A tsunami of reports, research and updates about General Data Protection Regulation [1] (GDPR) compliance, both before and after the May deadline, still seems insufficient to handle the compliance efforts this regulation demands.
One of the latest that hit my inbox just a few weeks ago sounds like this: a new research report by TrustArc benchmarks the GDPR compliance status, after the May 25th deadline, of 600 US, UK and other EU companies. “…It provides information as to their GDPR compliance approaches, top compliance challenges and post-deadline needs, among other issues. Some of the key takeaways are:
▶ Only 20% of companies have fully completed their GDPR implementations;
▶ Companies are most compliant with updating policies and procedures and cookie consent management, and least compliant with vendor risk management and international data transfer;
▶ 50% of the companies will seek a GDPR compliance validation from an independent firm [2].”
The fact that a company can be compliant with updating policies and procedures but less compliant with vendor risk management and international data transfer doesn’t sound entirely right. Yes, the policies are part of the GDPR compliance road map, but at their best they should mirror and reflect, among other things, how vendor risk is managed all the way through international data transfer. And businesses had a two-year transition period in which to implement the GDPR within their processes.
But it was neither a matter of time nor a matter of being unfamiliar with data protection laws. The real issue with this regulation is that, for the first time, we are facing on a large scale the missing culture within businesses and the public sector regarding the way they treat and protect personal data, and regarding how important the security of information assets is in our digital world. And all this comes out in the middle of a new wave of digital transformations such as AI, IoT, blockchain and cryptocurrencies: technologies that feed themselves with our data, among other things.
We all know, and with GDPR we should know, that our identity, based upon our personal data, is directly related to everything we use and do, from:
▶ Financial & legal services
▶ Property ownership (physical and intellectual property)
▶ Travel, to
▶ Security features and measures – some of them already based on personal data (mostly on biometric data such as fingerprint, face and voice recognition, and heartbeat, to mention a few).
Thus, the way these data elements are used, and the services that all these technologies promise to offer, are very important to the economy and to the well-being of our society. And this is where GDPR places itself.
There might be different ways to see and interpret GDPR in terms of its real applications and implications. But a few basic considerations must be made which are unlikely to change for many years to come:
First, besides the mere legal meaning of General [3] and Regulation [4], the subject matter of GDPR is personal data and its protection, and within its articles we find, in more detailed terms, who, how, what, where and when. The main areas are:
▶ Data subject rights;
▶ Processors, third parties and International data transfer;
▶ Higher sanctions, thought to be a more cost-effective way of reducing the abuse of this right.
Second, the central reason for its implementation is to incorporate fundamental rights into the EU legislative process. Specifically, the right to protection of personal data, which is stated in Article 8 of the Charter of Fundamental Rights of the European Union [5]. GDPR is far from perfect and, with respect to its efficiency, it requires ten years of practice in order to prove itself. It might be subject to changes and, as often happens with any legal act, is open to interpretation. However, one thing will not change, at least for a long time, and that is the fundamental right to protection of personal data.
Third, it aims to restore trust in the digital world and in businesses, to promote innovation, enhance cyber security, and steer both the culture and the practical evolution of our digital life and its security. Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national (and international) imperatives such as privacy, transparency and technology. Having regard to the Cyber 2025 Model proposed by Windows, it can be said that GDPR places itself in the Peak scenario, one of whose key characteristics is clear, effective government policies and standards [6].
Fourth, GDPR is becoming a de facto standard around the world. Think only of the tech companies that handle customer data: the regulation has to be obeyed by any multinational that operates in Europe. But not only that. It is leading the way for other countries outside the EU. The latest one is California, which passed a sweeping consumer privacy law that might force significant changes on companies that deal in personal data, and especially those operating in the digital space. While the law, which is set to come into effect at the start of 2020, technically applies only to California residents, it will most likely have much broader implications. Most major companies that deal in consumer data, from retailers to cellular network providers to internet companies, have some Californian customers. That will leave those companies with two main options: either reform their global data protection and data rights infrastructures to comply with California’s law, or institute a patchwork data regime in which Californians are treated one way and everyone else another. That last option can be more expensive for companies and could disgruntle non-Californian customers should they be given fewer data privacy options by the service provider. Indeed, similar questions about Americans’ data rights arose during Mark Zuckerberg’s congressional testimony in regard to Facebook’s compliance with the EU GDPR.
But where should we focus, given that personal data, cyber security and the development of cutting-edge technologies are all at the top of our agendas? Compliance in general is a burden and bears real cost to the entire society, and GDPR is no exception. As a matter of fact, any compliance applied within an organisation requires three essential things:
▶ Compliance Culture
▶ Ongoing Monitoring
▶ Team Efforts
Compliance culture: In recent news we read: “The Information Commissioner’s Office (ICO) has fined Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, £140,000 for illegally collecting and selling personal information belonging to more than one million people [7].” There is everything but a compliance culture in this example. And yet, controversial behaviours from both companies and customers are part of today’s debate. Here is a quote from Chris Rouland, founder and CEO of Bastille: “I see an opportunity to pay a premium for retaining my own data, or at least guaranteeing that my data is de-attributed from me,” he said, adding that he’d happily pay his fitness wearable provider another $1.99 (£1.33) a month not to sell his data somewhere else [8]. As Geoff Mulgan, Chief Executive Officer at Nesta, puts it in one of his lectures at University College: ‘Most people feel quite anxious when they discover just how much information they are leaving behind, and yet there’s a huge advantage to be gained from this collecting of data, the sharing of data, the cross-mining of data to offer people services in better ways, to reduce crime and so on. My guess is in the next 10 years we will need almost a new social contract around that data.’ For the moment we just have a legal basis for that contract: the GDPR.
