One year ago, the EU General Data Protection Regulation (GDPR) came into effect, fundamentally changing the way businesses handle data. The GDPR forced companies to scramble to comply or face penalties. A year later, what has the GDPR’s impact been and how are businesses handling it? Where should companies go from here? Joining the show for episode 24 of Cyber Security Sauna are F-Secure’s Hannes Saarinen, privacy officer, and Erik Andersen, who works with companies on GDPR compliance. We last spoke with them in May of 2018, and they’re back to give us a GDPR update.
Listen, or read on for the transcript. And don’t forget to subscribe, rate and review!
Janne: Welcome back to the show, guys.
Hannes: Thank you, Janne. It’s always a pleasure to be here.
Erik: Thank you.
What has been the impact of GDPR so far? Does it seem like it’s achieving what it set out to do, protecting the personal data of EU citizens?
Erik: In protecting and ensuring the rights of the citizens, my personal experience is from the privacy notices I get asking for my consent in general as a consumer and as a private person. I would say that it has been quite successful. I find them to be overall relevant and correct, sometimes maybe even a bit overdoing the notices and information. But I would say from that point of view, it has been a success.
I also feel that companies really have started worrying about protecting personal data. The awareness has been immense. Everybody’s talking about how do they protect data within organizations. And I see many organizations still investing in improving data protection and data subject rights management. So I would say yes, for that part it has been a success. There is also a big focus on the big data controllers, which certainly has helped with the awareness. So the incidents with Google and Facebook and other big players. The British Airways incident last autumn is also something that has gotten a lot of attention and helps keep the awareness.
Well, absolutely. What about you Hannes, are you seeing the kinds of things you wanted to see?
Hannes: Yes, and we definitely can see the difference in what was not happening in 2018 spring and what is now happening as of today. As Erik pointed out, there is the amount of GDPR spam, which tells how little the companies were telling their customers what kind of data they are actually collecting. And the second point is the security data leakages, how many of those are happening and how companies are scrambling to react. So that tells about the capabilities to detect those.
Erik: Another aspect of the GDPR was actually to create a new deal on data to establish a foundation from where you could create more value out of personal data by sharing even more. And I think that’s still yet to see if GDPR will be successful from that point of view. So will people start becoming more safe, and will we see that citizens will get a more fair deal on the use of their data? If that also happens, I think we have all in all a good success.
Speaking of value, how do you see companies doing today? Are they just struggling to meet the basic requirements? Or are they getting into the spirit of it and being compliant on a fluent level, really getting everything out of GDPR?
Hannes: Well, not yet. That would be the short response. By and large companies are still just finishing their GDPR projects, and they are just in the middle of doing the transitioning of the ongoing privacy programs from the project mode. And you can see it from our business to business collaboration, how some of the companies are still working on very basic stuff and some of them have already slowly started going to third party auditing, international transfers, more complex and elaborative data subject rights enablement. So the trip is not yet over.
Erik: Yeah, I agree with that. I would say that a lot of effort has been put into meeting the formal requirements, the data subject rights to be informed, to give consent, to establish data processing agreements, to make the record of processing activities, appointing a DPO for example. Those kinds of requirements, most companies are pretty good with those. And on the awareness level, I also think it has improved a lot.
I see mostly on the technical level that we have many challenges still. We have seen quite a few severe breaches of personal data that could have been avoided with a decent effort. So it’s in mass attacks and random attacks where we know the vulnerabilities and the attack methods are really basic. Those type of attacks could easily have been avoided. So that’s a technical issue that hasn’t quite gotten the attention it should have. And I also think one of the challenges is that many systems, in particular legacy systems, they’re not designed for privacy and they’re not easily configured to minimize data access. And this will take maybe a generation or two of systems before we get those parts in place.
Hannes: To give you a silver lining on the technical side, the organizations in privacy have been measuring the difficulty level of how difficult it is to actually translate these requirements into technology, and all of those meters are mostly pointing downwards. Meaning that even with the relative insufficiency of the privacy pros, nonetheless the companies are actually solving these things which were initially considered very difficult and very hard to implement. So even if we are not yet on the “This is easy” side of things, nonetheless this is going to be easier going forward.
Erik: Yeah, that’s a good point.
Speaking of last time, Erik, you mentioned that the requirement to provide adequate product protection of personal data was causing confusion and you said that companies don’t always know how much protection is enough. They don’t have an adequate understanding of the risk and threat to their business and their threat intelligence is quite low. Have you seen any improvements in this in the past year, with companies knowing their threats and risks better?
