GDPR Will Be So Much Better, But at What Cost?

For a variety of reasons, I’m really looking forward to what’s in store for 2018.  I decided to finally cut the TV service cord; I’m consistently climbing on my new treadmill thanks to iFIT Coach technology; and my beverage of choice these days is just plain water.  It all amounts to just a greater degree of control over what’s going on in my life even if it requires a little more effort.  And even though I’m not an EU citizen, I know the upcoming General Data Protection Regulation (GDPR) is a harbinger of more control over who sees and processes my private data so maybe I’ll receive fewer breach disclosure notices too.

GDPR introduces several important new rights for EU citizens that are sure to be reflected worldwide in many upcoming regulatory revisions and new compliance requirements.  Reading it, you find that most of them strike you as just good common sense, such as:

  1. Increased disclosures a data controller must make before collecting personal data. In addition to its identity, the controller must state the purposes for processing, any recipients of personal data, and how long the information will be stored.
  2. Disclosures must be intelligible and easily accessible, using clear and plain language that is tailored to the appropriate audience (even if they’re minors).
  3. Controllers must inform data subjects of the right to withdraw consent at any time, the right to request access, rectification or restriction of processing, and the right to lodge a complaint with a supervisory authority.
  4. In a significant departure from Directive 95/46/EC, the GDPR recognizes a “right to erasure.” This right expands the so-called right to be forgotten.
  5. Data subjects can object to processing for most reasons at any time and always for direct marketing purposes.

There are many more commonsensical provisions in this legislation becoming law in May 2018, so many that you wonder if people will really take the time to read and understand that to which they’re giving consent.  Think of the safety instructions that come with nearly every new purchase that no one reads or the legal disclaimers and terms & conditions to which you must agree before using a new software product.  It’s not bad information, just dreadfully boring stuff that takes too much time for consumers to review.

Then on the other side, consider the impact on businesses and governmental organizations that must provide these new capabilities in a timely and efficient manner at no cost to a data subject.  Here’s a shortlist of their new responsibilities:

  1. On-demand ability to demonstrate organizational compliance with the regulation, including steps taken to ensure no future breaches of the law.
  2. Data portability rights require controllers to provide personal data to data subjects in a commonly used format and to transfer it on request to another controller; furthermore, modalities (user interfaces and customer support services) must be provided to facilitate the exercise of data subject rights.
  3. Controllers are responsible for maintaining records of processing activities, and processors are responsible for maintaining records of all categories of personal data processing performed.
  4. For a personal data breach, controllers must notify the supervisory authority of the EU member state where the controller has its main or only establishment. If no physical EU location exists, the controller must identify a lead authority and create a relationship (though a physical EU presence is likely to be encouraged).
  5. Notice must be provided without undue delay and where feasible, not later than 72 hours after an organization has become “aware” of a personal data breach—unless a reasonable justification is provided. Personal data breaches likely to result in a high risk to the rights and freedoms of individuals must also be communicated to the affected data subjects.

There are many more requirements that will take considerable money, time and creativity to properly establish, and many businesses (especially in the U.S.) will be unprepared.  This will expose them to potential fines, but not all fines will be equally assessed.  There are differences regarding intentional violations versus merely negligent ones, and limits can be imposed considering the damaging nature, gravity and duration of any violation.

GDPR also calls for implementing Privacy by Design, which requires that data protection be built in from the outset of system design rather than added on afterward.  Article 32 and Recital 83 suggest one possible remedy: “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”  SecurityFirst can help with that.

Here are some of the other most salient GDPR elements concerning data protection conditions that SecurityFirst products address, stripped of some of the more legalistic wording:

Article 25 – Data Protection by Design and Default

The GDPR makes it very clear that any private data collection and processing must be carefully planned and must integrate the necessary safeguards into those activities.  Starting in May, it’s no longer acceptable to collect more data than is absolutely required; only those specifically authorized to access that data may do so; and the processed data may be stored no longer than required to meet the task at hand.

Article 32 – Security of Processing

Expanding upon Article 25, Article 32 adds further requirements for ensuring the security of that minimal set of data acquired for a specified period of time.  It calls for the pseudonymisation and encryption of personal data along with the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems.  So while the data is in the hands of the controller and processor, these systems are protected.  It also requires the establishment of a process for regularly testing, assessing and evaluating the effectiveness of the storage and processing systems.  This should include source code and vulnerability scanning of applications and systems as they are updated over time.

Article 33 – Notification of a personal data breach to the supervisory authority

This is the Article that gives security professionals the most concern.  The requirement here is to notify the appropriate EU supervisory authority within 72 hours of a personal data loss once the organization becomes aware of it.  And this notification must be a detailed account of what happened and who was affected, describing the nature of the personal data breach and, where possible, the categories and approximate number of data subjects and the approximate number of personal data records concerned.  It must also include an assessment of the likely consequences of the breach and a list of measures taken or proposed to mitigate the data loss.  This is a lot of work in a short amount of time, but if the controller and processor have followed Articles 25 & 32, it might not be necessary.  The loss of protected data requires no notifications.

Article 34 – Communication of a personal data breach to the data subject

There will be times when communicating a personal data breach to a supervisory authority makes sense just to be on the safe side of things, even if the lost data was protected.  These decisions will generally be made on the basis of the total sensitivity of the data.  Article 34 is a second step in the notification process that calls for reaching out to the affected data subjects when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.  Each subject must be notified using much of the same data as specified in Article 33 unless these actions would involve disproportionate effort, in which case, a public communication or similar measure will suffice.

Clearly, the key to limiting any organizational impact on a controller or processor is careful and deliberate planning concerning the collection, distribution, processing, storage and deletion of sensitive personal data.  As mentioned previously, it’s pretty much common sense, but these actions cost money, and organizations have in the past been reluctant to allocate any funds not directly contributing to revenue-generating activities.  It took too many years and a continent of irritated citizens to make GDPR a reality.

And so 2018 begins a new era providing people with a greater degree of control: control over who can collect and discover what about them.  Any of us who’ve been the victim of a data breach—or worse, identity theft—will applaud these new measures and begin demanding similar legislation for non-EU citizens.  I just hope the dedication to my personal quest turns out to be more like a requirement than a directive, with heavy fines if I falter.
By Jay Bretzmann

Director Product Marketing, SecurityFirst

Helping drive acceptance of a bulletproof data encryption technology into market segments that need to add data protection to their portfolio of network securities technologies. You can’t outgrow nor out-spec this solution.