Ongoing monitoring: “A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again,” reads a data breach notification published by the company [9]. What if a Data Protection Impact Assessment (DPIA) had been made beforehand? Would an investigation of what you already hold have made the post-breach investigation, and hence the response plan, less painful, more cost-effective, more reliable and more responsive? Ongoing monitoring of systems and processes, as a normal practice of cyber resilience, is no longer optional under GDPR. It is mandatory. The players involved still underestimate the importance of both cyber security and personal data. Sooner or later the waves of regulation will make cyber security, which until now has been seen as a means of protecting valuable assets and based upon principles, a right and an asset in its own right. Or at least, in the near future we can expect a more detailed and rule-based cyber security strategy.
Team efforts: the fact is that even the big ones fail. Google recently removed 145 applications from the official Google Play store because they were found to carry malicious Windows executables inside. This type of infection “is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks [10]”.
So far, personal data as a digital asset and cyber security still do not go hand in hand. It is fair to ask why the Information Commissioner’s Office is missing from what seems to be one of the most important alliances in UK cyber security strategy [11]. And although the invitation to participate was open to other organisations to join the alliance, the fact that the Data Protection Authority was missing from the first call speaks volumes. The truth is that the link between personal data as a digital asset (and not merely a compliance burden under GDPR or national privacy bills) and cyber security as a means of protecting those assets is only dimly perceived, even at top levels.
In conclusion, GDPR speaks to all of us. The challenges create opportunities. GDPR invites us to develop creative ways to balance conflicting issues and guarantee the protection of personal data as a human right. If it is true that there is tremendous value to be unlocked in applying digital technology to new customised services and, more generally, to our lives, it is also true that, with the nascent technologies emerging now, we can’t dismiss the serious ethical issues surrounding technologies such as artificial intelligence or genomics, to mention a few. If we’ve spent the last few decades learning how to move fast, over the next few decades we’re going to have to relearn how to go slow again. Or maybe the one way to move forward is to restore simplicity and efficiency.
And we cannot think in silos either. Everything is interconnected, and so are the interests involved, the players, the regulations, the data and the security. We cannot afford to go back, but we have the responsibility to make right and responsible choices now, in order to shape a better future for our digital life. There is more to being compliant, and it is not the kind of decision-making that requires only a cost-benefit analysis. For those who have not seen personal data as a real digital asset that needs to be protected, or who have abused it, now is the time to make things right.
So, think of GDPR not as a compliance burden but as a game changer, and use it as an aid to more coherent and ethical progress in building new technologies and doing new business, taking into consideration its core principles:
▶ security of personal data;
▶ responsibility and accountability on the part of businesses, but also on the part of us as individuals;
▶ its relationship with other core principles of our society and the ever-evolving landscape of new technologies.
[1] Full text of GDPR available here.
[3] General means that it covers mostly everything related to its subject matter. But it also means that it is subject to the interpretation rule known in Latin as generalia specialibus non derogant: the provisions of a general statute must yield to those of a special one. Simply put, in case of conflict the special one prevails.
[4] Regulation means that it applies directly to all EU members without the need to be implemented into national laws.
[5] Article 8 – Protection of personal data. The journey to human rights is not an easy one, and even today human rights have a difficult life. Among others, there is a truly inspiring and meaningful reading for anyone interested in human rights: Lynn Hunt, Inventing Human Rights: A History, W. W. Norton & Company, New York-London 2007.
[6] Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain. Navigating the Future of Cybersecurity Policy, June 2014, available here.
[7] Emma’s Diary fined £140,000 for selling personal information for political campaigning, available here. See also: ICO has put the UK’s 11 main political parties on notice to have their data-sharing practices audited later this year and is contacting data brokers, including Experian, as part of its data analytics investigation. More info here. From another perspective: Supreme Court rejects Telegram’s appeal over FSB’s demands to access users’ messages, available here.
[8] Danny Bradbury. How can privacy survive in the era of the internet of things?
[9] Reddit discloses a data breach, a hacker accessed user data, available here.
[10] Hundreds of apps removed from Google Play store because they were carrying Windows malware.
[11] A grand alliance of 17 leading UK organisations impacting cyber-security has been formed in response to a call by the UK government’s Department of Digital, Culture, Media and Sport (DCMS) to develop a national professional body for cyber-security.
Marjola has a law education background, with expertise in the international and European regulatory framework, programmes and policies. She has lived and worked in the UK, Italy and Albania and has several years of experience in helping SMEs and start-ups handle compliance and business matters with a smooth, innovative and profitable approach. She also has a strong understanding of, and interest in, the ethics, business and social impact of technology in the information technology era. Marjola is an Affiliate Member of the International Compliance Association (ICA) UK and holds a Diploma in International Financial Crime Prevention and a Certificate in Understanding Cyber Security.