The recent events around both the INM data breach and the Facebook/Cambridge Analytica debacle have a distinct element in common — poor data handling.
In the former case, back-up tapes were removed from an organisation and in the latter, data was passed beyond the control of the data controller and used for purposes beyond their original scope of collection.
While the former case has far more serious implications, as the work of investigative journalists and their sources may potentially be at risk, the latter is also worrying, as we have now learned that almost 45,000 Irish citizens’ data could have been accessed.
Each case highlights a critical element of data protection that will be under even more scrutiny come 25 May, and the GDPR deadline. The data controller, the organisation that has overall responsibility for personally identifiable data collected, is responsible for the entire lifecycle of the data collected, from informing the data subjects as to what they are collecting and why, through its storage, categorisation, usage, and ultimately disposal.
That means if a data controller has an arrangement with a third party for off-site back-up storage, the controller has an obligation to ensure that provider meets all requirements of regulations to which the controller is subject — especially as regards jurisdiction. That means that data controllers must ensure that even if a service provider is GDPR compliant, it is also within a permissible jurisdiction.
The Isle of Man, where INM data is thought to have been ‘interrogated’, is an oddity in this regard. Though regarded as a “safe destination”, the Isle of Man is not part of the EU, nor is it an associate member of the Union, and lies outside the European Economic Area (EEA). However, along with Andorra, Argentina, the Faroe Islands, Guernsey, Israel, Jersey, New Zealand, Switzerland and Uruguay, the Isle of Man is designated as a safe destination for data.
Its own Information Commissioner has extensive information on GDPR and how it applies to companies there, especially in the context of dealing with EU organisations, but even so, any Irish organisation should be cautious and ensure that all obligations are met for operations, before any transfer of data is undertaken.
In the case of the Facebook and Cambridge Analytica debacle, the consequences for individuals might be less serious, but the implications for our general use of social media are significant. If users think their data will not be safe with a company, they may be unwilling to provide it, or may withdraw entirely from such platforms. This would have significant knock-on effects for advertisers, sponsors and commercial users of the platforms as users either effectively clam up or just leave.
When the EU had got an overall shape and direction for the GDPR, it began to speak of its ambitions for the regulations to become a standard for data protection around the world.
That has been echoed by our own Data Protection Commissioner, Helen Dixon, who has said that companies that distinguish their products and services by data privacy standards will start to win.
It has been suggested that if Facebook were to adopt GDPR standards, not only for EU citizen data but for all users, it would go some way toward restoring faith in its services.
However, Reuters has reported that while CEO Zuckerberg has recognised the value of GDPR ‘in spirit’, he has stopped short of a commitment to roll it out globally.
This kind of equivocation has done nothing to reassure those who have questioned social media platforms and their ability to protect users, and ensure that data is safe.
As more focus comes on data rights, protections and user rights, it has become clear that many data controllers, from social media platforms to media organisations, and even government agencies, have been lax in terms of both data management and data usage. Usage scope in particular has been a key issue at the heart of objections to the Public Services Card (PSC) here. Scope creep and data sharing between agencies without explicit user awareness or consent have been highlighted by many campaigners and commentators as indicators for concern — and rightly so.
However, if good practice and compliance with regulation are observed, then the vast majority of these issues can be addressed and dealt with.
It is where ulterior motives, or taking advantage of loopholes for gain, come into the picture that rights and obligations seem to become secondary to profit and power.
That said, a look this very morning at the number of GDPR events still scheduled before the deadline shows that compliance, especially among smaller (though not necessarily small) organisations, remains disgracefully low.
While we will, in the May edition of TechPro, be addressing GDPR, it will be to explore, post compliance, whether there is truth to the assertion, as DPC Dixon has said, that those organisations that distinguish themselves by their data privacy and protection standards will win. Or will such a distinction simply make them a target for hackers and hacktivists to test?
Time will tell.