Don’t wait, fix what is known – the new EU Data Protection Regulation

Yet another ‘breakfast seminar’, the subject being the upcoming Data Protection Regulation (GDPR). You turn up between 8 and 8.30 for a sandwich and coffee, and the following hour is spent listening to experts speaking on a subject that is burning in the back of the head of every CEO, CTO, CSO and CISO in the EU member states.

Déjà vu – the message is the same again, received loud and clear: the Regulation is not complete, and in fact 30% is incomplete! Panic ensues as the CxOs absorb and comprehend. The news is not new, it’s just that as each month passes, eating into the end of 2015, the CxOs are expecting something new!

Focus on what we know, there is so much to do without losing sleep over the unknowns!

I am disappointed again, and have to stop myself jumping up and stealing the stage. What I am missing is the message stating what is actually in place, what we know. The message that 30% is incomplete is not contextually correct. Sure, member states cannot agree on specifics, e.g. should fines imposed on offenders not following the rules be 2% or 5%, and should the breach notification deadline be 24 or 72 hours? However, what has been decided are the basic underlying principles that were defined in the EU Data Protection Directive of 1995. The Directive has 2 fundamental goals:

  1. To facilitate the flow of personal data across national borders within the EU, and
  2. Protect the rights of EU data subjects.

All the legal text written within the Directive, and the upcoming Regulation, is founded on these goals. The EU Data Protection Directive (as is all privacy legislation worldwide) is based on 8 privacy principles (OECD Guidelines): Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability (the podcast gives an intense view of these). These principles have been further classified into 11 in the ISO 29100 Privacy Framework standard, whereby Consent and Data Minimisation have been broken out and described further.

There is so much CxOs can do before the Regulation is finalized and implemented. Principally, one can establish the gap between the local Data Protection legislation and the Directive (1995). For example, in Sweden this is significant. Personal data is public information due to a clash with the Freedom of the Press Act, which makes the Swedish Data Protection Act somewhat impotent. Today 996 Swedish companies have something called an ‘utgivningsbevis’ which permits them to publish and make money from the personal data of Swedish citizens and residents. The data subject in Sweden has no right to have this data removed… believe me, I’ve tried! This is incompatible with the Directive, and the upcoming Regulation. There are also some interesting deviations in how structured and unstructured personal data is treated; basically, how the existing laws deal with unstructured personal data will not be compatible with the Regulation, just as it is incompatible with the Directive today. Both of these examples are in contradiction of some/all of the 8 privacy principles that the Directive and the Regulation are grounded upon. There is so much work to do now…

So I’m going to help you to help yourself! You can get an intense exposure to the 8 privacy principles in the podcast, but it is pretty intense, and you need to stay focused for 12 minutes of listening to my voice… maybe not easy 😉


Alternatively, if you want to fast-track yourself or some keen privacy enthusiasts in your company to be ready to run in 2016, I have just launched a 10-hour online course (Privacy & Data Protection – Introduction) that is kind on time and budget (€225). The learner will earn a Privacy EAGLE badge that is compatible with Mozilla’s OpenBadge standard. Sitting behind the learning platform, in addition to myself, will be a young lady legal geek qualified in both English and Swedish IT and Data Protection law.

Tip #3/10 – the GDPR KISS – the new EU Data Protection Regulation

I am frustrated by the number of companies that say they do privacy, when they don’t know what ‘privacy’ is! Just because a consulting company states they have consultants on privacy projects does not mean they are privacy experts. They are not lying, it’s just that they don’t know themselves. Having said this, I ‘take my hat off’ to a couple of security consulting companies that are taking steps to proactively extend the skill-set of their consultants into privacy. But what does this mean?

Privacy, i.e. data protection, kept short and simple is what we all want…

Clearly the Regulation is not short and it is not simple. Trying to implement a privacy program across your organization fueled by the stringent requirements of the Regulation is enough to keep any CxO awake at night. The punishment of a fine of 4% of global turnover is not being taken lightly by any of those I talk with. There is more confusion pertaining to ‘well, what does it mean?’

I have touched briefly in another post on the fundamental building blocks of privacy, and the legal text is based upon these fundamental goals and principles. Hence, despite the legal complexity of the GDPR, it does offer hope for us normal guys and girls that don’t eat legal jargon for breakfast!

Just to recap, the Regulation at its most basic level has 2 fundamental goals: 1) to facilitate the flow of personal data across national borders within the EU, and 2) to protect the rights of EU data subjects. Moreover, it is founded on 8 easy-to-understand privacy principles that have been around since 1980 in the OECD Guidelines, and in fact these were originally adapted from the US FIPPs (Fair Information Privacy Principles) defined in 1973.

