should also be seen as a lesson for other businesses in the UK. Not only is the ICO brave enough to hand out fines for non-compliance, it is mature enough to reduce the fine should the affected organization play nice. £183.39 million is half of what was theoretically possible and should be seen as a win for BA.

Although this is a good start, we would like to see the ICO, and other regulatory bodies, set their sights on the worst offenders when it comes to data privacy. Companies like BA should be punished when they end up on the wrong side of right, but the likes of Facebook, Google and Amazon have gotten an easy ride so far. These are the companies which have the greatest influence when it comes to personal information, and the ones which need to be shown the rod.

This is one of the first heavy fines implemented in the era of GDPR and the difference is clear. Last November, Uber was fined £385,000 for a data breach which impacted 2.7 million customers and drivers in the UK. The incident occurred prior to the introduction of GDPR, the reason the punishment looks so measly compared to the BA fine here.

The next couple of months might be a busy time in the office of the ICO as more investigations conclude. We expect some heavy fines as the watchdog bares its teeth and forces companies back onto the straight and narrow when it comes to privacy and data protection.

HMD moves Nokia phone user data storage to Finland

HMD Global, the maker of Nokia-branded smartphones, announced that it is moving the storage of user data to Google Cloud servers located in Finland, to ease concerns about data security.

The phone maker announced the move in the context of its new partnership with CGI, a consulting firm that specialises in data collection and analytics, and Google Cloud, which will provide HMD Global with its machine learning technologies. The new models, Nokia 4.2, Nokia 3.2 and the Nokia 2.2, will be the first ones to have the user data stored in the Google Cloud servers in Hamina, southern Finland. Older models that will be eligible for upgrading to Android Q will move the storage to Finland at the upgrade, expected to take place from late 2019 to early 2020. HMD Global commits to two years’ OS upgrades and three years’ security upgrades to its products.

HMD Global claims the move will support its target to be the first Android OEM to bring OS updates to its users, and to improve its compliance with European security measures and legislation, including GDPR. “We want to remain open and transparent about how we collect and store device activation data and want to ensure people understand why and how it improves their phone experience,” said Juho Sarvikas, HMD Global’s Chief Product Officer. “This change aims to further reinforce our promise to our fans for a pure, secure and up to date Android, with an emphasis on security and privacy through our data servers in Finland.”

Sarvikas denied to the Finnish news outlet Ilta-Sanomat that the move was a direct response to privacy concerns triggered by the controversy earlier this year when Nokia-branded phones sold in Norway were sending activation data to servers in China. At that time HMD Global told Telecoms.com that user data of phones purchased outside of China is stored in AWS servers in Singapore, which, the company said, “follows very strict privacy laws.” However, according to GDPR, to take user data outside of the EU, the company would have had to obtain explicit consent from its EU-based users.

Sarvikas claimed that the latest decision to move storage to Finland has been a year in the making and is part of the company’s overall cloud service vendor swap from Amazon to Google. “Staying true to our Finnish heritage, we’ve decided to partner with CGI and Google Cloud platform for our growing data storage needs and increasing investment in our European home,” Sarvikas added in the press release.

Francisco Jeronimo, Associate VP at IDC, saw this move as a positive action by HMD Global, calling it a good move “to address concerns about data privacy” on Twitter.

UK consumers are resigned to poor data security, research finds

New EY research into the UK’s digital households found that over four in ten consumers believe their data will never be fully secure, despite recent regulatory changes including GDPR.

The consulting firm EY has published the security section of its annual survey of UK households about their digital lives. The good news is that the majority of consumers are aware of the new privacy and data protection regulations. Close to seven out of ten consumers know about GDPR and “what this means for how their data is stored, managed and used”. The bad news is that confidence in the effectiveness of the legal measures is low. Only 43% of consumers “believe that the changes resulting from GDPR will significantly improve the security of their personal data”. Worse still, an almost equal number of consumers (41%) have almost given up, thinking it “impossible to keep their personal data secure when using the internet or internet-enabled devices”.

When it comes to who to trust to keep personal data secure, broadband providers and utility companies came out on top, winning the trust of 28% and 21% of the households surveyed. At the other end, mobile app developers and social networks fared the worst, being trusted by only 2% and 3% of all households. Mobile operators and pay-TV providers also came closer to the bottom of the table than to the top.

