Administrative Fines

GDPR: Administrative Fines for Data Breach, 4% or 2%?

As we all know, and as we are all sick to death of hearing, the final version of the GDPR dated 27th of April 2016 has, in Article 83, provision for the “imposition of administrative fines”. Having read through that Article (General conditions for imposing administrative fines) about a 1,000 times I came to the conclusion that the:

  1. 4% / €20M fines were going to be reserved for infringements of processing (data subject rights, legal basis for processing etc.); and
    o
  2. 2% / €10M fines would cover data breaches

From that point forward I was on a mission to embarrass any cybersecurity organisation using the GDPR fine structure as a launchpad into a bulls*** sales pitch. Because they always, I mean ALWAYS, used 4% /€20M as their benchmark.

But why am I so convinced that it’s 2% not 4%? First, you have to take a very close look at the Articles to which the individual fine structures refer.

Article 83(4) (2% / €10M) refers to (sorry, this a long list):

  • Article 8 – Conditions applicable to child’s consent in relation to information society services
  • Article 11 – Processing which does not require identification
  • Article 25 – Data protection by design and by default
  • Article 26 – Joint controllers
  • Article 27 – Representatives of controllers or processors not established in the Union
  • Article 28 – Processor
  • Article 29 – Processing under the authority of the controller or processor
  • Article 30 – Records of processing activities
  • Article 31 – Cooperation with the supervisory authority
  • Article 32 – Security of processing
  • Article 33 – Notification of a personal data breach to the supervisory authority
  • Article 34 – Communication of a personal data breach to the data subject
  • Article 35 – Data protection impact assessment
  • Article 36 – Prior consultation
  • Article 37 – Designation of the data protection officer
  • Article 38 – Position of the data protection officer
  • Article 39 – Tasks of the data protection officer
  • Article 41(4) – Monitoring of approved codes of conduct
  • Article 42 – Certification
  • Article 43 – Certification bodies

It’s clear that the vast majority of these are related to the ‘administration’ of an organisation’s GDPR compliance, and the ONLY 3 Articles related directly to either data security or breach notification are contained here in full. In other words; take the RUNNING of your compliance program seriously, including the confidentiality, integrity and availability of the data itself.

Article 83(5) (4% / €20M) refers to (sorry again, another long list):

  • Article 5 – Principles relating to processing of personal data
  • Article 6 – Lawfulness of processing
  • Article 7 – Conditions for consent
  • Article 9 – Processing of special categories of personal data
  • Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13 – Information to be provided where personal data are collected from the data subject 1.
  • Article 14 – Information to be provided where personal data have not been obtained from the data subject
  • Article 15 – Right of access by the data subject
  • Article 16 – Right to rectification
  • Article 17 – Right to erasure (‘right to be forgotten’)
  • Article 18 – Right to restriction of processing
  • Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 – Right to data portability
  • Article 21 – Right to object
  • Article 22 – Automated individual decision-making, including profiling
  • Article 44 – General principle for transfers
  • Article 45 – Transfers on the basis of an adequacy decision
  • Article 46 – Transfers subject to appropriate safeguards
  • Article 47 – Binding corporate rules
  • Article 48 – Transfers or disclosures not authorised by Union law
  • Article 49 – Derogations for specific situations
  • Article 58(1) – Powers
  • Article 58(2) – Powers

This contains just about everything in the GDPR related to the Principles of privacy itself and Rights of the data subject. In other words, PROCESS the data correctly.

The only link to data security in the whole of Article 83(5) is the reference to Article 5(1)(f) which states; “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

So you tell me, if you lose data, which fines do you think will apply? Seriously, tell me, I’ve not seen any guidance on it and there are many people out there who know this stuff a damned sight better than me.

I work in cybersecurity, I WISH it was 4% /€20M fines, but like I keep saying, data security does NOT equal privacy. The GDPR is about privacy, so which infringements should attract the biggest punishment?

In the end, if you think GDPR is about fines and penalties, you’ve completely missed the point. Don’t believe me? Then take it from Elizabeth Denham, the UK’s Information Commissioner herself, who wrote this excellent blog; GDPR – sorting the fact from the fiction.

And yes, I totally stole her featured image.

[If you liked this article, please share! Want more like it, subscribe!]

