Have You Forgotten About the ‘Cookie Law’?

You’ve all heard of the Cookie Law, right?

If the answer is no, and your business has a website that uses cookies (or other ‘online identifiers’), I would suggest you do a little homework. The upcoming EU ePrivacy Regulation not only expands significantly on that law (which is actually a Directive), it includes a fine structure on par with the GDPR.

The Cookie Law is actually the EU ePrivacy Directive  and was responsible for the incredibly irritating banners that pop-up on almost every website in the EU. About the only good news for some organisations is that the banners will likely go away under the new Regulation.

Even for those who are aware of the ePrivacy Regulation (perhaps have even read it), there is still a great deal of confusion. Not just related to the contents of it, but as to whether or not it’s even relevant with the GDPR already covering ‘privacy issues’.

Just 15 minutes of research reveals the following:

  1. The ePrivacy Regulation “particularises and complements” the GDPR – In other words, ePrivacy is an expansion on a single aspect of the GDPR. In this case ‘electronic communications’ (e.g. the ‘online identifiers’ referred to in Recital 30);
    o
  2. ePrivacy covers Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”), the GDPR covers Article 8;
    o
  3. It’s not just about cookies, it covers EVERY aspect of electronic communication. Including; “…calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.“, and all ‘metadata’ relevant to the communication channels themselves;
    o
  4. Unlike the GDPR, it does not just apply to ‘natural persons’, but to ‘legal persons’ as well. i.e. business-to-business; and
    o
  5. It has the most significant impacts in the area of marketing.

So, if your business has a website, performs marketing, or communicates with clients over ‘electronic channels’, you are in scope.

So why isn’t there anywhere near the kind of panic and hype over this Regulation as there is GDPR? If anything, I’d say this one has greater impact on most business, with a far greater degree of negative impact on how you are currently conducting your business. Just ask an online publisher what they think of it and brace yourself for the answer.

Imagine, for example, you provide online content free of charge. Your revenue is driven by online advertising which is in turn personalised to the viewer by cookies. Under ePrivacy you could no longer rely on pop-up banners to force acceptance of cookies, instead you have to rely on the viewer accepting cookies by default in THEIR web browser. Not only that, the Regulation is basically saying that all browsers should be ‘block all cookies by default’, then, in plain language, walk every EU citizen through changing the defaults to more ‘merchant-friendly’ settings.

However, here are a few bloody BRILLIANT outcomes:

  1. Unsolicited marketing phone calls should use a prefix on their numbers so you know what it is before answering! And no, they cannot get around this by blocking the caller ID;
    o
  2. Inclusion of your personal data in ‘publicly available directories‘ (a.k.a. marketing lists) must be done with consent; and
    o
  3. Any kind of “listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing” of your personal data is strictly forbidden (the usual deprecations apply, e.g. ‘pubic interest’)

Not surprising that during the ‘Stakeholder Consultation’ conducted from 12 April to 5 July 2016 that 83.4% of citizens were for it, but 63.4% of businesses were against it. The lobbying that has taken place to soften the wording, while fruitless so far, has had the likely impact of delaying the enforcement of the regulation beyond the proposed data of 25 May, 2018 (yep, same date as GDPR, that’s how closely they are linked).

So I frankly have no idea why GDPR is such a big deal and ePrivacy is so obscure, but you just know it’s because only one of these is easily monetised by snake-oil merchants. GDPR attracted cybersecurity “professionals” because it’s about ‘data protection’, and lawyers because of the ‘lawful bases for processing’ and the requirement for DPO.

ePrivacy on the other hand provides no easy remedies, but you know they’re coming.

The bottom line here is that if you’re not familiar with it, get familiar, it WILL impact you. Once again, for those in the UK the ICO has lots of material on its website, but look for Privacy and Electronic Communications Regulations (PECR)¹ instead. Like how the DPA is the UK’s implementation of GDPR, PECR is ePrivacy.

Happy reading.

[If you liked this article, please share! Want more like it, subscribe!]

¹ (Hopefully the acronym will be pronounced/known as the ‘Pecker Law’ which should give our American friends a good laugh).

GDPR in Plain English

Free Resource: The GDPR in Plain English

So here we are, it’s 2018 and the GDPR will be enforced THIS year. I suspect that both marketing budgets and the corresponding hype will now grow exponentially until everyone is sick to death of it. I know I am, and judging by the majority of questions on LinkedIn, I’m one of the seemingly few who have actually read the damned thing. Really read it.

