Have You Forgotten About the ‘Cookie Law’?

You’ve all heard of the Cookie Law, right?

If the answer is no, and your business has a website that uses cookies (or other ‘online identifiers’), I would suggest you do a little homework. The upcoming EU ePrivacy Regulation not only expands significantly on that law (which is actually a Directive), it includes a fine structure on par with the GDPR.

The Cookie Law is actually the EU ePrivacy Directive, and it was responsible for the incredibly irritating banners that pop up on almost every website in the EU. About the only good news for some organisations is that the banners will likely go away under the new Regulation.

Even for those who are aware of the ePrivacy Regulation (perhaps have even read it), there is still a great deal of confusion. Not just related to the contents of it, but as to whether or not it’s even relevant with the GDPR already covering ‘privacy issues’.

Just 15 minutes of research reveals the following:

  1. The ePrivacy Regulation “particularises and complements” the GDPR. In other words, ePrivacy is an expansion on a single aspect of the GDPR, in this case ‘electronic communications’ (e.g. the ‘online identifiers’ referred to in Recital 30);
  2. ePrivacy covers Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”); the GDPR covers Article 8;
  3. It’s not just about cookies; it covers EVERY aspect of electronic communication, including “…calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media”, and all ‘metadata’ relevant to the communication channels themselves;
  4. Unlike the GDPR, it does not just apply to ‘natural persons’ but to ‘legal persons’ as well, i.e. business-to-business; and
  5. It has its most significant impacts in the area of marketing.

So, if your business has a website, performs marketing, or communicates with clients over ‘electronic channels’, you are in scope.

So why isn’t there anywhere near the kind of panic and hype over this Regulation as there is over the GDPR? If anything, I’d say this one has a greater impact on most businesses, with a far greater degree of negative impact on how you are currently conducting your business. Just ask an online publisher what they think of it and brace yourself for the answer.

Imagine, for example, you provide online content free of charge. Your revenue is driven by online advertising, which is in turn personalised to the viewer by cookies. Under ePrivacy you could no longer rely on pop-up banners to force acceptance of cookies; instead you would have to rely on the viewer accepting cookies by default in THEIR web browser. Not only that, the Regulation is basically saying that all browsers should ‘block all cookies by default’ and then, in plain language, walk every EU citizen through changing the defaults to more ‘merchant-friendly’ settings.

However, here are a few bloody BRILLIANT outcomes:

  1. Unsolicited marketing phone calls should use a prefix on their numbers so you know what it is before answering! And no, they cannot get around this by blocking the caller ID;
  2. Inclusion of your personal data in ‘publicly available directories’ (a.k.a. marketing lists) must be done with consent; and
  3. Any kind of “listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing” of your personal data is strictly forbidden (the usual derogations apply, e.g. ‘public interest’).

Not surprising that during the ‘Stakeholder Consultation’ conducted from 12 April to 5 July 2016, 83.4% of citizens were for it but 63.4% of businesses were against it. The lobbying that has taken place to soften the wording, while fruitless so far, has likely had the effect of delaying the enforcement of the Regulation beyond the proposed date of 25 May 2018 (yep, same date as the GDPR, that’s how closely they are linked).

So I frankly have no idea why the GDPR is such a big deal and ePrivacy is so obscure, but you just know it’s because only one of these is easily monetised by snake-oil merchants. The GDPR attracted cybersecurity “professionals” because it’s about ‘data protection’, and lawyers because of the ‘lawful bases for processing’ and the requirement for a DPO.

ePrivacy on the other hand provides no easy remedies, but you know they’re coming.

The bottom line here is that if you’re not familiar with it, get familiar, because it WILL impact you. Once again, for those in the UK the ICO has lots of material on its website, but look for the Privacy and Electronic Communications Regulations (PECR)¹ instead. Just as the DPA is the UK’s implementation of the GDPR, PECR is the UK’s implementation of ePrivacy.

Happy reading.

[If you liked this article, please share! Want more like it, subscribe!]

¹ (Hopefully the acronym will be pronounced/known as the ‘Pecker Law’ which should give our American friends a good laugh).

Know Your Right to Privacy? Clearly Most of Us Don’t

Most of us are aware that we have a right to privacy, but very few people I’ve spoken to actually understand where that right is laid out, and what is in place to enforce it on their behalf. Fewer people still take an active part in their own defence.

Before I go any further, I will once again reiterate (as I have in most of my blogs on GDPR), that I am NOT a privacy expert. I do cyber/information security, and while it has very little to do with privacy, it’s clear that the two have become inextricably linked. To the detriment of both I might add.

In my experience, the average person has no idea what their right to privacy means in real terms. They have an expectation of privacy on the Internet (for example) and are somehow shocked and upset when things go wrong, usually followed by finger pointing and lawsuits. This is little different from me thinking my right to freedom is somehow violated because I’m stuck in traffic.

To be clear, your human right is: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Nothing in here protects you when you give your personal data away for the sake of convenience, personal gain, or a few dozen ‘likes’ on Facebook. Nor should it.

Did you also know that privacy, while a ‘fundamental’ right, is not an ‘absolute’ right? For the sake of this argument, the fundamental rights are the 30 Articles of the Universal Declaration of Human Rights, and the absolute rights correspond to what are commonly called ‘natural rights’: life, liberty and so on.

For example, and certainly from my perspective, my right to life far outweighs your right to data protection (unless the loss of privacy puts YOUR life at risk!). This is what the GDPR means when it says in Recital 4:

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

But do you know what’s more ludicrous than not understanding your rights? Not understanding that the GDPR and all other privacy regulation were written for YOU! To protect YOU and YOUR loved ones, not to protect the businesses you work for! The number of articles on LinkedIn alone where people complain about how difficult and complicated it all is, and how it’s impossible to comply, is ridiculous. Are you kidding me?!

This is YOUR data it’s trying to protect, and it’s trying to protect it from the very organisations who have turned our personal data into profit for the last few decades without a thought to the impact. It’s putting the power back into your hands, giving you the mechanisms to control who does what with your data.

None of which does you any good if you don’t know what those mechanisms are.

And now be honest; have you even read the GDPR? Not just by giving it the once over, I mean actually READ it? Taken each Recital and tried to translate it into both a simple title and a plain language description that anyone can understand? Taken each Article and mapped it to not only the underlying Recitals, but every external document that supports it?

I have, and it took me over a month. Time well spent given the enormous impact the GDPR is going to have on the very fabric of life online.

The GDPR is the most important step in the world of privacy in a generation, and it is the responsibility of every ‘natural person’ / ‘data subject’ to understand it. As an individual AND an employee, take the time, it’s worth it.



GDPR and DPA are Not Actually About Data Security

Before you get up in arms, yes, both the DPA and the GDPR contain elements of true data protection, but addressing that can be summarised in three words: ‘appropriate security measures’. Everything else in both the GDPR and the DPA refers to privacy.

In case you’re not familiar with the difference between security and privacy, or haven’t read any of my other blogs: data security does NOT equal privacy. Loss of data can potentially lead to a loss of privacy, but misuse of the data is not prevented by the normal implementation of data security controls. Misuse of data = loss of privacy.

For example, even a data-centric security control like Data Loss Prevention (DLP) is not going to tell you whether you have appropriate consent, a legitimate interest, or appropriate contract language.

So imagine the confusion of the vast majority of the population, who have likely not read either regulation, when unscrupulous cybersecurity experts offer unqualified ‘GDPR compliance’ services. That’s like a plumber offering to build the entire house: maybe they have the skills, but what are the chances?

In truth, the laws should be called the General Data Subject Privacy and Data Protection Regulation (GDSPDPR) and the Data Subject Privacy and Data Protection Act (DSPDPA) respectively. Because that is exactly what they are. Even I hate acronyms greater than 4 characters, but it would have helped!

So how did this confusion begin in the first place? First you have to remember that our concept of data in the 2010s is very different from that of even 20 years ago. Think about this prediction for a minute: ‘More data will be created in 2017 than the previous 5,000 years of humanity’. Or this one: ‘Amount of Data Created Annually to Reach 180 Zettabytes in 2025’ (that’s 180 TRILLION gigabytes). Would you have even considered this possible in 1997, when the price of storage per gigabyte was around $175.00 USD? It’s now less than 2 cents.

Frankly we really weren’t that concerned about the data stored, especially in the [almost] absence of technologies such as big data processing or AI. Now it’s all about the data. Partly because of these ‘new’ technologies (amongst others), we are now equating the storage and failure to protect our data with transgressions against our privacy. They are not.

To compound the problem, the incredible rate of innovation in mobile devices has given us unprecedented functionality and convenience. While our options to self-educate on the impact of this convenience have likewise improved, the majority of us just can’t be bothered. We prefer instead to complain and blame others when things go wrong. We’d rather listen to those who are promising the world than to those who offer real solutions.

With the GDPR and the new DPA, we as data subjects don’t have to worry too much about this; it’s the organisations who are responsible for putting control of our data back in our hands. But if you represent an organisation, you had better know the difference between data security and data privacy.

There is no excuse, or lenience, for ignorance.



GDPR: Data Subject Consent as a Service (DSCaaS), it’s Coming

In [X]aaS, The Outsource of Everything, I made fun of the trend to “…as a Service” everything under the sun, and predicted that eventually we would run out of letters. Well, that happened years ago, so we’re now doubling and tripling up on the letters. Data Subject Consent as a Service (DSCaaS) is my latest attempt in a long line of failures to coin an acronym.

It’s every security professional’s dream.

And yes, Privacy Consent as a Service (PCaaS) would have been better, but that was taken by those damned Personal Computers!

Regardless of what it’s called, I believe the service is not only viable, it’s basically a necessity. 99% of organisations simply do not have the skill-sets, knowledge, or technical capability to manage the collection and ongoing management of consent, especially in a fashion that has been vetted by privacy experts and kept up to date with EU-wide precedent.

Not that consent will be an organisation’s first choice for complying with GDPR. Legitimate Interest, contractual language, even binding corporate rules will likely be easier to maintain. But to get any of these to work requires each organisation to hire their own lawyers, and I’m fairly sure a lot of us would rather pay for a technology instead.

One of the first hurdles for any service like this is to explain to organisations that holding the data yourselves is not your competitive edge. Making the best use of the data is. The only thing you should really care about is getting what you need out of the data, not what it took to get there, and definitely not where the data is. Let the experts worry about how to do that in line with the GDPR.

It’s like when I ask a room-full of merchants if credit cards are core to their business. 99% of them say yes, when it’s actually being paid that’s core to their business, not how they were paid.

So what does DSCaaS look like?

  1. First, it must clearly be a Cloud-based service with a seamless iFrame-esque integration with your organisation’s web pages. Where you would normally collect the personal information on your web pages, you would simply redirect this collection to a third-party provider;
  2. Depending on the type of information collected and the reason for collection, very simple consent notices can be developed. For e-commerce, for example, these consent notices can be pretty much boiler-plated into: payment authorisation, product/service updates, customer service, marketing, etc. For HR, these would be in line with the individual employment contract, and so on. This consent is now tracked by the DSCaaS provider;
  3. The existing personal data previously collected by the organisation would be normalised/parsed and imported into the service in order to allow for the following:
    1. the removal of the vast majority of personal data from an organisation’s systems (using tokenisation and APIs to link existing systems if required);
    2. tracking and collection of consent, plus renewal of consent where necessary;
    3. automated personal data removal/destruction based on data retention policies;
    4. an online portal for the data subject to change/erase data, or demand processing cessation;
    5. all data controller and processor contracts in place.
  4. The DSCaaS provider would need to be able to demonstrate ‘appropriate security measures’ through compliance with (and/or certification to) well-known standards such as ISO 27001, ITIL, COBIT, NIST and so on;
  5. The DSCaaS provider would have existing and robust relationships with supervisory bodies (the ICO in the UK, for example) to standardise reporting of processing (if required).
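As an added illustration of the consent lifecycle in steps 1 to 3 (example code written for this page, not the author’s design or any real provider’s product), here is a hypothetical DSCaaS back end in Python: the organisation keeps only opaque tokens, the API releases personal data only while consent for that specific purpose is still valid, withdrawal and erasure arrive from the data subject’s portal, and the retention period drives automated destruction. The class, method and purpose names, and the sample record, are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

# Boiler-plated e-commerce purposes from step 2 above; anything else is rejected.
PURPOSES = {"payment_authorisation", "product_updates", "customer_service", "marketing"}

@dataclass
class Subject:
    personal_data: dict                      # held only by the provider, never by the org
    last_activity: datetime                  # drives retention-based destruction
    consents: dict[str, datetime] = field(default_factory=dict)   # purpose -> valid until

class ConsentService:
    """Hypothetical DSCaaS back end: the organisation keeps only opaque tokens."""
    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self._subjects: dict[str, Subject] = {}

    def register(self, personal_data: dict, now: datetime) -> str:
        token = secrets.token_urlsafe(16)    # tokenisation: this is all the org stores
        self._subjects[token] = Subject(dict(personal_data), now)
        return token

    def record_consent(self, token: str, purpose: str, now: datetime, valid_days: int = 365) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._subjects[token].last_activity = now
        self._subjects[token].consents[purpose] = now + timedelta(days=valid_days)  # renew by then

    def withdraw(self, token: str, purpose: str, now: datetime) -> None:
        self._subjects[token].last_activity = now
        self._subjects[token].consents[purpose] = now    # portal "stop processing": ends at once

    def resolve(self, token: str, purpose: str, now: datetime) -> dict | None:
        # API link-back: data is released only while consent for *that* purpose is valid.
        subject = self._subjects.get(token)
        valid_until = subject.consents.get(purpose) if subject else None
        return dict(subject.personal_data) if valid_until and now < valid_until else None

    def erase(self, token: str) -> bool:
        return self._subjects.pop(token, None) is not None    # portal "erase my data"

    def purge_expired(self, now: datetime) -> list[str]:
        # Automated destruction once the retention period since last activity has passed.
        stale = [t for t, s in self._subjects.items() if now - s.last_activity > self.retention]
        for token in stale:
            del self._subjects[token]
        return stale

def demo() -> dict:
    # Constructed lifecycle of one subject; results are returned so they can be checked.
    svc, t0 = ConsentService(retention_days=30), datetime(2018, 5, 25)
    tok = svc.register({"email": "alice@example.invalid"}, t0)   # constructed record
    svc.record_consent(tok, "marketing", t0, valid_days=10)
    day = lambda n: t0 + timedelta(days=n)
    out = {"day5": svc.resolve(tok, "marketing", day(5)),
           "other_purpose": svc.resolve(tok, "customer_service", day(5)),
           "day11_expired": svc.resolve(tok, "marketing", day(11))}
    svc.withdraw(tok, "marketing", day(6))
    out["day7_withdrawn"] = svc.resolve(tok, "marketing", day(7))
    out["purged"] = (svc.purge_expired(day(20)), svc.purge_expired(day(40)) == [tok], svc.erase(tok))
    return out
```

Note that the organisation’s own systems never see the e-mail address once the token is issued; a request for a purpose the subject never agreed to, or one whose consent has lapsed or been withdrawn, simply gets nothing back.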

Clearly this is oversimplified, but if there’s one thing missing in all of these bandwagon ads for GDPR services, it’s the spreading of the cost across multiple parties. Especially as it’s very likely that the millions of smaller organisations cannot afford privacy expertise on an individual basis.

The intent of the GDPR is a good one, and organisations have to understand that the data they are making so much money from does not belong to them. While I have no issue with them doing so, as long as I also benefit, I want complete control over what happens to it. The vast majority of organisations in the UK cannot even comply with the existing DPA, let alone one amended in line with the draft Data Protection Bill. For organisations to ‘comply’ with the intent of the GDPR, they will need help, and that help will not come from cybersecurity organisations or ‘certified’ GDPR practitioners, and not even from privacy lawyers. It will come from organisations who combine all of these skills into a service where access to data is appropriately controlled.

Gone are the days when you could do whatever you wanted to profit from personal information. It’s what you do WITH the data that matters, and it’s almost always the best ideas that win out. We all need help doing that appropriately.



Want on the GDPR Bandwagon? Be Qualified, or Stay the Hell Off!

First, what do I mean by ‘qualified’? I mean that the only people truly qualified to lead a GDPR project are lawyers specialising in privacy. That’s it.

EVERYONE else only has a part to play. Often a very significant part, but that’s it for them as well. A part.

I’m NOT saying that every single organisation has to make the significant investment in a privacy lawyer to meet the intent of GDPR. I’m saying that the only ones qualified to determine ‘intent’ in your organisation’s specific context, are privacy lawyers. No-one who is an expert in information technology, or cybersecurity, or any other subject is qualified …unless they are also a privacy lawyer.

To labour the point even further, a qualified person is never a Certified EU General Data Protection Regulation Practitioner …unless – you guessed it – they are also a privacy lawyer.

I’ve seen every type of vendor, from Cyber Insurance providers and cybersecurity consultants to single-function technology vendors, make the most ridiculous claims as to their suitability to ‘help’ with GDPR. All to make a bit more money while the GDPR bandwagon is on the roll.

The prize so far goes to a consultant who maintains that the entire GDPR can be ‘operationalised’ under the ISO 27001 standard. Unfortunately this attitude is pervasive, as no organisation seems to want to share the opportunity with appropriate partners. The attitude of ‘land-the-gig-and-we’ll-work-out-how-to-deliver-it-later’ cannot apply here. GDPR is a law, one with significant penalties attached, so unless you really know what you’re doing, stick to what you know. And ONLY what you know.

For example, I can be [very] loosely categorised as a ‘cybersecurity expert’, so that limits my ability to help with GDPR to:

  1. Data Security – As I’ve said a few times now, of the 778 individual lines of the GDPR Articles, only 26 of them relate directly to data security. That’s only 3.34%. Yes, I can help you implement ISO 27001 to cover that 3.34% (a.k.a. “appropriate security and confidentiality”), but if GDPR is the only reason you have to implement ISO, don’t bother; you’ve missed the point;
  2. Secure Technology Implementation – GDPR is not about technology, but the implementation of GDPR will have significant technology implications. From collection of consent (Recital 32), to age identification (Recital 38), to the rights to erasure and rectification (Recital 39), technology will play a big role. All of this technology will require appropriate security wrappers in line with demonstrable good security practices; and
  3. Governance Design and Implementation – Any organisation that has a Governance function already has a GDPR Implementation Team in place. Since there can be no true Governance without full departmental representation (Technology, Security, Legal, PMO, Sales, Marketing and so on), it follows that the Security team will gain a full understanding of GDPR’s impact from the Legal team. In turn, Technology and Security will have significant input into Legal’s decisions, and it’s this ‘negotiation’ under the Governance umbrella that gives GDPR its ‘organisation-specific context’.

This should be more than enough for any security consultant, but apparently it’s not enough for some consultants who want to replace Governance all by themselves. But what’s wrong with partnering with others to do the parts you absolutely should not touch? Is it not better to be really good at the one thing you do for a living and be part of a team of experts who can cover the other bases?

To put this another way, do you really want to ruin your reputation by lying to your clients now, or be the resource they come to for every similar problem from this point forward? Do you want to sell used cars or be a trusted advisor?

GDPR, like security, is not complicated. It’s actually very simple, just BLOODY difficult to implement. There is not one individual who can simplify this for you, not even a privacy lawyer. So if you’re looking to implement GDPR, you can rest assured that anyone who is a) not a privacy lawyer, AND b) not part of a team of experts with collaborative skill-sets, AND c) trying to sell you something, should be listened to with caution.

As always, I am not going to lay the blame entirely at the vendors’ feet; they too have a business to run. In the end, the only people who get the answers they need on GDPR are the ones asking the right questions.

You MUST do your homework!
