
Do Not Hire Companies Using GDPR Fines as a Sales Tactic

Taking a week’s break from my Step-by-Step series in order to have one final rant [I promise] about the use of GDPR fines/penalties in marketing material. Hopefully this third attempt will sort the problem out once and for all, I DO have 400 followers after all.

In my business, I am advising everyone who will listen to not do business with ANY organisation using fear, uncertainty and doubt (FUD) as a tactic to sell. If they were offering decent services they would not have to resort to such unprofessional and unethical practices.


GDPR: May 25th is NOT a Deadline!

It seems there are only two ways to sell GDPR products and services:

  1. Tell everyone they are going to get fined €20M or 4% of their annual revenue; and
  2. Tell everyone that they only have until May 25th to get compliant or they’re in big trouble

These are both utter nonsense.


Brexit and GDPR? The Answer is in the Regulation

Is there anyone out there who still believes that Brexit will exempt UK businesses from having to comply with the GDPR? Well, as long as there are also Flat Earthers, Young Earth Creationists, and anti-vaxxers I’d say that there’s enough ignorance out there to ensure that there are plenty of them.

The Brexit vote debacle itself showed just how pervasive ignorance is in the UK for example, as evidenced by the number of people who Googled “What is the EU?” the day after the vote. Stupidity I can forgive, it’s not a choice, ignorance is. Or as Harlan Ellison put it so perfectly:

“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”

And when a weapons-grade plum (thank you @sueperkins) like Donald Trump is in favour of a decision, you know you’ve f&%$ed up.

But enough judgement, the answer to whether or not UK businesses will need to comply with the GDPR is written in the Regulation itself. Anyone who has actually read it probably has the words “third country” floating around in their heads right about now. Why? Because post-Brexit that’s exactly what the UK will be to the EU; a third country.

Every country in the EU has signed up to adopt the GDPR into their individual national laws in order to enforce it in the exact same way. From the creation of supervisory authorities with identical tasks and powers, to approved codes of conduct, to the imposition of penalties, every EU country ‘trusts’ every other EU country by default. Further, if for any reason two countries disagree on something, the Board can step in and sort it out per Articles 63 (Consistency mechanism) and 65 (Dispute resolution by the Board).

None of this will apply to third countries, who will need to demonstrate what the GDPR calls an “adequate level of data protection” in order to enjoy the freedoms of data processing and movement that EU countries will receive automatically. This is spelled out very clearly in Recital 103:

“The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.”

In other words, the Commission can, as long as the third country has met certain criteria, give blanket approval for that country to do business as usual within the EU.

Simple logic therefore dictates that the criteria must fully comply with the intent of the GDPR, and every business must meet the GDPR baselines in their entirety.

The criteria are broken out in Article 45(2) [edited for length]:

“When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral [edited]

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject [edited]

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.”

In other words, as long as ALL of the laws, judicial systems, supervisory authorities, contractual obligations etc. are at or above the levels mandated by the GDPR, that third country is good to go.

Here in the UK this will hopefully not be an issue. The ICO is the supervisory authority and the upcoming amendments to the Data Protection Act should more than cover the GDPR adequacy requirement. So as long as UK businesses comply fully with the DPA, they should not have to provide any further evidence of compliance to EU countries.

However, there are many who believe that, because of things like the Investigatory Powers Act 2016 (a.k.a. the Snooper’s Charter), the UK is at serious risk of not qualifying for the adequacy decision. We’ll have to see how it goes.

Bottom line here is that if you are sitting on your arse waiting for the ICO to tell you what to do, you are setting yourself up for some very unnecessary pain. The initial preparations for GDPR/DPA are as simple as they are obvious, and well within the reach of every organisation. Whether or not your country receives an adequacy decision, your organisation will need to comply. Nothing has changed.

You do not need to understand your legal basis for processing in order to perform either a data discovery exercise or a business process mapping, both of which you should have done already. I’d get on with it if I were you.

It’s not doing the wrong thing unintentionally that will piss the supervisory authorities off the most, it’s doing nothing at all.