Erik: Not so much on the threat intelligence part, but more on the understanding where they have data, that has improved a lot. So many organizations have been doing data stream analysis, data flow analysis. So now they actually know what data resides in the different systems and on the different networks and what can be accessed from different endpoints and so on. So that part has improved a lot.
The threat intelligence is still, I would say, a challenge. I do see there is a perception that if you buy, for example, a monitoring service or a detection service, then you also buy the threat intelligence because the detection service provider, they should know about the threats. But that’s an oversimplification. So I would say my experience, and from the organizations that I work with, it is still something that needs to improve. Understanding the threats and using that to focus the protection where it’s most important.
What about my personal favorite requirement that companies have detection capabilities? How are companies doing with this, are they getting the right technologies and people in place to be able to do this?
Erik: To an extent, yes. I think there is still a way to go there. Quite a few of the existing detection and log management systems that are used by organizations are not really very effective in preventing data breaches. So it’s too late if you get an alert that someone has accessed your data in an application for example, then the damage is already done. So companies need to think more about how do they prevent breaches before they become data breaches. And that’s changing the focus more to monitoring what happens in the infrastructure so that you can prevent the attacker from actually reaching your systems and breaking into your systems where the data resides.
No, absolutely. There’s also a deadline to reporting breaches and if you don’t have detection capabilities that’s gonna catch you off guard. So how are companies dealing with the notification deadline?
Erik: My experience is that they actually deal quite well with it, but it’s really hard to tell how to get the information to… You need to know when they should have learned about a breach. It is often not a simple task. But I would say in general, the notification requirements are quite well understood. Organizations know that they don’t have to do a full investigation within the 72 hours. So it’s enough to make a notification based on what you know at the point where you became aware of the breach, and then keep updating the breach notification as you become more informed about what has happened. So I haven’t seen any big challenges with that from my personal experience.
Hannes: And if we take a bit more societal approach to the 72 hours, I mean, it was created by the lawmakers in a situation where no one was telling anyone that “We actually have a breach,” which also meant that none of the individuals whose data was affected, they were unable to react. So looking at this beyond the compliance aspect, whether you give a breach notification in 50 hours or in 80 hours, it doesn’t really matter because it means that nonetheless, that information is now out there in a reasonable time so people can actually react. So regardless of how well the companies are really meeting the 72-hour requirement and forgetting the potential company liabilities on failing that, nonetheless the fact is society is benefiting by and large by the fact that now we have these breach notifications.
Erik: Yes. And there is another effect of having to notify the authorities, and that is that once you have done that, there is an expectation that you will investigate the breach. So you make sure that way that organizations are actually responding to the breaches, because they have to, now that they have given the notification. So it’s not just the notification in itself, it is what it starts. The actions, the responses that they create within the organizations. Those are where we benefit most.
Hannes: That’s a very good point, Erik. This is one of the nice examples of GDPR, where it’s not a list of isolated requirements, but it actually leads to this circle which the companies, when running this circle, they will end up necessarily improving their whole privacy and security framework.
But a part of the notification deadline is that me as a user of these services, I get a notification that my information was breached so that I know to take mitigating measures, change my passwords, maybe get like a credit block or something like that in place.
Hannes: But keep in mind that that’s only in case there is a high risk breach, so to speak. So the priority logic of the notifications is step one, notify the data protection authority and step two, if the risk is of high impact then it’s notified to you as an individual. So it means you don’t necessarily always get the notification on that. Obviously if the company’s operating diligently, they will provide that notification. And what I’m hoping here that now as people start to see that there are also data breaches in Europe, not only in the USA, because the notification requirement is also here, it also means that when breaches become more commonplace, it no longer creates this embarrassment factor to the company who is notifying their customers.
A DLA Piper survey says that there were 59,000 personal data breaches that have been reported to the EU since the GDPR went into effect, but only 91 received any sort of penalties. So now that we’re getting all these reports in from these companies, why so few penalties?
Hannes: Well, there are two major reasons for this. One, we have to remember that even if it may seem like it, a breach does not equal failure of GDPR. And as we as information security professionals know, it’s completely possible that you have put in place sufficient security measures and nonetheless you are breached simply because the attacker is using even more advanced technologies than what was feasible for you to use for protection.