These 8 principles are:

  • Collection Limitation – There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate with the knowledge or consent of the data subject;
  • Data Quality – Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date;
  • Purpose Specification – The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as not incompatible with those purposes, and as are specified on each occasion of change of purpose;
  • Use Limitation – Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except (a) with the consent of the data subject; or (b) by the authority of law;
  • Security Safeguards – Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure;
  • Openness – There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller;
  • Individual Participation – An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him, within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended;
  • Accountability – A data controller should be accountable for complying with measures which give effect to the principles stated above.

The podcast accompanying this post provides an intense view of the principles, along with some contextual help.


Ready to go – the new EU Data Protection Regulation

It was quite a delightful start to the day to find the news on the agreement of the new EU Data Protection Regulation (GDPR). Clearly it is not complete yet with all the legal text, but the end of January 2016 is realistic!

I thought to discuss some of the main points that are getting most publicity in the press…

Fines 4% of global sales

Companies that don’t abide by the rules will potentially face fines up to 4% of global turnover (sales). Clearly from a privacy advocate and privacy professional perspective this is good news.

The new data protection laws are graced with a strong set of teeth.

However, putting on my business hat, the way fines are calculated is not fair to those companies that operate on low margins versus those that operate on high margins, because the fine is aligned to sales, not to profits. I am not sure whether ‘up to 4%’ of global turnover means that each company will be treated based upon the nature of its business, i.e. low margins pay 1%. If this is the case, criteria must be defined over the next 2 years to be able to do this in order to achieve consistency across member states.

Regardless, whichever camp your business is sitting in, a fine of this nature from the data protection commission is going to hurt!

Shared liability

If you are a data processor and not a controller today, you are blessed with immunity. Once the law becomes effective you will have joint liability with the data controller. So if they do their job badly, your business will suffer.

What I see happening is the implementation of a new type of Privacy Level Agreement (PLA) that works in the direction from the processor to the controller. After all, data controllers have already covered their liability in the form of SLAs that include protection of personal data aligned with existing data protection laws by jurisdiction, but there is no protection today to protect processors from incompetence of the data controller.

The right to be forgotten

Now this has been around in the Directive since 1995. It gives data subjects the right to have their personal data corrected if inaccurate, and expands their right to remove irrelevant or outdated information. So if this is nothing new, why all the fuss? Well, I don’t think many member states, if any at all, have implemented it in their national data protection laws. This is certainly the case in Sweden.

Hence, if they don’t already have the mechanisms, companies will need to have the processes and security mechanisms implemented to be able to deal with requests from data subjects. This includes validating that requesters are who they say they are when a request is made pertaining to personal data. Those online services giving direct access to personal data, i.e. via the web or an app within the service, e.g. Facebook, Amazon, etc., have a clear advantage; many are getting to grips with the security of user access, even offering 2-factor authentication.

Parental consent for minors

The new Regulation includes extra protections for minors, i.e. children under 16 years old (with the option for member states to reduce this to 13 years). Parental ‘explicit’ consent is required for the collection of personal data of minors. There are some rather bad posts and publicity concerning this new provision, which are unfounded. There has been a law in the US protecting the personal data of minors (under 13 years) in force since 1998! So the question should be why we in the EU took so long. Clearly there are some practicalities here, many due to the fact that we didn’t do something earlier. In any case, we can look to the US for some guidance here.

‘Unambiguous’ consent

This is the one I have the main problem with. My vote was with ‘explicit’ consent being required from the data subject for the collection, processing and sharing of personal data. An example of ‘explicit’ consent is a ‘tick-box’ on a form on a web page saying you agree to the privacy policy. ‘Implicit’ consent can be implied by behavior, e.g. continued use of a service.

Now ‘unambiguous’ is in-between ‘implicit’ and ‘explicit’. I can’t actually find a clear definition of what this actually is! So I really don’t like this ‘half-way house’ approach.

Data Protection Officer (DPO)

It has been decided that all large companies must have a DPO. This role has been defined as mandatory, except for small and medium-sized companies, unless data processing is core to their business.

In fact, when you look at the penalties for non-compliance, it is probably prudent to have some form of DPO, even if you are not large. One of the aspects that was in the 2012 version was some form of ‘independent’ function. I expect a new market offering DPO timeshares to pop up to fill this need.

Is there more?

