GDPR Year 1

GDPR: Some Thoughts on Year 1

This Saturday marks one year to the day that GDPR was enforced. 3 things are clear:

  1. The self-serving scaremongers were, as I suspected, full of $*%&;
  2. Anyone wondering why there have not been more fines continues to be ignorant of the true intent of GDPR; and
  3. Interest in GDPR took a nosedive after May 25, 2018

Re: Bullet 1.: The GDPR fines to date across the whole of the EU have totalled €56M, a full €50M* of which was levied against a single organisation (against Google by CNIL). So that’s it, €6M in fines for EVERY OTHER organisation in the world. In one year. This is good.

Re: Bullet 2.: Are you really surprised that fines have been so infrequent and relatively light? The UK’s Information Commissioner herself could not have made it more clear that fines would be a last resort. But good news never sells, does it?

If you’re looking for more punishment, you have either completely misunderstood the intent of GDPR, or you have something to gain from it (see bullet 1). It’s supposed to be a law to protect a human right of every man, woman and child, not a punishment.

Re: Bullet 3.: The graphic below perfectly sums up people’s attitude towards GDPR. It represents the number of ‘Sessions’ per month my blog has received since I first started blogging back in 2015:

[Graphic: Blog Sessions per month]

Have one guess where May 25th is?

I started writing about GDPR in the middle of 2017 (beginning of the ‘mountain’) and didn’t really slow down until late 2018 (back to normal). I’d like to believe that this enormous drop was indicative of the interest in GDPR rather than a reflection on my crap content. I think the coincidence is just too great to be the latter, but you never know.

In other words, May 25th was seen as a deadline. Once it passed most people thought they had dodged a bullet with everything now going back to normal.

To be clear, business under the GDPR IS the new normal. Conducting business will never go back to the way it was, and you will never again be able to process other people’s personal data outside of the 7 Principles laid down in Article 5. If you try, you’re exactly the kind of organisation the GDPR was written to defend people against.

That said, you can [almost] be forgiven for thinking that GDPR has already had a significant impact: how tired are you of pop-up banners, privacy policies and choosing your cookie settings? Is this not an indication that organisations are taking GDPR seriously?

Actually, no, it isn’t. For a start this ‘cookie stuff’ has far more to do with e-Privacy, which isn’t even a law [yet], and from everything I’ve seen this ‘Internet-facing’ effort is nothing more than smoke and mirrors. Underlying processes have not changed, nor has most organisations’ ability to demonstrate GDPR compliance effectively. All they have done is drop themselves below the radar.

But that’s kinda the point; they HAVE done something, while those who continue to do nothing at all are setting themselves up for some very hard conversations. We are now at year 20-ish since data protection was included in EU national law(s) (the Data Protection Directive), 3 years since the final draft of the GDPR was signed into EU law, and a year since it became enforced. If you have still done nothing, bad things are heading your way. This is also good.

Some final thoughts:

  • No, I do not think the GDPR is perfect, and yes, I would like to see a lot more guidance on things like ‘Representatives’ and ‘Certifications’, but we were never going to see 28 separate countries agree on the way forward on these things so soon. It is still early days;
  • The GDPR was not enacted against business, it was enacted FOR you!
  • My entirely amateur opinions on data protection / privacy have been far more popular than on any subject I actually know something about, which is more than a little depressing.

If there’s one takeaway from this otherwise meaningless blog, it’s that it IS still early days in the enforcement of ‘GDPR compliance’, so don’t waste this opportunity by doing nothing at all. The first steps are clear, and you don’t need a data protection expert to begin: GDPR: Getting to the Lawful Basis for Processing

[If you liked this article, please share! Want more like it, subscribe!]

* For perspective, €50M is roughly 0.05% of Google’s global revenue, a 4% fine would be over €4 BILLION.

GDPR Certification

What Will GDPR ‘Certification’ Look Like?

From my current perspective, these are the 3 most significant unknowns in the implementation of GDPR:

  1. The appropriateness of Privacy Shield (i.e. it’s not);
  2. What will ‘Representation’ look like (per Article 27); and
  3. What will ‘Certification’ look like (under Articles 42 & 43)

There will certainly be more as my knowledge grows, and you will have your own Top 3 depending on whether you know either more or less than me on the subject. Though it’s hard to imagine anyone who’s actually reading this crap knowing less.

