Giving control over their personal data back to people, and simplifying and unifying regulations within the European Union are the two primary objectives of the General Data Protection Regulation (GDPR), which comes into force on May 25, 2018.
“We want to set the global standard,” Věra Jourová, the European commissioner for justice, said in an interview. “Privacy is a high priority for us.”
But EU member states might not share the commissioner’s sense of priority. Three months before the introduction of the new, wide-ranging data protection rules only two EU member states — Germany and Austria — have passed all the necessary legislation needed to bring national laws into step with the new EU-wide regulations.
Children of the fog
Michele Daryanani, a cyber thought-leader who has helped a fair number of companies both within and outside the European Union to prepare for GDPR, says that for every company he speaks to that has an in-house GDPR programme, there is another that does not. “Sadly, there is a lot of misinformation on what GDPR is and what it is not. Just recently I spoke to a chief information security officer for a multinational who was under the impression that GDPR ‘banned’ cloud services,” he says.
“Businesses are already aware of the regulations but they are not yet prepared enough on whether and how it directly affects them,” says Istvan Lam, co-founder and CEO at Tresorit, an end-to-end encrypted cloud company. “For example, GDPR applies to companies that manage personal data but the definition of that is very broad and includes things from email addresses to medical records or IP addresses. Often, companies think that the new regulations don’t affect them.”
Survey data bear this out. A survey carried out in Q4 2017 by the UK government found that 80 per cent of large firms and some 66 per cent of medium-sized businesses were aware of GDPR. In contrast, just 31 per cent of micro firms (two to nine staff) and 49 per cent of small businesses (10-49 staff) had heard of the new rules. Of those that were aware of GDPR, 27 per cent had made changes to the way they operate. And again, larger firms were more likely to have done so, with 55 per cent having taken some form of action.
According to another survey commissioned by email service provider Mailjet, the average GDPR-readiness score was 4.1 out of 10, with the banking and insurance sector scoring the highest (4.4) and construction and real estate scoring the lowest (3.2). The survey also revealed a lack of responsibility by startups in terms of personal data protection. Only 29 per cent of startups polled encrypt the personal data they collect, and only 34 per cent said they had a data breach notification plan in place.
“It is practically impossible, it is too expensive and time consuming, and requires the help of specialised advisors,” Professor Paolo Balboni, founding partner at ICT Legal Consulting and the chairman of the European Privacy Association, tells Emerging Europe. “Hence it is not feasible for SMEs to convincingly comply and therefore they will suffer a de facto competitive disadvantage to big companies. This is a very serious side effect of the GDPR.”
Data protection is a must
John Clelland, managing director, founding partner and owner of Proteus-Cyber, a provider of integrated risk management software that has developed a product called GDPReady, says that in 2017, there were 143 million breaches. For example, Uber concealed a hack that affected 57 million customers and drivers.
“Attaining the highest levels of data privacy and security is accomplishable by startups and small to medium-sized businesses, not just the big guys,” says Pierre Puchois, chief technology officer at Mailjet.
“If somebody designs a product, technology or service, then it needs to be the most privacy-friendly product,” says Jan Philipp Albrecht, a member of the European Parliament who also serves as rapporteur for GDPR. “And when you are starting to use it, then the privacy-friendly setting – privacy by default – is on, and you have to decide if you want to give your data, if you want to change the setting to a less privacy-friendly setting.”
According to Eurobarometer, more than 90 per cent of Europeans say they want the same data protection rights across all EU countries and eight out of 10 people feel they do not have complete control of their personal data.
“Our digital future can only be built on trust. Everyone’s privacy has to be protected,” says Andrus Ansip, European commissioner for digital single market and the Commission’s vice president. “[GDPR] is a major step forward and we are committed to making it a success for everyone.”
Mr Daryanani explains that GDPR aims to address a gap between our basic human rights and the legal implementation of these rights. “We need to understand that GDPR isn’t a ‘fundamental change’ in ethics or morality, which is at the end of the day what the legal system attempts to enforce, but a refinement and a harmonisation of multiple implementations of European legislation. Ensuring that an organisation’s systems, processes and staff are aligned to individual privacy will help reduce these risks. Going forward, these may even form a differentiator — I know I would prefer to buy from an organisation that takes my privacy seriously,” he adds.
