
Why I said no?

At the moment I am working on my Master’s degree dissertation, which has a long and complicated title but is essentially about how small businesses use Microsoft 365. As part of the background work I have been looking at privacy and security: how the two relate, how businesses understand them, and how the decisions businesses make affect both.

So you do not need to worry about security, as you have an anti-virus program and someone has said your router has a firewall, and anyway, who would want to hack your information?

As for privacy, that is covered, as a couple of years back you heard a lot about GDPR and an expert came and wrote some compliance documents for you.

Anyway, now you need to get to grips with this “work anywhere” culture.

Back to my story…

I am a keen American Football fan and have been since my Dad and I watched the first NFL game televised on (the then new) Channel 4. Today I take out a yearly subscription with the NFL that allows me and my son to watch any game via the internet, live (in most cases) or as a recording later.

Wait, I am getting to the point of this blog…

To keep up with the day changes and the time zone shifts, I wanted to add the games to my Outlook calendar, and a link on the San Francisco 49ers’ web site offered to install the games to my Exchange calendar. That sounded like a good idea, so I clicked on the link and was presented with this:

And I stopped. You need to take a moment to read all the above permissions I needed to give so the dates and times of some football games could be added to my calendar.

Even I did not understand the impact on my privacy and security of some of these things.

Now I know it is an American company and GDPR does not apply. Well, here is where my studying comes in useful. The SF 49ers franchise is a company based in California, and California has a law called the CCPA that is very similar to our Data Protection Act, which incorporates the GDPR. In 2019 Catherine Barrett wrote a peer-reviewed paper in which she makes the case that the GDPR and CCPA are becoming the world standard for data privacy protection (Barrett, 2019).

So the football franchise should be thinking about my privacy. But maybe it was the web designer who came up with this idea. Did he know the company stance on privacy? Did his team report to someone who reported to the board level member responsible for security and privacy? Let’s make one thing clear here – the SF 49ers have plenty of money so these checks and balances will be in place – they will have a board level person responsible for implementing a privacy and security governance programme across the whole organisation.

And yet I did not click on the link and agree to share stuff just to get some dates in my calendar.

We are all small and not so small businesses and we should be considering security and privacy in our businesses every day. Every decision we make may have an impact on our data in a way we did not think about. Documentation and statements written when GDPR was a thing may no longer be relevant and will give a bad impression of our organisations. You may be expecting a response from new customers on your web site – but what you are saying there may be putting them off.

I found a “private and secure” method to add the fixtures to my calendar. Can I help you to find a better way to approach privacy and security in your organisation?

Clive Catton MSc (Cyber Security)

Reference: Barrett, C., 2019. Are the EU GDPR and the California CCPA becoming the de facto global standards for data privacy and protection? Scitech Lawyer, 15(3), pp.24-29.