Yes loads, so watch this space, I don’t want to overload you with too much in one go 😉

Tip #2/10 – Eat the Elephant – the new EU Data Protection Regulation

The latest I heard is that some form of final version is coming out on 20 December. Does it mean that it is final? No, not yet. However, this does not stop you thinking and planning next steps in privacy compliance, to get ahead of the crowd, based on what we do know! Why should you start now? Well, I’ve written on that already, but to summarize: because the party hasn’t started yet. When it does, you will know, as the legal guys will be having a party at your expense!


Where should a Privacy Program belong in your organization? And this is the fundamental question you need to ask yourself: who owns privacy, is it legal, is it IT operations, or security operations? If you were to look around at global organizations that have privacy programs, you will find that they are sitting under the legal arm, and hence populated with legal guys and girls. (As a side-note, that’s one of the cool things about privacy, there is balanced gender diversity. I even have to queue for the rest-rooms at privacy conferences, which is not the case in information security ;))

So you have an interesting mental activity to occupy yourself over the Christmas and New Year break. Visualize how it’s going to work in your business, as a ‘thought experiment’. Clearly I have my opinions which I’m going to share with you now…

To give you an appreciation of what lies ahead of you, and why I think as I do: one of the first projects that you will need to task yourself with is documenting every personal data collection point in your organization. For example, a web page where your customers share their name and address, or your sales & marketing engines. Depending on the size and nature of your business, this can be daunting. If you get this wrong, and hand the privacy program to your legal team, you risk creating a chasm in your business between a legal team focused on being ‘legally’ compliant, IT/security operations, and the executive team. And why? Because nobody in your business understands legal jargon except the legal guys, who basically speak from a ‘legal’ standpoint, and basically no sane individual wants to read and interpret legal text except for a legal guy! The question and challenge is how to map this to your business.

Create a ‘Privacy Architect’ role to be the ‘spider’ in your privacy ‘web’, i.e. Privacy Program

What I see as one of the largest initial risks is that your privacy project risks becoming an enormous elephant that will basically give you indigestion if you try to execute. This is where I say do not bring in the legal guys yet. Get some of your senior information security team that are great architects and PM guys (Project Managers) involved. You need to train them though, but it’s much easier to train these guys in privacy than it is to train legal expertise in your business operations. What’s more, if you pull together the right guys, they will thank you, as privacy is such a cool career move! Your privacy team will be motivated and bring loads of energy, a recipe for success in your privacy program. In fact, I would advise you to create a ‘Privacy Architect’ role, and give them a ‘carrot’ to get certified in privacy and data protection principles (Certified Information Privacy Professional, CIPP). This individual should be tasked to map all data collection points in your business, package them into individual projects, and pass them on to project managers who are trained in privacy, who you could call your ‘privacy champions’. Your ‘Privacy Architect’ will be the ‘spider’ in your privacy ‘web’. Clearly you need to bring in the legal guys, but do this as and when necessary.

What is smart about doing it this way is that you map your privacy program into neat projects aligned to the privacy ‘purpose’ principle, which has in fact been around since 1973:

  • A privacy principle mentioned in the Fair Information Privacy Practices (FIPPs) in the US in 1973;
  • The ‘Purpose Specification’ privacy principle is 1 of 8, defined in 1980 by the OECD Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data. These guidelines have become the framework of privacy practices and regulations worldwide;
  • It is 1 of the 11 Privacy Framework Principles (ISO 29100) of 2011, where it is described as ‘Purpose legitimacy & specification’.

So you have an awful lot to be starting with, and maybe even enough to go beyond the ‘thought experiment’ mentioned at the beginning of this article.

Tip #1/10 – Get Started – the new EU Data Protection Regulation

Qu.1 – Who owns personal data, is it the Data Subject or the Data Controller?

Does it really matter? Yes, because by asking this question you can weed out the real privacy experts from those who claim they are experts.

The answer to this question is fundamental to privacy and data protection principles, not just the Regulation. If you get this wrong, you will get it all wrong. The funny thing is that most IT and information security experts will get it wrong. This is not surprising because they spend most of their working life protecting the intellectual property of their employers and clients, so it would never occur to them that personal data stored by the company (data controller) does not belong to the company, but to the data subjects themselves.

Personal data belongs to the Data Subject, not the Data Controller!

So I’m a skeptic, but a deserving one at that, having come from the camp of information security experts myself. I almost cringe at my early consulting efforts to assist one especially large client, who decided that compliance with the Data Protection Directive would be a good thing. I was so focused on the information security aspects that I missed everything else.

Qu.2 – Privacy is the flip side of the coin to Security?