EY digital household trust in data security 2019

EY thinks at least three lessons can be learned from the findings:

  1. Businesses should put trust at the heart of all the customer interactions;
  2. Businesses should communicate about security with purpose, clarity, and consistency;
  3. Businesses should ensure that their innovation agenda is built on an ethical data management system.

This report is part of the overall “Decoding the digital home” project and was based on a survey of 2,500 UK households.

Ambulance chasers are readying themselves for GDPR assault

While getting a firm ready for the introduction of GDPR was a frantic period, the last 12 months have been a relatively quiet period for the rules. However, that might all be about to change.

At the European Data Protection Summit in London, a few points were raised which should put the fear back into executives. It does appear the ‘sex appeal’ of data protection and privacy has been eroded, but just wait until the summer is over. It might well be dominating the headlines again.

There seem to be four developments bubbling away at the moment, each of which could have a significant impact on the data protection and privacy landscape: Brexit, the UK’s 2018 Data Protection Act and ambulance chasers.

Ditching PPI for GDPR

Although it is not necessarily the most flattering of terms, the ambulance chasers are readying themselves for an assault on the GDPR negligent.

The Financial Conduct Authority (FCA) has set a deadline of August 29 for consumers to complain about the sale of PPI products in the UK. This effectively means all the firms set up to manage the complaints on behalf of consumers will become redundant. Most will evolve, however; the legal world is simply too profitable, and GDPR seems a prime opportunity.

While it might not be the most common practice for the moment, there are certainly examples. Numerous law firms, Hayes Connor Solicitors for example, are already advertising their services for the British Airways data breach, impacting roughly 400,000 people. This is an on-going investigation, though the financial penalty for this breach could be as much as €918 million.

As more PPI lawyers find themselves at the mercy of free time, more will turn their attentions to new fields of expertise. Due to the headline-worthy nature of data breaches and privacy violations, as well as the potential consequences for the individual, this is an area which is primed for the legal buzz.

Big fines have been promised

So far, there is only one example of a Data Protection Authority (DPA) swinging the heavy stick of GDPR at a major firm. France’s watchdog fined Google €50 million for numerous offenses, and while there have been other significant breaches over the last few years, most occurred at a time prior to the heavy fines of GDPR.

“Serious fines are coming in the summer, including to some of the big companies,” said Paul Breitbarth, Director of Strategic Research and Regulator Outreach at Nymity. “The DPAs [Data Protection Authorities] are taking this very seriously and so should we.”

The Irish DPA is an example of one regulator taking control of the situation, and quite rightly so. Despite the fact its economy is heavily reliant on the internet giants, the Irish watchdog is Europe’s lead GDPR authority; it should be leading the charge.

In a recent PR defence plea, Commissioner for Data Protection Helen Dixon pointed out the authority has already opened 54 investigations, 19 of which were cross border. According to Breitbarth, we should expect some pretty heavy fines which will also bring data protection and privacy back into public debate.

One of the big challenges being faced by the industry is apathy from the general public and a lack of considered concern from executives. Enforcement of GDPR rules will not only highlight the potential risks to the general public, but also make data protection and privacy a priority for those running the firms.

Executives might want to ignore data protection and privacy, but one way to get their attention is to hit them in their wallets. Both the enforcement of GDPR and the emergence of ambulance chasers will ensure this is a topic of conversation in the board rooms.

New rules, new considerations

The 2018 Data Protection Act is something which has not really generated many headlines, but there is a monumental opportunity for headaches.

“It’s a bit of a minefield to go through,” said Ian Evans, MD of OneTrust.

The Data Protection Act is the UK’s own version of GDPR, required due to the fact we are divorcing the European Union, but it does actually go a lot further than the European rules. This is perhaps the worst-case scenario for those wanting to remain compliant, as it creates more work ensuring compliance with two different sets of rules.

New clauses have been introduced creating new grey areas when it comes to confidentiality agreements, while the approach in the immigration department has received criticism. Those who are seeking official residential status in the UK will not be able to force the government into providing insight into the data which has been collected, analysed and actioned. This is the first time a data moat has been embedded into law, and there are some people who are not happy about it.

One area which is very useful is the standardization of use cases. In four areas, the ICO will effectively produce standards to ensure companies can remain compliant. This is the first time an authority has taken such an approach, and we hope it will be replicated by other authorities. The first example, ‘Age-appropriate design’, will be released in the coming weeks.

The groans of Brexit

Brexit is a tricky topic to bring up. People either disagree with it, hate it or are bored of it, but the fact of the matter is, it is crucially important in numerous areas.