The second reason is simply that the data protection authorities, they don’t have the bandwidth to prosecute. So they have such a huge amount of personal data breaches out of which they have to figure out which of these are relevant? In which of these cases has the controller or processor been negligent in securing personal data? And once they pick out those who are, they decide, okay, here we see wrongdoings. In that case they have the issue that it takes a huge amount of manpower to actually do a full-blown prosecution case. If they want to go against the big fish like the US multinationals, then they will really need to tie a substantial amount of resources to pulling it off. And that’s apart from going after the little fish.
You made a good point about how sometimes you can do everything right and still fall victim to one of these cyber attacks. But frankly a lot of the attacks we’re seeing, a lot of the breaches we’re seeing, that is not the case. And to me it seems like 91 out of 59,000 is kind of a low number. So is it more about the bandwidth thing? Do you think the authorities were surprised by the number of breaches that are happening?
Erik: I can speak mostly for the Danish authorities, but I would say that the 59,000 breaches, they include many breaches, from – I have heard about examples of losing a document that was printed out to the printer, and things like that. So it is really ranging from quite small breaches to very big breaches. And I know for a fact here in Denmark that for example the municipalities, they have been sending in a lot of notifications. They have reported many breaches that are in the very low end of severity, I would say. So it would be interesting to know what the nature of those 59,000 personal data breaches are.
I also know in Denmark that there is not enough bandwidth to process all these. So the fact that only 91 have received penalties, that doesn’t mean that only 91 will receive penalties. And as we get more and more cases resolved, the penalties will come faster, because then we have some examples that we can base the penalties on. Then there is a practice that can be used for issuing penalties.
Hannes: Yeah, that’s a very good point, Erik. So we have to remember that the authorities are also creating the whole procedure of penalizing the companies, and also the note you made on minor penalties. Let’s remember that the fines are not the only instrument the DPAs, the data protection authorities, have at their disposal. They are going to send out warnings, reprimands, maybe comment publicly or actually even worse than the fines, simply forbid the company to process any more data. So we shouldn’t only look at the fines when measuring the impact.
But you were saying we haven’t seen the full fallout of all the incidents that have been reported so far. Do you think we should be expecting to see a lot more fines or other forms of enforcement in 2019?
Hannes: We will be seeing more. Let’s remember that for example, let’s take the Finnish data protection authority. They only got the actual law, which gave them the power to impose all of these fines, in addition to their previous capabilities, it came in force on the first of January. So they only have been fully empowered for less than five months now.
Last time you mentioned that most of the countries were not ready for GDPR. Like you were saying Hannes, we just got legislation in Finland in January. Also not having enough data protection authority personnel in place, these kinds of things. How are EU member states doing in this regard?
Hannes: Quite well. The only one who is lacking in regards to this companion law which the countries need to impose, is the Czech Republic. They have it still somewhere stuck in their parliamentary processes, but all of the other EU countries now have this companion law, which is also the law that gives the empowerment rights to the data protection authorities.
In terms of manpower management of the same authorities, I will draw here to the most often speculated international incident at the moment, Brexit, which myself and probably the whole privacy community are watching with worrying eyes. Because the fact is that the Information Commissioner’s Office, the UK DPA, is the best equipped data protection authority with the most manpower with the best publications coming out. So at least the people in the privacy space very much hope that the Brexit doesn’t happen because it would be a severe sort of lack of resources and good documentations and guidance on that side. And actually, even if occasionally we as companies complain about overt regulation, nonetheless we want there to be tech savvy regulators or authorities in place telling us how to do these things, and the ICO is kind of a golden standard at the moment.
Erik: Yeah, I would say that on the legal side and the formal requirements, supervising those, the data supervisory authorities have really improved and have much more manpower now, but the technical skills to understand the risks and the threats, assessing the data protection, there is still a long way to go for quite a few of the supervisory authorities, with ICO being an exception. Based on the guidance that they have provided, it has been high quality. But I don’t see the same in other countries. So we still have a gap within the supervisory authorities on the technical side.
So what about companies outside the EU? How have they been handling the new regulation? Is GDPR positively impacting the privacy of people outside the jurisdiction?
Hannes: I would say yes, because the companies, all of the multinational companies, in most cases they want to have global practices. In many cases it doesn’t make sense for them to do a European-specific procedure, since we are nonetheless rather a big market, and then do something else entirely for everyone else. I know the US companies doing business in the EU, they have had quite a few GDPR readiness projects on their plates, and they really have been spending money to get compliant. That isn’t to say that they all would be compliant, but they at least have been doing a bona fide effort to that effect.
