GDPR: One Year Later

The EU GDPR and its national equivalents have been enforced for a year as of today. What has happened since the 25th of May 2018? How did organizations deal with the GDPR? How far are they compliant? How many data breaches were reported by the Supervisory Authority? Could a natural person exercise his or her rights? What should we expect in the coming years of the GDPR? A view of Peter Lofström, CIPP/E, information & privacy security advisor, InformationSecure.nl

Up to the 25th of May 2018

We saw many publications in the media in the run-up to the 25th of May 2018 on the GDPR and its Dutch national equivalent, the AVG (Algemene Verordening Gegevensbescherming). Certainly the Facebook hearings in Congress and the EU Parliament related to the Cambridge Analytica 2016 presidential election scandal gave the subject high-profile international attention as the 25th of May approached. Local Dutch data breaches were also in the news, but on a far smaller scale in terms of breaches and media attention. Some examples of data breaches which caught media attention in the Netherlands in 2017 and 2018 were:

– Data of 21000 customers of VakantieVeilingen (holiday deals website) in the hands of a third party

– 67 customers of Aegon (financial services) receive mortgage overviews of other persons

– Newsletter of the city of Utrecht used as spam for bitcoin

– Privacy data of 176000 Dutch citizens leaked in the Uber data breach

– Bitmove data breach at park Apenheul (family attraction park) leaking privacy data

– Biblioned Drenthe loses a USB stick with privacy data of 22000 students

– Erasmus Medical Centre Rotterdam leaks medical records of 46 patients via mail

– Dutch Genealogy Association leaks privacy data of 3000 members

We have to keep in mind that before the GDPR the Directive was already in place and was used by the national authorities in the EU countries to develop their own version of it, in the Netherlands called the Wbp (Wet Bescherming Persoonsgegevens), with the highest administrative penalty being around 800K euros. The Regulation, however, is meant to be adopted and enforced EU-wide with only minor national adjustments, such as the children's age of parental consent being set at sometimes 13 or 16 years old. This Regulation was to be an improvement on the Directive. Whereas the Directive was not that explicit and outspoken on the rights and freedoms of natural persons, the Regulation fully underlines those rights and freedoms through the several possibilities it gives to natural persons.

After the 25th of May 2018

The local Supervisory Authority (AP) in the Netherlands: hardly any media presence of the Chairman, a big disappointment.

You would think that a CEO or Chairman of the board of the Supervisory Authority would be fully in the news and have full media attention up to the 25th of May and beyond. None of this has been the case in the Netherlands. To me this signals a wrong statement. You could even get the impression that the Supervisory Authority doesn't take the GDPR seriously enough. This is a bad signal to everyone in the country dealing with the GDPR and trying to implement the law in all organizations processing substantial amounts of personal data. Why is this a bad signal? Well, the Dutch culture has a subtle way of saying: we like to make rules and laws, but we are flexible and even tolerant in enforcing them. Meaning laws are good, but we do not always enforce them to the letter but more in the spirit of the law. A grey area, you see. We still are in some way a tolerant country, even if the law is at stake. We also have a Dutch saying: the soup is not as hot as it is delivered to the table (not the exact translation, which would be meaningless to people who are not Dutch). This Dutch way of thinking comes back in the implementation of the law. People are not convinced that after the 25th of May anything will happen. Unfortunately or fortunately, they were right. So they do not take it too seriously and thus the implementation of the GDPR was left without priority or urgency. The Supervisory Authority itself is playing, in my opinion, a wrong role in this by not showing any relevant appearance in the mainstream media. My point is that if you have the authority, you should take this seriously and use the media and the Chairman's role as a representative of the authority and the law to guide a nation towards the GDPR. The non-appearance of the Chairman and any other representatives of the Supervisory Authority in the media is certainly a point of attention. One could ask why the chairman of a supposedly independent Supervisory Authority could have ties to a political party. Why not have a Chairman from among the former captains of industry in the Netherlands, without any political ties and fully respected? This seems an idealistic view. I think the way the UK ICO has been present in the media is an example for the Netherlands. In more than one way the UK takes rules and regulations far more seriously than the Netherlands in general.

My own experience with the GDPR

From a professional and private point of view I did a lot with the GDPR or AVG in the Netherlands. Privately I could say that during parties with friends privacy became a new buzzword. Which is fine. It helped raise the awareness of us all when we talk about privacy and breaches of privacy in the news. Privacy was and still is an issue within all major companies, as I heard from friends working for different companies.

In my work as GDPR & Information Security Consultant I was confronted with a general lack of urgency up to the 25th of May 2018. This lack of urgency really frustrated the quick implementation of the GDPR. The reason for this is obvious: the GDPR is not a core business. Most companies only see it as a legal issue. This is only a small part of the story, as we will see further on. The GDPR was seen as an extension of the then-current Directive, nothing more. This assumption is completely wrong. The GDPR is a game changer, since the differences with the Directive are major on transparency, fines and rights of natural persons, for example. Also the harmonised nature of applying a Regulation Europe-wide is unique.

Companies do as little as possible to comply.

My experience with small and medium-sized companies is that they do the minimum to comply with the GDPR, which in itself can pose a future risk in case of a data breach or data breaches. They:

1. are not sufficiently aware of the consequences, or neglect them;
2. do not set their priority to full compliance: only partial compliance seems to be an option;
3. do not have the manpower to make the company compliant;
4. mostly think that they will not have data breaches at all;
5. or worse: do not tell anyone of a data breach occurring.

The latter is a strong assumption but is emphasized by the 2018 report of the Dutch Supervisory Authority (AP), which stated that the number of data breaches reported by companies in general was relatively low, although the number of companies is far bigger than that of public services, healthcare and financial institutions, which reported the most data breaches over 2018. This is in total contradiction with the lack of priority and urgency as I have experienced in companies. And that worries me. The Dutch Supervisory Authority (AP) has also mentioned in its 2018 report that it will further investigate companies' reporting behaviour on data breaches.

Trying to put the burden on the natural person.

In order to try to avoid any questions related to the rights of data subjects, some companies might try to put a high threshold on a natural person exercising his or her Right of Access. For example: as GDPR project manager I was working with a company to implement the GDPR or its national equivalent, called the AVG. The general attitude was to prevent work coming out of this new law. To some extent this makes sense, but from a natural person's point of view, whether an employee or a customer, this was a highly questionable way of thinking. What was the case? The threshold which they wanted to put on, for example, subject access rights was that anyone with a question would need to identify themselves in person at the head office premises. So ex-employees and customers would need to come in person to the head office location with their passport or other ID. The idea was that this would scare them off. An absurd idea and completely against the transparency and trust which the GDPR stands for. The risk that a person could simply lodge a complaint about this with the Supervisory Authority made the company change its initial attitude and implement an online subject access request form, as most major companies do.

Another burden on the natural person's rights and freedoms was the fact that the number of questions and the way they were asked could also be considered a threshold. In developing a Subject Access Request form for a company, many detailed questions were asked based on the GDPR. Which in itself is fine, but were all those questions needed? And could a natural person understand these questions? Questions like: when did you give your personal data, do you have a contract with us, are you a (former) customer or (former) employee, what is the nature of the request, what was the name of your manager, the name of your account manager, what is your employee number in case of a (former) employee, what are your contract number(s) in case of a (former) customer, etc., etc. The number and types of questions being posed was too much. How could a former employee or customer know all names and contract or employee identity numbers? I see this approach again as putting an unnecessary threshold in front of the person involved. Some organizations leave out most of these questions and simply ask for identification and the nature of the request. Which is a much lower threshold for the natural person to exercise his/her rights. One could have a long list of questions, but keep in mind that any organization has to comply with the GDPR too.

To put the burden on the natural person in exercising his or her rights by imposing thresholds is simply irresponsible behaviour and not good for the image of trust of a company.

The future of the GDPR: what really is missing in this Regulation.

During my work with the GDPR in practice I became aware that the Regulation is not a finished law and that there are so-called points to reconsider. Further development of the Regulation is very likely to happen. I noticed some weaknesses in the Regulation from a natural person's point of view, such as whether a natural person can really exercise his or her rights, the controller versus processor distinction, rights of deceased persons, vital interests versus privacy rights, religious organizations not directly subject to enforcement, and the lack of certification, amongst others. I will explain these points below.

Your rights as a natural person: can you really exercise your rights?

Right of Access, Right to Erasure, Right to Rectification, Right to be Informed, Right to Data Portability, etc. Nice rights, don't you think? Well, they are. But here is the catch: if a natural person asks for her or his information under the Right of Access, for example, how could one guarantee that the company giving the information is giving all the information and not withholding any? There is simply no guarantee that a company will not withhold, for example, enriched information about you. So while you think you gave the company only your name, address, phone, etc., they used this information to gain access to much more information about you. That information will not always be given to you.

So the only information you have rights on is the information you gave freely and with consent. Not information which they found on you. And that is not what the GDPR was all about.

The dilemma posed before could also play out when a data subject exercises the Right to Erasure. What guarantee is there from the law's point of view that an organization really erases all data? None. The GDPR doesn't state that the organization should provide you with any proof of complete erasure. This is a weak point which could lead to undermining of the rights and freedoms of natural persons.

So if you exercise your rights, you have to make sure to ask the right questions. A suggestion would be to ask the organization for all information which could possibly identify you, not just the information you gave to them. The same is the case when you exercise the right to erasure. The question or demand would be to erase all identifiable data, not just the data which was given by the individual, and to give you proof of all the databases, directories and other fixed or mobile storage assets from which they erased it. A simple "we erased everything about you" statement is not sufficient.

An interesting case related to the Right of Access is the recent case of Facebook simply not giving all the information in a subject access request procedure. Facebook invokes GDPR Art. 12, which states that a controller should provide the information with regard to the Right of Access using clear and plain language. Facebook states that technical information related to the natural person cannot be provided in clear and plain language, so it has no obligation to provide this information: the person could not understand the technical information. This case is still open and people have filed a complaint against Facebook on this matter as we speak. My question on this is: is it up to Facebook or any other organization to decide whether a natural person can or cannot understand the information they have about them? You can predict my answer.

Processor versus Controller: the difference has no meaning to a natural person in exercising his or her rights. The difference poses an obstacle to the natural person's rights and freedoms and is an easy way out for companies.

To explain the title of this paragraph I would like to mention an anecdote. I filed a complaint with the Dutch Data Protection Authority about a data broker. This data broker claimed on its company website to have data on millions of people in the Benelux. So I asked them what kind of data they had about me. They would not give an answer other than saying that they got the privacy data from other companies and that I should ask those to give me the information I needed. This caused me to file a complaint with the AP (Autoriteit Persoonsgegevens). Their reply, after several weeks, was as follows: they contacted the data broker and asked them about their data processing activities. They concluded that the data processing activities were lawful and legitimate according to the GDPR and that the data broker had no obligation to respond to my subject access request. I should find out which company possibly gave them, if any, data related to my person. I felt left alone by the Supervisory Authority on procedural grounds. The main problem I have with this is the following: how could I exercise my rights if I did not know the controller of my data? Is it not the essence of the Regulation that a natural person should always be able to exercise his/her rights? In my humble opinion the difference between controller and processor is not in the interest of the natural person's rights and freedoms and will in certain cases, like the one I mentioned before, obstruct those rights and freedoms. The difference between the two should be lifted and a natural person should be able to exercise his/her rights also when a processor is in scope.

Why only the natural person's rights? The deceased have rights too.

Many times I have seen medical questionnaires in hospitals and at doctors' medical facilities where people were asked questions about their parents or other family members, even about deceased ones. We also know the genealogy trees where the complete history of families is drawn up in trees. One could use the information of deceased family members by using names and places of birth and other places where the deceased lived. It is like a so-called inference or aggregation attack on an organization's database, where lower-clearance staff gain indirect access to higher-clearance information or aggregate lower-security information into information of a higher security level. Indirect means identifiable after all. Well, you get my point. Even from deceased family or relatives you can extract information via all kinds of medical, historical and other records which would point to a living natural person. Why is this outside the scope of the GDPR? This remains unclear to me.

Vital interests versus privacy rights: the implicit consent in health care is not necessary and even paternalistic towards the natural person's rights. You could even see it as a disrespect of the rights and freedoms of natural persons. My rights are not a trade for health care.

Informed or implicit consent is what the health care providers (hospitals, clinics, doctors, pharmacies, specialists) are using to give health care when someone is in need. So if you go to a doctor, you implicitly give your consent to the doctor using all needed personal information at his or her will, without questioning the reason for providing this information. Most people will say that this is good, because people in some cases (in case of an accident and being wounded, or mental problems) will not be able to give their consent to the use of their personal data each time they need health care. This is based on the implicit trust between client/patient and doctor or health care provider. As a person who needs health care in urgent and vital situations, I could agree. But on many occasions there is no vital or urgent situation. In my opinion this is against the rights and freedoms of a natural person, and this derogation mentioned in Art. 9 (Special Categories of Data) should be adjusted more in line with the rights and freedoms of natural persons. A solution would be that when choosing a doctor in the neighbourhood a health care privacy agreement is signed which contains the most important data processing activities. Of course, working with apps nowadays and giving consent in that way would also be a possibility, but that is just a matter of form. A more explicit and transparent way of handling privacy data would also help to gain more trust between patient/client and doctor.

Religious organizations: the Regulation is tolerant for these groups. Why?

As pointed out in GDPR Art. 91.1: "Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation…." The enforcement of the Regulation on religious groups is somewhat blurry, to say the least. They can use existing privacy rules but have to bring them in line with the Regulation. This effectively means that there is no hard deadline for these groups to comply with the Regulation, as you would expect. The Regulation treats churches and religious organizations differently. Art. 91 is not the only derogation within the GDPR. Art. 85 through Art. 90 also show situations where derogation from the GDPR still exists. Reading several articles on these derogations suggests that the GDPR leaves them open for further judicial development under national laws.

Lack of certification is not an advantage for compliance.

Although I would tend to say that being compliant with the law is in anyone's interest and simply a must, if you do not want to be fined or jailed, there is no guarantee, however, of how far an organization is really compliant with regard to the GDPR. Even if an organization says it is. During my practice of GDPR implementations in organizations I learned that organizations need guidance to implement the GDPR. A certification framework and process would be of great help to achieve that. It would certainly give management another incentive apart from just being compliant with the law. If a company could show its compliance with the GDPR by a certificate similar to ISO 27001, then this would be an added value and it would show trust to the outside world, signalling: your personal data is safe with us. Currently ISO has the 27018:2019 code of practice for protection of personally identifiable information in public clouds, not covering non-cloud. Other organizations such as Nimity have a GDPR framework which can be used to audit companies' GDPR readiness. Auditing and accounting companies like KPMG and DEKRA have developed audits for GDPR compliance. In my GDPR practice I have used the 27001 audit experience and framework to audit the most important principles of the GDPR: lawfulness, transparency, legitimacy, adequacy, rights of natural subjects, data retention, accuracy and safety of processing privacy data. These principles contain the bare minimum of what an organization should do. A lot more has to be done regarding transfers, data processing agreements, and privacy by design and by default, amongst others.

Transparency: a lot more has to be done.

The issue I talked about earlier in this article, the data broker refusing to respond to my Subject Access Request (SAR), taught me that transparency in a controller-processor relation towards me as a natural person could be better. There is no guarantee that, for example, the controller has all processing activities in direct scope, and sub-processors of processors related to the controller may have my personal data too. So how do we know that all processors and their sub-sub-sub-processors are in scope and that in a privacy statement on the controller's website or in its privacy policy the processing and sub-processors are mentioned? One way is to transparently show all Data Processing Agreements between controllers, processors and sub-processors: the whole so-called chain of processing activities wide in the open. Probably no company would like to do that. Another way of transparency is to show the names of sub-processors and what they do with your personal data in the privacy statement and/or policy of the controller. That would be a minimal requirement to comply with transparency. But transparency is more. Transparency is also the basis of trust between the controller and natural persons giving their personal data to the controller, for whatever legitimate purpose and lawfulness of the data processing.

Permissions Registry

During my GDPR implementations in an organization I was confronted with the issue of withdrawing consent. No one had ever thought about the registration of the consent which people gave on accepting the processing of their data. Why does a registration of someone's consent matter? Well, the registration matters since people may also withdraw their consent to the processing of their data. Normally this is directly connected to contracts for products or services when someone is acquiring them. So you need for each customer a copy of a contract or agreement on the delivery of products or services. Instead of having to search through contracts or agreements, often paperwork since contracts are mostly signed, it would be easier to have a permissions table or list centrally stored, so that the actual status of consent is always clear and easy to trace. Furthermore, in practice people do not always have a contract with an organization. For example, people asking for information via websites or even leaving their business cards at an exhibition stand. For newsletters there is an opt-out: people can unsubscribe at any moment. But for an information request there is often no unsubscribe. In those cases, and in complying with the GDPR, it is needed that actual and correct information on the status of consent is present.
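As an added illustration of the central permissions table argued for above (example code written for this article, not taken from it or from any product it mentions): an append-only consent log in which the current status is derived from the latest event per data subject and purpose, so a withdrawal never overwrites the record of the original grant and the source of each consent (contract, web form, business card) stays traceable. Subject ids, purpose names and source labels are assumed placeholders.

```python
"""Minimal consent registry: an append-only event log with a derived status.

Added example; the subject ids, purposes and sources below are constructed
placeholders, not data from any real organization.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # internal identifier of the data subject (assumed format)
    purpose: str      # what the consent covers, e.g. "newsletter"
    action: str       # "granted" or "withdrawn"
    source: str       # where the consent came from, e.g. "web_form", "exhibition_card"
    at: datetime      # when it was recorded (UTC)


class ConsentRegistry:
    """Events are only ever appended; status is computed, never overwritten."""

    ACTIONS = ("granted", "withdrawn")

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, action: str,
               source: str, at: Optional[datetime] = None) -> ConsentEvent:
        if action not in self.ACTIONS:
            raise ValueError(f"action must be one of {self.ACTIONS}, got {action!r}")
        event = ConsentEvent(subject_id, purpose, action, source,
                             at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def status(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Latest event for this subject/purpose, or None if never recorded."""
        matches = [(e.at, i, e) for i, e in enumerate(self._events)
                   if e.subject_id == subject_id and e.purpose == purpose]
        if not matches:
            return None
        return max(matches)[2]   # latest timestamp; insertion order breaks ties

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Processing for a purpose is allowed only while the latest event is a grant."""
        latest = self.status(subject_id, purpose)
        return latest is not None and latest.action == "granted"

    def withdraw_all(self, subject_id: str, source: str = "subject_request",
                     at: Optional[datetime] = None) -> List[str]:
        """Withdraw every currently granted purpose; returns the purposes withdrawn."""
        purposes = sorted({e.purpose for e in self._events if e.subject_id == subject_id})
        withdrawn = []
        for purpose in purposes:
            if self.may_process(subject_id, purpose):
                self.record(subject_id, purpose, "withdrawn", source, at)
                withdrawn.append(purpose)
        return withdrawn

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full trace for one subject, oldest first: the evidence an auditor would ask for."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)


def build_sample_registry() -> ConsentRegistry:
    """Constructed sample: one subject, two purposes from two different sources."""
    reg = ConsentRegistry()

    def t(hour: int) -> datetime:
        return datetime(2019, 5, 25, hour, tzinfo=timezone.utc)

    reg.record("S-001", "newsletter", "granted", "web_form", t(9))
    reg.record("S-001", "information_request", "granted", "exhibition_card", t(10))
    # Unsubscribing appends a withdrawal; the original grant stays in the log.
    reg.record("S-001", "newsletter", "withdrawn", "unsubscribe_link", t(11))
    return reg
```

The information request has no unsubscribe link of its own, so withdraw_all is how a general "stop processing my data" request is applied to it.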

Better tooling

Since the GDPR was adopted by the European Parliament in May 2016, many software and compliance companies have been developing tools. Most GDPR tools available on the market are mainly processing-registry tooling and governance tooling. Although one could opt for putting all the processing activities into an Excel spreadsheet, this is not a very practical solution for those organizations with enormous numbers of processing activities and changes in processing activities. A small or medium enterprise with a limited number of processing activities could very well register these in an Excel-format registry. Larger organizations with many more processing activities are wiser to use the inexpensive tooling for this available in the market. Nowadays the GDPR tooling is becoming far more extensive, so that it can be used to register all GDPR-related documentation like data breaches, Subject Access Requests, processing activities, retention records, Data Processing Agreements, privacy policy, technical and organizational measures, transfers, etc. These tools make life easier for organizations wanting to avoid a lot of work and rework. Also for governance, auditing and certification purposes good tooling could prove useful and more efficient, especially when processing activities change or are adjusted.

The future of the GDPR is ahead of us

It is now the 25th of May 2019, one year after the start of the enforcement of the GDPR in the EEA (European Economic Area). The GDPR, or General Data Protection Regulation, has had an impact on many organizations, especially the bigger ones. The news on data breaches will continue. Data breaches with bigger impact, size and frequency lie ahead of us with the further development of technologies such as Artificial Intelligence, Big Data, Virtual Reality, 5G, the Internet of Things and self-driving cars. Companies which are now mostly not fully compliant with the GDPR are hiring more and more people to make them compliant with the GDPR. With bigger developments ahead, now is the time to make your organization compliant before it becomes an even more complex and far more costly operation. We will see better GDPR tooling and auditing frameworks appear to make the implementation, maintenance and certification of the Regulation easier. This is absolutely needed in organizations whose core business is processing enormous amounts of personal data in order to provide services and products needed by the natural persons for whom the GDPR was meant in the first place. Furthermore, the derogations in the current version of the GDPR will change over time with jurisprudence, and this will adjust the GDPR into an even more solid law on the rights and freedoms relating to personally identifiable information. The GDPR has a promising future ahead.