And that’s the point of this blog. As a privacy novice I have made a significant effort to truly understand the GDPR. I have, quite literally, spent months poring over it in an effort to fully grasp its intent in order to provide appropriate guidance to my clients, and to more junior cybersecurity professionals. But just as importantly, I read it because the GDPR is about MY personal data, MY privacy, MY fundamental human right.

More often than not my guidance to others has been; “Talk to a privacy expert/lawyer.”, but I am now in a position to provide something a little more useful. In partnership with Angela Boswell (Lawyer / DPO / GDPR implementer), we have drafted a ‘GDPR in Plain English‘ resource designed to allow anyone to get a significantly better understanding of its meaning without having to either be a lawyer, or go through months of soul-destroying tedium.

The resource consists of 3 spreadsheet tabs:

o

  1. ‘Recitals’ – All 173 Recitals with 3 additional columns:o
    1. Recital Title‘ – Very brief summary of the Recital’s main theme, similar to those provided for the Articles;
    2. Plain English‘ – Angela’s and my attempt at turning legal-ese into plain language; and
    3. References‘ – Links to every Article or external document for more convenient access to relevant context
      o
  2. ‘Articles (Reference)’ – The Articles contain a significant number of references to other Articles, Recitals, and external documentation. They are all provided here for convenience. ‘In-cell’ comments provide titles and, where appropriate, relevant content
    o
  3. ‘Articles (Operations)’ – Work in progress, but we intend to provide implementation and operationalisation guidance as and when available. This will include the excellent guidance so far produced by the likes of the UK’s ICO, the WP29, and numerous law firms happy to share their knowledge for free (most notably Bird & Bird from whom I have plagiarised shamelessly).
    We have broken this tab into 7 distinct columns.

    1. Regulation‘ – A significant portion of the Articles relate to the ‘administration’ of the regulation itself and require no specific action on behalf of the controllers or processors. These cannot be ignored, but you should probably spend more time on the other stuff;
    2. Principles‘ – The foundational principles of the GDPR and should be fully understood by everyone. Again, no specific action is required other than to read and understand them, because these underpin everything that the GDPR is about;
    3. Process‘ – These are the things that will eventually need to be operationalised in some fashion. Documentation, record keeping, technology, security etc. all fall within this category;
    4. Legal/Compliance‘ – Things that will require legal expertise to handle. While this does not have to be a privacy lawyer, or any lawyer for that matter, if these things are not handled by subject matter experts you’re leaving yourself wide open;
      o
      …and eventually;
      o
    5. People Requirements‘ – The implementation and ongoing maintenance of GDPR is the definitive team effort. This is not an IT problem, or a legal one, it is a business challenge. This section will provide guidance, examples/samples, links and hopefully, in time, some real-world input from generous contributors;
    6. Process Requirements‘ – From policies and procedures, to privacy notices, to contractual language, at some point you are going to have to DO something. This section will provide guidance and sanitised samples of what others have done to meet a requirement; and
    7. Technology Requirements‘ – Technology can never fix a broken process, it can only make a good process better. This is as true for security as it is for the GDPR. Technology will be required to support/enable your ongoing operational efforts, and this section will provide guidance on technologies to consider, and to avoid. We will only care about function, not brand.

Hopefully this resource will be of some benefit to you, and you’re welcome to do with it as you wish. We only ask 2 things:

  1. Credit both Angela and myself if you do end up using this for commercial benefit; and
    o
  2. Add to it! This resource has been the work of only 2 people who have nowhere near the experience or skill-sets to make it universally relevant. There will be translation gaps, naive assumptions, and things that we didn’t know we didn’t know. Help us!

Finally, I would just like to reiterate that the GDPR is not just a burden placed on businesses, it is a fundamental shift in how YOUR personal data is used. This is a significant enhancement to one of your fundamental human rights. Everyone should read this regulation, so please do your part to get this out to every ‘data subject’ and ‘natural person’ who needs it.

Download the Excel spreadsheet here: GDPR in Plain English

Please provide any feedback to david@coreconceptsecurity.com

We thank you in advance.

[If you liked this article, please share! Want more like it, subscribe!]

Administrative Fines

GDPR: Administrative Fines for Data Breach, 4% or 2%?

As we all know, and as we are all sick to death of hearing, the final version of the GDPR dated 27th of April 2016 has, in Article 83, provision for the “imposition of administrative fines”. Having read through that Article (General conditions for imposing administrative fines) about a 1,000 times I came to the conclusion that the:

  1. 4% / €20M fines were going to be reserved for infringements of processing (data subject rights, legal basis for processing etc.); and
    o
  2. 2% / €10M fines would cover data breaches

From that point forward I was on a mission to embarrass any cybersecurity organisation using the GDPR fine structure as a launchpad into a bulls*** sales pitch. Because they always, I mean ALWAYS, used 4% /€20M as their benchmark.