Brexit changes the status quo. The UK will no longer be in the European Union, fundamentally changing the relationship companies have with governments, customers and supply chains.

With the Brexit deadline fast approaching, and little concrete information being offered, the risk is running quite high. This will have to be a major factor in any company’s approach to data protection and privacy moving forward.

The risk of a boring conversation

“Everyone is saying they are trying more for data protection, but does anyone actually believe it,” said Ian West, COO of the GDPR Institut.

GDPR was critically important when it was introduced, and it remains critically important today. However, you have to question whether the organizations involved, or the general public, are actually taking it seriously. The last 12 months have seen GDPR fall down the agenda, though it will rise again.

Enforcement is key, and it is coming. GDPR investigations are painfully slow processes due to the vast amount of information and the complexities of the business models in the data-sharing economy. However, many investigations will be finalised over the next few months. With these final decisions come the fines.

This will propel data protection and privacy back into the public debate, and ensure the general public becomes more aware of the dangers of the digital world.

There is currently a risk of negligence, but soon enough data protection and privacy principles will form part of the buying decision-making process. The companies which take data protection and privacy seriously will become more appealing to customers, both consumer and enterprise.

Another factor to consider is recruitment. More graduates nowadays want to work for ethically sound organizations, and soon enough this definition will be expanded to include data protection and privacy principles.

GDPR is a topic which is not ‘sexy’ at the moment, but the next couple of months could ensure these conversations are firmly set back into the board room. The question is whether these will be fleeting, defensive discussions, or whether these executives will take the challenge seriously and create a culture which encourages data protection and privacy principles.

Irish data watchdog defends its GDPR actions

The Irish data protection regulator has unveiled a progress report on GDPR on the first anniversary of the rules, perhaps defending itself from a perception of inaction.

As Europe’s lead regulator for GDPR, the Data Protection Commission (DPC) is in an incredibly important position. It is supposed to lead the bloc into an era of increased privacy and data protection, though considering its economy is largely dependent on the very firms GDPR has been designed to punish, it is a tricky position.

Despite some suggesting GDPR is failing to live up to the promise of holding the technology giants accountable, the DPC has defended its positions, actions and ambitions.

“The GDPR is a strong new platform from which we can all demand and drive higher standards of protection of our personal information,” said Commissioner for Data Protection, Helen Dixon.

“As the national supervisory authority, the Data Protection Commission (DPC) is firmly committed to its role in public enforcement of the new law, while also working hard to provide guidance to sectors as they seek to comply with the new requirements.

“The DPC is grateful for the positive and energetic engagement with the GDPR that we have seen from all quarters, particularly from consumers and concerned persons who have raised queries about the processing of their personal data with the office.”

Looking at the numbers, 6,624 complaints have been received since the introduction of GDPR, while 5,818 valid data security breaches were notified. 54 investigations have been opened, 19 of which are cross-border investigations into multinational technology companies and their compliance with the GDPR. Last week, the DPC announced its most recent investigation into Google.

Interestingly enough, more than half of these investigations will see either Facebook, WhatsApp or Instagram as the focal point. The question which remains is whether the rules are having a material impact on data protection and privacy across the world.

According to the International Association of Privacy Professionals, more than 500,000 data protection officers have been appointed at firms across the world, while more than 200,000 instances of data breaches have been reported. However, the largest fine which has been levied at one of the internet giants is €50 million.

Back in January, French data watchdog CNIL fined Google €50 million for various different violations of GDPR. These violations included a lack of transparency, overly complicated wording and inaccessible information on how a user’s data is being collected, stored and processed. This might serve as a wake-up call for the ‘normal’ companies across the world, but it might not be considered a deterrent for the worst offenders, the tech giants who collect billions in profit each year by monetizing data.

As mentioned previously, the DPC is in a slightly precarious position. Ireland will want to protect the interests of the technology giants due to the role the industry plays in the country. The technology sector has largely been credited with saving Ireland from economic recession a decade ago, and now employs a significant number of individuals. The industry has also fuelled a rise in entrepreneurship, creating bright prospects as the world strides towards the digital economy.

Reading between the lines, this is perhaps the rationale behind today’s announcement from the DPC. It is working to uphold the promise of GDPR.

What is worth noting is that one year is not a lot of time. Investigations into complaints will take months on months, due to the number of companies involved, the collection of statements and all the relevant information, and the complex nature of data processing business models. The big data machine is incredibly complicated and understanding whether there have been any violations of rules is even more so; some clauses and sections create grey areas that can be exploited.

