Understanding the Complexities of GDPR Security Regulations
By Thomas B. Cross @techtionary
The European Union (EU) General Data Protection Regulation (GDPR)
This is an analysis of, and recommendations on, GDPR Data Subject Rights and the key rules for complying with the regulation, together with my own commentary on these key points for your own analysis. The GDPR has been in the works since the Trilogue in 2015, and by May 25, 2018 companies and their service providers are expected to have in place all the necessary responses to these rules. In my opinion, it is doubtful that any company will actually be fully compliant now, later or ever. Having written and taught on internet security since 1999, I have found a few critical issues regarding internet security and privacy. First, the majority of all computer crime comes from disgruntled and dishonest employees. Using internal and external mantraps or honeypots is no panacea. Second, a firewall or the cloud won't protect you from network slowdowns, spam, libelous postings, offensive emails, recreational surf abuse, ill-trained user errors (phishing, ransomware, terrorism, etc.) or any other legal liability. Third, hackers have more time, are more focused, act with audacity and guile, prey like sharks, don't care what business you are in, and their goal is to completely destroy you.
Note: Companies can still share your data; they just have to tell you. How much of it they actually share is uncertain.
There is an increasing amount of information available on the "bipolar" disorder of balancing security with privacy. It seems bipolar for a number of reasons: most people are fiercely protective of their privacy but don't want to deal with security roadblocks; management wants and needs to protect customer privacy, but without exorbitant costs. In addition, a line must be drawn between where security for company information ends and security for customer information begins. This is one of those issues where there are no "right answers," just practical choices based on organizational needs and management commitment. Many of the "people issues" are driven by policy and by the needs of management, with the results (good or bad) blamed on them.
Privacy/Security Policy “Police Force”
With that in mind, this is a policy presentation rather than a definitive security-privacy plan. We have found, from an extensive review of the current writings on SOX, GDPR, HIPAA and other regulatory/judicial findings as well as interviews with leading security experts, that there should be four key players "holding the chair up" in any good security arrangement: authors, actualizers, auditors, and analyzers.
First, Authors are the senior/executive management leaders providing strategic direction in the form of an all-encompassing ideology. Second, Actualizers include anyone and everyone who touches data, applications or systems: managers, archivists and anyone else. Third, Auditors may have the simplest role, that of checking how well actualizers follow the authors' policies. Fourth, the Analyzers review and check the auditors to determine whether the auditors are practicing their processes and documentation uniformly and universally across the enterprise. In addition, given increasing levels of compliance and regulatory oversight, the Analyzers provide an additional independent layer of audit, review and analysis. This additional layer of review is becoming more and more necessary because the process of balancing security and privacy is getting more, not less, complex.
Now, if you think that GDPR is going to bring the world to its senses, you know more than I do. Meanwhile, I will go through the main key points of GDPR with recommendations for action on your part, because even if you have nothing to do with Europe, their approach is beneficial to understanding what you should be doing over here.
Note: each Rule is taken from GDPR documents, and each Recommendation is my brief analysis of that Rule.
Breach Notification
Rule – Under the GDPR, breach notification becomes mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals". This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, "without undue delay" after first becoming aware of a data breach.
Recommendations – Without a penalty, and a severe one, no one does or will do anything. Even with posted road signs and the risk of harm or death, drivers will test the limits. "Undue delay" is a fantasy, as sophisticated hackers remain dormant for months or years, gathering customer data or whatever else they are looking for, before rising to attack. "Without delay" works only if the tools are in place to detect and deter hackers, so start with this in mind. In my opinion, companies should have their own separate penalties for service providers to make sure they are protected. Due to the significant financial impact of an internal or external security breach on the company, certification and re-certification for all employees should be mandatory. This should also include other means, such as monetary rewards to employees for reporting real or potential security attempts of any kind. In addition, employees should also be warned of termination for collaboration, "cover-ups" and other privacy/security breaches.
Right to Access
Rule – Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift toward data transparency and the empowerment of data subjects.
Right to be Forgotten
Rule – Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
Recommendations – Like the "Dead Sea Scrolls" that were found thousands of years later, you should really assume that nothing will be truly deleted or forgotten. The Facebook scandal also found that their developers had copies of data and were required to delete these files, but Facebook did not make sure they really did. Hence, there are likely thousands of copies of that data in places you will never know about, and the holders will never tell you. To that end, this is a nice idea, but in reality you need to have really valid audits, and auditors who audit the auditors, to have a prayer that your data will really be deleted.
Data Portability
Rule – GDPR introduces data portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a "commonly used and machine-readable format", and the right to transmit that data to another controller.
Recommendations – This may sound the alarm yet again, but what the GDPR doesn't really do is provide any specific means by which this kind of activity is to be provided, or prevented from happening. For data portability to work, the provider, the company and the user must all know in advance how such portability will work before, during and at the conclusion of the transfer of data. In addition, certified verification that legacy data and archives have been deleted is also important.
Privacy by Design
Rule – Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition. More specifically: "The controller shall ... implement appropriate technical and organisational measures ... in an effective manner ... in order to meet the requirements of this Regulation and protect the rights of data subjects". Article 25 (data protection by design and by default) calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation, a principle set out in Article 5), as well as limiting access to personal data to those who need it to carry out the processing.
Recommendations – This is the only Rule so far that makes any reasonable sense, in that it is the design of the plan that makes any plan, rule, event or result occur. I have outlined my four Policy Roles above. This would be, in my opinion, a starting place, as your situation, providers, partners, users and business model will shape your efforts.
Data Protection Officers
Rule – Currently, controllers are required to notify their data processing activities to local Data Protection Authorities (DPAs), which, for multinationals, can be a bureaucratic nightmare, with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications or registrations of data processing activities to each local DPA, nor will it be a requirement to notify or obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record-keeping requirements, as further explained below, and appointment of a Data Protection Officer (DPO) will be mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or of data relating to criminal convictions and offences. Importantly, the DPO:
– Must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.
– May be a staff member or external service provider.
– Must have their contact details provided to the relevant DPA.
– Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
– Must report directly to the highest level of management.
– Must not carry out any other tasks that could result in a conflict of interest.
Recommendations – Having a "buck stops here" approach brings attention to the issues and rules raised in the GDPR. However, there is a real need for some form of certification for such Data Protection Officers, with testing like that for lawyers, accountants and other professionals, to make sure they know the GDPR issues today and have ongoing requirements to stay certified. In addition, the certification organizations need to have their own "police force" (mentioned above) to audit, and audit again, to confirm compliance. I personally don't take a "trust but verify" approach. I take a "don't trust, then verify" approach, similar to my firewall rules: don't allow access until you know it is safe.
As with any set of rules and regulations such as GDPR, security experts and privacy advocates need to maintain and sustain their voice in addressing these issues. However, as in the last scene of the great sci-fi movie "The Day the Earth Stood Still", "the test of any such higher authority (security) is, of course, the police force that supports it." It's great to have policies, but if there is no police force to enforce them and to evaluate that enforcement, there is no true security or privacy for all, if at all.