Read Time: 20 Minutes
After months and months of anticipation, the May 25 deadline has passed and the GDPR is finally in effect. Companies around the world are being held to strict new standards for protecting the data of EU citizens. So what now? How well-prepared are most companies, and what about organizations who still aren’t compliant?
In Episode 8 of Cyber Security Sauna, we get the rundown from F-Secure’s Erik Andersen, who’s spent the past few years helping organizations prepare for GDPR, and Hannes Saarinen, Privacy Officer at F-Secure.
Erik, based on what you’ve seen with your work in preparing companies for GDPR, how well prepared are organizations for the new regulation?
Erik: To answer that question I think it makes sense to break the preparedness down into three different areas, one of the areas being maintaining the legal basis for actually processing personal data. And then there’s the other set of requirements around proving protection of data, so with GDPR organizations have to prove that they have adequate protection around the personal data that they are processing. And the final new requirements, at least in many countries, are the requirements around managing breaches. So now companies and organizations have to notify the supervisory authorities within 72 hours, ideally, if they have experienced a breach. And alone to be capable of detecting when you have a breach is something that many organizations are not very good at currently. So these are the three areas of preparedness that an organization should look at.
So the work is by no means done. It’s in a way just starting.
Erik: Absolutely. And from what I’ve seen in the organizations I’ve been working with is that most focus has been on establishing and maintaining the legal basis. So documenting the data processing activities within an organization and making sure that data processing agreements are in place with third parties, getting consent and legal basis for even processing the data, updating policies, informing data subjects, citizens about their rights, and appointing DPOs. Those kinds of activities, I would say most companies have been doing pretty well in that area.
This all seems like a lot of work. For big companies with a lot of resources, it seems like getting prepared for GDPR is more feasible. But what about small companies without teams of lawyers and people like that? How difficult is it for them to get ready?
Erik: Well, that really depends on the nature of the data processing activities. It can range from anything from being a data controller yourself, or from processing data on behalf of other companies, or it can be developing products and services that are sold to other companies and used for processing data. So in the latter case, they would need to have the right privacy technology built into their products and have the options for setting the products so that they maintain privacy by default. So there is no simple answer to is this harder for smaller companies than it is for larger companies. It really depends on the nature of the data processing activities.
Hannes, there’s said to be a lot of ambiguity about GDPR from a legal point of view. Is this just laypeople who don’t understand well enough, or is it really quite ambiguous?
Hannes: It is ambiguous, and well, as far as law goes, it’s rather clear what you have to do and what are the penalties and so forth. It gets ambiguous when you try to apply it to the real world. GDPR was created sort of against Facebook, what is Facebook doing. And then you have a couple of other known use cases, like what are the banks typically doing when they’re profiling the customers and so forth. But immediately when you cross outside of those use cases the lawmakers have been thinking of, suddenly you found that you have data subject rights which don’t make any sense, you have technically impossible requirements you have to do. And that is what is causing a huge amount of problems, when all of the players now try to apply all of the rules to their activity, which doesn’t really fit together with all of these. So overall I would say that there is so much ambiguity because there is so much data all over the place nowadays. Let’s say the detailedness of the regulation is working against the fact that the data is all over the place, which means there are a zillion use cases out there.
Right. Overall, how good a fit to the actual realities of companies is the GDPR?
Hannes: Well, as long as the companies know to abide with the spirit of the law and really do their best, then it’s a good enough fit. But in this case, the authorities are not really helping. The statements we are getting from the authorities, especially from the Working Party 29, the collection of the European Data Protection Ombudsman, is giving opinions which are very strict, and they are very precise on what is not permitted. But there are very little examples of the kinds of methods which would be okay. Which means that when you are a smaller company or a medium size company with limited resources, and you’re reading “hey, what would be okay based on this ruling?” then all you see is risks. And it ends in the resolution that you have to make the risk assessments totally yourself. But at the end of the day that’s the only way you can go forth, because the worst thing is not to do anything.