I took on Privacy Shield last week, and I’ll take a stab at Representation at some point, but I just got through reading the European Union Agency for Network and Information Security (ENISA)’s ‘Recommendations on European Data Protection Certification’ [1], so naturally I consider myself an expert in the field. Maybe I should create ‘Certified EU General Data Protection Regulation (GDPR) Certification Theory Foundation and Practitioner’ courses?

Basically the subject of ‘certification’ is far from straightforward. Not complicated per se, just very difficult.

For a start, what certification do you mean? Do you mean an organisation getting certified against the GDPR itself? Or do you mean someone who is certified to perform the certification?

First, it’s clear that there cannot be certification TO the GDPR, and that there will be no PCI DSS-esque tick-box exercise to perform. Instead, and only if applicable to your organisation, you will be certified AGAINST the GDPR in terms of adherence to its principles and intent. Or as ENISA puts it: “[…] compliance with the GDPR is not possible to be certified. What can be certified, is compliance with (or else: conformity to) certification criteria that are derived from the GDPR.”

‘Criteria’ in this example could be as broad as: “Provide a summary of the appropriate technical and organisational measures in place.” (for Article 32). Or it could go as deep as: “For data protection, describe your encryption/anonymisation/pseudonymisation mechanism(s), including [where relevant] the cipher type and bit strength.” Either way, it’s not telling you what to do, it’s making you demonstrate the appropriateness of what you have (i.e. compliance ‘against’, not ‘to’).

ENISA also makes it very clear that we must be specific and accurate in our terminology. ‘Certification’ requires the “provision of assessment and impartial third-party attestation that fulfilment of specified requirements has been demonstrated”, whereas a ‘self-assessment’ (first or second-party) can only lead to a self-declaration of conformity, never certification.

By far the lion’s share of organisations will be self-assessing, as hiring a third party to perform an onsite assessment would be overkill for a voluntary process (surmised from Art. 42(1) final sentence and Art. 42(3)). Yes, this could make a farce of the whole thing (like PCI SAQs), but should you BS your way through your self-assessment what do you think the supervisory authority is going to do if you appear on their radar? (Articles 58 and 83 for your reference.)

What I think this means in practice is that ‘compliance’ will consist of demonstrating that your controls, processes, and documentation related to the processing of personal data are appropriate to meet the intent of the Regulation. And while that sentence seems to be just as woolly as Articles 42 and 43 themselves, it should actually be very good news for you.

Why? Because it means that while no certification or even self-assessment mechanisms are available (and won’t be for some time), compliance with the GDPR is determined by you!

Yes, you should be able to demonstrate that you are meeting the intent, and yes, you will actually have to fix what you know you’re doing wrong, but it means that May 25th is no longer a deadline, it’s an indication of your risk appetite. In other words, do you [stupidly] do nothing and wait for more definitive guidance, or do you do the best you can now until such time as a bar can be set by the supervisory authorities?

So, as I stressed way back in There is No Such Thing as GDPR Certification …Yet!, there still isn’t, and ANYONE with the word ‘certified’ anywhere near the word ‘GDPR’ is no more qualified to help you than someone who has done a few weeks of reading on their own (like me).

To reiterate one more time (for the UK):

  1. There is no certification mechanism for organisations wanting to validate GDPR/DPA compliance through a third-party;
  2. There is no official self-assessment mechanism for organisations wanting to self-assess their conformity to GDPR/DPA;
  3. There are no organisations able to provide ANY form of OFFICIAL certification program for businesses or individuals; and
  4. There are no individuals certified to a program sponsored by ANY body associated with the administration of GDPR/DPA

For certification to work in a harmonised fashion across all member states there is still a lot of work to be done. I cannot see a mechanism for certification, self-assessing etc. being in place for some time. So UNTIL they officially announce one, focus on doing the basics that will be required regardless of how this issue gets settled.

Waiting for this certification mechanism before you do anything towards compliance is no different from letting yourself drown until someone throws you a life preserver. The first steps in ANY GDPR project are as simple as they are common sense:

  1. Find your personal data;
  2. Map the data to your business processes;
  3. Get rid of everything you don’t need;
  4. Protect the rest with appropriate security controls; and
  5. Determine your lawful basis(es) for processing.

ALL of these things can be done now by anyone, and once they are done, the remaining aspects of GDPR implementation will be reasonably self-evident. Yes, 5. may be difficult for non-legals, but you’d be amazed at the number of qualified people out there willing to help for next to nothing in return.

Basically stay away from anyone promising you certification of any sort, and just keep swimming.


[1] My thanks to Gabriel Avigdor for his direct guidance/advice and for his excellent blog.