Understanding the goal
“The key aspect is the philosophy to limit data collection to the extent where it’s absolutely necessary for the purpose of processing and the ‘privacy by design’ concept that has been our guiding light since day one,” Roman Flepp, head of marketing and sales at Threema, a proprietary encrypted instant messaging application, tells Emerging Europe.
Privacy by Design is an approach to systems engineering which takes privacy into account throughout the whole engineering process.
Matthias Pfau, the founder of the encrypted email service Tutanota, says that many companies handle a great deal of our personal information, from our address, to payment information, to online browsing habits — many online services have access to our most private information. “With GDPR companies need to make sure that this personal data cannot be abused,” he says.
“Businesses may find they have more data than they need,” Proteus-Cyber’s Mr Clelland says. “They may be collecting 20 pieces of data, but actually, to deliver the service, only need 10. The important thing is not to start from the data – begin with the business and the people who run it.”
“We believe GDPR will drive the adoption of better security practices, such as using end-to-end encryption for storing sensitive user data, shifting to private email solutions, hiring data security specialists and so on,” says Andy Yen, the founder and CEO at ProtonMail Communications. “The increased adoption of technologies that provide privacy and security by design will represent a key aspect of GDPR compliance and will help both consumers and businesses in the long run. Companies will be more careful and transparent about the amount of data they collect, meaning they will be less susceptible to cyber threats, and consumers will have more control over their data,” he says.
Changing the mindset
“We see GDPR as a chance for businesses to join the privacy movement,” Tutanota’s Mr Pfau says. “We see by the influx of new users that the privacy movement is growing fast. More and more people are looking for ways to secure their email communication. With GDPR companies who do business in Europe will be obliged to secure their customers’ and employees’ data. At first sight, this might seem like a big hassle to most companies while in fact it is a huge opportunity: By protecting their customers’ data, companies will gain a competitive edge because already today more and more people realise that their data is valuable and that it must be protected,” he adds.
Tresorit’s Mr Lam says that GDPR is highly complex, so businesses need to start preparing now, at least by identifying their top priorities regarding compliance. “To achieve GDPR compliance, businesses have to take technical measures to ensure the security of this data and prevent any leaks or exposure. One of those measures recommended by the GDPR is encryption. Encryption makes personal data unreadable for unauthorised people and thus helps to mitigate the risks in case of a data breach or a leak,” he says.
“Does the business encrypt the data? Is it stored on a mobile device? Is it secured at rest? Is it encrypted at rest? Is it encrypted in transit? How do they back up the data?” Proteus-Cyber’s Mr Clelland asks. “All these questions relate to Article 30. If you haven’t done this mapping, everything else will be compromised. The right way is to have a multi-phased plan. Step one is to establish your data register, in keeping with Article 30, which focusses on records of processing activities. You need to be sure of the information and processes that you hold. We have a process mapping and collaborative approach that enables us to get Article 30 reports within one to two months, sometimes even faster,” he adds.
In other words, organisations will have to secure all communication channels with customers. Emailing, file sharing, messaging and voice calls should be protected by the same high standards.
“Any tool that takes ‘privacy by design’ seriously and only collects as little personal data as technically possible is commendable. True end-to-end encryption with a transparent and secure key management is a safe bet but for privacy, metadata restraint is equally important,” says Threema’s Mr Flepp.
Prevention over inspection
Mr Daryanani says that organisations that consider personal data their property rather than the property of the individual will face some challenges — both in terms of time and cost.
“If we look at fines from a risk perspective, you compare the fine vs the cost of implementation of the safeguards. If the fine is substantially less than the cost of the safeguards, a risk management approach will suggest paying the fine over implementing the safeguards. Fines of 4 per cent [of the global annual turnover for the preceding financial year] are only the cap — fines will be proportional to the digression. If an organisation is endemically and systematically flaunting the law, then the full fine may be applied,” he says.