I often hear that privacy is the flip side of the coin to security, when in fact the inverse is true. These sweeping statements imply that privacy is a part of security, or a mirror of security, or in the best case that it is security versus transparency. However, privacy is not security, nor is it purely transparency. Security is needed for privacy, and this is about as far as the boundaries of security go within the scope of privacy.

Qu.3 – Privacy is about compliance the same as Information Security, right?

Any individual who claims that compliance with the Data Protection Regulation can be managed under the same umbrella as an InfoSec Program knows nothing about privacy. Much of the Regulation is focused on controlling the collection, quality and processing of personal data. It is about protecting the rights of the data subject. It is about ensuring transparency and openness between the data controller and the data subject. There must be evidence showing that the data controller is taking seriously its role as guardian of the personal data, and in the Regulation this will be strongly enforced.

Qu.4 – This is going to be expensive?

Now it is 2015 and the new Regulation is peeking at us from just around the corner. During the second half of this year I have become increasingly concerned that this time- and money-wasting scenario that I inflicted on some poor client all that time ago is going to be repeated 100s, 1000s and millions of times across the EU, by 100s, 1000s and millions of young, and older, energetic and enthusiastic information security consultants during the next 2 years and more. It’s going to be expensive unless you take some action yourself.

Qu. 5 – Now where do I start?

So what can you do to help yourself? Apart from the very simple question I posed at the beginning of this article, I have some nuggets of gold, where you can find some privacy wisdom, which you can check out for yourself…

  • If you want to get certified in privacy… read the next bullet point… I would love to have you join the global movement of privacy professionals!
  • Visit the International Association of Privacy Professionals (IAPP) website. There you will find the real privacy experts from all around the world. You need to look for individuals that have the CIPP (Certified Information Privacy Professional) certifications, which can be likened to CISSP in information security. Here you will find experts in privacy that could be technical and/or security and/or qualified in law.
  • IAPP have great conferences globally. I was in Washington in April and Glenn Greenwald (Snowden files) was keynote; it was a great place to absorb the amount of expertise on tap concerning privacy and data protection, and to network. The one scheduled to be in Brussels this week was cancelled.
  • They also have local KnowledgeNets around the world (even in the cold Nordics ;)) where you can network with the local privacy geeks.
  • 4 times a year a ‘Privacy After Work’ bash is scheduled wherever there are KnowledgeNets, and the next is on Data Protection Day, 28 January 2016; let me know if you want to join us for the one in Stockholm!

If you just want a basic grounding – I have just released an online 10-hour training available for only €225 that opens for registration on 1 December 2015. This is a great and inexpensive route to get yourself or your privacy champions on-boarded with the new Regulation.

Articles from 5 of the top-rated speakers at Nordic IT Security Forum 2015

They almost achieved a brain melt-down at the Nordic IT Security Forum this year. The atmosphere was on a par with InfoSec Europe, but better. Better because this is the Nordics: we are only 9 million in Sweden alone, and even counting Finland, Norway and Denmark together we are nowhere near the density of InfoSec enthusiasts, experts and products found in the UK. The UK boasts a population of over 64 million. Clearly we can’t compete in the Nordics, but we don’t want to!

It was great to find lots of really cool guys from Finland, Norway and Denmark with us. We were graced with the presence of Mikko Hypponen, who delivered a great keynote, and David Lacey from the UK, the brains behind the ISO27000 standard and the Jericho Forum, was among our ranks, not forgetting the towering presence of Mika Kataikko! I was moderating among the esteemed female security ranks of Ann-Marie Eklund Löwinder and some other guys too, who were great, but Ann-Marie outshines them all 🙂

I was delighted to find even more Brits over in Stockholm; Jason Hart was great! A former ethical hacker, he left me with a very simple message: “you will be hacked, accept and prepare”. His argument was that we waste so much time and energy trying to block the inevitable, when it just makes more sense to transfer those energies. It reminds me of quantum physics, funnily enough. Basically they were scratching their heads for many years trying to place quantum as a part of the existing laws of physics and got nowhere. Progress was only made when it was accepted that quantum cannot be understood. Acceptance opens a new world, and a blank sheet to start working on that presents a new breed of questions.

So did I make new contacts? The problem was that I was so busy moderating or speaking that I missed out on a whole load of networking. However, I saw everyone else was busy, so I’ll try to do better next year!

Well, now you’ve read all my ramblings I’d better finally get to the point: articles written by 5 of the top-ranked speakers at #nordicitsec can be found here, of whom I am privileged to be one.