Right, so people are not maybe entirely clear on what is involved here. Maybe that’s something we should talk about, what are some of the the biggest misconceptions and myths around GDPR that you guys have seen and that you’d like to correct here?
Erik: What I’ve seen to have caused a lot of confusion and uncertainty on how to comply with that part of the requirements, is this requirement that you have to provide an adequate protection of personal data. So how much protection is enough? In order to find that adequate level of protection, you need to have a pretty good understanding of the risks of breaches. And that in turn requires a good understanding of the threats, which we actually see in many companies that the level of threat intelligence is quite low. So they really don’t have the capabilities to assess the risk and to determine what is the adequate level of protection around the data that they are processing.
Hannes, any misunderstandings about GDPR that you’ve come across?
Hannes: I’m surprised at how often used legal grounds the consent still remains to be, and that’s also seen in all of those GDPR-induced spam all of the people are getting nowadays, when everyone is asking you to renew your consent. While actually one of the best things which were evolving in the GDPR during its implementation and lawmaking process was that the consent was no longer the central form of getting legal grounds for processing personal data, but you had the legislative interest, for example. Or contract performance. All of these which are much more suitable, not so restricted, and make life much easier for everyone. And hence I see the prevalence of consent being relied on as simply causing grey hairs to everyone. You might actually compare consent to if you go to a supermarket and you buy a can of Coca-Cola. You want that something has been done so that the Coca-Cola doesn’t contain anything awfully poisonous to you, basically that there is something, a legal basis for the law or a legitimate interest or whatever you want, instead of making consent, that “when I purchase this can of Coca-Cola, I consent that it may be hazardous to me.”
Right, so are you saying that all these companies that are sending me emails right now maybe don’t have to be doing that, and at the same time, sending me that email asking for my consent doesn’t release them of any other responsibilities?
Hannes: Yep. And the worst that can happen to such companies is that if they establish that, “Hey, we are processing your personal data based on your consent, if you don’t renew your consent we have to delete the data,” and surprise, you have just managed to cut your lead marketing registry by half.
Erik, anything you think hasn’t been covered widely enough in the discussion or media?
Erik: One of the things I’ve seen that hasn’t been covered very well and where I see a big misconception is around the requirements for data protection impact assessments. Even though there is quite good guidance from the Article 29 Working Party that clearly sets out criteria for when it’s necessary to do a DPIA, many companies still have the conception that it’s only when they introduce new technologies into their data processing that they would actually need to conduct a DPIA. So I would expect that there’s a lot of DPIAs that haven’t been done yet, that we will see in the future that those DPIAs need to be done.
Hannes: To continue on this other item which has escaped popular scope, is the crowdsourcing of the data subject rights which has happened. So there is a lot of attention around the fact that now the authorities have the right to sort of impose penalties directly on companies, but the fact that the data subject rights are so heavily enforced, it basically means that you have a crowdsourced compliance operations happening by the actual data subjects. So think about the typical tempest in a teapot in the social media era, and when someone figures out, “Hey, this company was doing something really bad, let’s all harass them by asking them to delete our data.” If a company has been lax in implementing their data subject rights processes, they are really going to have a problem in implementing an influx of data subject rights requests.
Maybe it’s about all these misconceptions, intentional or not, but GDPR has already had some unintended consequences. For example, some companies outside the EU have shut down their European operations because they feel it’s easier just to not have data on European customers rather than try to comply with the GDPR. What’s your reaction on that?
Hannes: Well, the old data protection directive is a European export product, and even if it’s European of origin, now you have privacy laws in over 100 countries, most of them taking the same logic as the European approach. And with Europe increasing the requirements, I would presume that the other countries will follow suit. So if you discontinue doing business in Europe because of GDPR, you get a temporary escape, but it’s not going to last forever.
And at the other end of the scale, companies like Facebook recently announced that they’re going to be upping their game to GDPR level globally.
