GDPR: May 25th is NOT a Deadline!

It seems there are only two ways to sell GDPR products and services:

  1. Tell everyone they are going to get fined €20M or 4% of their annual revenue; and
  2. Tell everyone that they only have until May 25th to get compliant or they’re in big trouble

These are both utter nonsense.

While the monster fines are a theoretical possibility (per Article 83), I would hope by now that you know they will be reserved for the VERY worst offenders. If you don’t, read this from the UK’s Information Commissioner herself: GDPR – sorting the fact from the fiction. My favourite quote being:

“Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”

And not one of these 16 (0.09% of the total!) was anywhere near the maximum of £500K, so forget the damned fines!! Unless of course you work for a bunch of total scumbags like Keurboom, then I hope you get completely reamed.

Anyway, so here we are, less than 3 months away from May 25th, and the ‘deadline’ for compliance is the most prevalent scare tactic!

“Get compliant before May 25th or else!!” “Deadline fast approaching!!” “Trust me, I’m a certified practitioner!!”

The thing is, “or else” what, exactly? What do you think is going to happen on May 25th? That your supervisory authority is going to be banging on your door with cries of “Article 30!! Show us your records!!“? Do you expect to receive hundreds of requests for access from people who know even less about GDPR than almost anyone reading this blog? Do you think you’ll suddenly be the subject of a class action suit?

Do you think your supervisory authority even knows who you ARE at this point? [No offence]

I’ll tell you what’s going to happen on May 25th …not a bloody thing different. It will be business as usual.

However, what WILL happen from May ONWARDS is a gradual increase in how the GDPR is enforced in each member state. Guidance from supervisory authorities will increase in line with the real-world issues they face; certification mechanisms will be released, forcing all organisations to at least review and consider them; the general public will gradually come to expect the heightened protection mechanisms and vilify those organisations that are not up to speed; and so on.

To put this another way; Data Protection law is not going away and cannot be ignored. By anyone. In fact, in light of things like AI/ML, Big Data and the Internet of Things, data protection is only going to become more embedded in everything we do. It has to, and you need to keep up with it.

So the more time that passes, the fewer excuses you will have for doing nothing, regardless of the size / type / industry vertical in which your business operates. In the UK, for example, you are already 20 years too late to be proactive. The DPA has been out since 1998, and compliance with it would have covered the lion’s share of the GDPR. Which itself has been out for almost 2 years.

While I can sympathise with organisations fumbling around but doing their best, I have little sympathy for organisations who have done nothing. It’s these folks who should be the most concerned, not for May 25th, but every day after it.

Not one organisation out there is incapable of doing these 6 things before the ‘deadline’. Not to completion perhaps, but a good chunk:

  1. Find out where all your personal data is; – [even crappy questionnaires and interviews will get you most of the way there]
  2. Map that data to the business processes that created it; – [HR, Sales, Marketing and so on…]
  3. Agree on which business processes should continue as they are, which should change, and which should stop altogether;
  4. Get rid of all instances of personal data that do not support the agreed business processes;
  5. Obtain appropriate guidance on the lawful basis(es) for processing what’s left; and
  6. Commit, in writing, at the Board level, to achieving full compliance

While this is nowhere near a full demonstration of compliance, you have done 3 things that the ICO has every right to expect. You have:

  1. reduced your risk by minimising your threat exposure – you can’t lose or misuse what you don’t have;
  2. done your best to ensure that you are supporting the data subject’s rights – the whole point of this exercise; and

I don’t care if you only achieve full compliance 5 years from now, and it’s unlikely the supervisory authorities will, if, and ONLY if:

  1. Your commitment is real;
  2. You have a plan; and
  3. You don’t get reported or breached

It’s up to you to do ENOUGH now to make sure 3. doesn’t happen, work on the rest when you can. Just make sure you can justify your timelines.

[If you liked this article, please share! Want more like it, subscribe!]

Brexit and GDPR? The Answer is in the Regulation

Is there anyone out there who still believes that Brexit will exempt UK businesses from having to comply with the GDPR? Well, as long as there are also Flat Earthers and Young Earth Creationists, I’d say that there’s enough ignorance out there to ensure that there are plenty of them.

