CCPA’s Do Not Sell: It’s Here, But What Does It Mean?

Alex Bermudez

So, the California Consumer Privacy Act (CCPA) went into effect, and the world didn’t burn. Companies have many issues to contend with, but one in particular has presented challenges to businesses that sell personal information. “Do not sell my personal information” requests (also called opt-out requests), and confusion about what they actually require, have many business leaders scratching their heads.

What is the CCPA Do Not Sell Requirement?
The CCPA provides several rights to California residents, including the right to opt-out of the sale of personal information. Specifically, California residents have the right to direct businesses to stop selling their personal information.

Businesses that sell personal information and do not qualify for an exemption from the opt-out right must take several actions to comply with the CCPA.

More specific instructions are as follows:

1. A business must provide notice to consumers that it sells consumers’ personal information to third parties and that consumers have the right to opt-out of such sales.

2. The business’s website must post a “do not sell my personal information” link that takes consumers to a web page where they can exercise the right to opt-out of the sale of their personal information.

3. The business must provide this link on its homepage and any page that collects personal information, or on its application’s platform or download page.

4. Users must be able to submit opt-out requests without having to create an account.

5. The business must inform consumers of their right to opt-out and provide the “do not sell” link in its online privacy policy or any other California-specific description of rights.

6. The business must respect the consumer’s decision for at least 12 months. After this time, the business can ask the consumer to authorize the sale of personal information.

7. The business must train individuals responsible for handling customer rights inquiries and processing consumer rights requests.

Like many CCPA rules, this one may seem easy to comprehend, but it poses real challenges for businesses and consumers alike. These include knowing exactly what personal information your business collects and sells, knowing which information belongs to which consumer, locating and acting on information that lives in decentralized systems, and having a system in place to receive and process opt-out requests.

Does My Business Need to Comply with CCPA Do Not Sell?
Not every business is impacted by the CCPA, but any covered business that collects and sells the personal information of California residents (including businesses without a physical presence in the state) needs a process to comply with the “do not sell my personal information” right.

If your business has annual gross revenues over US$25 million, annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices, or derives 50% or more of its annual revenue from selling consumers’ personal information, then the CCPA will impact your business. Meeting any one of these thresholds is enough.

What Does “Sell” Mean?
The CCPA defines “sell” broadly, as: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

Because the CCPA does not define “valuable consideration,” this leaves a gray area that businesses must interpret for themselves. The safe reading is that any disclosure of personal information in return for something of value, whether or not money changes hands, falls within the definition.

How Can Your Business Comply with the CCPA “Do Not Sell” Rule?
New and evolving digital marketing properties and practices pose unique compliance challenges to businesses with respect to the “do not sell” requirements. In particular, businesses need to do the following:

  • Determine exactly what personal information they are collecting about each of their consumers and whether they are sharing or selling that personal information, or a part thereof, to third parties.
  • Clearly notify consumers of their right to direct businesses to stop selling their personal information and inform them how to do so.
  • Provide ways for consumers to direct businesses to not sell their personal information, including posting a “Do Not Sell My Personal Information” link on their websites. For example, the proposed CCPA regulations issued by the California Attorney General (AG) require, at a minimum, an interactive webform for submitting requests. Other acceptable methods include an email address and a toll-free phone number.
  • Establish procedures for responding to and fulfilling opt-out requests, as well as training personnel who handle such requests. For instance, businesses may consider automating the opt-out request process.
  • Maintain records of opt-out processes and details on the fulfillment or rejection of opt-out requests to demonstrate CCPA compliance and accountability.
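As an added illustration of the last two bullets (an automated opt-out process with a record of every fulfilled and rejected request), here is a small opt-out register in Python. It is example code written for this page, not OneTrust or ISACA code, and it makes several assumptions: the HMAC key is a placeholder for a secret held in your key management system, “at least 12 months” is read as 365 days, and the email addresses are constructed. The register stores a keyed hash of whatever contact identifier the consumer supplied (so no account is needed and no raw email sits in the register), gates every third-party transfer on it, tracks when the 12-month minimum has elapsed before the business may ask again, and keeps an audit trail a regulator could ask for.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# CCPA: an opt-out must be honoured for at least 12 months before the business
# may ask the consumer to authorize sales again (assumed as 365 days here).
RESOLICIT_AFTER = timedelta(days=365)

# Assumption: a per-deployment secret (this value is a placeholder) so the
# register holds a keyed hash of the contact identifier rather than raw PII.
REGISTER_KEY = b"replace-with-a-secret-from-your-kms"


def consumer_key(contact: str) -> str:
    """Pseudonymize whatever identifier the consumer supplied; no account needed."""
    normalized = contact.strip().lower().encode("utf-8")
    return hmac.new(REGISTER_KEY, normalized, hashlib.sha256).hexdigest()


@dataclass
class AuditEntry:
    at: datetime
    key: str
    event: str  # opt_out | opt_out_rejected | opt_in | sale_blocked
    detail: str = ""


@dataclass
class OptOutRegister:
    # key -> time of the active opt-out; absent means the consumer has not opted out
    opted_out_at: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, at: datetime, key: str, event: str, detail: str = "") -> None:
        self.audit.append(AuditEntry(at, key, event, detail))

    def record_opt_out(self, contact: str, channel: str, at: datetime) -> str:
        """Fulfil a request received via the webform, email or phone channel."""
        key = consumer_key(contact)
        self.opted_out_at[key] = at
        self._log(at, key, "opt_out", f"via {channel}")
        return key

    def reject_opt_out(self, contact: str, reason: str, at: datetime) -> str:
        """A request the business declines is still recorded, with its reason."""
        key = consumer_key(contact)
        self._log(at, key, "opt_out_rejected", reason)
        return key

    def record_opt_in(self, contact: str, at: datetime) -> str:
        """The consumer re-authorizes sales; the earlier opt-out stays in the trail."""
        key = consumer_key(contact)
        self.opted_out_at.pop(key, None)
        self._log(at, key, "opt_in")
        return key

    def may_sell(self, contact: str, at: datetime) -> bool:
        """Gate every transfer to a third party on the register; log each block."""
        key = consumer_key(contact)
        if key in self.opted_out_at:
            self._log(at, key, "sale_blocked")
            return False
        return True

    def may_resolicit(self, contact: str, at: datetime) -> bool:
        """True only once the 12-month minimum has elapsed since the opt-out."""
        since = self.opted_out_at.get(consumer_key(contact))
        return since is None or at - since >= RESOLICIT_AFTER

    def events_for(self, contact: str) -> list:
        """The record a regulator would ask for: every event for one consumer."""
        key = consumer_key(contact)
        return [e.event for e in self.audit if e.key == key]


def run_scenario() -> dict:
    """Constructed walk-through on made-up identifiers (not real consumer data)."""
    reg = OptOutRegister()
    t0 = datetime(2020, 1, 2, tzinfo=timezone.utc)
    contact = "Jane.Doe@example.com"
    reg.record_opt_out(contact, "webform", t0)
    reg.reject_opt_out("nobody@example.com", "no record of this consumer", t0)
    results = {
        "sell_day_1": reg.may_sell(contact, t0 + timedelta(days=1)),
        # the same person typed with different case/whitespace is still opted out
        "sell_variant_spelling": reg.may_sell(" jane.doe@example.com ", t0 + timedelta(days=1)),
        "resolicit_month_6": reg.may_resolicit(contact, t0 + timedelta(days=180)),
        "resolicit_month_13": reg.may_resolicit(contact, t0 + timedelta(days=400)),
    }
    reg.record_opt_in(contact, t0 + timedelta(days=401))
    results["sell_after_opt_in"] = reg.may_sell(contact, t0 + timedelta(days=402))
    results["events"] = reg.events_for(contact)
    results["rejected_logged"] = reg.events_for("nobody@example.com")
    return results
```

Call `run_scenario()` to see the whole life cycle: the sale is blocked the day after the request regardless of how the address is typed, re-soliciting is refused at month six and allowed at month thirteen, and the later opt-in lifts the block without erasing the history. In a real deployment the register would be the single source consulted by every pipeline that hands data to an ad network or data broker, and the audit list would be an append-only store rather than an in-memory list.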

What If I Need to Sell Personal Information?
If you are a publisher or a blog that relies on advertising, this section of the law applies to you. If you need to sell personal information, make sure you are perfectly clear about what information you sell and why you sell it. Being transparent about your selling practices may also lead to fewer consumers exercising their opt-out rights.

Author’s note: For more CCPA resources from OneTrust, visit www.onetrust.com/ccpa-compliance.

Government Officials Must Become Better Attuned to Data Privacy Regulations

Larry Alton

Data privacy and security are more important than ever before. Despite existing policies, the number of data breaches is on the rise, and unencrypted personal information is getting into the wrong hands.

In 2016, the EU adopted the General Data Protection Regulation (GDPR), which took effect in May 2018, to strengthen the protection of personal data. Since then, other data protection laws have gone into effect, and businesses all over the world have adopted stricter standards for collecting and storing data. It seems logical to assume the US government would be equally concerned with data privacy, but a recent problem with its drone surveillance program says otherwise.

Drone Surveillance Requires Privacy Compliance
The US government has been using drones for surveillance for quite some time. Pogo.com reported on a research study that found at least 910 state and local public safety agencies have purchased drones, 599 of them law enforcement agencies.

Knowing the privacy implications of drone surveillance, you would think government agencies would be on top of data privacy and security regulations, but that’s not the case. In 2018, we learned that US Customs and Border Protection (CBP) officials had been using drones to collect data (images and video) without considering the privacy implications.

An audit conducted by the Office of Inspector General revealed that CBP officials failed to perform a privacy threshold analysis for the Intelligence, Surveillance, and Reconnaissance Systems used to collect data because they were “unaware of the requirement.” A privacy assessment would have determined whether the systems contained data requiring safeguards under privacy laws, regulations and Department of Homeland Security policy.

The drone surveillance program also failed to manage its IT security controls, which put the drones themselves at risk.

Lack of Awareness is Problematic
The stories coming from officials are in conflict. One official claims nobody told him a privacy assessment was required. Another official told the team a privacy analysis was unnecessary since the drone surveillance system didn’t store personally identifiable information.

While it might be true that officials were unaware of the privacy requirements for collecting data, the inadequate oversight is inexcusable.

Somebody should have initiated a communication from the top down, informing the entire team of the privacy safeguard requirements. Unfortunately, the entire project lacked responsibility and accountability. There was no program management in place, and nobody was designated as responsible for funding and maintenance.

The root problem, as pointed out by CSO Online, is that the drone surveillance systems were never added to CBP’s IT inventory, which is how the privacy requirement was missed. The OIG audit concluded:

“These information security deficiencies occurred because CBP did not establish an effective program structure, including the leadership, expertise, staff, training, and guidance needed to manage ISR Systems effectively. As a result, ISR Systems and mission operations were at increased risk of compromise by trusted insiders and external sources.”

If the government can’t be counted on to protect the privacy of data collected without our consent, that’s not going to sit well with the public.

Dropping the ball on data privacy is out of character for the CBP. The CBP is normally on top of its game and does not let anything slip through the cracks. It sets up extremely detailed processes for everything it manages. For example, CBP takes extreme precautions when letting travelers in and out of the US.

Official-esta.com describes the complex ESTA approval process, noting that: “when you apply for an ESTA online, the system instantaneously crosschecks the biographic information supplied by applicants against multiple databases, including the TSDB (Terrorist Screening Database), records of lost and stolen passports, the SLTD (INTERPOL’s Stolen and Lost Travel Documents database), any previous Visa Waiver Program refusals, visa revocations, expedited removals, as well as records from Public Health departments, including the CDCP (Centers for Disease Control and Prevention) to check for individuals suffering from a communicable disease which constitutes a threat to public health.”

It seems strange that the same attention to detail was not applied to the drone surveillance program.

Government Officials Need Education
It’s possible that the CBP officials involved in the drone surveillance program were just misinformed or not informed at all. This situation highlights the importance of strict oversight wherever data privacy is concerned. Hopefully, the lesson has been learned and new protocols are in place to ensure the oversight shortcomings don’t happen again.

Has GDPR Been a Success So Far?

Laszlo Dellei

Since 25 May 2018, the General Data Protection Regulation (GDPR) has provided unified rules for data processing, required wider protection for the rights and interests of data subjects, and established important guidelines for the flow of information in the European Union. One year later, the first “anniversary” of the GDPR offered an exceptional opportunity to assess past achievements and to set goals for the future, summarized in the communication from the European Commission to the European Parliament titled “Data protection rules as a trust-enabler in the EU and beyond – taking stock.” The report shows that, although the GDPR was described as a giant leap into the unknown, the measures taken by the relevant stakeholders have so far ensured the success of the new regulation.

The document focuses on legal framework, data protection governance systems, data subjects, controllers and international flow of personal data. Generally, the Commission concludes that the application of the GDPR should be considered successful in many areas, because many objectives set by the European legislators have been achieved. This success extends beyond the borders of Europe since the regulation has a global impact. On the other hand, as pointed out by the Commission, there are still aspects of the GDPR that need further action from the stakeholders.

Besides being a legal act, the GDPR is an instrument fostering a European “data protection culture.” Applying and complying with the GDPR requires action from all actors involved: legislators, supervisory authorities, data subjects and controllers. Adoption of the relevant measures was intended to change their cultures and behaviors, so those stakeholders were invited to contribute to establishing the practices surrounding the GDPR, through public comment or by working with bodies such as the European Data Protection Board.

For instance, parliaments and other regulatory bodies carried out the revision of the current legal framework, and, as a result, several laws have been adopted, amended or repealed. Most supervisory authorities have successfully adopted the necessary measures to effectively exercise their competences provided by the GDPR. Furthermore, the European Data Protection Board, as a platform of cooperation for these authorities, and the European Court of Justice, traditionally interpreting European law, provide guidance in order to achieve a more harmonized practice.

Meanwhile, data subjects and controllers have become more aware of the rules regarding data processing. Individuals are more mindful of controlling their personal data; thus, they exercise the rights provided by the GDPR more effectively than ever. On the other hand, controllers had to revise their activities, and to make the necessary modifications in order to comply with the new provisions.

The regulation provides unified rules for the proper flow of information within, from and into the European Economic Area. Instruments such as adequacy decisions and standard contractual clauses, which were applied successfully in the past, continue to apply under the GDPR. In addition, new instruments, such as certifications and codes of conduct, have been introduced to further ease cross-border transfers of personal data while providing wide protection to data subjects. Furthermore, from the US through the Middle East to the Far East, many countries have adopted measures to harmonize their data privacy legislation with the GDPR, sometimes adapting to the new regime of data protection and sometimes copying certain solutions or institutions outright. Thus, the impact of the regulation is felt beyond the borders of the EU.

On the other hand, there are areas where the objectives of the GDPR have yet to be achieved. Supervisory authorities have not yet taken full advantage of the opportunities the new regulation provides, especially in the field of cooperation. In a unified European area of data protection, interaction and cooperation between these authorities, such as joint investigations and mutual assistance procedures, are essential but have not yet taken hold. The sanctioning system introduced by the GDPR, especially the system of fines, needs further harmonization. Since last fall, there has been a growing number of cases in which supervisory authorities imposed so-called “GDPR fines,” and, contrary to the intent of the GDPR, the amounts vary significantly among the member states. Efforts should therefore be made to ensure that violations of the GDPR result in the same sanctions across all member states; otherwise, “forum shopping” may occur. International flows of personal data also need further attention. Certification schemes and codes of conduct may serve as useful instruments for facilitating cross-border data flows, yet their application at both the national and the European level lags behind other provisions of the GDPR. Finally, legal harmonization with the GDPR and the adoption of new laws must continue, as with the ePrivacy Regulation, which requires further revision of the legislative framework.

So, is the GDPR a success? Although it has been applied for only a little more than a year, the GDPR has already had a great impact on almost all aspects of our lives, activating different stakeholders and providing wider protection to data subjects. As an instrument fostering a European “data protection culture,” the regulation is highly successful. The deficiencies identified by the Commission in its communication may, and hopefully will, be resolved in the near future. And since the document is only the first in a line of reports on the implementation of the GDPR, the progress of further harmonization will be continuously monitored.

The Key Point Everyone is Missing About FaceApp

Rebecca Herold

Much has been written in recent weeks about the widely publicized privacy concerns with FaceApp, the app that uses artificial intelligence (AI) and augmented reality algorithms to let users alter the images they upload in a wide variety of ways. Just a few of the very real risks and concerns, most of which exist in other apps beyond FaceApp, include:

  1. The nation-state connection (in this case, Russia)
  2. Unabashed, unlimited third-party sharing of your personal data
  3. Terms of use give unrestricted license for FaceApp to use your photos
  4. Your data will exist forever … in possibly many different places
  5. Data from the apps are being used for surveillance
  6. Data from the apps are used for profiling
  7. Apps are being used in ways that bully and/or inflict mental anguish
  8. Using the images for authentication to your accounts
  9. Your image can easily be used in deep fake videos
  10. Look-alike apps are spreading malware

I could go on, but this should give you a good idea of the range of risks involved. Here is an important point not on this list, and not highlighted in the three or four dozen articles I’ve read on the topic: the FaceApp uproar exposes a long-standing problem with the way privacy policies are written, and the problem is getting worse.

Evolution of Privacy Policies to Anti-Privacy Policies
I’ve been delivering privacy management classes since 2002. One of the topics I’ve emphasized is the importance of organizations actually doing what they say they will do in their website privacy policies, and not using misleading and vague language to limit privacy protections and increase sharing with third parties. (Privacy policies are also often referred to as privacy notices; for the purposes of this article, consider them one and the same.) Organizations should not use privacy policies as a way to remove privacy protections from individuals. The US Federal Trade Commission (FTC) published a substantive report detailing these problems in May 2000, entitled “Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress.” The advice in that report is as valid today as it was then; in many ways, even more so.

A key point in that FTC report was the need for clarity about the collection, use and disclosure of, and the choices available for, personal data. In particular, the FTC’s review of website privacy policies highlighted three significant problem areas:

1) use of contradictory language;
2) unclear descriptions of how consumers can exercise choice; and
3) statements indicating that the policy may change at any time.

From 2000 to around 2010, I saw many websites that actually tried to address these issues. This was a fairly hot topic at information security and privacy conferences then, during which time I delivered keynotes and classes specific to addressing privacy within privacy policies, and then implementing the supporting controls within the organization to meet compliance with those privacy policies.

What happened around 2011 and after? A perfect anti-privacy storm: increased use of search engine optimization (SEO), including deceptive statements on websites and in their privacy policies, combined with a huge jump in the global population using social media sites and blogs. This led to thousands of headlines over the past decade documenting increasingly privacy-unfriendly practices. It was soon followed by apps that integrated with virtually every type of device, server, social media site and cloud service. To succeed in these areas, to rank highest in searches, gather the most personal data to monetize, get the most likes, and get the most online amplification by partnering and sharing data with as many other organizations as possible, marketers turned to creative (actually deceptive) modifications of privacy policies. This is in large part why so many of the privacy policies posted today tip toward being mostly anti-privacy in the way they are written, often allowing as much data as possible to be shared with as many third parties as possible.

FaceApp’s Privacy Policy Problems
There are many vague and problematic areas within the FaceApp posted privacy policy; take a moment to read it. See what I mean? Let’s consider the “Parties with whom we may share your information” section in particular.

  • FaceApp can share unlimited types and amounts of your information (of all types) with “businesses that are legally part of the same group of companies that FaceApp is part of, or that become part of that group (“Affiliates”).” What businesses do those include? It doesn’t say in the FaceApp privacy policy.
  • So, digging deeper, according to the FaceApp Terms page, FaceApp’s “Designated Agent” is “Wireless Lab Ltd.” with an address in Saint-Petersburg, Russia. I did not find a privacy policy or terms of use on the Wireless Lab Ltd. page. It is interesting to see their email contact listed as info@faceapp.com. So, which businesses are “legally part of the same group of companies that FaceApp is part of” remains a mystery, based on what the websites communicate.
  • Moving on to others outside of their “group of companies,” FaceApp indicates that they “also may share your information as well as information from tools like cookies, log files, and device identifiers and location data, with third-party organizations that help us provide the Service to you (“Service Providers”). Our Service Providers will be given access to your information as is reasonably necessary to provide the Service under reasonable confidentiality terms.” So, do you now know who FaceApp is sharing data with? No. Do you know the specific data that is being shared to unknown others? No.
  • Moving on … they also state: “We may remove parts of data that can identify you and share anonymized data with other parties. We may also combine your information with other information in a way that it is no longer associated with you and share that aggregated information.” Does this give you assurance? No. Why? Because, as written, they may send your personal data and so-called “anonymized data” to other parties, and that information may be combined with other information that could re-identify you.

This section of the FaceApp privacy policy could be reworded to have basically the same meaning as: FaceApp may share any of your information with anyone else to use however they wish. Does this sound like a “privacy” policy to you? This type of non-privacy pledge is far too common on websites.

It is also worth noting that there was:

  • Just a single sentence (“We use commercially reasonable safeguards to help keep the information collected through the Service secure and take reasonable steps (such as requesting a unique password) to verify your identity before granting you access to your account.”) describing security, and a disclaimer of any responsibility for even securing your information and preventing others from getting access to your data.
  • No apparent information about how you can access and view all your data that they’ve collected or derived from what you provided to them.

Privacy Policy Problems Not Unique to FaceApp
If you reviewed your own organization’s privacy policy, would you find similar problems? And if everything looks good from a privacy standpoint, is your organization fulfilling all the promises made in its posted privacy policy? In my experience doing privacy impact assessments (PIAs) of privacy policies over the past couple of decades, roughly 90-95 percent of organizations are NOT in compliance with their own posted privacy policy. Every organization needs to realize that it is legally obligated to fulfill the promises made in its posted privacy policy, in addition to complying with all applicable laws and regulations.

It is a good practice for every IT audit, information security and privacy officer to put an audit of the posted privacy policy on their annual plan. If you don’t, you may be added to the growing list of organizations hit with increasingly large FTC fines for not fulfilling privacy policy promises.

Transitioning GDPR Preparations Into Operations

Michael Hughes

While organizations may think they have done everything needed to prepare for GDPR, they may not have thought about how they obtain assurance over GDPR, especially since being prepared for GDPR is different from having GDPR embedded in operations.

GDPR has now been in force for over a year, so would it be correct to assume that all organizations have taken the necessary steps to ensure compliance? Based on our work and feedback from others, it appears that this is not the case, far from it. But the big question is: will the magnitude of the fines recently announced by the ICO for British Airways (£183m) and Marriott (£99m) make stakeholders think again?

What does the Information Commissioner’s Office (ICO) expect of an organization?

That’s quite simple. The ICO expects that all organizations, no matter their size, are taking the protection of personal data seriously and that they are looking after the interests of the data subject. The ICO would expect all organizations to have compliance with the legislation at the core of operational activities. This means that in respect to personal data they are:

  • Doing the right things;
  • Doing them in the right way; and
  • Doing them well.

Clearly both British Airways and Marriott failed to convince the Information Commissioner that they were doing the right things and had done all they could to protect the personal data of their customers, but why are the fines so big? Is it because the ICO is making examples and sending out a message to those organizations who approached GDPR as another compliance headache and did the bare minimum or, worse, ignored it completely? Possibly, but equally it could be because both companies failed at a fundamental level – they failed to safeguard their digital estate.

And it could have been much higher. BA’s fine was 1.5 percent of global turnover; it could have been up to 4 percent. It is also noteworthy that Marriott incurred its £99 million fine over a breach that began in the systems of Starwood, a hotel group it acquired in 2016: the exposure came with the acquisition, and so did the accountability.

While many organizations have invested a great deal of time and energy to be compliant with the regulation, many have failed to recognize the business value.

Instead of viewing GDPR as another regulation you need to comply with, consider the potential business benefits. Why wouldn’t you want to ensure that your data is:

  • Obtained fairly and lawfully
  • Recorded accurately and reliably
  • One version of the truth 
  • Held securely and confidentially 
  • Used effectively and ethically  
  • Shared appropriately and legally

Deliver Business Value … Comply with GDPR
GDPR is also about value and trust in data, a central element of information governance. Information governance encompasses, among other things, information security or, at a digital level, cybersecurity.

Many organizations were taken in by checklists and vendors offering one-stop technological solutions, without taking the necessary steps to understand how personal data flows through the organization, rather than designing and implementing a framework that fits their culture and ways of working.

Then there are those organizations that complained “it’s not fair” and placed it on the “too difficult to do” pile.

On many occasions, senior stakeholders have told me that they could not see how GDPR affected them as they didn’t collect, store or process personal data – in all cases they had failed to grasp that employment data was personal data.

Absorbing GDPR into business as usual requires a holistic approach to information governance.

People, processes and technology: the guidance issued by the Article 29 Working Party and the ICO spelled it out. Raise awareness, train staff, develop processes and procedures, and tighten up IT security.

How can doing the above build business value? It can be a differentiator, especially if you accept the view that we are moving from the information age to an age in which reputation is paramount.

In the marketplace, competition is fierce and choice is not restricted by geography. We no longer just rely on the shops on the high-street or local businesses to fulfill our needs.

Could it be that in the not-too-distant future we will be looking at a “data trust index” when making our decisions over which internet business we want to interact with? So, will a business whose reputation is damaged because it cannot be trusted with our data be overlooked the next time we go shopping?

In GDPR terms, even those organizations that embraced the challenge are only at the beginning of their journey. Organizations collect data for a whole host of purposes and from a range of sources.

The simple question is why we spend time and resources collecting, processing and storing this data. The simple answer should always be that it is necessary to achieve business objectives. If that is the case, then the data collected must have value and be worth safeguarding. If something has no value, why would we acquire it?

For the last year or two, the focus has been on GDPR, but in reality, many progressive organizations have been using GDPR as a way to improve their overall approach to information governance.

Looking forward, it is how we incorporate GDPR into information governance that will determine our level of GDPR maturity. There is also a real prospect that the protection of personal data will become part of annual audit requirements.

But it’s not just about our organization; it’s also about organizations with which we share our data. If we do not manage our third-party data-processing relationships appropriately, our reputation could be impacted upon by their negligence. Even if there is a breach in a third party’s data security, we are still accountable; therefore, it is our responsibility to make sure that the third parties we work with are looking after the data we share.

GDPR does not reflect a whole new philosophy with regard to personal data; rather, it builds upon the basic application of good information governance practices, albeit with a greater emphasis on transparency than an auditor might be accustomed to.

Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise:

  • GDPR centers on the quality and accuracy of the data collected; a core tenet of information governance is the reliability of information.
  • GDPR focuses on the security of data. In information governance, we also consider data security and look at the processes in place for data loss management. We don’t want to lose data, but if we do, we need systems in place to tell us that a breach has happened.
  • Under GDPR, we need to ensure that personal data is accessible. In information governance, we also need to be able to access data; this is how we leverage value out of information.

What can you do to reduce your risk of a fine? Here are some key points to consider:

  • Complete a data audit, develop a Record of Processing Activities and conduct a risk assessment of the data collected, processed, stored and shared.
  • Know who all your third-party suppliers are, and any of their suppliers who handle your personal data, and make sure that they have the appropriate processes in place and that those processes are working effectively.
  • Draw up privacy notices and have them readily available. You don’t have to get the data subject to sign them; just ensure that the data subject is aware where the notice can be found.
  • Add cookie statements on websites.
  • Develop processes and template letters that underpin the way individuals’ rights are addressed when they make a subject access request.
  • Raise awareness across the organization, train staff how to deal with personal data and assess their understanding.
  • Review contracts with suppliers and customers and, where appropriate, put Data Processing Agreements in place.
  • Review information security arrangements to ensure that all sensitive and personal data stored and processed is appropriately protected both at rest and in transit.
  • Provide data subjects with their personal data in electronic form, which facilitates portability.
  • When making changes to the systems used to collect, store and process data, develop a process to undertake a data privacy impact assessment to ensure a full understanding of how actions and activities may affect the rights and freedoms of the data subject.
  • Review all business processes that touch on personal data to ensure GDPR compliance is embedded into “Business as Usual” and becomes an integral part of daily operations.
  • Be able to demonstrate that GDPR-related processes are operating effectively and consistently.

Don’t let your organization be the next one hitting the headlines for receiving a large fine from the ICO. The fine is only the start of your worries – reputational and brand damage could cost much more!

Don’t Panic, Help Is At Hand
There are a number of sources of information to help us, including:

ISACA’s GDPR Resources: https://www.isaca.org/info/gdpr/index.html
ISACA’s Cybersecurity Resources: https://cybersecurity.isaca.org/info/cyber-aware/index.html
ICO’s 12 Steps: https://ico.org.uk/media/for-organisations/documents/2014918/dp-act-12-steps-infographic.pdf
NCSC’s Cyber Essentials: https://www.cyberessentials.ncsc.gov.uk/
NCSC’s 10 Steps to Cybersecurity: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
NCSC Board Tool Kit: https://www.ncsc.gov.uk/collection/board-toolkit

Are the British Airways and Marriott GDPR Fines a Tipping Point?

Raef Meeuwisse

For many months, infosec and privacy colleagues alike have been telling me that the FUD (fear, uncertainty and doubt) about the terrifying levels of EU fines under the European Union General Data Protection Regulation (GDPR) has disappeared from boardrooms and executive management meetings.

In many organizations, the sentiment from senior management was that GDPR was another Y2K; it looked terrifying on paper but – meh – it probably did not matter that much after all.

As the statistics from the first 12 months of GDPR rolled in, these managerial beliefs that the regulation was all hype and no action were reinforced:

  • 206,326 cases (complaints and breach notifications) reported to the European regulators
  • 52 percent of cases closed with minimal action
  • Only 11 out of 31 countries had so far issued fines
  • The total amount of GDPR fines at that time: €55,955,871
  • … and €50m of that was to Google

There was a near-universal sigh of managerial relief and, in many organizations, privacy and data security efforts slid down the agenda … until this Monday.

On Monday, the ICO (the UK supervisory authority for GDPR) announced its intention to fine British Airways £183.391m (around US$230m) for the loss of around 500,000 customers’ details in a card-skimming attack that began in June 2018.

That was followed on Tuesday by an announcement from the same regulator of its intention to fine Marriott International £99.2m (around US$124m) for losing around 30 million EU customers’ details in a breach it failed to discover until 2018.

By Wednesday, any sensible organization had moved effective privacy and security right back to the top of its risk radar. One key reason security belongs there: both of these events were, in effect, failures to adequately protect personal data against cyberattack.

As one of the people impacted in one of those breaches – and as an infosec professional who has to constantly battle for resources – my opinion is that this just might be a second watershed moment for our sector.

The first watershed was after WannaCry and NotPetya hit, and the majority of organizations began to realize that they needed to actually take cybersecurity more seriously.

This could be the second watershed if the intention to impose substantial fines is followed through.

Let me explain this point a little further.

It is an unpalatable truth that most sensible commercial decisions are made on the basis of risk. If you have a small chance of a small fine for the mismanagement of privacy information, then most organizations will aim to manage that risk on a shoestring. They want to be seen as doing the right thing – but why spend tens of millions of any currency fixing something that probably will never cost you more than a small percentage of that budget? That was the perception of GDPR until Monday.

After the intention to impose substantial GDPR fines was announced early this week, that perception has changed. Any organization that was considering putting GDPR or cybersecurity on a modest budget is re-evaluating that choice.

Whether this is a tipping point for setting in motion better investment in cybersecurity and data privacy still relies on a few things – and the first of those will be whether the intention to impose substantial penalties materializes into reality.

Will the fines really be applied? Will they be paid? Will more mega-fines follow?

The answers to each of these questions could have just as much impact on the privacy and security sector as WannaCry and NotPetya did.

Five Considerations for Data Breach and Incident Reporting in the EU

Anna Vladimirova Kryukova

The increasing number of cybersecurity incidents has a serious negative impact on enterprises, prompting legislators around the world to explore new policies and regulations. Certainly, the GDPR was one of the most popular topics of the last year (a European Commission report shows that in May 2018 Google searches for the GDPR were more popular than those for Beyoncé and Kim Kardashian). Having finalized the initial GDPR implementation stage, companies have proceeded to deal with the practical challenges of the new requirements. One of them is reporting personal data breaches to a supervisory authority and notifying data subjects.

However, the GDPR is not the only binding act imposing an obligation to notify certain parties about breaches and incidents. Some countries followed the privacy protection “wave” and introduced their own data protection acts requiring similar breach notifications. There are also other acts that do not focus solely on personal data but also cover notification procedures for breaches and incidents (for example, the NIS Directive, PSD2 and the ePrivacy Directive, as well as country-level acts and guidelines implementing the directives). The wide array of applicable rules (especially relevant for international businesses) can cause organizational problems and misunderstanding about the actions to be taken in case of a probable incident. Further, the terminology varies: some acts refer to breaches, some to incidents, and in each case the meaning of the term should be assessed within the context of the corresponding act.

To understand which steps ensure proper incident or breach reporting in the EU, it is recommended to consider the following aspects and summarize them for later use:

1. Requirements applicable to the company. Companies may be subject to certain legal obligations depending on different factors, such as the territory where the company is incorporated or carries out its business activities, the character of the services provided or goods produced, and the clients or partners the company affects. For example, the GDPR also applies to non-EU companies offering goods or services to data subjects located in the EU, while the NIS Directive applies to network and information systems within the EU. As EU directives are usually implemented at country level, companies should check their obligations against their national legislation. Additionally, do not forget criminal or administrative laws: in some countries, these also cover certain types of incidents and may impose reporting obligations.

2. Classification of the event. Once it is clear which acts bind the company, it is necessary to understand which cases “trigger” the obligation to report: which types of information, systems and people are affected, on what scale, which level of risk the event falls under, and whether this requires disclosure. For example, personal data or financial information systems operated by digital service providers or critical infrastructure might be affected without reporting being required in every case.

3. Reaction time. The next step is to address the deadline for reporting different types of breaches or incidents. The statutory requirements for the deadlines might vary from several hours to several days or months, depending on the type of event.

4. Reporting. The scope of notification obligation might also be different. Some acts require reporting to authorities, such as personal data protection supervisory authorities, authorities similar to CERT (computer emergency response team), financial and telecommunication regulators, or police. Additionally, the company might be subject to the obligation to notify other impacted parties (clients, employees, cooperation partners).

5. Contents. The final step is to identify the information to be reported under the applicable requirements. It is also possible to use special reporting forms or an official template (if available). This does not mean, however, that the company cannot collect additional information for internal incident response purposes.

A summary of the above-mentioned information should be communicated in a way that is understandable to the people responsible for incident reporting in the company. However, the aforementioned activities are only the beginning, and the next task is to ensure that the reporting process is organized correctly and is carried out in appropriate fashion.


GDPR Audits for SMEs Are All About the Language

Steven Connors

It is often said that a good auditor is a good communicator, and this is particularly true when dealing with smaller organizations.

Small and medium-sized enterprises (SMEs) tend not to have the capacity to employ specialists in every role, instead relying upon generalists who fulfil many roles in the organization.

Unless the SME’s business is data processing or falls into one of the other categories that require a data protection officer (DPO), then the chances are that as auditors we will be speaking to the finance head or IT manager or HR manager about data protection.

ISACA’s new GDPR Audit Program for Small and Medium Enterprises is written not with the professional IT auditor in mind, but the auditee. Consequently, its language is simplified from that of the enterprise version.

One of the biggest issues I have found when dealing with SMEs is ensuring my conversations and questions are designed to fit the audience and are jargon-free. Only by adjusting the narrative to fit the audience can we hope to deliver an audit product that adds value. This is particularly important with GDPR in the SME space. Indeed, many SMEs still have not fully embraced the central theme of the GDPR – it’s all about the data subject, not the organization.

When auditing SMEs, it’s as much about education as compliance. GDPR is about how following some basic rules of good data governance, such as ensuring data quality, can add value, not just cost, to an SME. As auditors, we can help owners and managers embrace the idea that we are adding value above and beyond what is derived from a compliance report.

It is also important to be aware that many SMEs will not have received the best advice leading up to GDPR. Many will have scoured the internet, talked with fellow business owners or at best attended a seminar or two – or, worse, been drawn into spending money on software solutions that are generic and not a good fit for their businesses.

In the hands of an experienced auditor, the audit program should be used as much to help devise a remediation plan as to arrive at an audit opinion. After all, the audit is designed to validate controls implemented to manage risk and to agree to a risk treatment plan.

A survey by Q2Q in November 2018 found that 41 percent of SMEs are still unsure about the rules and regulations surrounding GDPR. This, combined with 22 percent saying that emerging online risks are their biggest headache, presents an opportunity for the auditor to use the program to offer genuine guidance to their SME clients.

One of the major issues that organizations and their auditors had with the previous Data Protection Act was that it was primarily viewed as an IT problem to be solved with technology. Complying with GDPR is about managing information risk and needs to consider a trio of risks: people, processes and technology. These risks must be considered across all facets of an organization.

Paying for Apps with Your Privacy

Rebecca Herold

Don’t look at your device when I ask you this question: How many apps do you have on your smartphone? Or, if you use your tablet more often, how many apps do you have on your tablet? Remember this number or write it down.

OK, now look at your device. How many apps do you actually have installed? Is that number higher than what you wrote down previously?

For most people, it would be. In many of my keynotes, and in most of my client key stakeholder meetings, I ask this question. I’ve seen around 90-95 percent of people severely underestimate the number of apps they have on their devices. For example, I’ve had people tell me they had maybe 15 or 20 apps installed, and after they checked, they found they actually had well over 100. But they were only using around 15 of them.

Keep this in mind: just because you are not actively using apps does not mean that those apps are not actively harvesting data from you.

Most people download apps willy-nilly. The mentality is often, if it is free, then, hey…let’s get it and see what it does! Oftentimes those never-used-but-still-installed apps are silently and often continuously taking data from the device and sending it to the app vendor, which then shares the data with unlimited numbers of other third, fourth, and beyond parties. Who are those third parties and beyond? What are they doing with your app data? How can those actions have negative impacts on those associated with the data?

Throughout my career, across hundreds of assessments and risk analyses, I’ve often heard the following from those reading the reports: “Have these possibilities you’ve outlined actually happened? Has such misuse of data actually happened? Why is sharing data from devices a problem?” The overwhelming opinion was, “If nothing bad has happened yet, or we haven’t heard about bad things happening, then why worry? Probably nothing bad will happen.” This often-stated denial of risk, and the lack of accountability such opinions try to establish, are factors motivating app vendors and tech companies to share as much app data as possible, monetizing it along the way, and leading to a wide range of emerging invasions of privacy that don’t fall neatly under the definitions of “privacy breaches,” even though those involved certainly feel creeped out and victimized, often in multiple ways.

Recent reports, including an intriguing one from the Wall Street Journal, are shining light on how so many app vendors are sharing data with Facebook, one of many social media and tech giants that is involved. For example, the report noted, “Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple’s iOS, made by California-based Azumio Inc., sent a user’s heart rate to Facebook immediately after it was recorded.” Do you think the app users knew this would happen? To what other businesses was their data sent? What about all the other apps being used? How many other organizations are they sending data to, unbeknown to the app users?

The types of data from apps that are being shared, and the insights they can give into people’s lives, are alarming, and go far beyond heart rate data. Apple and Alphabet Inc. (Google’s parent company) reportedly don’t require apps to disclose to the app users all the third parties that receive their personal data. So, in the HR Monitor example, the app users were likely not told that Facebook was going to get their data immediately as the data was collected. How many other third parties, and which ones, also got their data?

There are some huge problems that app creators and tech companies are generally not addressing in any meaningful or long-term way. Here are a few of them:

  • They do not clearly describe all the data they are collecting, deriving, sharing, processing and storing that can be linked to specific individuals. In other words, they are not defining the personal data involved with the apps.
  • They do not specify the types of other data being associated with personal data, a combination that can result in very sensitive data.
  • They do not list the third parties with whom they are sharing that data, nor how the app users can determine how those third parties are using their data.

App creators and distributors need to do a better job at communicating the answers to these important questions to all those using their apps. But app users also need to be more proactive. They need to be more vigilant with how they download, use, and remove apps from their devices. I provided advice to app users about this in a couple of recent news stories – you can check them out at USA Today and Nerdwallet.

Moving Beyond Stubborn Reluctance to Comply with GDPR

Laszlo Dellei

Last May marked the beginning of the application of the General Data Protection Regulation (GDPR), which harmonized and unified the rules governing privacy in the European Union. Leading up to and following the adoption of the regulation, data protection has been a focus of attention all around the world. Governments introduced new legislation, while supervisory authorities, civil society, data controllers and processors publicly discussed the rules, obligations and institutions set out in the GDPR, and campaigns were launched to raise privacy awareness among data subjects and the public.

Despite all this, at the six-month mark after the compliance deadline took effect, only 30 percent of companies located in the EU could be considered GDPR compliant, a recent study showed.

Perhaps we should not be entirely surprised by that underwhelming statistic. GDPR compliance can be time-consuming and resource-intensive. It necessitates a strategic approach and a permanent focus on all activities related to data processing. Unfortunately, these characteristics can result in certain hazardous attitudes on the part of controllers and processors. Many of these actors are aware of the new rules introduced by the GDPR, yet they choose to ignore the relevant obligations, hoping to avoid inspections and further consequences. Others are reluctant to comply with the regulation and may consider other responsibilities as trumping privacy, for instance, giving economic benefits more weight than protection of personal data. Finally, it is a common misconception that if the controller publishes its privacy notice or policy, its activities are in line with all obligations deriving from the GDPR.

Nonetheless, data subjects are becoming more conscious about their privacy and demand effective control over their personal data. Besides the heightened interest in the activities of controllers and processors, the monitoring and enforcement mechanisms set out in the GDPR are operated by supervisory authorities around the European Union. Fines have been issued for non-compliance and, as a further consequence, the publicity of unlawful conduct further damages the reputation of controllers. Thus, the previously mentioned attitudes are harmful to the rights and freedoms of individuals; they violate provisions protecting the privacy of data subjects, and may also lead to significant loss of income for controllers and processors.

Instead of demonstrating the previously mentioned attitudes, controllers and processors should realize that certain easy steps can promote GDPR readiness. First, they need to be self-aware concerning activities connected to the use of personal data. An updated record of processing activities and the designation of a data protection officer may be of great help in this respect. Applying data governance tools can also assist in setting the relevant internal policies. Furthermore, it is necessary to document every aspect of these activities, thus demonstrating compliance with the principle of accountability. Finally, controllers and processors should make their operations transparent to supervisory authorities and data subjects as well as to the general public, via data protection notices and other methods of providing information.

These are certainly not the full set of conditions for GDPR compliance, but they help controllers and processors achieve it, and constitute valuable proof that an organization is willing to abide by the rules of the regulation and respect the privacy of data subjects.
