Right to Erasure

GDPR: The Right to Erasure Does Not Always Mean Forgotten

The title should really be phrased as a question: did you know that there’s a difference between being erased and being forgotten?

Article 17 of the GDPR is “Right to erasure (‘right to be forgotten’)“, which suggests they are the same thing. They are not [quite], and I think the only reason the right to be forgotten was added in brackets is because everyone was already calling it that. But it’s just not accurate …enough.

The right to be forgotten is intended to allow an individual to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.” For example, you may have been guilty of a minor criminal offence 30 years ago, which in the UK would likely make that offence “spent” (i.e. it should not be considered in any decisions against you related to insurance, employment, loans and so forth). However, if this criminal record has been posted online and then duplicated in numerous forms all over the place, it will never go away. In other words, you’ve paid your ‘debt to society’ but it will haunt you for the rest of your days.

Just ask that poor sod Mario Costeja González how something in your past can perpetually bite you on the arse. He just wanted something fairly benign to be ‘forgotten’ and now he’s one of the most famous names in this whole debate.

On the other hand, the right to erasure is just that: deletion of data that, for whatever reason, is of no further use or shouldn’t be there in the first place (amongst other things). For example, your previous employer has a BUNCH of information on you, a good chunk of which is simply not relevant: training schedules, certificates, next of kin and so on. In reality they need only enough to meet certain regulatory and/or legal obligations, plus a note on whether or not they’d ever hire you back.

So what are you actually trying to achieve when you ask to be erased? I think that > 95 times out of 100 all you want is for an organisation to stop pestering you in some way, but this actually precludes you from being forgotten. If you ask someone to erase everything about you how can they possibly know not to contact you again? They have to keep something, even if it’s just enough to leave you alone.

When asking to be forgotten, you actually don’t have the right in some instances, because doing so would put other people’s rights at risk. Remember, privacy is not an absolute right, it’s only a fundamental right.

For example, would you want the system to ‘forget’ about someone’s embezzlement background when they are applying for a job in your bank? Or a person’s serious medical condition when applying for a job to drive your kids to school? What about paedophiles?

On the other hand, don’t most of us deserve a chance at redemption for minor mistakes from our past? Should we really have to suffer our whole lives for something we deeply regret and have made amends for a thousand times over?

If you think about it, ‘erasure’ and ‘forgotten’ should really be combined into the ‘Right to the Application of Appropriate Context’ as that’s what you’re looking for from anyone with access to your data.

The above is rambling, enormously oversimplified, and I’m not even sure what my original point was. In the end the implementation of GDPR is going to have an enormous impact on us all; it’s up to you to ensure that impact is positive.

So whether you are a data subject trying to invoke your right to erasure, or an organisation trying to understand what your recourse is, you MUST have the right context. You can only achieve that context by doing your homework.


British Airways

BA Faces £500M Fine: Shut Up and Get Your FACTS Straight!

Just about every major news outlet in the UK has the same headline for the BA data breach: “BA faces record £500M fine for data breach!“. Some are not content with even this degree of utter nonsense and are actually making things worse by saying that affected passengers are now “threatening boycott“.

I can only assume these morons are short-selling BA stock in order to cash in on their otherwise total journalistic ignorance and complete lack of integrity.

I was personally affected by the breach, and I can assure you I will not be giving my business to Easy Jet as a result.

Yes, I am pissed off. Here’s why: 

