Problems of protection consumers personal data by domestic enterprises: aspects of social and ethical marketing

In modern conditions society pays more and more attention to the ethical problems of marketing activities of enterprises. Among these problems the important role belongs to the protection of personal information about consumers and the adequate using of this information. Researches show that people do not pay enough attention to these issues in Ukraine. It can negatively affect the image of enterprises and the attractiveness of their cooperation with foreign partners. Cases of leakage of consumers' personal data at domestic enterprises have been analyzed (with the help of) using secondary marketing information. Most of them are related to the human factor the actions of their employees. The level of interest of Ukrainian citizens about safety of their personal data has been determined on the basis of collecting primary marketing information using Google Forms. The analysis was the basis for justification of the measures in the field of increasing the level of personal data protection at the enterprise level and the level of individual consumers.

It demands to provide a clear and understandable definition of the purpose of data collection and directions for their further using The principle of limiting the purpose and minimizing the collection of data Actions with personal data should always provide for a legitimate purpose. Actions on personal data must always have a legitimate aim. Also, enterprises must guarantee that the information they store and process is relevant and limited The principle of accurate and relevant processing of data It requires constantly checking by the controllers that the processed information is still accurate, relevant and suitable for the purposes The principle of limiting the storage of personal information in a form that allows its identification It restricts the movement and duration of the accumulation and preservation of information The principle of confidentiality and safety of information storage It demands the protection of the integrity and confidentiality of the collected data through the further maintenance of their storage reliability The principle of accountability and responsibility At any time enterprises must provide confirmation to public authorities regarding the compliance of conducted operations with the specified requirements of the GDPR Formed on the basis [9] Ukraine also operates GDPR, which, although not directly related to the legislation of Ukraine but relates to the activities of many domestic enterprises. This is explained by the fact that according to Art. 3 The regulation has an extraterritorial effect, that is also extended to companies located outside the EU and receive information from the source in the EU member states [6]. The principle under which Ukrainian enterprises will be held liable is applied in case of failure non-fulfillment of the Regulation requirements. A company located in the territory of the EU, which entrusted with the processing of personal information to an enterprise in the territory of Ukraine should be aware that in case of a breach of the Regulation requirements European company will be the first one that falls under its penalty. That's why it is primarily unprofitable for European company to cooperate with those Ukrainian enterprises that do not comply with the main provisions of the Regulation.
Despite the fact that the technology in the field of information security is progressing rapidly, even leading specialists can't always guarantee the absolute safety of clients' personal data. The larger, more influential and more profitable the company is, the more attempts and ways of stealing important data by outsiders and competing companies exist.
Frequently there are cases when the transfer of personal data is carried out for the personal benefit of enterprises' employees. The result of such case is the enforcement of the judgment of the Moscow District Court of Kharkiv on February 16, 2018, under Art. 361 and art. 361-2 (computer network hacking and illegal sale of restricted information) regarding the employee of "Nova Poshta", who accessed the company's database and tried to sell clients' personal data [11].
Information about clients of the bank can be stolen not only by "reading" cards: on June 6, 2018, it became known about a collective lawsuit against "PrivatBank". It is noted that the bank has unauthorized transfers of their clients` personal data to the third parties. The lawsuit is directed from 750 clients of the bank, whose representative is the lawyer association "ISU LAWYERS" [12].
Three months later, on September 27, 2018, by the court decision found guilty the manager of the branch of "PrivatBank", who deliberately unauthorizedly copied the information with limited access to the clients' personal data, after which provided them to the unidentified person by using the messenger Telegram, which specify on the leak of such information. It is ISSN 2522-9087 (Print) ISSN 2523 N. Kosar, N. Kuzo, A. Kyrylenko. Problems of protection consumers personal data by domestic enterprises: aspects of social and ethical marketing 81 also determined that in February the manager transferred data of the client of "PrivatBank" to an outsider and he had received 400 UAH to his bank account for it. [13].
A progressive way to receive an access to personal data is social engineering, which involves the wrecking of a private account through the preliminary legitimate collection of the personal information. Exactly by this way the famous service Moneyveo provided a large number of fake online loans, having issued them to Ukrainians, as it became known on November 12, 2018, on the news site Segodnya.UA. The Security Service of Ukraine reported that the number of deceivers exceeds 1,000 people [14]. The same day, officers of the cyber police during the monitoring of the Internet revealed an intruder who tried to sell personal data of Ukrainian citizens. A man previously held a managing position in one of the Ukrainian banks. He was trying to sell the database which contained the information about 500 thousand people [15].