Know Your Right to Privacy? Clearly Most of Us Don’t

Most of us are aware that we have a right to privacy, but very few people I’ve spoken actually understand where that is laid out, and what is in place to enforce it on your behalf. Fewer people still take an active part in their own defence.

Before I go any further, I will once again reiterate (as I have in most of my blogs on GDPR), that I am NOT a privacy expert. I do cyber/information security, and while it has very little to do with privacy, it’s clear that the two have become inextricably linked. To the detriment of both I might add.

In my experience, the average person has no idea what their right to privacy means in real terms. They a have an expectation of privacy on the Internet (for example) and are somehow shocked and upset when things go wrong. Usually followed by finger pointing and lawsuits. This is little different from me thinking my right to freedom is somehow violated because I’m stuck in traffic.

To be clear, your human right is “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”. Nothing in here protects you when you give your personal data away for the sake of convenience, personal gain, or a few dozen ‘likes’ on Facebook. Nor should it.

Did you also know that privacy, while a ‘fundamental’ right is not an ‘absolute’ right? For the sake of this argument, fundamental rights are the 30 Articles of the Universal Declaration of Human Rights, and the absolute rights correspond to what are commonly called ‘natural rights’; life, liberty and so on.

For example, and certainly from my perspective, my right to life far outweighs your right to data protection (unless the loss of privacy puts YOUR life at risk!). This is what the GDPR means when it says in Recital 4;

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

But do you know what’s more ludicrous than not understanding your rights? Not understanding that the GDPR and all other privacy regulation were written for YOU! To protect YOU and YOUR loved ones, not to protect the businesses you work for! The number of articles on LinkedIn alone where people are complaining about how difficult/complicated it all is, how it’s impossible to comply, is ridiculous. Are you kidding me?!

This is YOUR data it’s trying to protect, and it’s trying to protect it from the very organisations who segued our personal data into profit for the last few decades without a thought to the impact. It’s putting the power back into your hands, giving you the mechanisms to control who does what with your data.

None of which does you any good if you don’t know what those mechanisms are.

And now be honest; have you even read the GDPR? Not just by giving it the once over, I mean actually READ it? Taken each Recital and tried to translate it into both a simple title and a plain language description that anyone can understand? Taken each Article and mapped it to not only the underlying Recitals, but every external document that supports it?

I have, and it took me over a month. Time well spent given the enormous impact the GDPR is going to have on the very fabric of life online.

The GDPR is the most important step in the world of privacy in a generation, and it is the responsibility of every ‘natural person’ / ‘data subject’ to understand it. As an individual AND an employee, take the time, it’s worth it.

[If you liked this article, please share! Want more like it, subscribe!]

Security Good Practices

When Security Good Practices Aren’t Good Enough

For the better part of 20 years I have fought with – and sometime against – my clients to help them achieve a particular standards of security. Whether it was PCI, ISO 27001 or any other standard, all I have ever done my whole career is beg my clients to take security a little more seriously. I’d say that I have failed more than I have succeeded, security is just not a priority to most organisations. Kinda like insurance.

Recently however, I have had the distinct pleasure to be told that neither the ISO 2700X standards or NIST Cybersecurity Frameworks are enough, they wanted more. A lot more. In fact, they wanted security so good that they could actually use it as a selling point for their services. For security itself to be a distinct and measurable competitive advantage.

Once the shock wore off, we had to work out how we would actually deliver this. Not only have I never been asked for more than ‘good enough’, I’ve never actually thought about what truly great security looked like. For individual components, yes, but not for a soup-to-nuts security program. And I have certainly not given much thought as to how I would begin the implementation of one. What was the point?

So where did we start? First, we had to address:

  1. What standard(s) to use for alignment – like it or not, unless you align yourself to industry accepted good practices, it is far more difficult to demonstrate the ‘appropriateness’ of your security program. Any client with regulatory compliance obligations must bear this in mind;
    o
  2. How to determine what ‘great’ looks like – regardless of the request to go above and beyond, the final result has to be achievable. In an industry plagued with pointless technology and buzz-words, the final result has to be both achievable, and justifiable. If you cannot demonstrate a meaningful ROI you have wasted their money;
    o
  3. What’s is foundational, and what is a separate project – In security, there are a number of basics you cannot do without. What I call core concepts. Management buy-in, governance, policy set etc. Then there are things that can begin as a project before consolidating the output with the whole (logging and monitoring, access control etc.);
    o
  4. What are the client’s business goals / principles – as I’ve said too many times; security is only here to enable the business. If a security solution does not map to a goal it’s wrong; and
    o
  5. How long do we have? – The implementation of any security program takes time, and the more you want the longer it takes. The desire for great security has enormous ramifications on resources and capital expenditure, and absolutely cannot be rushed. The resulting program must not only be sustainable, but it has to be embedded in the culture. We’re talking years, not months, and this must be understood at all levels.

