Most of us are aware that large tech companies such as Google, Facebook, Apple, Microsoft, Twitter, Netflix and Spotify have massive amounts of data about our online behaviour, so they almost know us better than we do. But who else has access to your personal information? It’s almost impossible to know, and a new EU-supported project in which DTU is involved wants to change that.
"The problem is that our data is everywhere, and it is difficult to find out which companies have access to it and have sold it on. We want to make it all more transparent," says Weizhi Meng, associate professor in cyber security at DTU Compute.
DataVaults can be seen as a digital safe where you can store your personal data and control who has access and when. You are notified when companies, authorities or others access your information, and the platform can assess the risks associated with sharing your information in various contexts.
Personal data such as your age, gender and address may seem entirely innocent, but if all those details fall into the wrong hands, it can have serious consequences.
"In a digitalized world, personal data is the most important asset. If your data has been leaked, hackers can use it to create a false identity of you. They can potentially create fake passports or credit cards in your name or send you targeted phishing emails based on what they already know. That is why it is so important to protect our personal data," says Weizhi Meng.
Businesses are still challenged by GDPR
It’s impossible to discuss data privacy without mentioning GDPR. The EU's legislation on the protection of personal data shook the IT world when it was introduced in 2018 and is still a cause of confusion to many companies. DataVaults can help not only individuals but also companies that can use the platform to collect information in a secure and legal manner about everything from employees to customers and business partners.
"It’s a big challenge for many companies to comply with GDPR. They don't know how to implement the GDPR guidelines because it's very complicated," says Weizhi Meng.
A survey by the Council for Digital Security has shown that almost half of all small and medium-sized companies are challenged by the legal requirements for personal data protection, and 67% believe it is difficult to assess how data can be used ethically.
"There is no doubt that it has been an uphill battle for the vast majority of companies," says Henning Mortensen, chairman of the Council for Digital Security.
Most recently, the so-called Schrems II ruling in the EU has created uncertainty. In practice, it makes it problematic for businesses to use American cloud services and platforms, such as Google Analytics, because they may transfer personal data to their parent company in the US, which is against GDPR regulations.
"It’s a huge problem for all companies and also authorities, which can make GDPR regulations a major barrier for them. At best, it is unclear what to do when using international services, especially cloud services, and at worst, they cannot use them at all," says Henning Mortensen.
That’s why he welcomes an initiative like DataVaults.
"There is clearly a need for solutions that can collect data in a way that protects our personal data. It could help create a greater willingness to make one's data available for public benefit," says Henning Mortensen.