One more example of leakage of data through deliberate actions of the employees of the enterprises is that on November 14, 2018, the Kyiv Prosecutor's Office sent a prosecution of an employee of the State Fiscal Service in the Kyiv region, who in May 2018 copied the information about legal entities, which are taxpayers, and transferred the information to the third party for the corresponding monetary compensation [16].
The above analysis allows to conclude that most cases of data leakage in Ukraine arise precisely because of the human factor: individuals who have an access to the confidential information, wish to receive additional funds, self-assert, or influence other persons with the help of this information. According to the existing data, 25% of the employees of the enterprises are ready to betray the interests of their own enterprise immediately, 50% are ready to do so under certain conditions, and only 25% are patriots of their enterprise [17]. Employees may provide information to third parties as a result of bribery, intimidation or prosecution. That's why domestic enterprises should pay much attention to working with employees in order to create a loyalty to the company through the implementation of internal marketing measures. They should also increase responsibility for disclosing confidential information about the enterprise and its employees through the using of administrative methods.
Non-compliance with established requirements of the legislation on the protection of consumers' personal data, which resulted in unauthorized access to them by third parties (outsiders) or in violations of the rights of the subjects' personal data, may lead to the imposition of fines on citizens in the amount of 100 to 500 non-taxable minimum incomes of citizens, and on business entities -in the amount from 300 to 1000 non-taxable minimum incomes (according to Art. 188 of the Code of Ukraine on Administrative Offenses) [18]. Illegal collection, as well as storage, use or dissemination of confidential personal information about a person may result in the imposition of fines in the amount of 500 to 1,000 non-taxable minimum incomes of citizens or involvement in correctional proceedings for a term up to two years or until the term of arrest up to six months, or until the restraint of liberty for a term of up to three years (according to Art. 182 of the Criminal Code of Ukraine) [19].
The losing of money by an enterprise due to the payment of fines for violating the Law "On Protection of Personal Data" is not the worst thing that happens to an enterprise. In addition to administrative and criminal responsibility for the admittance of leakage of data, there are a many others also important consequences for the enterprise. Among them: • temporary violations in work schedules, schedules of certain events, etc. • violation of rights (copyright, adjacent, patent, inventive); • complete or partial failure of the company's security system; • reduction of client base. It is clear that each of the listed consequences is undesirable for the enterprise, but the most serious one is a significant decrease of the level of consumers' confidence.
Enterprises should use methods for providing the safety of information in order to establish a high level of personal data protection during the development and implementation of information processing systems. These methods are conventionally divided into legal, software, technical and organizational-economic - Figure 1.
Methods of ensuring the safety of personal data of consumers  All methods for protecting of personal data at enterprise level will be more effective if they are integrated into an algorithm to provide reliable protection of personal data [21]. This algorithm contains a series of stages - Figure 2. The main condition for the successful using of the algorithm is that all of the above actions should be executed in accordance with the Law of Ukraine "On Protection of Personal Data".
The active using of the Internet by domestic enterprises in different directions makes this algorithm relevant for most domestic enterprises -  The poll was conducted in order to develop recommendations for strengthening the protection of personal data of consumers. The sample size was determined by the formula given in [23]. During forming of the sample, the error in the results was 4%. In this case, the maximum value of the coefficient of variation which is taken into consideration is 0.25. Intended sample size is 150 people.
The survey was conducted within two weeksfrom January 15 to January 28, 2019, using the Google Forms service. During this time, 222 people were interviewed.
During analyzing of the answers to the question about public wi-fi connection, it's possible to differ three large groups. The respondents from the first group (27%) connect to the public network every time they come into the area of "free wi-fi" coverage; interviewed from the second group (34.2%) use the public network only when they want to save the resource of mobile Internet and the respondents of the third group (28.8%) do not use public wi-fi at all (Figure 3).  While analyzing answers to the question about the amount, complexity and way of storing passwords for accounts, it has been discovered that the most common (every second one) is the choice of creating several simple passwords that "protect" all the accounts of a person. Every fifth respondent has created only one reliable password that is used for all his user pages, every tenth person store his passwords on paper. Only 7.2% of respondents use a special application for generating and storing passwords (Figure 4).

Figure 4 -Using different options for setting the password by respondents
Survey results showed that more than 50% of respondents do not publish their mobile phone number on social networks. Another third do it, "protecting" it from strangers by using point "only for friends". Every tenth of the respondents publishes the work telephone number on the page, and only 5.9% of respondents set free access to their phone number on social networks ( Figure 5).  On the question about "sign in via Facebook / Google" feature, which is available on almost every web-resource, the most respondents (47.3%) answered that they often use it, as it saves time on registration. One third of the respondents (30.6%) use this function only when they trust the site where the registration takes place. A fifth of the respondents answered that they favored a separate registration on each site ( Figure 6).

