GDPR Deadline

GDPR: May 25th is NOT a Deadline!

It seems there are only two ways to sell GDPR products and services:

  1. Tell everyone they are going to get fined €20M or 4% of their annual revenue; and
  2. Tell everyone that they only have until May 25th to get compliant or they’re in big trouble

These are both utter nonsense.

While the monster fines are a theoretical possibility (per Article 83), I would hope by now that you know they will be reserved for the VERY worst offenders. If you don’t, read this from the UK’s Information Commissioner herself: GDPR – sorting the fact from the fiction. My favourite quote being:

“Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”

And not one of these 16 (0.09% of the total!) was anywhere near the maximum of £500K, so forget the damned fines!! Unless of course you work for a bunch of total scumbags like Keurboom, then I hope you get completely reamed.

Anyway, so here we are, less than 3 months away from May 25th, and the ‘deadline’ for compliance is the most prevalent scare tactic!

“Get compliant before May 25th or else!!” “Deadline fast approaching!!” “Trust me, I’m a certified practitioner!!”

The thing is, “or else” what, exactly? What do you think is going to happen on May 25th? That your supervisory authority is going to be banging on your door with cries of “Article 30!! Show us your records!!“? Do you expect to receive hundreds of requests for access from people who know even less about GDPR than almost anyone reading this blog? Do you think you’ll suddenly be the subject of a class action suit?

Do you think your supervisory authority even knows who you ARE at this point? [No offence]

I’ll tell you what’s going to happen on May 25th …not a bloody thing different. It will be business as usual.

However, what WILL happen from May ONWARDS is a gradual increase in how the GDPR is enforced in each member state. Guidance from supervisory authorities will increase in line with the real-world issues they face; certification mechanisms will be released, forcing all organisations to at least review and consider them; the general public will gradually come to expect the heightened protection mechanisms and vilify those organisations who are not up to speed; and so on.

To put this another way; Data Protection law is not going away and cannot be ignored. By anyone. In fact, in light of things like AI/ML, Big Data and the Internet of Things, data protection is only going to become more embedded in everything we do. It has to, and you need to keep up with it.

So the more time that passes, the fewer excuses you will have for doing nothing, regardless of the size / type / industry vertical in which your business operates. In the UK, for example, you are already 20 years too late to be proactive. The DPA has been out since 1998 and compliance with it would have covered the lion’s share of the GDPR, which itself has been out for almost 2 years.

While I can sympathise with organisations fumbling around but doing their best, I have little sympathy for organisations who have done nothing. It’s these folks who should be the most concerned, not for May 25th, but every day after it.

Not one organisation out there is incapable of doing these 6 things before the ‘deadline’. Not to completion perhaps, but a good chunk:

  1. Find out where all your personal data is [even crappy questionnaires and interviews will get you most of the way there];
  2. Map that data to the business processes that created it [HR, Sales, Marketing and so on…];
  3. Agree on which business processes should continue as they are, which should change, and which should stop altogether;
  4. Get rid of all instances of personal data that do not support the agreed business processes;
  5. Obtain appropriate guidance on the lawful basis(es) for processing what’s left; and
  6. Commit, in writing, at the Board level, to achieving full compliance.

While this is nowhere near a full demonstration of compliance, you have done 3 things that the ICO have every right to expect. You have:

  1. reduced your risk by minimising your threat exposure – you can’t lose or misuse what you don’t have;
  2. done your best to ensure that you are supporting the data subject’s rights – the whole point of this exercise; and
  3. MADE A BLOODY START!

I don’t care if you only achieve full compliance 5 years from now, and it’s unlikely the supervisory authorities will, if, and ONLY if:

  1. Your commitment is real;
  2. You have a plan; and
  3. You don’t get reported or breached

It’s up to you to do ENOUGH now to make sure 3. doesn’t happen, and to work on the rest when you can. Just make sure you can justify your timelines.

[If you liked this article, please share! Want more like it, subscribe!]

PIN on Mobile

PCI: Software-Based PIN Entry on COTS (a.k.a. PIN-on-Mobile)

Almost four YEARS ago I wrote Software PIN, the Rosetta Stone of Future Payments, then just over a year later I wrote Mobile Authentication: Exceeding Card Present Security?

Just this month the SSC finally came out with their Software-Based PIN Entry on COTS Security Requirements v1.0.

[Ed. While I don’t have to wonder why PIN was my primary focus, I can see how pointless it was …almost. It just makes the delay on this standard that much more inexcusable.]