Know Your Right to Privacy? Clearly Most of Us Don’t

Most of us are aware that we have a right to privacy, but very few people I’ve spoken to actually understand where that is laid out, and what is in place to enforce it on your behalf. Fewer people still take an active part in their own defence.

Before I go any further, I will once again reiterate (as I have in most of my blogs on GDPR), that I am NOT a privacy expert. I do cyber/information security, and while it has very little to do with privacy, it’s clear that the two have become inextricably linked. To the detriment of both I might add.

In my experience, the average person has no idea what their right to privacy means in real terms. They have an expectation of privacy on the Internet (for example) and are somehow shocked and upset when things go wrong. Usually followed by finger pointing and lawsuits. This is little different from me thinking my right to freedom is somehow violated because I’m stuck in traffic.

To be clear, your human right is “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Nothing in here protects you when you give your personal data away for the sake of convenience, personal gain, or a few dozen ‘likes’ on Facebook. Nor should it.

Did you also know that privacy, while a ‘fundamental’ right, is not an ‘absolute’ right? For the sake of this argument, fundamental rights are the 30 Articles of the Universal Declaration of Human Rights, and the absolute rights correspond to what are commonly called ‘natural rights’; life, liberty and so on.

For example, and certainly from my perspective, my right to life far outweighs your right to data protection (unless the loss of privacy puts YOUR life at risk!). This is what the GDPR means when it says in Recital 4;

“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

But what’s more ludicrous than not understanding your rights? Not understanding that the GDPR and all other privacy regulation were written for YOU! To protect YOU and YOUR loved ones, not to protect the businesses you work for! The number of articles on LinkedIn alone where people are complaining about how difficult/complicated it all is, how it’s impossible to comply, is ridiculous. Are you kidding me?!

This is YOUR data it’s trying to protect, and it’s trying to protect it from the very organisations who segued our personal data into profit for the last few decades without a thought to the impact. It’s putting the power back into your hands, giving you the mechanisms to control who does what with your data.

None of which does you any good if you don’t know what those mechanisms are.

And now be honest; have you even read the GDPR or your regional equivalent? Not just by giving it the once over, I mean actually READ it? Taken each Recital and tried to translate it into both a simple title and a plain language description that anyone can understand? Taken each Article and mapped it to not only the underlying Recitals, but every external document that supports it?

I have, and it took me over a month. Time well spent given the enormous impact the GDPR is going to have on the very fabric of life online.

The GDPR is the most important step in the world of privacy in generations, and it is the responsibility of every ‘natural person’ / ‘data subject’ to understand it. As an individual AND an employee, take the time, it’s worth it.


Going From PCI to GDPR? You Are Starting from Square One

To be very clear from the outset, if you think the PCI DSS is a good ‘stepping stone’ to GDPR, you need to do a lot more homework. Data security represents less than 5% of the entire GDPR, and the PCI DSS is – in my admittedly biased estimation – no more than 33% of a true security program.

I have, for years, railed against the PCI DSS as an inadequate baseline for security, and even the card brands and the SSC have never claimed it to be more than what it is; a set of MINIMUM security controls related to the protection of cardholder data. Well, except for this ill-advised and rather naive quote perhaps;

“People come to me and say, ‘How do I achieve GDPR compliance?’… Start with PCI DSS.”

The PCI DSS was written for ONE very specific purpose, and it’s only ego, desperation, or vested interest that would lead people to think it’s anything more.

The reason for this particular blog is reading articles like the two samples below. It’s articles like these that lead organisations who don’t know better [yet] into making bad decisions. They also give cybersecurity professionals a bad name. Well, worse name, unscrupulous QSA companies and greedy product vendors have already caused significant damage.

Article 1, and by far the most egregiously overstated quote [so far] is from an article in SecurityWeek (PCI 3.2 Compliant Organizations Are Likely GDPR Compliant); “Any company that fully and successfully implements PCI DSS 3.2 is likely to be fully GDPR compliant — it’s a case of buy one and get one free.” Given the author’s apparent credentials, he should know better. Since when does the PCI DSS deal with explicit consent, or children’s data, or the right to erasure/correction/objection/portability and so on?