You will notice however that at no point were we concerned with technology. Yes, technology will be enormously important – there can be no great without automation – but technology choices are driven by the processes they are meant to enhance, not a solution by themselves. Besides, it’s always the functional requirements you define first as you have no idea who’s going to be managing it yet.

So we ended up going with a combination of ISO 27001 and the NIST Cybersecurity Framework (v1.1), but we mapped these to what we considered to be the most logical groupings encompassing a full security program. Governance, Policy Set, Risk Management, Asset Management and so on. There are 18 of them.

But even this combination could only ever represent average, as ‘compliance’ with either standard is achievable long before you could be considered secure. So then we had to define a scale where average was where it should be, in the middle, and ‘great’ went up from there. We went with the ages old Capability Maturity Model (CMM), then mapped all of things we believe represent each level. ‘Defined’ = average.

For example, this is what Governance looked like:

The are simply no standards or documents for what happens next. The client has to understand what each of the groupings means, then they have to choose how far up the scale they wish to go. This is a long conversation, and if the results of this conversation aren’t understood at the Board level, we’re already derailed.

There are also many dependencies to consider. You can’t have great vulnerability management without very mature asset management, or business continuity without top notch incident response for example.

And above all, if the implementation of the program is not simple, with clear direction and guidance, the people who have to do the work will never get on board. Nor will they ever be able to manage it after we’re gone.

Honestly, I have no idea how this is going to end up, I’m in new territory for the first time in many years. This is also the first blog I think I’ve written where I’m not either trying to help, or bitching about someone/something.

I just thought I’d share something positive for a change, and I look forward to sharing my numerous mistakes and lessons learned! 🙂

[If you liked this article, please share! Want more like it, subscribe!]

Data Protection

GDPR and DPA are Not Actually About Data Security

Before you get up in arms, yes, both the DPA and GDPR contain elements of true data protection, but addressing that can be summarized in 3 words; ‘appropriate security measures‘. Everything else in both the GDPR and DPA refers to privacy.

In case you’re not familiar with the difference between security and privacy – or haven’t ready any of my other blogs – data security does NOT equal privacy. Loss of data can potentially lead to a loss in privacy, but misuse of the data is not prevented by the normal implementation of data security controls. Misuse of data = loss of privacy.

For example; even a data-centric security control like Data Loss Prevention (DLP) is not going to tell you if you have appropriate consent, legitimate interest, or appropriate contract language.

So imagine the confusion of the vast majority of the population, who have likely not read either regulation, when unscrupulous cybersecurity experts offer unqualified ‘GDPR compliance’ services. That’s like a plumber offering to build the entire house …maybe they have the skills, but what are the chances?

In truth, the laws should be called the General Data Subject Privacy and Data Protection Regulation (GDSPDPR) and the Data Subject Privacy and Data Protection Act (DSPDPA) respectively. Because that is exactly what they are. Even I hate acronyms greater than 4 characters, but it would have helped!

So how did this confusion begin in the first place? First you have to remember that our concept of data in the 2010’s is very different from that even 20 years ago? Think amount this prediction for a minute; ‘More data will be created in 2017 than the previous 5,000 years of humanity’. Or this one; ‘Amount of Data Created Annually to Reach 180 Zettabytes in 2025‘ (that’s 180 TRILLION gigabytes). Would you have even considered this possible in 1997 when the price of storage per gigabyte was around $175.00 USD? It’s now less than 2 cents.

Frankly we really weren’t that concerned about the data stored, especially in the [almost] absence of technologies such as big data processing or AI. Now it’s all about the data. Partly because of these ‘new’ technologies (amongst others), we are now equating the storage and failure to protect our data with transgressions against our privacy. They are not.

To compound the problem, the incredible rate of innovation in mobile devices has given us unprecedented functionality and convenience. While our options to self-educate on the impact of this convenience has likewise improved, the majority of us just can’t be bothered. We prefer instead to complain and blame others when things go wrong. We’d rather listen to those who are promising the world, instead of those who offer real solutions.