On with the story… Software PIN is more commonly referred to as PIN-on-Mobile (or the catchier PIN-on-Glass), and is the ‘game-changing’ technology that will “enable merchants to accept PIN-based payments with the PIN entered on a commercial off-the-shelf device, such as a consumer-grade mobile phone or tablet.”

What has taken them so long to make what – from my jaded perspective – is the only move that will delay their inevitable demise? It’s not like there was some miraculous innovation in mobile or encryption technology in the last couple of years! Every requirement in the standard was available/achievable long before I even wrote my blogs. As were viable solutions for that matter.

I suspect there are lots of reasons why they were so slow, but chief amongst these has to be their complete inability to adapt to the fast-paced innovation rampant in the FinTech industry, especially given their hopelessly antiquated technology. It’s only their global adoption and sheer ubiquity that keeps them where they are. I blame the banks too; change for them means acceptance of liability.

Come to think of it, what an amazing coincidence that PSD2 – the biggest nail in the payment card’s coffin since …well ever, came out this month as well. Weird huh?

As far as I am concerned, PIN-on-Mobile was the card brands’ last hold-out; now they’re done. Hopefully, between the XYZ-Pays (ApplePay, SamsungPay etc.) and now the entry of cardholder PIN on [almost] any COTS device, big merchants / retail associations will finally have the balls to stand up for themselves.

How many millions have they spent in the US on EMV terminals, just to find out a few years later that it was not only entirely unnecessary, but that they’re now tied into an investment that will leave them lagging behind competitors who were slower off the EMV block?

I know that’s harsh, and we really have no right to judge. Have any of the following questions ever occurred to you?

  1. If I can use my phone to pay for something, why do I have to tie that payment to a branded card?;
  2. With all of the security requirements required for the entry of a software PIN, why the Hell do I still have to use one? In other words, if it’s that bloody difficult to secure it, why not use something else?; and
  3. Isn’t there a better way!?

If you’re like the majority of the population, these questions are more like:

  1. Why doesn’t MY bank support this?! (looking at YOU Barclay Business!), or more commonly; why would I use this service when I have a piece of plastic?;
  2. What’s wrong with PIN?; and
  3. [nothing]

The fact is that the lion’s share of the cashless transactions globally are performed by those who have never known a time before payment cards. We simply can’t imagine anything else and we don’t even notice their inconvenience. We also don’t see the costs imposed by the middlemen.

But let me ask you this; Would you ever go back to using a feature phone? I’ll [almost] guarantee that you had no idea what features you wanted in a phone until you used a smartphone for the first time. And now you can’t live without it. Hell, most of us can’t even put the damned things down!

The same thing WILL happen to payments, but not until consumer indifference is overcome by something shiny and new.

Frankly this blog is boring even to me, and I really have nothing more to say about payment innovation that I have not already said a hundred times. But I simply can’t let anything so patently meaningless as PIN on Mobile go unanswered.

Innovation my arse.


AI

If AI is the Answer, You’ve Asked ALL the Wrong Questions

For those reading this who are cybersecurity professionals (and who else would read this crap?): in your entire career, have you ever come out of the back-end of a risk assessment and said, “We need Artificial Intelligence”?

Anyone?

I seriously doubt it, unless you happen to sell artificial intelligence, or more likely, you’re trying to pass off your product as artificial intelligence.

But let me just clarify before I continue whining; AI is exciting as Hell, and I cannot WAIT to see what comes next. I am not in the ‘Skynet’ camp, and I even disagree with people a thousand times smarter than me. No, not my wife (this time), but the likes of Stephen Hawking, Bill Gates and Elon Musk, all of whom have issued their own warnings/predictions on the subject. I think AI is going to make our lives better in almost every way. Almost.

But not in cybersecurity at the organisation level. Not yet. Most businesses simply don’t have anywhere near the foundations in place to implement it appropriately, let alone effectively. Implementing any technology on top of broken processes and/or an indifferent security culture may only serve to make things worse.

I can see it working in the threat intelligence arena, where a behemoth like Alphabet, with their mind-boggling access to almost everything, can fund something like Chronicle. But this is just one small part of a security program, feeding into the ages-old clichés of ‘defence in depth’ or ‘layered security’. AI is certainly not the panacea those with a vested interest would have you believe. Basically, if you don’t have the same access and deep pockets as Alphabet, you should probably be focusing on the hundreds of other things you should have done long before now.

