“Are you ready for GDPR?”. “GDPR, 6 steps you *must* take”. “Do you want to go to prison and never see your kids again?”
As CTO of a software company, I get a variation of one of these emails every single day, and I strongly suspect I am not alone. The first thing I am going to do when GDPR comes in (28th May) is have every single one of the companies spamming me thrown into jail. Or can I? What is the hype all about, and how much should you worry?
Yes it affects you. Even Americans, so read on.
GDPR, for readers outside of the EU, is the General Data Protection Regulation, which passed through the EU Parliament almost two years ago, and it is meant to harmonise, or possibly re-harmonise, data protection legislation across the EU. And, of course, it affects anyone from outside the EU who trades in EU.
Overhaul
The last major overhaul of data protection legislation was in 1995, under the Data Protection Directive, which sought to control how organisations used personal data, like telephone numbers, addresses etc. This meant that EU citizens were able to access what data was held on them by organisations (in the UK for a modest fee of £10), and to put in place a regulatory framework of what could be done with that data, e.g. could it be sold to third parties.
Since then, the world has changed, with the explosion of the Internet and cloud services: and here is the hidden danger of GDPR. If you are using cloud services, you need to know where your data is being held. Actually, you should always have known that, but when GDPR kicks in, the potential fines for non-compliance are huge, up to 4% of annual global turnover or €20 Million (whichever is greater). As The Register pointed out last year, 2016’s fines levied by the UK regulator (the Information Commissioner) would have risen 79 times.
Some companies, like Salesforce, have taken a very non-technical approach to some of their GDPR issues. Rather than ensuring that data is properly siloed and encrypted by geography, they have cut people off certain services, such as Salesforce IQ.
But what should you actually be doing to support your GDPR effort that you are not doing already?
Extra-territorial
If you previously did business involving EU citizens and held their data, it was ambiguous as to whether you were affected by the EU Data Protection Directive. As of May, that ambiguity goes: if you are processing the personal data of an EU citizen, you must appoint a representative in the EU and abide by the terms of GDPR.
Consent
It used to be easy to obfuscate your terms and conditions to obtain people’s consent to harvest and misuse their data. No more: consent must be clear and unambiguous. That has led to some pretty interesting discussions. Twice this week, I have heard people say that data which has been obtained for “quality and training” purposes cannot be used for machine learning, because “you have to ask for specific consent for ‘machine learning’”. I think the world has gone mad. One of the ways we improve quality (and training) will be through the use of neural networks.
Hype and hysteria.
What a Difference Three Days Makes: 72 Little Hours.
If you think that there has been a data breach that is likely to “result in a risk for the rights and freedoms of individuals”, you have 72 hours to notify the breach and let your customers know. It will be interesting to see how the courts and regulators interpret this. You can see how a breach that leaks passwords is important, but what about names and addresses, data which is easy to obtain in any event?
Denial of Service Attack Access Rights
With GDPR come new and shiny access rights. The biggest shift? You can get the personal data held on you for free, so the bar for the human DoS attack becomes much lower. What am I talking about?
Well, in my world, for example, we help people capture and monitor phone calls. Imagine if 10,000 people all at once contacted a large bank and said they had called into a call centre over a period of three weeks, two months ago.
And they want
Data Erasure
Or the “Right to be Forgotten”, another new right. You can ask any organisation to delete your data, and they must comply.
Or they want
Data Portability
The right to have all their data provided in a ‘commonly used and machine-readable format’
Sounds easy, right?
Not really.
First off, you only have a month to get the data back, or in exceptional circumstances three months (if, as the UK regulator puts it, “requests are complex or numerous”).
And then you have to identify it.
Voice is the hidden problem in any organisation. If you store it, even just voicemails, you must be able to label and retrieve it. You might think it is as easy as matching up a phone number. Not so. At any time, 5 people in my house could use the same landline. In my office, up to 25 people share the same external number. If I have a conference call, there could be all sorts of people on it. How the hell do I work out who is who? And if I Skype a telephone number? Quite often there is no Caller ID at all.
And what if 10,000 people asked the same question at the same time?
There are simple steps, obviously, like trying to capture the names and details of people who call in and store it against the voice record. In some cases that will work, but not for my conference call, or my casual enquiry to the bank (especially if I don’t want to give my name). In highly regulated environments like trading floors, every call is recorded, but at the moment, the metadata is frequently in a mess, and calls are just labelled with the name of the institution that called, or worse, nothing at all.
What would I do?
Set up a biometric database of people who call in (what people call a voiceprint). They are not foolproof, especially for authentication, as the BBC demonstrated last year by hacking HSBC, but they serve as a useful backstop to try to find people who may be trying very hard, and somewhat maliciously, not to be found.
What else?
GDPR does not end there. You need to ensure that your data storage is designed with privacy in mind: proper access controls over data, and encryption of data at rest and in transit. People must be trained to understand the importance of data protection, and you need to have clear and defined policies in place.
Hype or not?
GDPR undoubtedly throws up new hurdles for businesses, but the real extent of that will only be found out as authorities start to enforce the regulations. Will they really use the maximum fines? And will it help? We have seen a steep rise in compliance for major banks in the wake of the massive fines levied by regulators in the wake of LIBOR, FX and other scandals. But those were multi-billion-dollar fines. The largest ever fine in the UK to date is a mere £400,000 ($560,000).