The Brexit vote debacle itself showed just how pervasive ignorance is in the UK for example, as evidenced by the number of people who Googled “What is the EU?” the day after the vote. Stupidity I can forgive, it’s not a choice, ignorance is. Or as Harlan Ellison puts it so perfectly:

“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”

And when a weapons-grade plum (thank you @sueperkins) like Donald Trump is in favour of a decision, you know you’ve f&%$ed up.

But enough judgement, the answer to whether or not UK businesses will need to comply with the GDPR is written in the Regulation itself. Anyone who has actually read it probably has the words “third country” floating around in their heads right about now. Why? Because post-Brexit that’s exactly what the UK will be to the EU; a third country.

The GDPR is a Regulation, not a Directive, so it applies directly and identically in every EU member state without having to be written into national law first. From the creation of supervisory authorities with identical tasks and powers, to approved codes of conduct, to the imposition of penalties, every EU country ‘trusts’ every other EU country by default. Further, if for any reason two supervisory authorities disagree on something, the European Data Protection Board can step in and sort it out per Articles 63 (Consistency mechanism) and 65 (Dispute resolution by the Board).

None of this will apply to third countries, which will need to demonstrate what the GDPR calls an “adequate level of data protection” in order to enjoy the freedoms of data processing and movement that EU countries will receive automatically. This is spelled out very clearly in Recital 103:

The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.

In other words, the Commission can, as long as the third country has met certain criteria, give blanket approval for that country to do business as usual within the EU.

Simple logic therefore dictates that the criteria must reflect the GDPR’s own standards in full, and that every business must meet the GDPR baselines in their entirety.

The criteria are broken out in Article 45(2) [edited for length]:

When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral [edited]

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject [edited]

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

In other words, as long as ALL of the laws, judicial systems, supervisory authorities, contractual obligations etc. are at or above the levels mandated by the GDPR, that third country is good to go.

Here in the UK this will hopefully not be an issue. The ICO is the supervisory authority, and the new Data Protection Act that is due to replace the 1998 Act should more than cover the GDPR adequacy requirement. So as long as UK businesses comply fully with the DPA, they should not have to provide any further evidence of compliance to EU countries. Bear in mind, though, that adequacy is a Commission decision, not something the UK can declare for itself, and Recital 103 makes clear it can be revoked.

However, there are many who believe that, because of things like the Investigatory Powers Act 2016 (a.k.a. the Snooper’s Charter), the UK is at serious risk of not qualifying for an adequacy decision. We’ll have to see how it goes.

Bottom line here is that if you are sitting on your arse waiting for the ICO to tell you what to do, you are setting yourself up for some very unnecessary pain. The initial preparations for GDPR/DPA are as simple as they are obvious, and well within the reach of every organisation out there. Whether or not your country receives an adequacy decision, your organisation will need to comply. Nothing has changed.

You do not need to understand your legal basis for processing in order to perform either a data discovery exercise or a business process mapping, both of which you should be doing already. I’d get on with it if I were you.

It’s not doing the wrong thing unintentionally that will piss the supervisory authorities off the most, it’s doing nothing at all.


Know Your Right to Privacy? Clearly Most of Us Don’t

Most of us are aware that we have a right to privacy, but very few people I’ve spoken to actually understand where that is laid out, and what is in place to enforce it on your behalf. Fewer people still take an active part in their own defence.

Before I go any further, I will once again reiterate (as I have in most of my blogs on GDPR), that I am NOT a privacy expert. I do cyber/information security, and while it has very little to do with privacy, it’s clear that the two have become inextricably linked. To the detriment of both I might add.

In my experience, the average person has no idea what their right to privacy means in real terms. They have an expectation of privacy on the Internet (for example) and are somehow shocked and upset when things go wrong. Usually followed by finger pointing and lawsuits. This is little different from me thinking my right to freedom is somehow violated because I’m stuck in traffic.