But why am I so convinced that it’s 2% not 4%? First, you have to take a very close look at the Articles to which the individual fine structures refer.

Article 83(4) (2% / €10M) refers to (sorry, this a long list):

  • Article 8 – Conditions applicable to child’s consent in relation to information society services
  • Article 11 – Processing which does not require identification
  • Article 25 – Data protection by design and by default
  • Article 26 – Joint controllers
  • Article 27 – Representatives of controllers or processors not established in the Union
  • Article 28 – Processor
  • Article 29 – Processing under the authority of the controller or processor
  • Article 30 – Records of processing activities
  • Article 31 – Cooperation with the supervisory authority
  • Article 32 – Security of processing
  • Article 33 – Notification of a personal data breach to the supervisory authority
  • Article 34 – Communication of a personal data breach to the data subject
  • Article 35 – Data protection impact assessment
  • Article 36 – Prior consultation
  • Article 37 – Designation of the data protection officer
  • Article 38 – Position of the data protection officer
  • Article 39 – Tasks of the data protection officer
  • Article 41(4) – Monitoring of approved codes of conduct
  • Article 42 – Certification
  • Article 43 – Certification bodies

It’s clear that the vast majority of these are related to the ‘administration’ of an organisation’s GDPR compliance, and the ONLY 3 Articles related directly to either data security or breach notification are contained here in full. In other words; take the RUNNING of your compliance program seriously, including the confidentiality, integrity and availability of the data itself.

Article 83(5) (4% / €20M) refers to (sorry again, another long list):

  • Article 5 – Principles relating to processing of personal data
  • Article 6 – Lawfulness of processing
  • Article 7 – Conditions for consent
  • Article 9 – Processing of special categories of personal data
  • Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13 – Information to be provided where personal data are collected from the data subject 1.
  • Article 14 – Information to be provided where personal data have not been obtained from the data subject
  • Article 15 – Right of access by the data subject
  • Article 16 – Right to rectification
  • Article 17 – Right to erasure (‘right to be forgotten’)
  • Article 18 – Right to restriction of processing
  • Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 – Right to data portability
  • Article 21 – Right to object
  • Article 22 – Automated individual decision-making, including profiling
  • Article 44 – General principle for transfers
  • Article 45 – Transfers on the basis of an adequacy decision
  • Article 46 – Transfers subject to appropriate safeguards
  • Article 47 – Binding corporate rules
  • Article 48 – Transfers or disclosures not authorised by Union law
  • Article 49 – Derogations for specific situations
  • Article 58(1) – Powers
  • Article 58(2) – Powers

This contains just about everything in the GDPR related to the Principles of privacy itself and Rights of the data subject. In other words, PROCESS the data correctly.

The only link to data security in the whole of Article 83(5) is the reference to Article 5(1)(f) which states; “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

So you tell me, if you lose data, which fines do you think will apply? Seriously, tell me, I’ve not seen any guidance on it and there are many people out there who know this stuff a damned sight better than me.

I work in cybersecurity, I WISH it was 4% /€20M fines, but like I keep saying, data security does NOT equal privacy. The GDPR is about privacy, so which infringements should attract the biggest punishment?

In the end, if you think GDPR is about fines and penalties, you’ve completely missed the point. Don’t believe me? Then take it from Elizabeth Denham, the UK’s Information Commissioner herself, who wrote this excellent blog; GDPR – sorting the fact from the fiction.

And yes, I totally stole her featured image.

[If you liked this article, please share! Want more like it, subscribe!]

Know Your Right to Privacy? Clearly Most of Us Don’t

Most of us are aware that we have a right to privacy, but very few people I’ve spoken actually understand where that is laid out, and what is in place to enforce it on your behalf. Fewer people still take an active part in their own defence.

Before I go any further, I will once again reiterate (as I have in most of my blogs on GDPR), that I am NOT a privacy expert. I do cyber/information security, and while it has very little to do with privacy, it’s clear that the two have become inextricably linked. To the detriment of both I might add.

In my experience, the average person has no idea what their right to privacy means in real terms. They a have an expectation of privacy on the Internet (for example) and are somehow shocked and upset when things go wrong. Usually followed by finger pointing and lawsuits. This is little different from me thinking my right to freedom is somehow violated because I’m stuck in traffic.