Erik: If I may add to that, I think that some of the reactions that we have seen maybe mainly from US companies around that they don’t feel it’s fair, it’s not a fair regulation. But I think they are missing out on a very important point about personal data, and that is that, it is not their data. Some of these organizations and companies, they have been working in sort of a wild west era, and they have considered everything they find, every data they find to be their own and they have regarded it to be their right to use it as they see fit. So they simply don’t get the point that it’s not their data. And I think another interesting point to this is that one of the main advocates for what we are seeing now in the EU to get a new deal on data so to speak, was actually Sandy Pentland, a professor at MIT, who early realized that in order to fully use the value of personal data, we have to have a better deal, we have to have workable guarantees that ensure citizens control over their privacy. So these mainly US companies who now withdraw their data with some quite negative reactions, my interpretation of that is that they don’t get the point of GDPR, that it’s not their data.
That’s a very good point. What about any other unintended consequences of GDPR? Is there anything else you guys think might happen that wasn’t part of the plan to begin with?
Hannes: One of the items is the legal grounds. It’s very painful for small organizations, housing committees, what have you, which have no legal expertise at their disposal, to figure out how these alien concepts apply to their processing of small amounts of personal data, which has been an everyday activity this far. So the GDPR is not only punishing the big ones, it’s also causing quite a lot of havoc on the small ones, which is obviously good for general awareness and general protection of your personal data, but in some cases it’s really causing concerns.
Another unintended consequence is that GDPR wants to make all of the data processing much more transparent to the user. And yes, that’s happening. But at the same time, the GDPR articles require so many items being explained to a layman, or the data subject if you will, that we are going to have very very long privacy policies, which again leads to this problem that no one is going to read them. Privacy policies have been rather long, verbose documents to begin with, and now they are being populated with very legalese text on top of that. So it’s not actually going to be much easier for the data subject to get any hold of what is actually happening.
What’s going to happen down that rabbit hole? How long can these contracts and end user license agreements get before something has to give? I’m not reading them as it is.
Hannes: Actually I think what we are seeing at the moment is the fact that this is stage one of the companies’ GDPR compliance. It is already mentioned in GDPR and by the data protection authorities that the notices should be layered and to the point and explainable to a layman. But at the moment as companies are simply struggling to get something in shape, they don’t have time to do it so nicely. So it’s the same as with the requirements for privacy by design and by default. There are items that even if a company is GDRP compliant by now, you also still have these second level aspirations there, that how you can be compliant in a fluent manner and not merely sort of somehow meeting the requirements.
One of the things under GDPR is that companies will have just 72 hours to disclose a breach once they learn of it. How realistic is this for most companies?
Erik: There are two important stages in that. The first is to realize that you have a breach, and GDPR says that you have to establish reasonable detection mechanisms so that you will detect when there is a breach.
So you can’t hide behind the fact that you didn’t know there was a breach.
Erik: Yeah, exactly. So you could avoid the 72-hour rule by just saying, “Well, we never realized we had a breach.” That of course is not the intention of the regulation and that article around breach notification. So organizations have to have detection capabilities, which range from automatic detection capabilities, so raising alerts and alarms when unexpected activity goes on in the network. But also in the behavior and the procedures in the organization, when for example a laptop is stolen or an archive is being stolen, or lost or forgotten in a place where it wasn’t protected. So employees have to understand and be able to recognize when there is a breach of personal data protection.
The other part, responding within 72 hours, I think there that one of the challenges is, when an organization has detected breach, to find out whether this is actually a breach of personal data protection, or is it just another security incident that doesn’t have any effect on personal data protection. So was there personal data involved in the breach, to what extent, who has been affected by that or potentially could be affected, and being able to investigate that requires some capabilities in the organizations that many don’t have at the moment.
So I’m guessing that’s going to be one of the first steps in those 72 hours after a breach, is figuring out whether this is personal data or something else.
Erik: Yes, this breach, does it have any implications on personal data protection? And once that is clarified, what is then the proper response and who should the organization respond to? If for example the organization processes data about citizens from several European countries, they must decide what authority in what country would they notify about the breach. So what would be the right country to notify about that breach? And what would they actually put in the notification?
