Unless you’ve been living out in the remotest frontier of some Data Protection Wild West, you will no doubt be aware that a ‘supervisory authority’ Sheriff will soon be riding into town, clutching a lengthy new scroll of law and order in the form of the General Data Protection Regulation (GDPR).
ICYMI or simply passed over it as not particularly relevant; whilst debate in the UK heats up around whether we stay in the EU or ‘Brexit’ – in December 2015, the European Council finally agreed upon a new regulation first put forth in 2012.
Built upon the impressively long-standing 95/46/EC Directive, the GDPR will establish one single set of data protection law across all 28 European member states, replacing their own legislations by 2018. Its intended reach does not stop there, however. In principle, this now affects all organizations who may have operations on the continent or are handling EU citizens’ data regardless if they are actually headquartered there or not.
As PWC recently summarised:
“This will impact every entity that holds or uses European personal data both inside and outside of Europe.”
Given the global nature of today’s digital economy, the potential scope soon becomes quite mind boggling. When you delve into the level of detail included in the legislation, yet more so. It is certainly not my intention here to attempt any in-depth analysis of what amounts to 200+ pages of complex regulatory text.
Instead, let’s just look at few key ticket items and their potential impacts from some very different perspectives. To lighten in places what is in some peoples view a rather dry subject (yes, really) I include a few fast shootin’ spaghetti western references from Sergio Leone’s epic 1966 movie to hopefully help illustrate some serious points.
Whatever one’s views of the European Council, concerns around the intricacies of the new legislation or the practicalities of its enforcement; the overarching GDPR principle to ‘give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU’ – would in most people view at least, certainly be of ‘the Good.’
A harmonization of standards if achieved even broadly would surely benefit everyone in the business of ‘controlling’ or ‘processing’ data in the long term? More significantly, in terms of the greater ‘Good,’ the rights of data subjects are more important than ever.
We are all ‘data subjects’ and we live in a world where key aspects of our lives will be ever more determined by the data held about us. We also live in a world where that same data is more at risk and open to compromise than ever.
A present worry for the data subject (or customer/citizen) is that as there is no legal onus to report data breaches in many countries, you may not even be aware that your data has been stolen or otherwise compromised – ever. Unless, of course, you fall victim to a direct or indirect consequence of the breach and then it is a little too late.
Under GDPR, in the event of a personal data breach, controllers must now notify their appropriate supervisory authority:
“Without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay. Furthermore, if the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals” it must also formally communicate information regarding the breach to the affected data subjects. Under Article 32, this must also be done “without undue delay.”
Whilst the new timelines for reporting ‘all’ relevant breaches will no doubt force many to up their game, this should not, in theory, be a huge challenge for ‘the Good’ organizations and controllers out there.
They will, of course, already have in place incident reporting processes and proactively inform the relevant authority within their jurisdiction of breaches when required to do so. They will already responsibly and transparently inform their customers/citizens if their information had been seriously breached.
Whilst other debates about encryption and legislation rage on, ‘the Good’ organizations will also have taken the sensible step of encrypting the personal data under their stewardship where other controls may be absent or the data may otherwise be put at risk.
Under GDPR if done consistently and effectively this will still provide one of the justified exemptions for notifying data subjects of a breach. That is, where the controller has:
“Implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption.”
Well implemented security controls will, therefore, be more critical than ever in staying on the right side of the law. But really, so far, business as usual and not exactly a huge leap for ‘the Good,’ right?
A significant change, however, will be that the responsibility for protecting personal information under GDPR will now clearly extend to data processors, as well as data controllers. This should come as some welcome news for many of ‘the Good’ controllers who have on occasion, struggled with gaining suitable levels of assurance from a certain breed of suppliers and service providers.
That is the ones who may initially profess high standards to win the controller’s business but in keeping with the general theme here, may bluntly be as described as operating in reality, like ‘cowboys!’
It is, of course, the responsibility of the controller to conduct any necessary diligence to ensure the suitability of their processors. Something already clear under the current Directive and the UK’s existing Data Protection Act (seventh principle; paragraphs 11 and 12, Part 2, Schedule 1) but the intended leveling of the balance of accountability here is noteworthy.
Under GDPR, processors will not only have a legal requirement above any contractual agreement to inform controllers of breaches but they may also have to shoulder the same monetary penalties when things go wrong – which will hopefully focus more attention and efforts towards getting things genuinely right, rather than engaging in smoke and mirrors or tick-box diligence respectively on both sides of the processor/controller fence.
Positions of Good & Bad aren’t always quite that clear cut, however. Going back to Sergio Leone’s movie, Clint Eastwood’s character of Blondie “the Good,” (a.k.a The Man With No Name) is in many respects (and most common understandings of the word) not really more ‘Good’ than his opponents. He is, after all, another gun-toting bounty hunter with an eye on the hidden gold, albeit one who is often quicker on the draw, smarter and luckier.