To be clear, your human right is “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”. Nothing in here protects you when you give your personal data away for the sake of convenience, personal gain, or a few dozen ‘likes’ on Facebook. Nor should it.

Did you also know that privacy, while a ‘fundamental’ right is not an ‘absolute’ right? For the sake of this argument, fundamental rights are the 30 Articles of the Universal Declaration of Human Rights, and the absolute rights correspond to what are commonly called ‘natural rights’; life, liberty and so on.

For example, and certainly from my perspective, my right to life far outweighs your right to data protection (unless the loss of privacy puts YOUR life at risk!). This is what the GDPR means when it says in Recital 4;

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

But do you know what’s more ludicrous than not understanding your rights? Not understanding that the GDPR and all other privacy regulation were written for YOU! To protect YOU and YOUR loved ones, not to protect the businesses you work for! The number of articles on LinkedIn alone where people are complaining about how difficult/complicated it all is, how it’s impossible to comply, is ridiculous. Are you kidding me?!

This is YOUR data it’s trying to protect, and it’s trying to protect it from the very organisations who segued our personal data into profit for the last few decades without a thought to the impact. It’s putting the power back into your hands, giving you the mechanisms to control who does what with your data.

None of which does you any good if you don’t know what those mechanisms are.

And now be honest; have you even read the GDPR? Not just by giving it the once over, I mean actually READ it? Taken each Recital and tried to translate it into both a simple title and a plain language description that anyone can understand? Taken each Article and mapped it to not only the underlying Recitals, but every external document that supports it?

I have, and it took me over a month. Time well spent given the enormous impact the GDPR is going to have on the very fabric of life online.

The GDPR is the most important step in the world of privacy in a generation, and it is the responsibility of every ‘natural person’ / ‘data subject’ to understand it. As an individual AND an employee, take the time, it’s worth it.

[If you liked this article, please share! Want more like it, subscribe!]

Data Protection

GDPR and DPA are Not Actually About Data Security

Before you get up in arms, yes, both the DPA and GDPR contain elements of true data protection, but addressing that can be summarized in 3 words; ‘appropriate security measures‘. Everything else in both the GDPR and DPA refers to privacy.

In case you’re not familiar with the difference between security and privacy – or haven’t ready any of my other blogs – data security does NOT equal privacy. Loss of data can potentially lead to a loss in privacy, but misuse of the data is not prevented by the normal implementation of data security controls. Misuse of data = loss of privacy.

For example; even a data-centric security control like Data Loss Prevention (DLP) is not going to tell you if you have appropriate consent, legitimate interest, or appropriate contract language.

So imagine the confusion of the vast majority of the population, who have likely not read either regulation, when unscrupulous cybersecurity experts offer unqualified ‘GDPR compliance’ services. That’s like a plumber offering to build the entire house …maybe they have the skills, but what are the chances?

In truth, the laws should be called the General Data Subject Privacy and Data Protection Regulation (GDSPDPR) and the Data Subject Privacy and Data Protection Act (DSPDPA) respectively. Because that is exactly what they are. Even I hate acronyms greater than 4 characters, but it would have helped!

So how did this confusion begin in the first place? First you have to remember that our concept of data in the 2010’s is very different from that even 20 years ago? Think amount this prediction for a minute; ‘More data will be created in 2017 than the previous 5,000 years of humanity’. Or this one; ‘Amount of Data Created Annually to Reach 180 Zettabytes in 2025‘ (that’s 180 TRILLION gigabytes). Would you have even considered this possible in 1997 when the price of storage per gigabyte was around $175.00 USD? It’s now less than 2 cents.

Frankly we really weren’t that concerned about the data stored, especially in the [almost] absence of technologies such as big data processing or AI. Now it’s all about the data. Partly because of these ‘new’ technologies (amongst others), we are now equating the storage and failure to protect our data with transgressions against our privacy. They are not.

To compound the problem, the incredible rate of innovation in mobile devices has given us unprecedented functionality and convenience. While our options to self-educate on the impact of this convenience has likewise improved, the majority of us just can’t be bothered. We prefer instead to complain and blame others when things go wrong. We’d rather listen to those who are promising the world, instead of those who offer real solutions.

With GDPR and the new DPA now we don’t have to worry too much about this as data subjects, it’s the organisations who are responsible for putting control of our data back in our hands. But if you represent an organisation, you better know the difference between data security and data privacy.

There is no excuse, or lenience, for ignorance.

[If you liked this article, please share! Want more like it, subscribe!]