One more aspect of this is when you outsource data processing you still have the 72-hour rule to comply with. In effect that means that if your data processor has a breach, they have to notify you as a controller immediately, because otherwise they will be eating up your 72-hour deadline.
Hannes: For the record, I disagree with that interpretation.
Let’s disagree on the record, then. Go right ahead.
Hannes: The Article 33 of the GDPR says that the processor has to notify without undo delay the controller of the likely breach. I’m reading the Article 33 in such manner that only when the controller has been notified without undo delay by the processor, only then does the 72-hour calculation start.
Erik: Yeah, but if you look at the Article 29 guidance on how to handle breach notification, they actually state that in principle the 72-hour clock starts from the minute the processor is aware of the breach.
Hannes: If I recall, that sentence has the words “in theory” or something like that.
Erik: In principle.
Hannes: Yeah, in principle.
So it’s no wonder it’s confusing to the layman, because it’s still confusing to us as experts. How does this process go from here? Do we see court rulings, or what will tell us how this is gonna work down the line?
Hannes: Most likely we’ll be seeing court rulings. Because especially the GDPR has a built-in penalty mechanism. I’m not only referring to 4%/20 million penalties, but also the fact that the data protection authorities, they are required to report centrally on who has been imposing how many penalties. You can easily imagine how it leads to a situation: “Hey! You haven’t been imposing any penalties this year. Why is that? Are you being lax here?”
There is going to be a race to the top.
Hannes: Yeah, there is going to be a race at least to stay in the middle ground imposing penalties. That being said, even if I’m criticizing the penalties quite often, they have the good point that no one would do anything on the prevalent misuse of personal data absent of those penalties. The penalties were the thing which were actually raising the boards of directors in all of the companies, so I consider the penalties as having a significant factor as a call to action vehicle. And they also have other impacts but that has been the most important use for the penalties.
Well let’s talk about those penalties a little bit. You quoted 20 million euros or 4% of the global revenue, these numbers have received a lot of media attention. What gets less play is that there are other repercussions in Article 58 as well – warnings, reprimands, orders, limitations or bans, withdrawing certifications, things like that. Do you think we are ever going to see the maximum fines at all, or are we in fact going to see them right out of the gate, just to show everyone that GDPR means business?
Hannes: I think we are not going to see them right out of the gate. I mean, most of the countries themselves are not ready for GDPR. There are not enough data protection authority personnel looking after these, there are no laws in place in all of the member states which would empower the same data protection authorities to penalize on these. But if you compare the maximum fine of 20 million, or 4%, to fines you can get on antitrust behavior, then this is peanuts in comparison, so I can very well see that we will go to the top in some major international cases.
Erik: I concur with Hannes on that we will probably not see a lot of cases with the big fines being issued, and one of the reasons is that we are still waiting to establish good practice around this, we are still waiting for code of conducts for different industries, certification schemes, and before we have that, there will be a lot of room for interpretation especially about what is proportional, what is reasonable to use the data for in certain cases, certain types of data processing, and what is the expected level of protection? But once we have the certification schemes, and once we have defined these code of conducts for different industries and different data processing activities, I think we will see an increasing use of fines because then you would have a more established grounds for issuing the fines.
What about companies who know that they’re still aren’t compliant today? Should they be scared? What’s your advice for them?
Hannes: Well the previous law has been in force for 20 years. So the company who knows that they’re not going to be compliant, then they are caught for the first year at least. I mean, it takes approximately one year for a company to get somehow their act together and become compliant, at minimum, so they can only wish that they get lucky during the next year. But a company shouldn’t think of this as a project which is ending, they should think of this as a project which is going to go on for at least a decade from here on. And hence that kind of company doesn’t have really any other feasible option, then to simply establish now their project management responsibilities and start working. And then they can hope that they are compliant by the fall of 2019.
All right, that’s all we have time for today. Thank you guys for joining and walking us through this GDPR mess.
Hannes: Thank you.
Erik: Thank you.