One year on, GDPR has clearly had an impact on the world, but whether this is enough of an impact to create a privacy-orientated digital society still remains to be seen.

Europe’s lead data watchdog opens Google GDPR investigation

Ireland’s data protection watchdog has kicked off a GDPR investigation into Google following a complaint from ad-free web browser Brave.

Although GDPR is approaching its first birthday, there is yet to be an example of the towering fines which were promised for non-compliance. Perhaps everyone is playing merrily by the rules, or it might be that they are very good at covering their tracks. Brave will be hoping to chalk up a victory over Google with this investigation however.

“The Irish Data Protection Commission’s action signals that now – nearly one year after the GDPR was introduced – a change is coming that goes beyond just Google,” said Johnny Ryan, Chief Policy Officer at Brave. “We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR.”

The complaint itself is directed at Google’s DoubleClick/Authorized Buyers advertising system. While giving evidence to the Data Protection Commission, Ryan has suggested the way in which data is processed through the system violates Article 5(1)(a), (b) and (f) of GDPR, as well as Section 110 of the Irish Data Protection Act.

DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites, allowing the search giant to track users as they scour the web. This information is then broadcast to more than 2,000 companies who bid on the traffic to deliver more targeted and personalised ads.

This information can potentially be incredibly personal. Google has various different categories which internet users are neatly filed into, including ‘eating disorders’, ‘left-wing politics’, ‘Judaism’ and ‘male impotence’. The companies bidding on this data will also have access to geo-location information and the type of device which the user is on.

Under Article 5 (1)(f) of the GDPR, companies are only permitted to process personal information if it is tightly controlled. Brave suggests Google has no control over the data once it is broadcast and is therefore violating GDPR.

With the Irish watchdog, Europe’s lead for GDPR, investigating the system in Ireland, similar complaints have been filed in the UK, Poland, Spain, Belgium, Luxembourg and the Netherlands. Should Google be found non-compliant, it would be forced to ditch the DoubleClick/Authorized Buyers advertising system and could face a fine of as much as 4% of annual turnover. Based on 2018 revenues, that figure would be $5.4 billion.

“For too long, the AdTech industry has operated without due regard for the protection of consumer data,” said Ravi Naik of ITN Solicitors, who will be representing Brave for the complaint. “We are pleased that the Data Protection Commissioner has taken action. The industry must change.”

GDPR is supposed to be a suitable deterrent for the internet economy, but without enforcement and demonstrable consequences little will change. If GDPR is to work as designed, a monstrous fine will have to be directed at someone sooner or later. Could this be the first domino to fall?

Microsoft starts ruffling privacy feathers in the US

This weekend will mark the one-year anniversary of Europe’s GDPR and Microsoft has made the bold suggestion of bringing the rules over the pond to the US.

Many US businesses would have been protected from the chaos that was the European Union’s General Data Protection Regulation (GDPR), with the rules only impacting those which operated in Europe. And while there are benefits to privacy and data protection rights for consumers, that will come as little compensation for those who had to protect themselves from the weighty fines attached to non-compliance.

Voicing what could turn out to be a very unpopular opinion, Microsoft has suggested the US should introduce its own version.

“A lot has happened on the global privacy front since GDPR went into force,” said Julie Brill, Deputy General Counsel at Microsoft. “Overall, companies that collect and process personal information for people living in the EU have adapted, putting new systems and processes in place to ensure that individuals understand what data is collected about them and can correct it if it is inaccurate and delete it or move it somewhere else if they choose.

“This has improved how companies handle their customers’ personal data. And it has inspired a global movement that has seen countries around the world adopt new privacy laws that are modelled on GDPR.

“Now it is time for Congress to take inspiration from the rest of the world and enact federal legislation that extends the privacy protections in GDPR to citizens in the United States.”

The rules themselves were first introduced in an attempt to force companies to be more responsible and transparent in how customer data is handled. The update reflected the new sharing economies the world had sleepwalked into; the new status quo had come under criticism and new protections had to be put in place, while also giving consumers more control over their personal data.

GDPR arrived with little fanfare after many businesses scurried around for the weeks prior despite having almost 18 months’ notice. And while these regulations were designed for the European market, such is the open nature of the internet, the impact was felt worldwide.

While this might sound negative, GDPR has proved to be an inspiration for numerous other countries and regions. Brazil, Japan, South Korea and India were just a few of the nations which saw the benefit of the rules, and now it appears there are calls for the same position to be adopted in the US.