  1. The fines under GDPR for a data breach are 2%, not 4%, so off the bat the headline should be “BA faces record £250M fine for data breach!” – this one shows either ignorance of the regulation, a deliberate attempt to dramatise the headline, or plagiarism;
  2. The maximum fines under GDPR are reserved for the most egregious offences, not any offence, and must at all times be “effective, proportionate and dissuasive” (Art. 83(1)) – explain to me how a half-BILLION pound fine for the loss of 380K payment cards is in any way ‘proportionate’ given the apparent sophistication of the attack; 
  3. Loss of payment card details is already covered under the Payment Card Industry Data Security Standard (PCI DSS), as are appropriate fining / recompense structures – so why would the ICO jump in and investigate when there is a program in place already, and has been for over a decade? For what it’s worth, the fine for the loss of 380K payment cards under PCI would be in the order of £2.5M, if one is given at all;
  4. According to Art. 34(1), you may assume BA had no choice but to notify the data subjects of the breach: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” But seeing as all fraud losses related to breached payment cards are actually covered by the card issuers, can this really be called ‘high risk’? BA did it anyway;
  5. There is no such thing as 100% security – if someone with the right skill-set and patience wants in, they’re getting in, and there’s nothing you can do to stop it. You protect data to a level appropriate to its value, and no matter what business you’re in, there will always be gaps. Always.
  6. I have worked with the BA security team in a previous life, and I VERY much doubt this breach was either negligence or incompetence; they take security very seriously. This by itself would negate a huge chunk of the GDPR fine, and their obvious pro-activity related to every other factor in Art. 83(2) should negate the vast majority of the rest.

Bad news sells, I get that, but I will forever be disgusted by journalists hell-bent on destroying the image of good people and otherwise good organisations for the sake of a brief and anaemic limelight and a few column inches.

It takes an incredible variety of skills to design and build a house; any idiot with a bulldozer can knock one down.

It will be your turn soon; it’s just a matter of time.


Lawful Basis for Processing

GDPR: Getting to the Lawful Basis for Processing

I have made no secret of my disdain for organisations and individuals who consider themselves qualified to determine their clients’ lawful basis for processing without having the necessary education or experience to do so. Just reading the GDPR a few times and doing some homework (like me), or taking the “Certified” GDPR Practitioner course (or equivalent), does NOT qualify you to talk legal matters with anyone. Don’t try.

On the other hand, a privacy lawyer (or equivalent subject matter expert) is just as likely to be spectacularly unqualified to get the information required to make the legal determinations in the first place. It is even more unlikely that they can manage the project from start to finish. Even if they could, there’s no way they’d be available, or affordable.

So what you end up with is either someone (or several someones) who can only get you most of the way, or someone who is only able to take you over the finish line.

In reality, getting to the point of determining the lawful basis, and then actually determining it, was never a single person’s responsibility. The work necessary to gather everything ‘legal’ needs is 99% of the effort, requires only very limited data protection knowledge, and, done properly, should make retaining a true privacy expert significantly more cost effective. Depending on the size and complexity of your organisation, perhaps even redundant.

In GDPR Compliance Step-by-Step: Part 3 – Process Mapping I spelled out all of the basic information required for a determination of lawful basis, but here I want not only to give it some real-world context based on experience, but also to provide an example of a completed form.

I have developed a spreadsheet that anyone can use to gather all of the information a lawyer would need to not only make a determination of the lawful basis for processing, but then give you every action item necessary to get each of your defined business processes GDPR compliant. I call it the ‘Data Inventory / Detailed Process Narrative’ or ‘DI/DPN’ for short. You can download it, and its corresponding instruction manual, here: http://www.davidfroud.com/downloads/

Please take a minute to review…

For the purposes of this exercise, let’s assume that the ‘Business Function’ you’re trying to ‘legalise’ is sales related. We’ll call it “New Client Acquisition” (download completed example here), and these are the steps to follow:

Step 1: Find a person who is best suited to describe, in significant detail, the process you’re trying to justify. In this example it will be someone whose job it is to process the data on a prospective client list received from a third party broker;

Step 2: Shadow this person while they perform the actual function, record all of the following:

  1. Data Repositories – e.g. spreadsheets, a CRM, network shares and so on. Everywhere the data has touched, or is going to touch at some point. Give each one a ‘friendly name’, the one everyone uses to refer to that source;
  2. Communications Channels – e.g. phone, email, fax, snail-mail etc.;
  3. Data Fields Used – e.g. first name, last name, work email, work mobile etc. Record not only the ones actually used, but those that are available, as this has implications later for security safeguards (specifically access control);
  4. Data Outputs – does the data the salesperson uses then go TO anyone else outside of the organisation for further action?

