What is GDPR?
GDPR began in Europe and has since expanded worldwide, affecting everyone and everything connected to the internet. If you are online and exchange data with someone else, then as of May 25th, 2018, GDPR directly affects you. Whether you are a business, an institution, or an individual does not matter: you are affected. Whether you like or detest GDPR is beside the point; it is here to stay, and you must accept it or face harsh consequences, including the loss of very large sums of money and even of your ability to conduct business or any other online activity where personal data is exchanged.
If you are a business or organization that collects any data from someone who resides in the European Union (EU), you are now required to follow the guidelines of the General Data Protection Regulation (GDPR), even if you do not reside in the EU.
So why do we have GDPR in the first place? Who asked for it? Why does everyone in the world have to be subject to something a bunch of Europeans came up with? Isn’t colonialism more than enough?
The origins of the GDPR may have more to do with Americans than with Europeans; the Europeans came up with it as a way to offset that. Over the years, several companies such as Best Buy (2018), Adidas (2018), Twitter (2018), Whole Foods (2018), Equifax (2017) and, greatest of all, Yahoo (2013) were guilty of massive breaches of client confidentiality. These cases and dates refer to companies that stored user data such as passwords, names, addresses, occupations, credit scores and purchases, and were negligent with the security of the information they were entrusted with, so that the information was breached, stolen and distributed. In these cases, the companies did not take the minimum security precautions to ensure the protection of user data.
Perhaps more (in)famous is the case of Facebook, Cambridge Analytica and the 2016 US general election, which had nothing to do with a breach but rather with deploying user data for something other than its intended purpose. In a nutshell, Facebook user data was sold, or passed on, to Cambridge Analytica (CA), which tried to maintain plausible deniability, to study user behaviour. The Trump campaign paid CA millions in consulting fees to get this data. This information was then leveraged and exploited to influence voters’ decisions in the 2016 US election through targeted ads.
These breaches, sadly, are just the tip of the proverbial iceberg, and the sale of personal Facebook data to a third party to manipulate people’s voting decisions prompted the European Union to place minimum requirements on the security of user data and on what this data may be used for outside of explicitly described terms and conditions.
While GDPR is a new and evolving policy, some core concepts will remain intact throughout all its incarnations, and those relate to the security and ethical treatment of personal information, which is considered a human right. GDPR is a comprehensive marriage of technical and policy-driven rules, as neither can function without the other. There is also a distinction between privacy and security, the former being what an organization does around data protection and the latter how data is collected and stored.
From the technical side, GDPR requires minimum standards for how data is retrieved and stored. For instance, client data must be encrypted (made unreadable to outsiders) and pseudonymised (identifying details replaced so that outsiders cannot figure out who the data belongs to). What do we mean by ‘data’? Any information that can identify an individual: names, home or work address, contact information, education, and medical and financial records are some examples. What do we mean by ‘policy driven’? Policies are rules about how data is treated and how the technical measures are applied.
Penalties for not maintaining minimal security protections can be two percent of gross income for an organization or ten million Euros, whichever is greater. Organizations that abuse data or pass it along to an unauthorized third party can be penalized four percent of gross profit or 20 million Euros, whichever is greater. Further failure to comply with GDPR rules means the loss of the privilege of collecting any data. Please refer to Art. 83 GDPR – General conditions for imposing administrative fines.
Within the GDPR documentation is a casting call of participants and designated roles for regulatory oversight. They include the following:
Data Controller: the one who collects the personal data of clients. To collect, one must have a valid, legal business and notify the subject what type of data is required and for what purpose.
Data Processor: the one who processes data on behalf of the data controller.
Data Subject: the individual whose data is collected and processed.
Data Protection Authority: the one who safeguards the collected data.
Data Protection Officer: the one who ensures compliance with GDPR regulations.
The data controller and protection authorities are appointed by the company, organization and/or institution and are subject to audit by governing bodies.
What is the purpose of GDPR? Why all the regulations? They are due to the ongoing data breaches at companies, governments and institutions that did not take sufficient precautions with data security, such as proper encryption of communications and storage. While some companies ensure basic encryption, others may have abused client trust and sold personal data to third-party marketers or entities even less scrupulous. Now the GDPR brings awareness to service providers and users alike, who would otherwise be unaware that the personal data of an EU citizen is not only protected but also a fundamental right.
In the event of a data breach in which a company or organization is compromised, they have 72 hours to publicly report the breach to regulators. Sometimes, either by luck or by diligence, breaches are detected by internal staff. Failure to comply results in public shaming and penalties. That said, many companies and organizations are not aware of a breach until months after the fact, and then only through a third party or the party who carried out the breach in the first place. Even in the rare case where a company discovers the breach itself, it could continue to claim ignorance to buy further time if the fact was not already publicly disclosed. Please refer to Art. 33 GDPR – Notification of a personal data breach to the supervisory authority.
The GDPR is long, seemingly complicated, has many facets, and is an ongoing work in progress. Does it actually make us safe? The fact is, any person or group determined enough can breach security. A case in point is the growing reliance on so-called ‘cloud services’, meaning data processed outside a local network, such as Microsoft Office 365 or Adobe Creative Cloud, which acquire and store user information on other, often international, networks. The further away from the local network data is stored, the more security risks arise. The user cannot see or audit where her data may go, which introduces many security issues. This is just one case in point as to why something like the GDPR is so important.
But even in the case of a breach, there are policies in place to help mitigate damage, such as ‘data minimization’. This means that the data controller collects the least amount of data required to fulfill its tasks. At the very least, GDPR ensures that minimum standards for data and how it is used are met, with oversight by a third-party watchdog. Now, literally, no one can afford to be sloppy, careless or reckless with data. Those who do not comply and report data collection are referred to as ‘shadow IT’.
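As an added illustration, not from the original article, of the two measures described above (pseudonymisation from the technical requirements and data minimization from this paragraph), the following Python routine strips a constructed client record down to the fields a hypothetical controller needs and replaces the customer identifier with a keyed token; the field names, the key handling and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed for this example: the fields a hypothetical controller actually
# needs for its task. Everything else is dropped (data minimization).
REQUIRED_FIELDS = {"customer_id", "country", "plan"}
# Direct identifiers that must not reach the processing environment in the clear.
DIRECT_IDENTIFIERS = {"name", "email", "address"}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token for a subject identifier: the same subject
    yields the same token under one key, so records stay linkable for
    processing, but without the key (held separately by the controller) an
    outsider cannot map the token back to the person."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Drop direct identifiers and non-required fields, then replace the
    customer identifier with its pseudonym."""
    minimised = {
        field: value
        for field, value in record.items()
        if field in REQUIRED_FIELDS and field not in DIRECT_IDENTIFIERS
    }
    minimised["customer_id"] = pseudonym(str(record["customer_id"]), key)
    return minimised


def linkable(a: dict, b: dict) -> bool:
    """True when two pseudonymised records belong to the same subject."""
    return a["customer_id"] == b["customer_id"]


# Constructed sample records for the example; not real people.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.org",
     "address": "1 Example St", "country": "FR", "plan": "pro", "credit_score": 710},
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.org",
     "address": "1 Example St", "country": "FR", "plan": "pro", "credit_score": 712},
    {"customer_id": "C-2002", "name": "Bob Example", "email": "bob@example.org",
     "address": "2 Example Ave", "country": "DE", "plan": "basic", "credit_score": 650},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # the controller keeps this apart from the data
    for rec in SAMPLE_RECORDS:
        print(pseudonymise_record(rec, key))
```

The two records for the same customer remain linkable under one key, while the credit score and all direct identifiers never leave the controller's side.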
Regulations, however, can only go so far. You, the ‘data subject’ still must exercise caution and sound judgment. Think about whom you are giving your personal information to and weigh the benefits. Do you have a contingency plan in place in case of a breach? Doing your own due diligence and being cautious can be the best protection of all.
So how does a Canadian business or organization make sure it is GDPR compliant? Well, you could go to the official GDPR website https://gdpr-info.eu and read the 80-page regulatory document as a web page or PDF. Smaller organizations may struggle with appointing additional regulatory roles and may require staff to do a double shift to meet oversight staffing requirements. To help ease and automate the process, security firms like Symantec provide automated software to streamline compliance. That’s right, Symantec, known for anti-virus software, now has a framework to ensure you are compliant via their online assessment and additional digital tools to help you manage: https://www.symantec.com/campaigns/data-privacy