Then, in the very recent article 2; How the PCI DSS can help you meet the requirements of the GDPR – the author states that; “Failure to report breaches attracts fines of up to €10 million or 2% of annual turnover, whichever is higher. Breaches or failure to uphold the sixth data protection principle (maintaining confidentiality and integrity of personal data) can attract fines of up to €20 million or 4% of annual turnover (whichever is higher).”

No part of the above statement is factually correct:

  1. Just because Article 33 – Notification of a personal data breach to the supervisory authority is included in Article 83(4)(a) – General conditions for imposing administrative fines, it does NOT mean that failure to respond in 72 hours will attract a fine. There are many caveats; e.g. Recital 85 states; “the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it”.
  2. “sixth data protection principle”? – Nothing to do with confidentiality and integrity; I assume the author meant the seventh principle (security).
  3. Maximum fines for data breaches are 2% (for an undertaking, a.k.a. a group of companies), not 4%.

The author then goes on to say; “The ICO is also likely to treat inadequate or non-implementation of the PCI DSS as a failure to implement appropriate “technical and organisational measures” to protect personal data…” which is clearly not the case. The ICO has always left loss of cardholder data / PCI up to the card schemes, and has already mentioned ISO 27001 in its “The Guide to Data Protection”.

Every article I have read on how PCI helps with GDPR is, at best, hugely overstated and, at worst, full of self-serving lies. I can fully appreciate the desire for cybersecurity companies (especially QSAs) to branch out from the massively price-compressed and ultimately doomed PCI space, but to do so in this manner is unconscionable.

Unfortunately, if you are falling for this advice, I can safely assume that you:

  1. have little idea of how limited the PCI DSS is, even as protection for the only form of data to which it’s relevant;
  2. have little idea what the GDPR is trying to achieve if you think a bunch of security controls are that significant a component; and
  3. don’t actually know what an ‘appropriate’ security program should look like.

This is actually not meant as a criticism, these things may not be your job, but if you have any responsibility for GDPR, you absolutely must learn to ask the right questions.  I will finish with some reasoning below, but leave it up to you to work out whose guidance to take.

PCI and GDPR are very far removed from each other.

  1. Data protection Articles are only 3.34% of the Regulation – yes, I actually worked this out on a spreadsheet. That means the GDPR is 96.66% NOT security control relevant. Of course IT and IT security are important and intrinsic to GDPR, but PCI does not cover anything other than those things.
  2. PCI DSS makes no mention of the need for Governance – PCI compliance is almost invariably an IT project, and while this is obviously wrong, it does not prevent organisations from achieving compliance. In GDPR, the IT folks have absolutely no idea where to start. Nor should they, IT/IS people aren’t lawyers and they do not control the organisation’s direction, they are business enablers who do as bid by senior management. GDPR requires a team effort from every department, which is exactly what Governance is.
  3. PCI DSS is about compliance to an already defined standard of security controls, the GDPR requires a demonstration of ‘appropriate security’ measures – For example, what if your annual risk assessment showed that the PCI controls were actually excessive? Could you scale some of them back? No, you can’t. Alternatively, what if your risk assessment showed that they weren’t enough, could your QSA insist that you went above and beyond? Again, no, so what the hell is the point of the risk assessment in PCI?
  4. Only QSAs that started out as security consultants [not the other way around] have the skill-set to provide any help at all. If they were experts in ISO 27001, CoBIT, NIST etc., then yes, they can help you both define and implement ‘appropriate security’. If all they did was pass the QSA exam, the only guarantee you have is that they can read.
  5. The PCI DSS can never keep pace with the threat landscape – It’s already way behind, and with its complete inability to change significantly, the DSS can never represent appropriate security. If the DSS did change significantly, both the card brands and the SSC would be lynched. Millions of organisations have spent BILLIONS on PCI, they will simply refuse to start all over again. GDPR on the other hand has no defined controls, it’s up to YOU to show that your controls meet the measured risk.

In the end, the only way PCI can help with GDPR is to use the assigned budget to do security properly. You will never reach GDPR ‘compliance’ using PCI, but you will achieve both PCI and GDPR compliance on the way to real security.
