Let's Talk Data Security

Do you have a Black Friday data hangover?

Written by Paul Hammersley | Nov 27, 2020 8:51:31 AM


The rise in online shopping reaches a crescendo

If anything can be said to have thrived in 2020, it must surely be online shopping. They say a major disruptive crisis accelerates changes that would in any case have happened, albeit less quickly. The ease with which we now search, click and pay for goods from phones, tablets, and occasionally now laptops or desktops, has prepared us perfectly for this year's Black Friday sales.

(Black Friday also now seems to have taken over as the longest day of the year – since it seems to last for about four weeks). As our plastic heats up more and more over the coming days and weeks in the lead up to Christmas, we are all likely to revisit this same thought process:

Create an account or continue as a Guest?

  • Am I likely to shop here again? Is this just a once-off impulse purchase?

  • Would I want my friends to know I shop with this company? Are they ethical, do they respect the environment?

  • Where is this company actually based?

  • Can I trust this company with my personal data, AND my credit card?

‘Guest’. Well, that sounds reassuring – what do I get with that?

When you think about it, there must be a spectrum of responses to this. There are those of us who would not share our data online with our own government and will not be signing up for anything; but then it's probably quite rare for those people to shop online at all. But I am sure many people sign up for accounts with very very few websites, and mainly continue as a ‘Guest’. Then, some people in the middle who mix and match, and then some serious ‘in da club’ fanatics at the other end of the spectrum who would join anything on offer and gladly save their details for future. 

 

But what do we actually expect from companies in either case? If I sign up, am I signed up forever?

 

Will my password be stored:

 

  • In plain text, meaning any breach of that site could put me at risk for other sites where I’ve used the same password? (don’t say you don’t do that, we know you do, we all do to some degree!)

  • Encrypted, but with the key stored on the same server, so someone taking control of the server could get to the plain text version?

  • As a hashed value so the password is never actually stored, just turned into a hash at runtime and compared to the value that is stored? (Incidentally, this is how your SAP password is stored).

And what are their privacy terms? Who will they share my details with?

Will they be tracking what I buy and offering me deals on 600ml when I only usually buy 450ml? Or using other analytics on my online and purchasing behaviour, what content they send to me, and how responsive I am to certain campaigns?

 

These questions often prompt me to simply choose ‘Guest’ over and over. Often on the same online store, promising myself that next time, I’ll think through every angle, and perhaps sign up.

Guests outstaying their welcome

So, having handed over my address and credit card details for the transaction, I relax back, safe in the knowledge that the moment the goods leave their warehouse, my details vanish until next time I type them all in again.

 

But do they really vanish? Well, of course not. The website might link to another order fulfillment system, and then there’s a finance system, and the courier that delivery is outsourced to. How many systems and databases will actually have just had my data? And how many of them will still have my address and/or credit card details in a month? A year? A decade? And what if…they’re running SAP?

We don’t have Guests in SAP…do we?

Ok, so it's highly unlikely that your SAP system has a SAP GUI screen like this. But that doesn’t mean you don’t have Guest data in your backend ERP or S4 system. Some organisations running SAP use SAP CRM to process ‘One-time orders’, which then generate an order in ERP with a single ‘dummy’ customer and ‘9000*’ address on the ‘Ship-to’ partner function. So there is no trace of our guests in ERP Customer or Business Partner master data, but the address is in ADRC etc. and linked directly in VBPA. And I suspect many more retail organisations leverage other non-SAP webshop technologies, and interface back to SAP ERP or S/4 in a similar way. At the end of the day, if the delivery is processed in an ERP system, then the person’s name and address must be there.

The Black Friday hangover: backlog data privacy debt

If your SAP system has this type of data, you’ve probably seen a fair growth in the number of ADRC entries of this type during the global pandemic, but the Black Friday period will certainly add many more. So although it can be a welcome boost to our struggling retail sectors, it does come at a cost in terms of data privacy and our ‘backlog privacy debt’. There will be more and more data being accumulated. If someone executes a Data Subject Access Request, would you even find them? Or would you only search Customers and Business partners? If they ask you to remove their data, can you do this?

 

Over the next few months I am going to be focusing on Data Minimisation and some capabilities we have developed for removing ‘backlog privacy debt’, without the need for expensive, complex projects. This could be as part of a mass clean up, or allowing the business users to address ad-hoc requests, or implementing periodic removal of data as it falls outside of a retention period.

How to satisfy historical data minimisation requirements for compliance

Find out how EPI-USE Labs can help your organisation address their ‘backlog privacy debt’ as part of a data minimisation initiative, and provide ongoing Privacy by Design. This includes a unique, simple alternative to archiving or full removal of records.