Data protection and the GDPR: the expert debate
Data protection and the GDPR: What are experts saying about it?
SEO, legal, and academic experts are right up in the GDPR. And it’s scary stuff.
That’s right. When it comes to data security, the protection of the data your customers have handed over to you (even when they haven’t realized that’s what they’re doing), it’s not only SEO experts who are analyzing and discussing the General Data Protection Regulation (GDPR). There are a whole bunch of lawyers, too, and academics. But first, let’s refresh ourselves about the whole shebang.
The GDPR is the General Data Protection Regulation of the European Union, enacted by the European Parliament and due to come into force in May 2018. It is an attempt to address the fact that the first set of EU data protection regulations were drawn up in 1995, before the internet became its current behemoth, and before smartphones, for heaven’s sake. By the time the law is enacted on May 25, 2018, it will have been an update 23 years in the waiting.
The world is now far, far more interconnected and globalized than it was when GDPR 1.0 was formulated and enacted in 1995. There is an urgent need to make the regulation of personal data held by companies and state organizations more robust and citizen-friendly. France acted (belatedly) as a unitary state. In October 2016 France passed into law the Digital Republic Bill. That bill put a lot of zeroes on the potential fines for organizations lax on their security. It was a significant ‘tightening’, and one that’ll be buttressed by the GDPR next year, rather than superseded.
France turns out to have been the first European nation to ‘get its act together’, so to speak. The Germans didn’t pass new law until April 2017, and that ‘Bundesdatenschutzgesetz’ explicitly anticipates the GDPR’s enactment and provisions. Incidentally, who’d enjoy the European Union’s official language being German after Brexit?
Right now, it’s a complete free-for-all in many ways, with companies from Google and Facebook on down mining, swapping, and selling our data for all its worth. One of the key provisions of the U.K.’s upcoming legislation, and the GDPR, is the right of the ‘data subject’ (you and me, in other words) to simply know what data the big companies hold on them.
Yes, I said ‘our’ data. Right now, it’s as if ‘our’ data belongs to the internet behemoths (and to whomsoever they sell our information on). The GDPR recognizes that our data is ‘ours’, for example by enshrining our right to take our data elsewhere (yes, that’s right, simply take that data and give it to another company, and have it deleted by the former company), and even to have it deleted in toto. So there’s nothing left of your data on the company’s systems. Nada. Zilch. A big, fat, round, delicious, donut-shaped ZERO.
Who among us knows all the organizations (‘data controllers’ in the legal jargon) that hold data about us? Email addresses, personal data such as age, address, marital status, health records, movement records via GPRS, call and email records, tax and financial records, and all the rest. They’re all held by someone, and that someone will have many, many more responsibilities in looking after our data than ever before come next May.
Just so we’re clear, the U.K. has committed to align its forthcoming data protection legislation with the EU’s GDPR. Er, they have to, in fact, since the U.K.’s formal departure from the EU can’t happen until well after next May. The United States position is less clear. What is clear is that U.S. executives are taking the GDPR very seriously, with significant budgets already allocated by multinationals going forward. The smart companies, which would include Microsoft, have been big on the GDPR in staff development and are furiously building its protocols into their systems. IBM has released papers on it.
The requirements of the GDPR are pretty onerous, of that there’s no doubt. ‘Data subjects’ (you and I) have the right to ‘be forgotten’ (order the permanent deletion of all the data held on us by a company or organization with which we’d like to sever ties). We also have the right to ‘transport’ our data (order a company or organization to pass on all data held on us to another organization with whom we’d now like to have dealings). We can also request that ‘data controllers’ tell us what data they hold on us and how they propose to use, or monetize, that data.
Encrypt and pseudonymize
It’s likely that many companies and organizations will go for something of a dual approach like this: They may pseudonymize the data they pass to ‘data processors’ to mine (there’s software capable of doing this), while relying on rapidly improving encryption technology for any data that includes personal information. Whether sitting idle on company servers, or being transmitted, it’s likely it’ll all be encrypted.
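To make the ‘pseudonymize what you hand to processors’ half of that dual approach concrete, here is an added example (not code from the original post or from any vendor mentioned here). It replaces direct identifiers with a keyed pseudonym, keeps only the fields the processor needs, and holds the re-identification map on the controller’s side, which is what distinguishes pseudonymization from anonymization. The customer records and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; none of these people or addresses are real.
CUSTOMERS = [
    {"email": "anna@example.org", "name": "Anna Example", "country": "FR", "orders": 3},
    {"email": "Bo@Example.net", "name": "Bo Sample", "country": "DE", "orders": 1},
]

# Allowlist of fields a marketing/analytics processor actually needs.
# Anything not listed here (email, name, ...) never leaves the controller.
FIELDS_FOR_PROCESSOR = ("country", "orders")
DIRECT_IDENTIFIERS = ("email", "name")


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed (HMAC-SHA256) pseudonym.

    Stable for the same identifier and key, so the processor can join records
    across batches, but it cannot be recomputed by anyone who lacks the key.
    The identifier is normalised so 'Bo@Example.net' and 'bo@example.net' match.
    """
    norm = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:32]


def pseudonymize_batch(records, key: bytes):
    """Return (processor_view, reidentification_map).

    The map is the 'additional information' that must be kept separately,
    under the controller's control, for this to count as pseudonymization.
    """
    processor_view, reid_map = [], {}
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        reid_map[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        processor_view.append({"pseudonym": pid, **{f: rec[f] for f in FIELDS_FOR_PROCESSOR}})
    return processor_view, reid_map


def reidentify(processor_record, reid_map):
    """Controller-side reversal, e.g. to honour an erasure or access request."""
    return {**reid_map[processor_record["pseudonym"]],
            **{f: processor_record[f] for f in FIELDS_FOR_PROCESSOR}}


def leaks_direct_identifier(processor_view) -> bool:
    """Sanity check to run before shipping a batch to a processor."""
    return any(f in rec for rec in processor_view for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this in the controller's key store, never with the batch
    view, reid_map = pseudonymize_batch(CUSTOMERS, key)
    print("safe to ship:", not leaks_direct_identifier(view))
    print(view)
    print(reidentify(view[0], reid_map))
```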
However, this doesn’t plug all the potential leaks. Password security has, for example, been at the center of a number of recent hacks. In large organizations it’s extremely difficult to ensure all the thousands of network users operate the kind of password protocols required to keep invaders at bay.
Is blockchain the future?
One method of protecting your data is to encrypt and distribute it equally in a network, so that everyone has a copy. Expect a burst of activity in the sector of encryption in the coming years (in fact, see below: it’s already happening). Some companies are now using blockchain technology to encrypt large quantities of sensitive company data, and also to provide legally waterproof time-stamping and verifiability. There’s more on this below.
What the lawyers say
British law firm Blake Morgan has a well-presented PDF on the GDPR and its key implications. They have to get their facts right (unlike some less attentive commentators), so let’s see what they have to say.
First, they rightly quote this from the U.K.’s Information Commissioner, Liz Denham: ‘The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data—much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.’ It’s a pretty good summation of one strand of the argument in favor of extended data protection regulation. It focuses on the potential of the digital economy for growth, and acknowledges that maximizing that growth depends on public confidence in the security of the data they give Facebook and their ilk.
However, it does not state the simple fact that this data is ours. It is about us: our shopping habits, our health Googles, and our credit card details, for heaven’s sake (as well as much, much more). So the people we trust to look after this should damned well look after it properly. And they’re signally failing to do so. Local councils have been fined. Companies have been fined. The Chinese government and other state actors, known to be hostile to western interests including those of the United States, are certainly responsible for some of the biggest data breaches.
Blake Morgan point out that companies which act as ‘data controllers’ (they have control over data held on us) have to demonstrate that they are fulfilling the GDPR’s precepts. Are you raising an eyebrow at that? If not, why not? It means that data controllers have to keep records of what they’re doing to protect our data. That in turn is not as easy as it sounds (and it doesn’t sound all that easy in any case). Does your company use its own, or someone else’s servers? Do you use data processing services that are not in-house? How about the records of your customer transactions, who holds those?
Blake Morgan’s guide says your company should be thoroughly reviewing its processes by doing the following.
- Think about your record-keeping. What records do you keep of your decision-making and processing activities? Are they properly recorded in the kind of detail that the GDPR requires? For example, if you hold significant amounts of data on EU citizens (because they buy your books and you’re Amazon), you’ll need to show that you have conducted a thorough review of your data security protocols.
- This in turn means that you’ll need to revisit the contracts you have with processors (if the data you collect is held outwith your organization). Are they clear on the level of record-keeping required by the GDPR?
- Any large new project you’re up into should come with a data protection impact assessment. These are not just a nice adornment; they’re actually required by the GDPR where the data you’re processing (such as credit card details) is high-risk.
What the data science geeks say
Lawyers aren’t the only ones salivating at the prospect of this new work stream. The GDPR is already spawning an entire new industry of consultants and software solutions to help companies get compliant. Guy Marson, who’s M.D. of data science and marketing services company Profusion, says the regulation will ‘touch nearly every company’. He adds: ‘It impacts the management of data and the communication with customers and other businesses. It practically makes data management infrastructure a legal requirement and radically changes how companies market themselves, particularly via email.’
Ross Brewer, vice president and managing director at security intelligence and analytics company LogRhythm, highlights the time constraint the regulation puts on data controllers to notify data breaches (72 hours). He also points out that simply having up-to-date firewalls and anti-virus software will not be enough:
As a result of EU GDPR, we will see monitoring, detection and response becoming a much more fundamental component of a company’s cyber security strategy. Indeed, businesses will require a more coordinated and efficient approach to threat detection that goes far beyond simply deploying firewalls or anti-virus.
Steve Martin actually embodies the precepts of the GDPR, because he’s data protection officer at consumer and business data company Equifax. The company holds oodles of sensitive information about individuals, particularly since it handles a lot of credit checks. Big operations such as Equifax are required to appoint data protection officers to monitor the company’s systems and stay on top of new developments. He said: ‘GDPR, love it or hate it, is the EU’s attempt to put consumers back in control of their online data and compel businesses to keep that data safe from hackers. No more obscure service agreements that we all accept with a single click and never read.’ He’s right. It’s about time the consumer got some protection here.
What the cryptographers say
Let’s get back to blockchain. One of a few companies purveying blockchain technology to keep clients’ data safe from theft and tampering, Acronis has found a clever way to leverage blockchain.
Their Notary software affords users some useful capabilities. These range from time-stamping and verification to ‘chain-of-evidence’ protocols. At a large network level, it means documents can be traced throughout a network with each alteration time-stamped and verified. It’s waterproof evidence for people such as GDPR regulators, who will require such information in a lot of cases. The time-stamped date on which a company receives a document might be crucial evidence in a dispute over data protection.
For individuals, Acronis Notary can also be very useful. Say you’re a composer or writer and for copyright purposes you want to stamp the date and authorship on a piece of work you’ve done. Using Acronis Notary will ensure that you’re the one being awarded damages in court, not the guy who plagiarized you.
Here’s an example from Acronis’s site:
Bill is a lawyer, and he needs to prove to a judge and jury that a file in his possession can be proven to have been in existence on a certain date/time. Using Acronis Notary, Bill can tie the file in his possession to data on an Ethereum blockchain, which mathematically proves the existence of the file.
What the academics say
Just to be clear, the SANS Institute report I’m about to cite comes from a for-profit data security and cybersecurity training company, but it’s a good piece of work nonetheless. They sum up by saying
The GDPR extends the historical EU expectation that personal data be kept secure and holds an organization accountable for data security. It also does the following: Defines measures data holders must take to protect data; emphasizes enforcement expectations; enables large fines to be levied; and imposes broad disclosure requirements for data security breaches.
When it comes into effect May 25, 2018, the GDPR can apply to a remarkably wide range of organizations that control or process data about EU residents. This includes many organizations without a physical presence in the EU. Under Article 3(2)(a), for example, the GDPR applies to each and every non-EU retailer in the world selling goods to data subjects in the EU and processing customers’ personal information.
Yes, that means YOU, Jeff Bezos. Sure. But it also means anyone down to wee little Etsy stores that sold a hand-sewn quilt to a Swiss woman and still sends her a newsletter.
Another point that the SANS paper makes, and which causes neocon anti-regulation freaks to froth at the mouth with incandescent fury, is that the EU is what you might call a ‘norm-generating’ institution. This capability, lauded by liberal international relations academics such as Anne-Marie Slaughter, is most certainly real (though in a circumscribed range of polities that do not include Russia and China’s huge populations). The SANS report sums up:
Moreover, the GDPR will likely have ramifications beyond Europe, given the EU’s role as a thought leader on data protection. The privacy principles articulated in the 1995 Data Directive have shaped law adopted in Asia-Pacific nations (e.g., the APEC Privacy Framework), Latin America and elsewhere. And the state of California recently adopted privacy rules for “smart” power grid security that reflect the influence and principles of the 1995 Data Directive.
IBM, also no strangers to the data security field, have a countdown clock on their site, which is currently at 158 days, 11 hours, 26 minutes, and 05 seconds before GDPR is ‘on line’.
Typically for a down-home ‘it’s not a problem, it’s an opportunity’ stateside megacorporation, IBM has this to say:
The GDPR (General Data Protection Regulation) seeks to create a harmonized data protection law framework across the EU and aims to give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.
Scary stuff, right? However, the company does acknowledge
Individuals are increasingly data-savvy and: understand how brands use their data for sales and marketing purposes, are aware of their rights with regard to their personal data, and are concerned about the well-publicized threat of cyber data theft.
Then, the kicker:
Most organisations are concerned about the potential significant financial penalties the Regulation can bring, but some forward-thinking companies are also planning how to turn GDPR into an opportunity in 2017.
Let’s not forget that the GDPR will have major implications for the conduct and methodology of scientific research across the EU, and the world. Ironically, trying to locate actual academic research on the GDPR in a search engine is a nightmare, because all you get is papers on the impact of the GDPR (and how worrying it is), rather than studies of the legislation itself. Let’s have another go.
Okay, Googling ‘academic research on data protection’ turned out to be a workaround. It threw up the Data Protection @ Centre for Socio-Legal Studies, affiliated to Oxford University’s Centre for Socio-Legal Studies (CSLS).
What do they say?
With the proliferation of increasingly intrusive mechanisms via which information of a personal nature is being processed, ensuring an appropriately framed and enforced Data Protection (DP) law has never been more important.
However, they take the view that the GDPR has a potential ‘thinning’ effect on the spectrum of personal freedom of expression, as well as journalistic freedoms. Not surprisingly, they also highlight the GDPR’s strictures on academic enquiry.
However, they identify a
…need to establish a broad special provision which reconciles on a principled basis the values of DP [data protection], including privacy, and freedom of expression/information as well as takes into account the size and structure of the data controller.
Which in normal language means: ‘all of us should have total control over our personal data, but be able to be completely free agents on the internet and social media, and if a company loses our data, it better not be a big one.’ Kinda.
A search on ‘Find White Papers’ throws up scads of ‘how-to’ and ‘we-can-sort-you-out’ studies by Mimecast and Secureworks and other players in the infosec game.
As it turns out, IEEE (Institute of Electrical and Electronics Engineers) conferences are where the action’s at. In other words, where the geeks hang out. If you want to enter that world, here’s the name of a paper presented at an IEEE conference in June this year (2017): ‘Bootstrapping a Blockchain Based Ecosystem for Big Data Exchange’. So, at least someone’s getting into the details of how to protect data (and transfer it when you need to, perhaps). Cheers, Jinchuan Chen and Yunzhie Hue, of the Institute of Software in Beijing.
What we say about data protection
Here at seorw.com, we reckon that companies need to think long and hard about how they’re going to comply with the GDPR, as well as other upcoming regulatory changes to our data landscape. Even SMEs need to do this. Or, they should appoint a data protection manager right now to oversee their company’s compliance (one that knows what they’re talking about). Another solution is to pay a reputable security consultant to audit your company’s data security. You might be surprised by what you find. Consult with experts, yes, but do your research and make sure they know what they’re talking about.
Pseudonymizing data will only get you so far: once it is rendered anonymous, that data loses much of its value. It’s good, for example, in the context of large-scale health data mining and other academic analyses, but for marketplace data controllers, it’s much less valuable. So I reckon that a mix of encryption, robust monitoring, and more secure data storage protocols will probably see companies holding sensitive data through. However, one thing is more certain than tomorrow’s sunrise: data protection is something to which you should be paying attention.
My recommendation? Take the time to read the material on this site about the GDPR. We’ll make sure we advise you of any important news on the issue in the coming months.