Step 3: From relevant departments, gather all of the following ancillary information related to the data repositories, as it’s unlikely the salesperson will either know or care:

  1. Functional Responsibility – who manages the data source(s): internal resources or outsourced third party(ies)?
  2. Location of the Data – while the exact location of the data should be known (it IS an asset), for the purposes of this process a determination of ‘in the EU’ or which ‘third country’ will suffice;
  3. Data Source Format – e.g. database, flat file, email, PDF etc. This has implications for security safeguards;
  4. Security Controls (a.k.a. Safeguards) – for the internally controlled data sources, what security controls are in place on the data? e.g. encryption, RBAC, network segmentation etc.

Step 4: Complete all of the following against every data field in use:

  1. Category of Individual(s) – here you will need to have pre-determined exactly what your organisation will use as categories, e.g. ‘Employee – Former’, ‘Client – Current’, ‘Third Party’ etc. (see the ‘Metatags’ tab on the DI/DPN template for an example);
  2. Category of Personal Data – again, you will need to have pre-determined your categories, e.g. ‘Core Personal Data’, ‘Contact Data’, ‘Financial Data’ etc. (again, see the ‘Metatags’ tab);
  3. Mandatory – what data fields do you absolutely have to have to perform the function? Mark them with a ‘Yes’. If they are just nice-to-haves put ‘No’, and you will later need to either justify their continued use or get rid of them;
  4. Responsibility – are you the Controller, Joint Controller, or a Processor? The lawyer will likely make this determination for you anyway;
  5. Data Type – Directly Identifiable (DID), Indirectly Identifiable (IID), or Sensitive (SPD). While not a hugely important factor, this could have implications down the road if you’re claiming anonymisation of data, or are disclaiming profiling.

Step 5: Complete the ‘Detailed Process Narrative’ tab of the DI/DPN spreadsheet.

While a lot of this is regurgitation from the DI tab, there are several fields you’ll need to populate with the information you’ve collected above. In the end, the only things you absolutely HAVE to provide to get to an initial determination of the lawful basis for processing are the:

  1. Purpose of Processing and Process Description – it’s critical that these are detailed enough that a lawyer knows exactly what you do to the data, and what result you get from it;
  2. Categories of Individual;
  3. Categories of Personal Data; and
  4. Determination of Controller or Processor.

Literally everything else is used to get you compliant.

Step 6: Hire an appropriate data protection expert. While I keep using the word ‘lawyer’, there are many data protection experts out there who are perfectly capable of getting you to the lawful basis for processing. The issue is that the vast majority of the work an expert does comes after the determinations are made.

Even I can tell you that in the example above the lawful basis for processing is Article 6(1)(f) – Legitimate Interest, and I can even tell you the data subject rights that you now have to enable as a result …because a lawyer told me (see Annex A of the DI/DPN Instruction Manual).

What I CAN’T do is everything else:

  1. Develop a complete set of relevant data protection policies and standards to adequately demonstrate accountability (Art. 5(2));
  2. Data transfers between legal entities under the same corporate umbrella still require some form of “legally binding and enforceable instrument”, e.g. an Intra-Company Data Transfer Agreement (ICDTA) using “standard data protection clauses”;
  3. Third parties will require a Data Processing Agreement (DPA);
  4. Ensure that the contracts in place with third party data sources include guarantees that the data was collected fairly and lawfully;
  5. Data transfers to third countries outside of an ‘adequacy’ decision will require either a DTA, binding corporate rules, a Code of Conduct, and/or certification when it becomes available;
  6. All correspondence to the prospect will need to contain links to an opt-out mechanism backed by not only an appropriate privacy notice, but all information required by the data subject to exercise their relevant rights;
  7. Perform a Legitimate Interest Assessment (LIA) to ensure that the organisation’s interests are appropriately “balanced against the individual’s interests, rights and freedoms”;
  8. Perform a Data Protection Impact Assessment (DPIA) if necessary;
  9. Add contingencies for variances in national laws if applicable;
  10. and so on…

And if YOU can’t do that stuff, you need to find someone who can.