To be clear, your human right (Article 12 of the Universal Declaration of Human Rights) is: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Nothing in here protects you when you give your personal data away for the sake of convenience, personal gain, or a few dozen ‘likes’ on Facebook. Nor should it.

Did you also know that privacy, while a ‘fundamental’ right, is not an ‘absolute’ right? For the sake of this argument, fundamental rights are the 30 Articles of the Universal Declaration of Human Rights, and the absolute rights correspond to what are commonly called ‘natural rights’: life, liberty and so on.

For example, and certainly from my perspective, my right to life far outweighs your right to data protection (unless the loss of privacy puts YOUR life at risk!). This is what the GDPR means when it says in Recital 4;

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

But do you know what’s more ludicrous than not understanding your rights? Not understanding that the GDPR and all other privacy regulation were written for YOU! To protect YOU and YOUR loved ones, not to protect the businesses you work for! The number of articles on LinkedIn alone where people are complaining about how difficult/complicated it all is, how it’s impossible to comply, is ridiculous. Are you kidding me?!

This is YOUR data it’s trying to protect, and it’s trying to protect it from the very organisations that have turned our personal data into profit for the last few decades without a thought to the impact. It’s putting the power back into your hands, giving you the mechanisms to control who does what with your data.

None of which does you any good if you don’t know what those mechanisms are.

And now be honest; have you even read the GDPR? Not just by giving it the once over, I mean actually READ it? Taken each Recital and tried to translate it into both a simple title and a plain language description that anyone can understand? Taken each Article and mapped it to not only the underlying Recitals, but every external document that supports it?

I have, and it took me over a month. Time well spent given the enormous impact the GDPR is going to have on the very fabric of life online.

The GDPR is the most important step in the world of privacy in a generation, and it is the responsibility of every ‘natural person’ / ‘data subject’ to understand it. As an individual AND an employee, take the time, it’s worth it.

Going From PCI to GDPR? You Are Starting from Square One

To be very clear from the outset, if you think the PCI DSS is a good ‘stepping stone’ to GDPR, you need to do a lot more homework. Data security represents less than 5% of the entire GDPR, and the PCI DSS is – in my admittedly biased estimation – no more than 33% of a true security program.

I have, for years, railed against the PCI DSS as an inadequate baseline for security, and even the card brands and the SSC have never claimed it to be more than what it is: a set of MINIMUM security controls related to the protection of cardholder data. Well, except for this ill-advised and rather naive quote perhaps:

People come to me and say, ‘How do I achieve GDPR compliance?’… Start with PCI DSS.

The PCI DSS was written for ONE very specific purpose, and it’s only ego, desperation, or vested interest that would lead people to think it’s anything more.

The reason for this particular blog is reading articles like the two samples below. It’s articles like these that lead organisations who don’t know better [yet] into making bad decisions. They also give cybersecurity professionals a bad name. Well, a worse name; unscrupulous QSA companies and greedy product vendors have already caused significant damage.

Article 1, and by far the most egregiously overstated quote [so far] is from an article in SecurityWeek (PCI 3.2 Compliant Organizations Are Likely GDPR Compliant); “Any company that fully and successfully implements PCI DSS 3.2 is likely to be fully GDPR compliant — it’s a case of buy one and get one free.” Given the author’s apparent credentials, he should know better. Since when does the PCI DSS deal with explicit consent, or children’s data, or the right to erasure/correction/objection/portability and so on.

Then, in the very recent article 2, How the PCI DSS can help you meet the requirements of the GDPR, the author states that: “Failure to report breaches attracts fines of up to €10 million or 2% of annual turnover, whichever is higher. Breaches or failure to uphold the sixth data protection principle (maintaining confidentiality and integrity of personal data) can attract fines of up to €20 million or 4% of annual turnover (whichever is higher).”

