The “newcomers”: “Consent on Everything” and “Insufficient Data Quality”
The three biggest privacy risks in web applications in 2021 are
1. Vulnerabilities in the applications
2. Data leaks on the part of the operators and
3. Inadequate responses to data leaks.
This has not changed since 2014.
What is new, however, is the risk at rank 4 on the list: “Consent on Everything”. This refers to Web applications that do not obtain their users’ consent to data processing separately for each purpose, for example use of the website on the one hand and profiling for targeted advertising on the other.
Also new on the list is “Insufficient Data Quality” at position 7, which refers to the use of outdated, incorrect or falsified user data. The problem of “Non-Transparent Terms of Use” remains No. 5 on the list of the top 10 data protection risks, while “Insufficient Deletion of Personal Data” has fallen from No. 4 to No. 6.
Top 10 List published for the first time in 2014
The Top 10 List was created and published by the Open Web Application Security Project (OWASP). OWASP is a non-commercial open source organization that provides best practices and de facto standards for application security. In the Top 10 Privacy Risks Project, OWASP also addresses the issue of Web application data protection.
With the aim of helping developers and suppliers of Web applications to improve data protection, it provides tips on how to implement privacy by design in Web applications. The project looks at technical as well as organizational aspects and focuses on real risks rather than legal issues. The Top 10 List was published for the first time in 2014.
Due to new regulations such as the European General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) as well as a rapidly changing environment, the list has now been updated and version 2.0 of the 10 most important data protection risks has been published.
To assess the risks, the severity and the frequency of occurrence of twenty potential risks were weighted equally. The frequency of occurrence was assessed in a survey of sixty experts, and the severity was evaluated in five different categories, such as impairment of personal freedom, financial damage or damage to reputation.
Take appropriate countermeasures
Florian Stahl is leading the project and comments: “Having such a list of privacy risks and appropriate countermeasures compiled by an independent organization is important for the community. That’s why I got involved in this project with volunteers from around the world who contributed their different experiences and perspectives.”
The detailed results are available on the project website in various languages. The next step is to update the appropriate countermeasures for each risk as well. After all, it is not enough for data protection risks simply to be known; above all, something should be done about them.
Contact
Thomas Soens
Division Manager
msg security advisors