Step 6 seems like a lot, but this is a worst-case scenario, and most qualified experts have an extensive portfolio of templates from which to choose. I am therefore convinced that if you can provide a completed DI/DPN for your relevant business process, the steps to make you fully GDPR compliant are actually very straightforward.

Honestly, there’s really nothing in the first 99% of this process that you should not be doing anyway.


Information Security vs Privacy

Information Security vs Privacy, are the Lines Blurring?

My original title was “Data Security vs Data Protection[…]”, but an unfortunate number of people see these as pretty much the same thing, even interchangeable. Then I chose Cybersecurity instead of Data Security, but that doesn’t cover all forms/formats of personal data, so I finally had to settle on Information Security.

As for Data Protection, it is not, in and of itself, Privacy, and so on…

But do you see the problem already? If we can’t even agree on common terminology, how are we expected to ask the right people the right questions in order to solve our problems? But I digress…

For the purposes of this blog I have chosen the following definitions of ‘Information Security’ and ‘Privacy’:

  • Information Security – “…is the practice of preventing unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information.”; and
  • Privacy – “…is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.”

It should be immediately obvious that these are NOT the same thing. Significant overlap, yes, but as always, security is just an enabler. Security does not dictate the goals of a business, it enables them; security does not give you privacy, it enables you to have it. A personal trainer does not make you healthy; s/he provides guidance in ONE aspect of your health goals. You still have to eat better, drink less, stop smoking, reduce stress and so on.

But now there seems to be an expectation that security people should also be privacy experts (I’m not saying they can’t be, but I actually don’t know any). Because GDPR is a big deal and ‘data protection’ is seen as the same as ‘data security’, everyone is looking to security people for guidance. Would you hire a fat personal trainer?

Take me for example: although I have spent a large chunk of the last 2 years learning more about privacy (and GDPR in particular), I still consider myself 99.9% a security guy. I have even written fairly extensively on both privacy (personal opinion) and GDPR (hopefully accurately), but once again, neither of these things is what I DO. Privacy is not a core competence of security (just look at the CISSP CBKs).

But, and to the point of this blog, can a ‘security guy’ keep doing just security in the brave new world post-May 25th? The short answer is of course yes, if that’s all they want, but are they doing their careers any favours? And what about their clients? Can a security expert without at least a foundation in privacy really perform their function appropriately? For security to enable anything, it needs context, and privacy is now a major factor of that context for any business.

In other words, has privacy now become so important, that any field with a significant impact on it must revise its training syllabus? And given that information security has such a significant overlap with privacy, are security people best placed to take on a bigger role in providing privacy guidance?

The answer, as in everything else, is: that depends. A business has to be able to find the appropriate help, and the ‘expert’ has to have the appropriate skillset. There is no standard here, and only the people [on both sides of the equation] who educate themselves should be making any decisions. Should.

In reality, most organisations don’t even have in-house security expertise, let alone privacy expertise, so where is this guidance supposed to come from? I now think that security folks are very well placed to begin taking on a larger privacy mantle. I even believe that security folks who don’t get a foundation in privacy are severely limiting their careers. Could you imagine hiring a CISO who hasn’t even read the GDPR?

Information Security and Privacy will never merge completely; they are just too big and too different. But the lines are indeed blurring.


Privacy

The Right to Privacy: Don’t Tell Me I Have to Care!

I’ve already written on the subject of privacy several times, and will likely be regurgitating a lot of what I’ve said previously, but an article I read last week really pissed me off: Three Reasons Why the “Nothing to Hide” Argument is Flawed. It’s exactly this kind of absolutist nonsense [from both sides of the privacy ‘debate’] that makes true progress so bloody difficult.