The above statement is far shakier than it looks, and the numbers alone tell you nothing about what will actually happen:

  1. Just because Article 33 – Notification of a personal data breach to the supervisory authority is included in Article 83(4)(a) – General conditions for imposing administrative fines, it does NOT mean that failure to respond in 72 hours will attract a fine. There are many caveats; e.g. Recital 85 states that “the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it”, and goes on to exempt breaches that are unlikely to result in a risk to the rights and freedoms of natural persons. The 72 hours is a “where feasible” target, and the fine is a maximum, not a tariff.
  2. “Sixth data protection principle”? Under the DPA 1998 the security principle was the seventh; the author is using the GDPR’s numbering, where Article 5(1)(f), integrity and confidentiality, is the sixth. Be careful which framework you are counting against, because the two do not line up.
  3. The tier a breach lands in depends on what was infringed. A failure of the Article 32 security obligations, or of Article 33 notification, sits in Article 83(4)(a) and is capped at €10M or 2% of total worldwide annual turnover of the undertaking (a.k.a. the group of companies), whichever is higher. Only an infringement of the basic principles in Article 5 falls into the 4% tier under Article 83(5)(a). Quoting 4% as the headline figure for “breaches” in general is misleading.

The author then goes on to say: “The ICO is also likely to treat inadequate or non-implementation of the PCI DSS as a failure to implement appropriate ‘technical and organisational measures’ to protect personal data…”, which is clearly not the case. The ICO has always left loss of cardholder data / PCI to the card schemes, and already points to ISO 27001 in its “The Guide to Data Protection”.

Every article I have read on how PCI helps with GDPR, is at best, hugely overstated, and at worst, full of self-serving lies. I can fully appreciate the desire for cybersecurity companies (especially QSAs) to branch out from the massively price compressed and ultimately doomed PCI space, but to do so in this manner is unconscionable.

Unfortunately if you are falling for this advice, I can safely assume that you:

  1. have little idea of how limited the PCI DSS is, even as protection for the only form of data to which it’s relevant;
  2. have little idea what the GDPR is trying to achieve if you think a bunch of security controls are that significant a component; and
  3. don’t actually know what an ‘appropriate’ security program should look like.

This is actually not meant as a criticism, these things may not be your job, but if you have any responsibility for GDPR, you absolutely must learn to ask the right questions.  I will finish with some reasoning below, but leave it up to you to work out whose guidance to take.

PCI and GDPR are very far removed from each other.

  1. Data protection Articles are only 3.34% of the Regulation – yes, I actually worked this out on a spreadsheet. That means the GDPR is 96.66% NOT security control relevant. Of course IT and IT security are important and intrinsic to GDPR, but PCI covers nothing other than those things;
  2. PCI DSS makes no mention of the need for Governance – PCI compliance is almost invariably an IT project, and while this is obviously wrong, it does not prevent organisations from achieving compliance. In GDPR, the IT folks have absolutely no idea where to start. Nor should they; IT/IS people aren’t lawyers and they do not control the organisation’s direction, they are business enablers who do as directed by senior management. GDPR requires a team effort from every department, which is exactly what Governance is;
  3. PCI DSS is about compliance to an already defined standard of security controls, the GDPR requires a demonstration of ‘appropriate security’ measures – For example, what if your annual risk assessment showed that the PCI controls were actually excessive? Could you scale some of them back? No, you can’t. Alternatively, what if your risk assessment showed that they weren’t enough, could your QSA insist that you went above and beyond? Again, no, so what the hell is the point of the risk assessment in PCI?
  4. Only QSAs that started out as security consultants [not the other way around] have the skill-set to provide any help at all. If they were experts in ISO 27001, CoBIT, NIST etc., then yes, they can help you both define and implement ‘appropriate security’. If all they did was pass the QSA exam, the only guarantee you have is that they can read.
  5. The PCI DSS can never keep pace with the threat landscape – It’s already way behind, and with its complete inability to change significantly, the DSS can never represent appropriate security. If the DSS did change significantly, both the card brands and the SSC would be lynched. Millions of organisations have spent BILLIONS on PCI, they will simply refuse to start all over again. GDPR on the other hand has no defined controls, it’s up to YOU to show that your controls meet the measured risk.