And this is where we as Europeans can be pretty proud. I mean, privacy and GDPR specifically, it’s a European export product. It’s the model for a lot of the other hundred and plus privacy laws around the world at the moment. In that way we are kind of impacting how the personal data is being perceived and processed throughout the globe.
Have there been any unintended consequences of GDPR? Things that have happened that weren’t part of the original purpose?
Hannes: If you want me to emphasize one thing which probably was an unintended consequence, it’s a bit too strict compliance activities like the Whois database, which someone decided that, “Okay, this is against the letter of the GDPR. We have to limit access to the Whois database.” But at the same time evaluating the whole usage of the Whois database based on the privacy implications of the people who are listed there, and forgetting the societal benefits you have from the fact that you have this kind of internet directory in existence. So this is also something you sometimes see in the corporations or other entities applying GDPR, that you only look at the privacy side of things and then you forget the other aspects which might actually justify doing a bit more.
About the sort of guidance and interpretation of the regulation. Have there been any changes in that? Is anything looking different than we thought it was gonna look?
Hannes: Not probably different, but I mean the data protection authorities, they have taken the benefit of being empowered in giving more guidance. So we have quite a bit of guidance. What is an unpleasant surprise is that much of this guidance is also very conservative and very strict. So if you want to be fully compliant with all of the guidance you have, in some cases, you really have to put a lot of effort into making something happen by the book.
Erik: Yeah, I would agree with that. I also think that of course regulators and supervisory authorities, it’s understandable that they want to play it safe. They don’t want to be the ones loosening up. So it is understandable that guidance that comes from a supervisory authority will be strict. That is as expected. I think even though it is strict, it is still helpful because it removes some uncertainties. It makes it easier to understand what to do. And I think there have been a lot of good contributions from supervisory authorities, from simple guidance, suggestions, examples, and even tools. The French supervisory authority, for example, they have created an open source tool for doing DPIAs. And there are many templates now that you can download, examples of data processing agreements and how do you describe the data protection environment, and so on. So I would say all in all, there is a lot of guidance now to find on the supervisory authority websites.
Hannes: I have to say that while I disagree with some of the guidance provided out there, but nonetheless, you have a point there, Erik, that now that you have the guidance, it’s also removing this excuse from some of the entities of saying that this is way too complex. There is no way we can comply with this even if it’s only one law more. But nonetheless, there is no more excuse for companies not to comply, because there is quite a lot of guidance on, let’s say, not on all topics but on quite a few topics now.
There’s the guidance from authorities, but there’s also this whole industry of sort of consulting and advice giving on how to be GDPR compliant. What do you guys think about the GDPR certifications that have been popping up? Are those meaningful?
Erik: Yes, I think they are meaningful and I also think they are quite good quality. It was not so good in the first year, but that has improved a lot. And I think overall, it’s a very decent collection of material that you need to master. It’s a good mix of business understanding, process understanding, understanding legal requirements and practices. A lot of focus on practices. How do you manage consent, how do you manage privacy in a company and what are the technical measures and organizational measures that you can take to manage the risk. I think it’s a quite good set of certifications we have now. And I’m mainly thinking of the CIPP and CIPM and CIPT for EU.
Hannes: So Erik, are you speaking of personal certifications?
Hannes: Yeah, they might be beneficial for especially educating new privacy pros. If we think of the certifications on a corporate aspect, then my attitude is sort of negative on those at the moment. I mean, we already know that the GDPR has a model in place where the European data protection board, or European Commission, don’t recall which, is able to later produce new European-wide certifications which are not yet in existence, which also means that any certification you are going to get prior to that, and you are getting kind of the ICO privacy additions and all kinds of certifications by the consultancy houses, all of those certifications existing prior to the official European Union certification framework are going to be badly inflated when we actually finally get that one.
So you may want to run these certifications for the purposes of having at least some paper for the moment to show that “Hey, I’m doing my stuff nicely.” Or you may do it as a practice round, because most likely it will not be totally in vain when we finally have the European level certification in place. But the impact of the corporate level of certifications is, I would say, minor at this point in time.
Erik: Yeah, I think you’re right on that. And you mentioned earlier that the GDPR is now an example that the rest of the world is looking at adopting the principles in their own privacy regulation and I think on the certification side, maybe we could do the same in EU, just the other way around. Europe has traditionally managed the development of standards either by authorities or by the ISO standards organizations and so on. Whereas in the US for example, there is a tradition for developing standards in industries. And we actually have an example of that for the payment card industry, which is essentially a standard for protecting personal credit card data. There is also the whole healthcare industry and the HIPAA, where we could actually adopt some of the certification schemes from there. And similarly when looking at other countries outside of the EU, there are some industry-developed frameworks and standards that with minor changes and tailoring to GDPR, they could be a first step towards getting more industry standards and certifications.