And even if there was an AI ‘appliance’ that you could just plug-and-play on your network, do you honestly think the bad guys won’t work out how to circumvent it with some AI tricks of their own? Regardless of the technology, the good guys always have to play by the rules and the bad guys will always do whatever it takes. This is not a fight we are EVER going to win, so stop trying. The only thing we can do, and the sole premise of my career, is to minimise the damage. Security folks are the definitive guys bringing a knife to a gunfight. But we will fight.

This is neither cynical nor a cop-out; it’s reality, and spending money on a technology you’ll never understand, or maintain yourself, is not going to change that.

But none of this will stop organisations spending money on nonsense. On the one side you have product vendors, technology-centric consultants, hype in the press, and indifferent CEOs. On the other side, you have the ages-old security basics and a very limited number of stubborn practitioners. It’s not really that surprising that acronyms and the latest shiny-things get all the attention, just unfortunate.

In fact, it’s no different from ‘get rich quick schemes’ or ‘diet pills’, there are very few shortcuts to wealth and none to losing weight. Both involve getting off your lazy arse and doing something. So does security.

But most of all I simply can’t abide vendors who try to fit every single problem into the one thing they can do. From operationalising the whole of GDPR with ISO 27001, to solving every limitation of digital payments with biometrics, the attraction of the silver-bullet is just too much for some to resist. AI and machine learning are the latest purveyors in a long line of empty promises.

Perhaps I’m no better, all I can do is help you implement the basics. But I’ll guarantee what I’m selling is a damned sight cheaper and significantly more permanent! 🙂


GDPR in Plain English

Free Resource: The GDPR in Plain English

So here we are, it’s 2018 and the GDPR will be enforced THIS year. I suspect that both marketing budgets and the corresponding hype will now grow exponentially until everyone is sick to death of it. I know I am, and judging by the majority of questions on LinkedIn, I’m one of the seemingly few who have actually read the damned thing. Really read it.

And that’s the point of this blog. As a privacy novice I have made a significant effort to truly understand the GDPR. I have, quite literally, spent months poring over it in an effort to fully grasp its intent in order to provide appropriate guidance to my clients, and to more junior cybersecurity professionals. But just as importantly, I read it because the GDPR is about MY personal data, MY privacy, MY fundamental human right.

More often than not my guidance to others has been “Talk to a privacy expert/lawyer”, but I am now in a position to provide something a little more useful. In partnership with Angela Boswell (Lawyer / DPO / GDPR implementer), we have drafted a ‘GDPR in Plain English’ resource designed to allow anyone to get a significantly better understanding of its meaning without having to either be a lawyer, or go through months of soul-destroying tedium.

The resource consists of 3 spreadsheet tabs:

  1. ‘Recitals’ – All 173 Recitals with 3 additional columns:
    1. ‘Recital Title’ – Very brief summary of the Recital’s main theme, similar to those provided for the Articles;
    2. ‘Plain English’ – Angela’s and my attempt at turning legal-ese into plain language; and
    3. ‘References’ – Links to every Article or external document for more convenient access to relevant context
  2. ‘Articles (Reference)’ – The Articles contain a significant number of references to other Articles, Recitals, and external documentation. They are all provided here for convenience. ‘In-cell’ comments provide titles and, where appropriate, relevant content
  3. ‘Articles (Operations)’ – Work in progress, but we intend to provide implementation and operationalisation guidance as and when available. This will include the excellent guidance so far produced by the likes of the UK’s ICO, the WP29, and numerous law firms happy to share their knowledge for free (most notably Bird & Bird, from whom I have plagiarised shamelessly).

    We have broken this tab into 7 distinct columns.

    1. ‘Regulation’ – A significant portion of the Articles relate to the ‘administration’ of the regulation itself and require no specific action on behalf of the controllers or processors. These cannot be ignored, but you should probably spend more time on the other stuff;
    2. ‘Principles’ – The foundational principles of the GDPR, which should be fully understood by everyone. Again, no specific action is required other than to read and understand them, because these underpin everything that the GDPR is about;
    3. ‘Process’ – These are the things that will eventually need to be operationalised in some fashion. Documentation, record keeping, technology, security etc. all fall within this category;
    4. ‘Legal/Compliance’ – Things that will require legal expertise to handle. While this does not have to be a privacy lawyer, or any lawyer for that matter, if these things are not handled by subject matter experts you’re leaving yourself wide open;

    …and eventually;

    5. ‘People Requirements’ – The implementation and ongoing maintenance of GDPR is the definitive team effort. This is not an IT problem, or a legal one, it is a business challenge. This section will provide guidance, examples/samples, links and hopefully, in time, some real-world input from generous contributors;
    6. ‘Process Requirements’ – From policies and procedures, to privacy notices, to contractual language, at some point you are going to have to DO something. This section will provide guidance and sanitised samples of what others have done to meet a requirement; and
    7. ‘Technology Requirements’ – Technology can never fix a broken process, it can only make a good process better. This is as true for security as it is for the GDPR. Technology will be required to support/enable your ongoing operational efforts, and this section will provide guidance on technologies to consider, and to avoid. We will only care about function, not brand.

