GDPR: Some More Answers
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
I keep getting questions by the ton about GDPR. So, for everyone who still does not understand this landmark set of regulations, I thought I would take another stab at answering some of the queries.
The objective is simply to give citizens control over the use of their personal data, and to simplify the regulatory environment for business by replacing 28 national implementations of the 1995 Directive with one directly applicable regulation. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritized, and in so doing it will allow European citizens and businesses to fully benefit from the digital economy, and I am certain it will form the outline for a similar regulation here in the U.S. by year-end. That assumes Congress can avoid more three or four month-long vacations.
The EC’s theory is that consumer trust is essential to fostering growth in the digital economy. And it thinks trust can be won by giving users of digital services more information and greater control over how their data is used. And I agree. In fact, I think it is actually a pretty smart marketing idea given the amount of clandestine data brokering that pervades our industry. Mass surveillance used to be something that we frowned on. Now it is a fundamental tenet in modern marketing theory.
But enough already. As Facebook and Google found out within hours of the regulation taking effect on May 25th, 2018, when the first complaints against them were filed with the supervisory authorities, big poppa is loaded for bear.
To refresh, the GDPR does not merely apply to EU businesses. Under Article 3 it applies to any entity, wherever it is established, that processes the personal data of people who are in the EU in connection with offering them goods or services or monitoring their behaviour. Note that the test is where the data subject is, not citizenship: an American on holiday in Paris is covered, an EU citizen living in Ohio generally is not. Facebook, for example, is going to have to rework multiple (and costly) business processes to comply with the new rules.
GDPR rules (Article 37) require organizations to appoint a data protection officer if their core activities involve large-scale processing of special categories of data (health, biometrics, political opinions and the like, which Facebook very clearly handles), or large-scale, regular and systematic monitoring of individuals, such as online behavioural tracking, which eliminates oh, about no one these days.
As the least painful option, many US companies are ditching the expense of fragmenting their data handling processes to treat personal data obtained from different geographies differently, and instead are just accepting GDPR as the new ‘gold standard’ for how they handle all personal data, regardless of where it comes from. Which is smart, because I guarantee you that by the end of the summer, California, Massachusetts and New York will have copycat legislation either enacted or rushing through the approval processes.
Privacy experts tell us that the really big change here is around enforcement. Laws have been in place for years but without the financial penalty teeth to enforce or punish. This all changes with this regulation.
Now, the maximum fine that organizations can incur for the most serious infringements of the regulation (Article 83) is 4% of their global annual turnover or €20M, whichever is greater; a lower tier of 2% or €10M applies to infringements such as failing to keep records or to notify a breach. This really is a massive change, because while data protection agencies (DPAs) in different EU Member States could already impose financial penalties for breaches of the previous data laws, the old fine structures were tiny.
In the UK, for example, prior to the GDPR, the Information Commissioner’s Office (ICO) could only impose a maximum fine of £500,000. Compared to roughly £4 billion (Google’s potential exposure at 4% of turnover under GDPR), the EU now has a much larger stick.
The personal data being protected is defined broadly (Article 4(1)) as any information relating to an identified or identifiable person, which includes location data, online identifiers such as IP addresses and cookie IDs, device identifiers and other metadata about people. So businesses must conduct an inventory to identify all the types of personal data they hold and where it flows, regardless of whether they plan to segregate EU data from the rest or treat everything to one standard. Businesses cannot continue to simply ignore this regulation, because most businesses that I have audited have no idea what data they store or process, or even where most of it resides, which is another topic entirely.
Some businesses I know think that this whole data protection issue is a new thing and that data privacy suddenly has become the topic du jour, but as Kim Green of KAZO Security, my favorite CISO and cybersecurity analyst on the planet says, “Give me a friggin break; that ship sailed eons ago.”
While ‘processing’ of personal data can mean any operation performed on that data, from storing to structuring to feeding it into an AI model, GDPR also regulates what you do with the output. Profiling (automated evaluation of personal aspects such as behaviour, interests or location) is itself processing, and Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on them. So it isn’t just the raw data; the inferences and decisions derived from it fall under the regulation as well.
I have been asked about age limits for opting in or out. For online services offered directly to children, the GDPR (Article 8) sets 16 as the age below which a parent or guardian must give or authorize consent to the processing of the child’s data. However, individual Member States can choose (and some have) to lower that threshold, though not below 13, so the impact on teens’ social media habits seems likely to be relatively limited. Which I know you were worried about.
I’ve had other questions about the use of pseudonymization as a way to escape the regulation, by encrypting or tokenizing the identifiers in a dataset and storing the key separately and securely. On that you get a hard buzzer and a thanks for playing. The regulation defines pseudonymization (Article 4(5)) as exactly that: processing the data so it can no longer be attributed to a specific person without additional information that is kept separately. But Recital 26 is explicit that pseudonymized data is still personal data, because whoever holds that additional information (or obtains both halves in a breach) can re-identify the subjects, and the pseudonyms still link every record about one person together. GDPR encourages pseudonymization as a security and privacy-by-design safeguard (Articles 25 and 32); it does not grant a pass from the requirements. Only truly anonymized data, where re-identification is no longer reasonably possible by anyone, falls outside the regulation, and that is a much higher bar than most people assume.
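To make the pseudonymization point concrete, here is an added example (not code from the article or from any product it mentions) that tokenizes e-mail addresses in a small constructed clickstream with a keyed HMAC, then shows two things: the key holder can attribute every token back to a person, and an unkeyed hash, the common shortcut, can be reversed by anyone with a list of likely addresses and no key at all. The records, key and addresses are all made up for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the demonstration; not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "page": "/pricing", "ip": "203.0.113.7"},
    {"email": "bob@example.com", "page": "/checkout", "ip": "198.51.100.23"},
    {"email": "alice@example.com", "page": "/checkout", "ip": "203.0.113.7"},
]

# The "additional information" of Article 4(5): a secret key kept apart from
# the pseudonymized dataset. Fixed here so the example is reproducible; in a
# real deployment it would come from a KMS or HSM (see generate_key).
PSEUDONYMIZATION_KEY = bytes.fromhex("2f" * 32)


def generate_key() -> bytes:
    """Fresh 256-bit key, which is what you would use outside a demo."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same identifier + same key -> same token.
    Determinism is what lets analytics join rows per person, and also what
    makes re-identification possible for anyone holding the key."""
    return hmac.new(key, identifier.lower().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes):
    """Replace the direct identifier (e-mail) with a keyed token. Every other
    field is left as-is, so quasi-identifiers such as the IP address survive."""
    out = []
    for r in records:
        stripped = {k: v for k, v in r.items() if k != "email"}
        stripped["subject_id"] = pseudonymize(r["email"], key)
        out.append(stripped)
    return out


def reidentify(token: str, candidates, key: bytes):
    """Attribute a token back to a person by recomputing it over a candidate
    list. This is what the controller (or a breach attacker holding both the
    data and the key) can do. Returns the identifier or None."""
    for c in candidates:
        if hmac.compare_digest(pseudonymize(c, key), token):
            return c
    return None


def unkeyed_hash(identifier: str) -> str:
    """The common mistake: a plain SHA-256 with no secret. Looks opaque, but
    the input space (e-mail addresses) is guessable, so it is reversible."""
    return hashlib.sha256(identifier.lower().encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates):
    """Reverse an unkeyed hash with nothing but a list of likely addresses."""
    for c in candidates:
        if unkeyed_hash(c) == token:
            return c
    return None


def linkage_count(pseudonymized):
    """How many rows each token links together: pseudonymization keeps the
    per-person profile intact, which is useful and is also singling-out."""
    counts = {}
    for r in pseudonymized:
        counts[r["subject_id"]] = counts.get(r["subject_id"], 0) + 1
    return counts


if __name__ == "__main__":
    tokens = pseudonymize_records(SAMPLE_RECORDS, PSEUDONYMIZATION_KEY)
    guesses = ["carol@example.com", "bob@example.com", "alice@example.com"]
    for row in tokens:
        who = reidentify(row["subject_id"], guesses, PSEUDONYMIZATION_KEY)
        print(row["subject_id"][:16], "->", who, row["page"], row["ip"])
    print("rows per person:", linkage_count(tokens))
    print("unkeyed hash reversed:",
          dictionary_attack(unkeyed_hash("bob@example.com"), guesses))
```

The design choice worth noting is the keyed HMAC rather than a bare hash: it is the difference between "only the key holder can re-identify" and "anyone with a mailing list can re-identify". Either way the result is still personal data under the regulation; the key just decides who can reverse it.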
The rules also apply to both ‘data controllers’ (those entities that determine the purpose and means of processing personal data) and ‘data processors’ (those entities that process data on behalf of a data controller). Data processors now have direct compliance obligations under GDPR (security measures, records of processing, breach notification to the controller, sub-processor approval), and under Article 82 individuals can bring compensation claims directly against a processor where it has breached those obligations or acted outside the controller’s lawful instructions.
It is clear that the intent is to be intolerant of any diminishing responsibility along the chain of data handling subcontractors. Many companies rely on subcontractors to handle data operations on their behalf and they face a stiff penalty if they choose to shrug off that portion of their responsibility. They will be held liable for any privacy violations, so companies employing subs will have to perform rigorous risk assessments before continuing with business as usual.
Under GDPR, ‘data protection by design’ and ‘data protection by default’ (Article 25) are now firm legal requirements. This means that data controllers must limit processing to only what’s necessary for a specific purpose, carry out data protection impact assessments for processing that is likely to be high-risk, and maintain up-to-date records of processing (Article 30) to prove their compliance. If you are a data custodian, you now see that this is a really big deal in terms of effort. In addition, the consent requirements for processing personal data are much stronger: consent must be freely given, specific, informed and unambiguous, as easy to withdraw as to give, and the controller must be able to demonstrate it was obtained (Article 7). That means lengthy, enigmatic and incomprehensible ToUs and ToSs won’t work anymore. The new premise is that consent should be an ongoing, mutually and actively managed process and not some one-off rights grab.
Transparency is another major requirement under GDPR. Article 5 lists lawfulness, fairness and transparency together as the first principle of processing, and adds a separate accountability principle: the controller is responsible for compliance and must be able to demonstrate it. This is why data controllers must clearly tell data subjects, at the time of collection, what each purpose of processing is, and must inform them again before processing their data for any new purpose beyond the one originally disclosed.
The fact that companies processing data across borders within the EU itself face scrutiny from DPAs in different Member States if they have covered subjects in those states and are processing their personal data raises additional assessment and audit requirements and, God forbid, additional protection rules wherever a Member State has used its room to derogate from the regulation (employee data, children’s consent age and the like). Now, imagine how much fun that will be when each U.S. state implements its own version of a Federal regulation.
As a real-life example, Facebook’s tactic of claiming it answers to a single EU DPA isn’t going to wash the way it used to. The one-stop-shop provision in the GDPR does name a lead supervisory authority (the DPA where the company has its main EU establishment, Ireland in Facebook’s case), but that lead authority must cooperate with every other DPA whose residents are affected, and its draft decisions can be objected to and escalated to the European Data Protection Board under the consistency mechanism. It is designed as a co-operative mechanism that lets multiple DPAs work together where they have joint concerns, not as a way for multinationals like Google and Facebook to go ‘forum shopping’ for the friendliest regulator.
Companies that have been comfortable using privacy policies with vague phrases like ‘We may use your personal data to develop new services’ or ‘We may use your personal data for research purposes’ will be out of luck. All of these intentionally sloppy ToUs and ToSs will need to be re-written immediately, and any changes to privacy policies must be clearly communicated to the customer or user on an ongoing basis. The line in most privacy statements that tells customers and users to ‘regularly check for changes or updates’ is now legal history.
As to explanation of intent, perhaps the Gartner research director Bart Willemsen summed it up best by saying that “Organizations should acknowledge they don’t exist to process personal data, but they process personal data to do business. Where there is a reason to process the data, there is no problem. Where the reason ends, the processing should, too.”
However you view all this, you now have no more time to dither about whether you should start doing risk assessments. The clock has run out.