Understanding the relationship between digital accumulation behaviours and GDPR

Personal data and its protection are a key feature of the new GDPR. This includes clear limitations on its collection, storage and use being outlined in law, and also a requirement to disclose data breaches, for which a high financial penalty may be applied. Our research has demonstrated that the accumulation of, and failure to delete, digital data is very common, and that a lack of individual and organisational awareness of exactly what data is being held may lead to an inadvertent lack of compliance with GDPR and may also have cybersecurity implications. In this project we aim to measure the extent of digital accumulation of personal data, and to interview stakeholder employees and management to assess the extent of this issue and how effective current organisational attempts to address employee understanding and compliance are. We also aim to gain insight into developing intervention strategies to encourage employees to think more carefully about email deletion, especially in relation to personal data.

Author: James Nicholson

James is a Lecturer in the School of Computer and Information Sciences. James is interested in inclusive cybersecurity and leads the CyberGuardians research project. He is also interested in usable security, social engineering, and everyday surveillance. Previously, James was a senior researcher in PaCT Lab working on the Cybersecurity Across the Lifespan (cSALSA) project. The project explores how cyber-security is understood, and the attitudes and behaviours of people to cyber-security and risk. During his time in PaCT Lab, James also worked on Choice Architecture for Information Security (ChAISe), Digital Economy Research Centre (DERC), and the Horizon 2020 project CYBECO. Prior to PaCT Lab, James worked at Open Lab, Newcastle University on the TEDDI and SiDE projects. James’ work has focused on improving user authentication, both by repurposing existing graphical authentication systems and by evaluating novel ones. He is also interested in user privacy and how groups of users (children, parents, older adults) experience location tracking technologies, as well as how CCTV video can be crowdsourced to de-centralise the surveillance landscape. More recently, he has developed tools and methodologies for uncovering and understanding employees’ mental models of security threats with the aim of improving training programmes and/or organisational policies, as well as practical means for improving users’ protection against these security threats (e.g. phishing).