Figure 6 -Using of "log in via Facebook / Google" by respondents
In one of the questions, respondents were asked to indicate a protocol indicating that the data transmission on this site is protected. Every second (49,5%) respondent marked the right answer "https://", and 40,1 % answered, that they don't know the answer for this question. The rest of respondents gave incorrect answers (Figure 7).  Based on the analysis of the collected primary marketing information, it was found that only 12.6% of users are thoroughly familiarizing with the privacy policy on the sites before agreeing with it. More than half of the respondents (52.7%) believe that the rules of privacy on all resources are the same, therefore refamiliarization does not make sense, and another 34.2% of respondents do not attach importance to this document at all (Figure 8).

Figure 8 -Relation of respondents to the privacy policy on the sites
In order to determine whether consumers are interested in the purpose of using their data, respondents were offered a situation in which the store consultant offers to fill out a questionnaire for obtaining a customer's card. One in three answered that in this situation he would not ask the consultant about the purpose of obtaining personal data, because of "all shops are asking for the same standard data"; next 24.3% of respondents will be interested only if the questionnaire contains questions that are not related to the seller-buyer relationship; almost 30% will answer only those questions which they consider necessary, and only 10.4% of consumers in any case will be interested in the purpose of collecting and processing their personal data ( Figure 9).  It has been established that the most popular correspondence channels are messengers that use message encryption (Figure 10). The second place in popularity is the standard (without encryption) correspondence in social networks, on the third -e-mail. The last place is the SMS correspondence channel (only 16.2%), which is also considered the most vulnerable channel for data transmission. The last question was not required for the answer, so only 49.1% of respondents answered it. The respondents were asked to imagine a situation in which the "unknown" company had illegally gained their data, and now it imposes its' goods / services by using this data. The vast majority of respondents (86.7%) answered that they would immediately block this contact and hope that this company will no longer care for them. Only 13.3% answered that they would solve this problem by filing complaints and involving law enforcement officers.
Therefore, effective protection of personal data of consumers in Ukraine requires efforts of state bodies, enterprises and, of course, consumers. Taking into account the foregoing, it is possible to provide certain recommendations for the protection of personal information by enterprises and consumers - Table 3.
Compliance with these recommendations by businesses and consumers will not provide one-hundred percent guarantee against the leakage of personal data, but will facilitate their effective control and better protection.  3. Use reliable communication channels. 4. Avoid using the "sign in with Facebook / Google" feature.

Check the address bar of the visited sites.
Data sharing is secure if it starts with the "https" protocol.
6. Pay attention on the purpose of collecting consumers' personal data and how they will be processed.
7. In case of data leakage, customer should file the complaints, and require the removal of his data.
1. Collect only the information necessary for the operation of the enterprise and / or agree to provide the consumer with a detailed explanation of the purpose for which they will be used.
2. Delete consumers' data at the first requirement, if the consumer breaks the relationship with the enterprise.
3. Provide instructions for creating a secure password for access to your personal cabinet.
4. Provide reasonable answers to all questions of consumers about ways of collecting personal data and methods of their processing. 5. Use secure communication channels for conversations.
6. Carefully select employees who will work with consumer databases and warn them about administrative and criminal liability in case of leaking information.

Developed by authors
Conclusions from this research and prospects for further developments n this area. Nowadays Ukraine is on the list of countries with a low level of protection of personal data, that reduces not only the attractiveness of business and possible cooperation with other states, but also the reputation of Ukraine in general. It has been established that the majority of leaksages of personal data are caused by a human factor -deliberate or unintentional actions of employees of enterprises and inadequate attention to this issue at the enterprise level.
The survey provided an opportunity to define the level of interest of Ukrainian citizens in the security of their personal data. According to the results of the study, it was found that people in many cases behave carelessly when providing their data to third parties, and in the case of theft of these data often choose to ignore the situation, measures for protection of personal data by consumers were developed on the basis of the results of the analysis of secondary and primary information. These recommendations include creation of complex passwords for accounts, checking the address line of sites, avoiding of using of public wi-fi connection and the "log in through Facebook" function, active protection of law to privacy on their own or with the help of law enforcement agencies.
The article also claimed the recommended measures to ensure a high level of protection of personal data at the enterprise level, in particular: to collect only the necessary information for the enterprise; to delete consumers' data at their request; to provide instructions and advice for creating reliable passwords; to select employees to work with databases carefully; to use secure communication channels. For minimizing the threat of massive leakages of consumers' personal data, first of all the following measures are needed: a legislative base, an effective control system and, most importantly, a high level of legal literacy among the population. In case of a successful combination of these three factors it becomes possible to make reliable protection of personal data of Ukrainian citizens and to reduce the amount and complexity of thefts and fraud related to them.
Prospects for further development are related to the analysis of trends in the use of personal data of consumers in the marketing activities of domestic enterprises.