With GDPR and the new DPA now we don’t have to worry too much about this as data subjects, it’s the organisations who are responsible for putting control of our data back in our hands. But if you represent an organisation, you better know the difference between data security and data privacy.

There is no excuse, or lenience, for ignorance.

[If you liked this article, please share! Want more like it, subscribe!]

Consent as a Service

GDPR: Data Subject Consent as a Service (DSCaaS), it’s Coming

In [X]aaS, The Outsource of Everything I made fun of the trend to “…as a Service.” everything under the sun, and that eventually we would run out of letters. Well, that happened years ago, so we’re now doubling and tripling up on the letters. Data Subject Consent as a Service (DSCaaS) is my latest attempt in a long line of failures to coin an acronym.

It’s every security professional’s dream.

And yes, Privacy Consent as a Service (PCaaS) would have been better, but that was taken by those damned Personal Computers!

Regardless of what it’s called, I believe the service is not only viable, it’s basically a necessity. 99% of organisations simply do not have the skill-sets, knowledge, or technical capability to manage the collection and management of consent. Especially in a fashion that has been vetted by privacy experts and kept up to date with EU-wide precedent.

Not that consent will be an organisation’s first choice for complying with GDPR. Legitimate Interest, contractual language, even binding corporate rules will likely be easier to maintain. But to get any of these to work requires each organisation to hire their own lawyers, and I’m fairly sure a lot of us would rather pay for a technology instead.

One of the first hurdles for any service like this is to explain to organisations that having yourselves the data is not your competitive edge. Making the best use of the data is. The only thing you should really care about is getting what you need out of the data, not what it took to get there, and definitely not where the data is. And let the experts worry about how to do that in line with the GDPR.

It’s like when I ask a room-full of merchants if credit cards are core to their business. 99% of them say yes, when it’s actually being paid that’s core to their business, not how they were paid.

So what does DSCaaS look like?

  1. First, it must clearly be a Cloud-based service with a seamless iFrame-esque integration with your organisation’s webpage. Where you would normally collect the personal information on your webpages, you would simply redirect this collection to a 3rd party provider;
    o
  2. Depending on the type of information collected and the reason for collection, very simple consent notices can be developed. For e-commerce for example, these consent notices can be pretty much boiler-plated into; payment authorisation, product/service updates, customer service, marketing, etc. For HR, these would be in-line with the individual employment contract and so on. This consent is now tracked by the DSCaaS provider;
    o
  3. The existing personal data previously collected by the organisation would be normalised/parsed and imported into the service in order to allow for the following:
    1. The removal of the vast majority personal data from an organisation’s systems (using tokenisation and APIs to link existing systems if required);
    2. tracking and collection of consent, plus renewal of consent where necessary;
    3. automated personal data removal/destruction based on data retention policies;
    4. online portal for data subject to change/erase data, or demand processing cessation;
    5. all data controller and processor contracts in place.
      o
  4. DSCaaS provider would need to be able to demonstrate ‘appropriate security measures’ through compliance with (and/or certification to) well-known standard like ISO 27001, ITIL, COBIT, NIST and so on;
    o
  5.  DSCaaS provider would have existing and robust relationships with supervisory bodies (ICO in the UK for example) to standardise reporting of processing (if required).

Clearly this is oversimplified, but if there’s one thing missing in all of these bandwagon ads for GDPR services it’s the spreading of the cost across multiple parties. Especially as it’s very likely that the millions of smaller organisation cannot afford privacy expertise on an individual basis.

The intent of the GDPR is a good one, and organisations have to understand that the data they are making so much money off does not belong to them. While I have no issue with them doing so – as long as I also benefit – I want complete control over what happens to it. The vast majority of organisations in the UK cannot even comply with the existing DPA, let alone one amended inline with the draft Data Protection Bill. For organisations to ‘comply’ with the intent of the GDPR, they will need help, and that help will not come from cybersecurity organisations, ‘certified’ GDPR practitioners, and not even privacy lawyers. It will come from organisations who combine all of these skills into a service where access to data is appropriately controlled.

Gone are the days when you could do whatever you wanted to profit from personal information. It’s what you do WITH the data that matters, and it’s almost always the best ideas that win out. We all need help doing that appropriately.

[If you liked this article, please share! Want more like it, subscribe!]