Ready to go – the new EU Data Protection Regulation

It was quite a delightful start to the day to find the news on the agreement of the new EU Data Protection Regulation (GDPR). Clearly it is not complete yet with all the legal text, but end of January 2016 is realistic!

I thought to discuss some of the main points that are getting most publicity in the press…

Fines 4% of global sales

Companies that don’t abide by the rules will potentially face fines up to 4% of global turnover (sales). Clearly from a privacy advocate and privacy professional perspective this is good news.

The new data protection laws are graced with a strong set of teeth.

However, putting on my business hat, the way fines are calculated is not fair to companies that operate on low margins versus those that operate on high margins, because the fine is aligned to sales, not to profits. I am not sure whether ‘up to 4%’ of global turnover means that each company will be treated based upon the nature of its business, i.e. low margins pay 1%. If this is the case, criteria must be defined over the next 2 years to be able to do this consistently across member states.

Regardless, whichever camp your business is sitting in, a fine of this nature from the data protection commission is going to hurt!

Shared liability

If you are a data processor and not a controller today, you are blessed with immunity. Once the law becomes effective you will have joint liability with the data controller. So if they do their job badly, your business will suffer.

What I see happening is the implementation of a new type of Privacy Level Agreement (PLA) that works in the direction from the processor to the controller. After all, data controllers have already covered their liability in the form of SLAs that include protection of personal data aligned with existing data protection laws by jurisdiction, but nothing today protects processors from the incompetence of the data controller.

The right to be forgotten

Now this has been around in the Directive since 1995: the right for data subjects to have their personal data corrected if inaccurate, now expanded with the right to have irrelevant or outdated information removed. So if this is nothing new, why all the fuss? Well, I don’t think many member states, if any at all, have implemented it in their national data protection laws. This is certainly the case in Sweden.

Hence, companies that don’t already have the mechanisms will need to implement the processes and security mechanisms to deal with requests from data subjects. This includes validating that requesters are who they say they are when a request is made pertaining to personal data. Online services that give direct access to personal data, i.e. via a website or app within the service, have a clear advantage (e.g. Facebook, Amazon, etc.), as many are already getting to grips with the security of user access, even offering 2-factor authentication.

Parental consent for minors

The new regulation includes extra protections for minors, i.e. children under 16 years old (with the option for member states to reduce this to 13 years). Parental ‘explicit’ consent is required for the collection of personal data of minors. There have been some rather bad posts and publicity concerning this new provision, which are unfounded. There has been a law in the US protecting the personal data of minors (under 13 years) in force since 1998! The question should rather be why we in the EU took so long. Clearly there are some practicalities here, many due to the fact that we didn’t do something earlier. In any case we can look to the US for some guidance here.

‘Unambiguous’ consent

This is the one I have the main problem with. My vote was for ‘explicit’ consent being required from the data subject on the collection, processing and sharing of personal data. An example of ‘explicit’ consent is a ‘tick-box’ on a web-page form saying you agree to the privacy policy. ‘Implicit’ consent can be implied by behavior, e.g. continued use of a service.

Now ‘unambiguous’ is in-between ‘implicit’ and ‘explicit’. I can’t actually find a clear definition of what this actually is! So I really don’t like this ‘half-way house’ approach.

Data Protection Officer (DPO)

It has been decided that all large companies must have a DPO. This job has been defined as mandatory, except for small and medium-sized companies, unless data processing is core to their business.

In fact, when you look at the penalties for non-compliance, it is probably prudent to have some form of DPO even if you are not large. One of the aspects that was in the 2012 version was some form of ‘independent’ function. I expect a new market offering DPO timeshares to pop up to fill this gap.

Is there more?

Yes loads, so watch this space, I don’t want to overload you with too much in one go 😉

Tip #2/10 – Eat the Elephant – the new EU Data Protection Regulation

The latest I heard is that some form of final version is coming out on 20 December. Does that mean it is final? No, not yet. However, this does not stop you thinking and planning next steps in privacy compliance, to get ahead of the crowd, based on what we do know! Why should you start now? Well, I’ve written on that already, but to summarize: because the party hasn’t started yet. When it does, you will know, as the legal guys will be having a party at your expense!

Where should a Privacy Program belong in your organization? This is the fundamental question you need to ask yourself: who owns privacy? Is it legal, IT operations, or security operations? If you look around at global organizations that have privacy programs, you will find that they sit under the legal arm, and hence are populated with legal guys and girls. (As a side-note, that’s one of the cool things about privacy: there is balanced gender diversity. I even have to queue for the rest-rooms at privacy conferences, which is not the case in information security ;))

So you have an interesting mental activity to occupy yourself over the Christmas and New Year break. Visualize how it’s going to work in your business, as a ‘thought experiment’. Clearly I have my opinions, which I’m going to share with you now…

To give you an appreciation of what lies ahead of you, and why I think as I do: one of the first projects you will need to task yourself with is documenting every personal data collection point in your organization, for example a web-page where your customers share their name and address, or your sales & marketing engines. Depending on the size and nature of your business, this can be daunting. If you get this wrong and hand the privacy program to your legal team, you risk creating a chasm in your business between a legal team focused on being ‘legally’ compliant, IT/security operations, and the executive team. And why? Because nobody in your business understands legal jargon except the legal guys, who basically speak from a ‘legal’ standpoint, and basically no sane individual wants to read and interpret legal text except a legal guy! The question and challenge is how to map this to your business.