Hopefully this resource will be of some benefit to you, and you’re welcome to do with it as you wish. We only ask 2 things:

  1. Credit both Angela and myself if you do end up using this for commercial benefit; and
  2. Add to it! This resource has been the work of only 2 people who have nowhere near the experience or skill-sets to make it universally relevant. There will be translation gaps, naive assumptions, and things that we didn’t know we didn’t know. Help us!

Finally, I would just like to reiterate that the GDPR is not just a burden placed on businesses, it is a fundamental shift in how YOUR personal data is used. This is a significant enhancement to one of your fundamental human rights. Everyone should read this regulation, so please do your part to get this out to every ‘data subject’ and ‘natural person’ who needs it.

Download the Excel spreadsheet here: GDPR in Plain English

Please provide any feedback to david@coreconceptsecurity.com

We thank you in advance.


GDPR Brexit

Brexit and GDPR? The Answer is in the Regulation

Is there anyone out there who still believes that Brexit will exempt UK businesses from having to comply with the GDPR? Well, as long as there are also Flat Earthers and Young Earth Creationists, I’d say there’s enough ignorance out there to ensure that there are plenty of them.

The Brexit vote debacle itself showed just how pervasive ignorance is in the UK, as evidenced by the number of people who Googled “What is the EU?” the day after the vote. Stupidity I can forgive; it’s not a choice. Ignorance is. Or, as Harlan Ellison puts it so perfectly:

“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”

And when a weapons-grade plum (thank you @sueperkins) like Donald Trump is in favour of a decision, you know you’ve f&%$ed up.

But enough judgement, the answer to whether or not UK businesses will need to comply with the GDPR is written in the Regulation itself. Anyone who has actually read it probably has the words “third country” floating around in their heads right about now. Why? Because post-Brexit that’s exactly what the UK will be to the EU; a third country.

Every country in the EU has signed up to adopt the GDPR into their individual national laws in order to enforce it in the exact same way. From the creation of supervisory authorities with identical tasks and powers, to approved codes of conduct, to the imposition of penalties, every EU country ‘trusts’ every other EU country by default. Further, if for any reason two countries disagree on something, the Board can step in and sort it out per Articles 63 (Consistency mechanism) and 65 (Dispute resolution by the Board).

None of this will apply to third countries, who will need to demonstrate what the GDPR calls an “adequate level of data protection” in order to enjoy the freedoms of data processing and movement that EU countries will receive automatically. This is spelled out very clearly in Recital 103:

The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.

In other words, the Commission can, as long as the third country has met certain criteria, give blanket approval for that country to do business as usual within the EU.

Simple logic therefore dictates that the criteria must fully comply with the GDPR, and every business must meet the GDPR baselines in their entirety.

The criteria are broken out in Article 45(2) [edited for length]:

When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral [edited]

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject [edited]

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

In other words, as long as ALL of the laws, judicial systems, supervisory authorities, contractual obligations etc. are at or above the levels mandated by the GDPR, that third country is good to go.

Here in the UK this will hopefully not be an issue. The ICO is the supervisory authority and the upcoming amendments to the Data Protection Act should more than cover the GDPR adequacy requirement. So as long as UK businesses comply fully with the DPA, they should not have to provide any further evidence of compliance to EU countries.

However, there are many who believe that, because of things like the Investigatory Powers Act 2016 (a.k.a. Snooper’s Charter), the UK is at serious risk of not qualifying for the adequacy decision. We’ll have to see how it goes.

Bottom line here is that if you are sitting on your arse waiting for the ICO to tell you what to do, you are setting yourself up for some very unnecessary pain. The initial preparations for GDPR/DPA are as simple as they are obvious, and well within the reach of every organisation out there. Whether or not your country receives an adequacy decision, your organisation will need to comply. Nothing has changed.

You do not need to understand your legal basis for processing in order to perform either a data discovery exercise or a business process mapping, both of which you should be doing already. I’d get on with it if I were you.

It’s not doing the wrong thing unintentionally that will piss the supervisory authorities off the most, it’s doing nothing at all.