As Brill points out in the blog post stating the Microsoft position, California has already made steps forward to create a more privacy-focused society. The California Consumer Privacy Act (CCPA) will go into effect on January 1 2020. Inspired by GDPR, the new law will provide California residents with the right to know what personal information is being collected on them, know whether it is being sold or monetized, say no to monetization and access all the data.

This is only one example, though there are numerous states around the US, primarily Democrat, which have similar pro-privacy attitudes to California. However, this is a law which stops short of the strictness of GDPR. Companies are not on the stopwatch to notify customers of a breach, as they are under GDPR, while the language around punishment for non-compliance is very vague.

This is perhaps the issue Microsoft will face in attempting to escalate such rules up to federal law; the only attempt which we have seen so far in the US is a diluted version of GDPR. Whereas GDPR is a sharp stick for the regulators to swing (a fine of 3% of annual turnover certainly encourages compliance), the Californian approach is more like a tickling feather; it might irritate a little bit.

At the moment, US privacy laws are nothing more than ripples in the technology pond. If GDPR-style rules were to be introduced in the US, the impact would be significant. GDPR has already shifted the privacy conversation and had notable impacts on the way businesses operate. Google, for example, has introduced an auto-delete function for users, while Facebook’s entire business rhetoric has become much more privacy focused. It is having a fundamental impact on the business.

We are not too sure whether Microsoft’s call is going to have any material impact on government thinking right now, but privacy laws in the US (and everywhere for that matter) are going to need to be brought up-to-date. With artificial intelligence, personalisation, big data, facial recognition and predictive analytics technologies all gaining traction, the role of personal data and privacy is going to become much more significant.

Security is a concern, especially as it can hit bank accounts now

New research from EY suggests British businesses are more concerned than ever about security. Funny that, considering there’s now a whopping fine to worry about.

Security is one of those areas which is constantly discussed but little is done to address it. Regardless of how many CEOs tell you it’s top of the agenda or how many statements start with the phrase ‘our customers’ security is our number one concern’, it’s an aspect of the technology world which has been swept aside. But not according to this research from EY.

“It’s not surprising that businesses are most concerned with the threat of cyberattacks,” said Adrian Baschnonga, Global Lead Telecommunications Analyst at EY. “The introduction of 5G will help organisations unlock new growth opportunities, but this transition comes at a time when fears regarding data breaches and network security are especially pronounced.”

While you always have to take statements like this with a pinch of salt, it might be right this time. Why? Because if you want to make executives care about something aside from their annual bonuses, you have to fight fire with fire.

Under the General Data Protection Regulation (GDPR) brought into play last May, any company which is found to have inadequately protected customer or employee data is subject to fines of 3% of annual turnover or €20 million. GDPR fines are proportionate to the risk posed by a breach, allowing flexibility for regulators to tackle the problem, but it certainly seems to have caught some attention.

According to professional services firm RPC, in the 12 months prior to September 30 2018 (the period in which GDPR was introduced) the Information Commissioner’s Office issued fines totalling just over £5 million, a 24% increase on the previous 12-month period. Considering the ICO only had a couple of months to swing the GDPR stick at offenders, it would be fair to assume the watchdog is fully embracing the new powers offered to it.

This also seems to have hit home with those investing in new technologies. 40% of respondents to EY’s survey are worried about 5G and cyberattacks, while 37% saw IoT as a risk. These numbers aren’t particularly high, but they are the biggest concerns.

Another factor to consider is the consumer. While many will have been blind to the risk of data breaches in bygone years, this does not seem to be the case anymore. Recent Lloyd’s research claims 44% of UK consumers believe there is a risk to personal safety in the sharing economy, perhaps indicating they would be hard-pressed to share data. If enterprise organizations are going to benefit from the data boom, they’ll have to convince customers that their personal information will be safe.

Whether this translates to appropriate security investments remains to be seen, as there seems to be a lack of ownership over security overall. Enterprise organizations are looking to suppliers for security to be built into products, while it is perfectly reasonable for suppliers to ask enterprise organizations to do more. Security should be built into products, but if an individual buys a front door, the manufacturer cannot be blamed when it is left open or an inadequate lock is used.

More often than not the carrot is used to incentivise business, but it seems the GDPR stick is an effective tool in bringing security to the front of executives’ minds. Hopefully now there will be less pandering for PR headlines and more affirmative action.