Create a ‘Privacy Architect’ role to be the ‘spider’ in your privacy ‘web’, i.e. Privacy Program

What I see as one of the largest initial risks is that your privacy project becomes an enormous elephant that will basically give you indigestion if you try to execute it. This is where I say: do not bring in the legal guys yet. Get some of your senior information security team who are great architects and PMs (Project Managers) involved. You will need to train them, but it’s much easier to train these guys in privacy than it is to train legal expertise in your business operations. What’s more, if you pull together the right guys, they will thank you, as privacy is such a cool career move! Your privacy team will be motivated and bring loads of energy, a recipe for success in your privacy program. In fact I would advise you to create a ‘Privacy Architect’ role and give them a ‘carrot’ to get certified in privacy and data protection principles (Certified Information Privacy Professional, CIPP). This individual should be tasked to map all data collection points in your business, package them into individual projects, and pass them on to project managers who are trained in privacy, who you could call your ‘privacy champions’. Your ‘Privacy Architect’ will be the ‘spider’ in your privacy ‘web’. Clearly you need to bring in the legal guys, but do this as and when necessary.

What is smart about doing it this way is that you map your privacy program into neat projects aligned to the privacy ‘purpose’ principle, which has in fact been around since 1973:

  • A privacy principle mentioned in the Fair Information Privacy Practices (FIPPs) in the US in 1973;
  • ‘Purpose Specification’ privacy principle is 1 of 8 defined in 1980 by the OECD Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data. These guidelines have become the framework of privacy practices and regulations worldwide;
  • 1 of the 11 Privacy Framework principles (ISO 29100) of 2011, where it is described as ‘Purpose legitimacy & specification’.

So you have an awful lot to be starting with, and maybe even enough to go beyond the ‘thought experiment’ mentioned at the beginning of this article.

Tip #1/10 – Get Started – the new EU Data Protection Regulation

Qu.1 – Who owns personal data, is it the Data Subject or the Data Controller?

Does it really matter? Yes, because by asking this question you can weed out the real privacy experts from those who claim they are experts.

The answer to this question is fundamental to privacy and data protection principles, not just the Regulation. If you get this wrong, you will get it all wrong. The funny thing is that most IT and information security experts will get it wrong. This is not surprising, because they spend most of their working life protecting the intellectual property of their employers and clients, so it would never occur to them that personal data stored by the company (data controller) does not belong to the company, but to the data subjects themselves.

Personal data belongs to the Data Subject, not the Data Controller!

So I’m a skeptic, but a deserving one at that, having come from the camp of information security experts myself. I almost cringe at my early consulting efforts to assist one especially large client, who decided that compliance with the Data Protection Directive would be a good thing. I was so focused on the information security aspects that I missed everything else.

Qu.2 – Privacy is the flip side of the coin to Security?

I often hear that privacy is the flip side of the coin to security, when in fact the inverse is true. These sweeping statements imply that privacy is a part of security, or a mirror of security, or in the best case that it is security versus transparency. However, privacy is not security, nor purely transparency. Security is needed for privacy, and this is about as far as the boundaries of security go within the scope of privacy.

Qu.3 – Privacy is about compliance the same as Information Security, right?

Any individual who claims that compliance with the Data Protection Regulation can be managed under the same umbrella as an InfoSec Program knows nothing about privacy. Much of the Regulation is focused on controlling the collection, quality and processing of personal data. It is about protecting the rights of the data subject. It is about ensuring transparency and openness between the data controller and the data subject. There must be evidence showing that the data controller is taking seriously its role as guardian of the personal data, and in the Regulation this will be strongly enforced.

Qu.4 – This is going to be expensive?

Now it is 2015 and the new Regulation is peeking at us from just around the corner. During the second half of this year I have become increasingly concerned that the time- and money-wasting scenario I inflicted on some poor client all that time ago is going to be repeated 100s, 1000s and millions of times across the EU, by 100s, 1000s and millions of young and older, energetic and enthusiastic information security consultants during the next 2 years and more. It’s going to be expensive unless you take some action yourself.

Qu. 5 – Now where do I start?

So what can you do to help yourself? Apart from the very simple question I posed at the beginning of this article, I have some nuggets of gold, places where you can find some privacy wisdom, which you can check out for yourself…

  • If you want to get certified in privacy… read the next bullet point… I would love to have you join the global movement of privacy professionals!
  • Visit the International Association of Privacy Professionals (IAPP) website. There you will find the real privacy experts from all around the world. You need individuals who hold the CIPP (Certified Information Privacy Professional) certification, which can be likened to CISSP in information security. Here you will find experts in privacy who may be technical and/or security and/or qualified in law.
  • IAPP has great conferences globally. I was in Washington in April, where Glenn Greenwald (Snowden files) was keynote; it was a great place to absorb the amount of expertise on tap concerning privacy and data protection, and to network. The one scheduled to be in Brussels this week was cancelled.
  • They also have local KnowledgeNets around the world (even in the cold Nordics ;)) where you can network with the local privacy geeks.
  • 4 times a year a ‘Privacy After Work’ bash is scheduled wherever there are KnowledgeNets, and the next is on Data Protection Day, 28 January 2016. Let me know if you want to join us for the one in Stockholm!

If you just want a basic grounding, I have just released an online 10-hour training available for only €225 that opens for registration on 1 December 2015. This is a great and inexpensive route to get yourself or your privacy champions onboarded with the new Regulation.