So what should companies be doing at this point? I mean, both companies that are already comfortably GDPR compliant and those who are still trying to get there?
Erik: If they are GDPR compliant, they should focus on doing it more fluently and efficiently. If they’re not yet compliant, if they still have issues, they should certainly prioritize those, get the gaps closed and then later on they can focus on improving. So I would say it really depends, but for all organizations, share experiences, share tools, use the industry organizations if there is some help to get there. I have seen in many industries that the industry organizations have actually taken this quite seriously and have created good guidance and templates and so on that can be used by their members. So this is also an area to look at. Everything is maturing now. Also the tools in the market to help manage compliance, they are also becoming better all the time.
Hannes: Yeah, I have to echo Erik here. 2019 is going to be more major on the GDPR side of things. So let’s remember that the previous legislation, the European Union Data Protection directive that was in force for 20 years, we are now on year one of GDPR. So we still have a long ways to go before we are taking it as business as usual. But companies are obviously going there.
All right. Well it’s always the big breaches and the big fines that catch the attention and headlines of the world. This year we saw Google being hit with a 50 million euro fine. What do we think about that incident?
Hannes: That Google fine, it’s a very interesting topic. The rationale CNIL, the French data protection authority, gave out with the fine was that Google was not transparent in how it was processing personal data and it didn’t have an opt-in. It didn’t have valid consent for collecting that data. Now, this is interesting also because how much does Google’s data processing really differ from the cookie practices of most companies? Many companies are still in this stage of denial saying that we really don’t have to do any major changes to cookie practices because it’s only under the framework of e-privacy regulation and even if de facto, data processing their cookies is already impacted for the most part by GDPR as well, then at the moment there is this conflict of legislation which would make it slightly more difficult to actually create feasible cookie practices. So Google was fined, especially on the front where many companies are wanting at the moment. And that’s why the Google case is such a good precedent, because it’s kind of a wakeup call for the companies who don’t yet have their cookie management in place.
The argument has been made that by limiting how data can be collected and used, we’re putting ourselves at a disadvantage in the AI race, where you need immense amounts of data to train the artificial intelligence. What do you guys think about that?
Hannes: By default the GDPR is technology neutral and if you already have as a rationale to process certain data, then it’s rather trivial to make the necessary sort of tweaks that you can also use the same data for machine learning. Now that being said, if we compare ourselves, for example, to the culture in China and the USA for example, where there are very few limitations on how you can collect the data, yes, by default the GDPR is putting, from that point of view, Europe at a disadvantage. But as pointed out by the lawmakers in this context, if we limit our privacy protections too much in the name of economic advantage, potential economic advantage in the realm of AI, then it’s kind of a race to the bottom. How low should you put the threshold in that case to make sure that we are on equal grounds with equal freedoms to process whoever’s personal data, as the companies who have almost no legislation on that side.
Erik: Yeah, I would add to that. I certainly agree with you that this could be a restriction, but it’s not intended by GDPR to restrict AI as such. The point GDPR wants to make is that you have to understand the risk when you do collect large amounts of data and you do AI, what are the implications for the data subjects? Can we see the risks that data subjects are exposed to? And based on that, is it then a good way to go? I would say that you can maybe even compare this a little bit to the way we create medicine today. So we have very strict requirements on testing and documenting that we have done testing of medicine before we actually put it to the markets. And that doesn’t limit the development of medicine as such. Or maybe it limits some kinds of medicine, but not the kind of medicine that a normal data subject would want to have.
I would also like to emphasize that the whole purpose of GDPR is not to limit the use of personal data. It is actually to do it in a controlled manner that society and the citizens and business environment can be happy with. So it provides a good foundation, transparency, and it provides the data subjects with the right to opt out if they don’t feel safe or comfortable with the way their data is being used. And with that, there is a much better basis for using personal data. And I really hope that we will see that in the future, people will become more safe, that the data processing, the data protection will be more secure, so that we can get the full value out of personal data. So we can provide better health care, we can provide better services all over, whether they are societal services or whether they are delivered by a private organization.
Thank you guys for taking us through year one of GDPR, and thank you for being on the show.
Hannes: Thank you. It’s always a pleasure.
Erik: Yeah. Thank you.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter through F-Secure @CyberSauna. Thanks for listening.