Indeed, Leonne saw the movie’s title as ironic and its characters and plot, a certain departure from the more simplistic, classic Western mythology. Likewise, in the real world of data protection, whilst some controllers are unquestionably more of ‘the Good’ than others, there will be few beyond the smallest of operations who can genuinely claim to be beyond reproach.
Some are most certainly luckier than others and although not quite as mercenary perhaps as a bounty hunter, commercially operated entities will invariably have to put their bottom line before the cost of any security or data controls which can’t clearly and quantifiably be justified.
Even the very ‘Good’ organizations are unlikely to be completely prepared for the all of the imminent GDPR obligations and enhancements around areas as complex as consent, data anonymisation, trans-border data transfers and the much-debated rights of erasure (formally known as the right to be forgotten).
Which brings us to as good a place as any to veer over into the terrain of the bad… and the downright ugly.
There has been noise and consternation for some time around the additional compliance burdens and costs GDPR will place on businesses and whether it could even put some at a competitive disadvantage. So much so that in 2013 the UK Information Commissioners Office (ICO) commissioned a study with the London School of Economics to look into such implications.
The full report can still be accessed here although one of the key findings was simply that the majority of businesses are presently unable to reliably quantify their current spending in relation to data protection. Making such assumptions around the potential increases in operating cost under GDPR equally difficult to accurately quantify or corroborate.
It is certainly clear, however, that organizations with over 250 permanent employees or those with “core activities” that consist of regular and systematic monitoring of data subjects will need to appoint a permanent and appropriately qualified Data Protection Officer for a minimum of two years. Whilst not of itself, an unreasonable ask and something you would certainly hope larger operations already have, it will likely be a new and tangible cost for many SMEs nonetheless.
It is in the otherwise borderless world of cloud computing that far greater implications and related costs may be felt and are of most concern, however. Some will certainly need to invest in better technology solutions to compliably respond to requests for data deletion, retention or portability – all of which is cost that will no doubt soon be passed on to their customers.
Matters such as the replacement for Safe Harbor for those with US operations, whilst becoming clearer are still not exactly clear as day (see Hudson Harris’s neat recent summary here.) With so much confusion and difference of opinion, even amongst the supposed experts right now about what certain aspects and nuances will mean in practice, there is a risk that unnecessary costs may be incurred by organizations (especially those reactively investing in misguided or poorly advised control measures and consultancy).
Another risk is that although good security and data protection practice should in principle always align and complement one another; disproportionate emphasis, funding and resource may be placed on addressing perceived GDPR gaps to the detriment of other areas of an organization’s cyber defences.
According to a report by Ovum, in December 2015, 66% of the 366 Global IT companies they surveyed were apparently reviewing their business strategies in Europe as a direct result of GDPR. Rather more concerning still, over 50% did not believe they can meet all of the new requirements with 58% of US and and a staggering 62% of German respondents believing that their businesses will likely end up being fined.
Every great movie loves to keep its audience guessing until the very end and the ‘Mexican Standoff’ near the close of TGTB&TU is no exception. GDPR too kept its rather more captive audience in a certain sense of suspense.
Since its first proposal in 2012, there was much speculation and anxiety around the anticipated increase in the level of monetary penalties which authorities could award for data breaches. This element was finally clarified in December 2015 when a two-tier structure was announced, carrying with it maximum fines of up to €20 million or 4% of global annual turnover, whichever is the greater.
When you consider the stats from the Ovum report, things could soon get very ugly indeed. Any such penalties will certainly have to be consistently applied by all supervisory authorities for all equivalent breaches or face potential counter challenge themselves, which would all get rather uglier still.
All of this is before any considerations of compensation to data subjects themselves of course. Article 77 of the makes clear:
“Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Quite how the closing scene of the GDPRs long arrival will play out as it begins to enter in force this spring will remain to be seen. Whether the effects will be good, bad or ugly on your business, operations will depend a lot on the nature of what you do and how you already do it.
Twenty years is a long time in anything, however, and the 95/46/EC Directive was after all written in a world before Big Data, smartphones or even the mass reliance on the Internet we have today. Change is, therefore, inevitable.
Those for whom Privacy & Data Protection is a formal responsibility will no doubt already be reading up on all they can (myself included) and working out what it will mean for their organization.
I also highly recommend referring to the final source text as much as possible, to check fact against some of the FUD and misinformation that’s now out there on this topic. If you haven’t already started to consider it at all, I suggest you do, or to end with a quote from ‘the Man With No Name’: “If your friends stay out in the damp, they’re liable to catch a cold aren’t they… or a bullet.”
About the Author: Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and PCIP (PCI SSC Payment Card Industry Professional.) He is currently the IT security lead for King’s Service Centre supporting the services of King’s College London, one of the worlds’ top 20 universities
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.