GDPR compliance ‘squeeze’ may come from customers
While the upcoming General Data Protection Regulation (GDPR) is without doubt the biggest shakeup of data protection regulation for many years, it is much needed.
That was an opening point from Aoife Sexton, lawyer and privacy expert, founder of Frontier Privacy, at the third in the TechFire series on the regulation. The event focused on ongoing compliance and the competitive advantage it can bring.
Sexton said that the last such update was from 1995, and by way of illustration as to how far back that was in terms of the world of information technology, she pointed out that Mark Zuckerberg was 11 at the time.
She said the law is designed to produce a single, uniform set of data protection rules across the EU. However, as principles based legislation, which is technology neutral, it is short on detail.
Users must be educated as to the consequences of non-compliance and why the regulations are necessary, said Sarah Armstrong-Smith, engineer and management consultant, Fujitsu. Highlighting the fact that compliance is about more than technology, Armstrong-Smith said that people must know their contribution to the efforts, and its value too.
In no doubt as to the value of compliance, Armstrong-Smith said that GDPR is not only an obligation but an opportunity.
“With compliance comes competitive advantage, as organisations can better utilise the data at their disposal, gain critical insights, and build trusted relationships,” she said. “Effective integration and collaboration will enable privacy by design to become privacy by nature.”
Simon Nixon, director, Product Management, Veritas, neatly summarised GDPR obligations with three points.
GDPR in a nutshell:
- Get to grips with what you have and where it’s stored
- Data subjects have to be found to be forgotten
- What you keep you must protect
Elaborating, he reiterated a point from previously that once located and assessed, data should be minimised to reduce risks and to ensure compliance. If data is no longer needed, no longer accessed or no longer justified, get rid of it and reduce the burden.
John Handley, senior programme manager, security governance and risk management, Symantec, used a series of scenarios to work out some of the security implications for organisations.
With regard to protecting personal data against loss, mitigating risks to data subjects and minimising risk in case of a breach, Handley explored various possibilities.
Among the recommendations were to use the time before the deadline wisely, engage the board and moreover, understand your data so that you can more readily identify risks. Better understanding leads to better measures and easier compliance. Handley emphasised what had been mentioned previously that GDPR is not necessarily a technology issue, but it was worth identifying where technology can provide assistance in achieving compliance.
The panel discussion was lively, with many questions and comments, across various aspects.
The first question from the floor asked if starting GDPR compliance efforts in January was feasible.
Veritas’ Nixon said that he had seen this a lot across various sectors, with organisations being at different stages of readiness and those who had simply not begun.
His advice was unequivocal: start now.
He emphasised that what should be done immediately is the data discovery. Nixon said that until you understand what data you have, it is impossible to say how long it will take to become compliant.
Frontier Privacy’s Sexton also weighed in, saying that SMEs had not got their heads around this at all, and she reminded that there is no lead in period.
Sexton said that those who come in for the harshest treatment from the regulator will be those who have done nothing. Get started, she argued, show you have a plan and show you have intent. Even if you haven’t got there by May of next year, at least you can show you are trying.
The squeeze, she added, may not come from the regulator, it may come from your own customers, or those you work with in terms of being unwilling to deal with an organisation that has is not compliant.
Another attendee asked about certification for GDPR compliance.
TechPro’s Hearns added here that some organisations appear to be offering certification in GDPR whereas in actual fact they are offering training courses that have been certified for the presentation of such information, not the information itself.
Sexton acknowledged that there is a real need for such services. She said vague language in the regulation, particularly around security, means that many are scrambling for information and want that assurance of certification.
“GDPR does allow for certification, seals and accreditation, but in listening to the regulator speak, we are not there yet,” said Sexton.
She added, the idea is that the certification would be run through the regulatory bodies, but Helen Dixon (Irish data protection commissioner) has said that we are some way off that yet.
An Post’s corporate compliance manager, Tom Hulton, said that already, requests for proposals (RFP) are including elements of data protection, though some that are unenforceable.
People need to think about how to achieve what is required, he said, but at the same time be realistic. Despite vague language, if you are as explicit as you can be, especially for security, that should be enough until more clarity is available, he said.
A question from the floor asked about the demonstrability of compliance, but on the customer side. It was asked if companies will have to publish their architecture for how they keep people safe to demonstrate compliance ? The need was likened to that of demonstrating green credentials.
Fujitsu’s Armstrong-Smith said, from a service provider’s perspective, it is already happening to a certain extent.
She said we, as a service provider, might have different tiers of service described and what each consists of. She said this allows companies who use the services to show their own architecture in light of the services used.
It is up to the service provider to point out what you get at the different price points, but down to the client to determine which level of service is appropriate to their needs and obligations, and they can then use that to demonstrate their level of protection, she said.
From the perspective of an organisation becoming compliant, An Post’s Hulton said that it is something they have been thinking about but not something they have a solution for yet.
One of the things that will probably happen here, he reasoned, is that a third party certifier comes in and audits you, rather than lots of different ones. That will be an added cost, but you have to demonstrate your ability to meet the regulation.
It is a challenge, but you’ll have to do it, he asserted.
Another important point was raised regarding existing certifications, such as PCI DSS 3.2. The question was if such measures meet GDPR requirements.
Sexton was clear in her answer.
You cannot show GDPR compliance by showing ISO 27001 compliance or PCI DSS compliance or whatever, she argued. GDPR is a much wider subject matter, and one element of it is the obligation to keep secure, and obviously PCI compliance is an important pillar. But it goes much wider than that, and goes back to how you collected the data in the first place, not just credit card data. All of those things help, but in and of themselves, or of themselves alone, they will not be sufficient.
The inevitable topic of Brexit was the subject of another question, and what impact a hard Brexit might have for on GDPR here, where British companies currently have access to Irish consumer data.
Armstrong-Smith said simply, she did not think it would have any effect at all.
There is already a data protection bill out in the UK, where the ICO is intending to adopt GDPR, she said.
“There’s already been quite a lot in the press, and the ICO has always been very stringent on data protection, but in the last couple of months there have been very strong indications that it will be adopted.
“So I don’t think that Brexit will make any difference and that is how the message that is being portrayed in the UK right now,” she said.
Sexton too reckoned the effect would be similar.
Once Brexit kicks in, Britain will be considered a third country under European rules, she said. So what we are looking at are issues around transfer. At the moment, you are not allowed to transfer person data outside of the EEA unless you have a lawful basis, and there are a number of different ones, be it model clauses, Privacy Shield or consent, said Sexton.
“That is the challenge. They are aware of it and trying to cover it under the current discussions around Brexit.”
The European Commission has the ability to look at a country and put it on a white list, it decides that the law in that country is adequate to allow the transfer of data from an EEA country to it, said Sexton. If the EC determines that Britain could go on the white list, then that would allow for the free flow of data from the EEA to Britain without the need to put in place an additional legal tool. But we don’t know if Britain will get an adequacy ruling, politics may come into play.
There is quite a draconian law in Britain on legal surveillance which the EC has said is not compliant with European law, and that might be used as a tool, said Sexton.
“So, we don’t know.”
But, any British company doing business into the EEA will have to be GDPR compliant, said Sexton.