Their first point, “1) Privacy isn’t about hiding information; privacy is about protecting information, and surely you have information that you’d like to protect.”, is backed up by several metaphors, one of which is “Do you close the door when you go to the bathroom?” Seriously? Even the Universal Declaration of Human Rights qualifies the right to privacy with the word ‘arbitrary’:

“Article 12 – No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Every other treatise [that I’ve read] on privacy has a similar qualifier, which clearly implies that there can be very good reasons for ‘interference’. This is further supported by the fact that privacy is only a fundamental right, not an absolute right.

Their second point: “2) Privacy is a fundamental right and you don’t need to prove the necessity of fundamental rights to anyone.” If you’ve never read anything about privacy, you would think that a fundamental right is immutable and incontestable. It’s not. As Recital 4 of the GDPR phrases it: “The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

In other words, your right to privacy must be put into context with EVERYONE else’s OTHER rights. Hypothetically, if I believed that ‘mass surveillance’ increases the safety of my family, then your demand for privacy-first puts my loved ones directly in harm’s way. Therefore, my absolute (or ‘unalienable’) rights to what Americans call ‘life, liberty and the pursuit of happiness’ are more important than you not being seen with your trousers around your ankles.

But then they go big and say: “We change our behavior when we’re being watched, which is made obvious when voting; hence, an argument can be made that privacy in voting underpins democracy.”, which is a ridiculous stretch. Democracy through a “cohesion produced by a homogenous people”? Sure. Democracy through a ‘consensus on fundamental principles’? Absolutely. Democracy through “privacy in voting”? Get a bloody grip.

And their final point, “3) Lack of privacy creates significant harms that everyone wants to avoid.”, is basically true. But their example, “You need privacy to avoid unfortunately common threats like identity theft, manipulation through ads, discrimination based on your personal information, harassment, the filter bubble, and many other real harms that arise from invasions of privacy.”, makes it sound like organisations and governments are forcing us to put this stuff online. WE have the choice about what personal data we expose online, and while there absolutely should be [more] checks and balances against Governments overstepping their bounds, and organisations like Google should be completely transparent in their dealings, we are the ones giving our personal data away in exchange for convenience.

You’ve probably heard the quote by Snowden: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

If that’s true, I could argue that what most people actually do online is little different from someone cutting out their tongue. Regardless of whether we have the RIGHT to privacy, it does not mean we HAVE privacy, and certainly not online. If it’s online, it’s exposed, so you have two choices:

  1. Don’t put it online, so no more online banking, Facebook, Amazon, and so on; or
  2. Put online only the things you don’t care about losing (e.g. no nude selfies), or can protect in other ways (e.g. insure your bank accounts).

To one degree or another we all trade our privacy for functionality. We all want the convenience of online banking, shopping, communication, and all the world’s knowledge at our fingertips. But did you really think this was free? Our right to privacy is both a privilege and a currency, which means you have a responsibility to protect it and a responsibility to spend it wisely, respectively. Both of these responsibilities require you NOT to be ignorant: to educate yourself and not rely on others to do it for you.

But in the end it has to remain a CHOICE! The ‘privacy-first’ side of the debate will NEVER agree with the ‘nothing-to-hide’ side, but like every fundamental right we have (and yes, democracy itself), this choice will be determined by the majority. So even though, as Snowden said, “[…] the majority cannot vote away the natural rights of the minority.”, the opposite is equally true: “The wishes of the minority cannot outweigh the wishes of the majority.” To put it another way, if a person wants total privacy, then they should have the right to have it, but not if that conflicts with the rights of others.

What very few people address is the fact that my definition of privacy may be different from yours. You may think ‘secrecy’ is the best way to privacy, but I think ‘hiding in plain sight’ is more appropriate in the Information Age. The more that is known about me, the more unlikely it is that someone can pretend to BE me.

I could go on bitching, but there’s no point. I will not change your mind, and you will not change mine. The only difference is that I’m not going to try to shame you for your opinions, or even LACK of opinion. We choose the things we care about, and NO ONE can care about everything. As long as your decisions are not based on ignorance of the subject, do as you wish.
