LONDON, May 21 (Thomson Reuters Foundation) - When London accountant Arvind Verma got a call in April from someone posing as a salesman for the British retailer Carphone Warehouse, the offer was too enticing to refuse and he saw no reason not to hand over his credit card details.
It wasn’t until the real Carphone Warehouse called that he realised scammers had gained access to his private information in the company’s database and used it to take out a contract with the extra details he had provided.
Now Verma hopes a new European law designed to give people more control over how their data is held and used will stop such scammers in their tracks.
“It’s not uncommon for a company to call you and offer you better services or a better contract and for you to commit to that service over the phone,” he told the Thomson Reuters Foundation.
“What had happened is this (fake) company had gathered as many of my details as possible, called me up to get the rest of the details, and then called up Carphone Warehouse to take a contract out in my name.”
The European Union’s General Data Protection Regulation (GDPR) has been billed as the biggest shake-up of data privacy laws since the birth of the web and is the largest change in data protection law in Europe for more than 20 years.
It gives EU citizens more control over how their personal data are stored and used. Companies breaching the new rules on how they handle people’s data could incur fines of up to 4 percent of their annual revenue.
Carphone Warehouse, which is owned by Dixons Carphone, said it had reviewed how it stored customers’ information ahead of the new law, which comes into effect on May 25.
The mobile phone retailer was fined in January by Britain’s Information Commissioner’s Office for a 2015 cyber attack which exposed the personal data of over 3 million customers.
Under GDPR, companies will have to report serious data breaches within 72 hours and have to be able to provide European customers with a copy of the personal data they hold.
“Citizens will now have greater rights to know what is being held by corporations, organisations,” said Richard Benham, founder of The Cyber Trust, which aims to protect those most vulnerable from cyber fraud.
“They will have the right not only to access that information but also have the right for that information to be deleted if appropriate.”
Businesses around the world have been racing to make sure they comply with the rules, which apply to all companies that do business with Europeans.
The industries most affected will be those that collect large amounts of customer data, including technology companies, retailers, healthcare providers, insurers and banks.
“It’s not just a tech sector issue. Data protection is key to all organisations of every size and every sector,” said Jeremy Lilley, policy manager for data protection at trade association TechUK.
For the consumer, analysts say the law will have the added benefit of decreasing the number of marketing emails hitting their inbox.
It will be policed by a patchwork of national and regional watchdogs across the 28-nation European Union bloc.
Although his experience has made him more careful, Verma has not stopped using online services and is optimistic the new EU law will help with data protection.
“I cannot avoid my data being out there ... For me, GDPR offers that extra bit of security that gives me that comfort that there’s an extra barrier. It’s like having a house and putting an alarm on it,” he said.
(Reporting by Serena Chaudhry, Editing by Claire Cozens. Please credit Thomson Reuters Foundation, the charitable arm of Thomson Reuters, that covers humanitarian news, women’s rights, trafficking, property rights, climate change and resilience. Visit news.trust.org)