In the end, the only way PCI can help with GDPR is to use the assigned budget to do security properly. You will never reach GDPR ‘compliance‘ using PCI, but you will achieve both PCI and GDPR compliance on the way to real security.

GDPR: Focus on the WHY First, Not the HOW

By far the most common answers to the questions; “Are you worried about GDPR?” and “If yes, why?”, are, in this order:

  1. The fines;
  2. Possible loss of reputation;
  3. What’s GDPR again? (no, unfortunately I’m not joking)
  4. The cost / complexity; and
  5. Board-level accountability (a.k.a. it’s a law now).

While from a business perspective I can empathise with most of these, I have zero empathy for 3. That’s not really the point though, which is that not one person I have ever spoken to about GDPR got anywhere near touching on the actual reason GDPR is here in the first place:

It protects a human right.

If you haven’t read the Universal Declaration of Human Rights, and surprisingly few seem to have done so, it forms what I will call a code of conduct for what the United Nations calls the ‘human family’. So while it’s not a global law (per se), and somewhat impractical taken in its entirety, you have to be something of a sociopath not to recognise its basic goodness. It just fits. For example, and most relevant to this blog:

UDHR Article 12

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Fair enough, right?

Therefore, the GDPR starts out of the gate with:

GDPR Recital 1

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

And while the GDPR does go on to say things like “The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights… (Recital 4)”, its meaning and intent remain both clear and unwavering.

So if you want to know why fines are in place, why loss of reputation is such a big deal, and why infringements will be breaking the law, look no further. Compliance should go way beyond being just another consideration in your effort to demonstrate corporate social responsibility. This is not just some PR exercise you can fake your way through.

On the other hand, why is this so one sided against businesses? Why do they have to do all the work? I have made no secret of my disdain for people who don’t take responsibility for their own lives and actions. People who blame retailers for using personal data in ways they resent when they were the ones who gave it away without question. Even people who blame criminals for stealing their identity when it’s the victim themselves who made it possible by posting their entire life on social media.

When was the last time you read Google’s T&Cs? Or iTunes’? Or anyone’s? No, I haven’t either.

I have long contended that your privacy is a currency that you spend for the conveniences you crave. GDPR is there to make the risks of spending it far more transparent. Or as Angela Boswell (a privacy lawyer, DPO, and GDPR implementation lead for her organisation) puts it: “What GDPR intends is to put the choice of ‘if’ and ‘to what extent’ back in the hands of the data subject.”

So while organisations will have a lot more responsibility moving forward, you should still do your homework before sharing personal data.

But in the end, the main reasons it’s the businesses who are now [mostly] responsible for protecting people from themselves are clear. For years, many businesses who should have been guarding your privacy, weren’t. And those businesses who were supposed to protect the data they had, weren’t. Not even close. This will all change under GDPR.

In theory however, the businesses who were already doing the right thing are [for all intents and purposes] GDPR compliant; it’s only those described in the paragraph above who now have a really tough time ahead. GDPR is an extension of, and replaces, the Data Protection Directive (Directive 95/46/EC), which has been out for 22 years! You really should not be starting from scratch here.

Depending on your business, GDPR might get tricky as you progress through it, but every organisation starts out the exact same way: by mapping your business processes (at both the individual asset and ‘asset interdependency’ level). This does not require a lawyer, and is something you should already be doing. If you don’t even have this in place, you will likely never be able to demonstrate the appropriateness of the ‘extent and proportionality’ of your data processing should things go wrong.

If I was a supervisory authority (e.g. the ICO here in the UK) I would reserve my biggest penalties not for those who aren’t compliant, or even necessarily those guilty of a minor infringement, it would be for those who have done nothing.

If that’s you, you’ve already wasted ~13 months of the 2 year run-up to GDPR’s application. There will be no ‘grace period’ after May 25th 2018, you’re IN the final stage. So you only have ~11 months left before the penalties can be applied. You must start asking the right questions of the right people now, and if you don’t know what and who they are, I suggest that’s where you start.

This is very basic, but it’s a beginning: the ICO’s Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now.