We’re sure you’ve heard of data breaches. They’re becoming all-too-commonplace, unfortunately.
The chances are you’re unsure what the data in question is, what it’s used for and how companies get their hands on it in the first place.
Data is a real, quantifiable commodity these days. In days-gone-by it might have been physical items such as precious metals, oil, salt, silk or saffron, depending on the era. And, just like the most precious commodities of the past which were worth their weight in, well, gold, having access to and control over data is valuable.
Data is big business now. It’s some companies’ bread and butter, backbone, lifeblood and cornerstone. There’s a reason firms are keen to get their hands on it, and why you should take as much care of it as you can.
Data allows companies to get a better understanding of their operations, giving them insights as to how they can prosper in the future. Business owners can analyse that priceless data and make better, well-informed strategic decisions as a result. Some companies’ business models are built solely around data. They may be interested in identifying a new customer base or market audience, learning more about their existing clients, creating targeted advertisements or simply making money by selling the data to third parties.
Whatever their plans, some companies have data gathering at the heart of their operations. That’s why hackers and other cyber-criminals are so keen to get their hands on it. If users willingly provide companies with their data, that company should not, under no circumstances, share that personal and confidential information or use it in a way that was not authorised by the user.
So, how is your data collected? What sources do firms gather data from? And what do they do with it?
We should probably start by clarifying the term ‘personal data’. Since the UK left the European Union, it has not been covered by the EU’s General Data Protection Regulation (GDPR). The UK does, however, have its own GDPR, which is largely the same and defines personal data as:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Snippets of information that can be pieced together to paint a picture of an unsuspecting victim.
These could be identification numbers, National Insurance, account and reference numbers, location data or online identifiers such as your email or IP address.
Let’s not forget the most sensitive data, covered by special categories including genetic, health and biometric data, any political or religious beliefs or sexual orientation.
All of this can be gathered, collected, stored, structured and processed – that could be by small enterprises or tech giants. Subscription services tap into personal data in order to provide recommendations to its users, as do online retailers.
Companies use a range of methods to capture this all-important demographic, behavioural and engagement data. These can be loosely classed under three collection methods:
A company’s website is potentially a precious source of data collection. Whenever someone visits a site it’s possible to examine how and why they arrived there, such as an advert or social media post directing them there. With analytics tools you can also track the pages they visited and how long they stayed. Most, if not all, social media platforms will be able to provide business users with analytics regarding interactions, follows, likes and more, allowing those businesses to swell their customer base with targeted marketing.
Any purchases or other transactions carried out on a website will save things like payment details and delivery addresses but also data covering how the purchaser found the products too. This could be keywords used on search engines, comparisons with other products or vouchers (and how and where they got them). Subscribing or registering customers can also provide a host of that precious data.
Some businesses take a direct approach and will collect data from their own customers by asking them to complete satisfaction surveys. These will mostly be online and the feedback provided by customers is in itself a trove of information.
Customer interaction with sales and support staff, and feedback on various products and services, is also manna from heaven for data gatherers.
It’s clear that capturing, storing and analysing data, be it personal details, engagement data (how and why consumers interact with businesses), behavioural data (buying history, information on product use and more) or attitudinal data (information on things that can’t be observed directly, such as feelings towards a product or brand) is huge.
Again, data collection, storage and use is a business model all of its own. Companies can expand their customer base, boost interaction with better customer service and user experience protocols and refine marketing strategies.
Collecting data for legitimate business activity is perfectly legal but (with apologies to Spiderman fans) the power of data comes with great responsibility. Any business holding personal data is expected to protect it from cyber-criminals who want to use it for their own underhand purposes.
If a business holds your data, it must secure it.
Failure to do so can put your personal security at risk and the misuse of data presents similar hazards. Guidelines for businesses are set by data privacy laws and by industry regulators to protect data owners, as the misuse of data and information can lead unintentionally to data being compromised.
It’s important for international organisations such as Microsoft and Google to be aware of, and adhere to, laws and guidelines in the many countries in which they operate. Google is currently being looked at by Ireland’s Data Protection Commission – the ‘enforcers’ of the EU’s GDPR – over the use of confidential data in the development of its AI assistant Gemini and whether data misuse has taken place.
Google has already fallen foul of data protection regulators in France. The country’s administrative authority CNIL hit the company with a €50m fine in 2019 for a failure to comply with the European GDPR. Google didn’t provide users with the full information on its data consent policies and its appeal against the fine was dismissed the following year.
So, data and its use is big business; data misuse even more so. There are guidelines for the collection, storage and use of our confidential details and if companies such as Google and Microsoft take advantage of people submitting their personal data, i.e. putting data to work for projects beyond their stated intentions and customer authorisations, they may have committed data misuse.
Copyright © 2026 Barings Law.
All rights reserved.
