We’ve been writing about the GDPR for the past few months now and with the GDPR recently passed into law, we thought it was worth bringing together a panel to discuss its implications.
In this episode of the Inside Out Security Show, we discuss how the GDPR will impact businesses, Brexit, first steps you should take in order to protect EU consumer data and much more.
Go from beginning to end, or feel free to bounce around.
Cindy: Hi and welcome to another edition of the Inside Out Security show. I’m Cindy Ng, a writer for Varonis’s Inside Out Security blog. And as always, I’m joined by security experts Mike Buckbee, Rob Sobers, and Kilian Englert. Hey, Kilian.
Kilian: Hi Cindy.
Cindy: Hey Rob.
Rob: Hey Cindy, how is it going?
Cindy: Good. And hey, Mike.
Mike: Hey Cindy, you made me go last this week. That’s all right.
Cindy: This week, we also have two special guests, also security experts. Andy Green, who is based in New York, and Dietrich Benjies who is based in the UK. And they’re here to join us to share their insights on the latest General Data Protection Regulation that was just passed with an aim to protect consumer data that will impact not only businesses in the EU, Britain and the US and the rest of the world. So Hi Andy.
Andy: Hey Cindy.
Cindy: Hey Dietrich.
Dietrich: Hi Cindy.
What is the EU General Data Protection Regulation?
Cindy: So, let’s start with the facts. First, what is GDPR and what are its goals?
Andy: In one sentence? Can I get two?
Cindy: You get two and a half.
Andy: Okay, two and a half.
So it stands for General Data Protection Regulation. It’s a successor to the EU’s current data security directive which is called the Data Protection Directive, DPD. And it really…I mean if you are under the rules now, the GDPR will not be a major change but it does add a few key major additions. And one of those is…well there are stronger rules on, let’s say, right to access your data. You really have … almost like a bill of rights.
One of them is that you can see your data, which is maybe not something in the US we are experienced with.
Also, another new thing is you have a right of portability, which is something that Facebook probably hates. In other words, you can download the [personal] data. If I were, I assume this would happen in the UK or the EU, that if you are a Facebook customer you will be able to download everything that Facebook has and have it in some sort of portable format.
And I guess that [if you have another] social media service, you can then upload that data to that social media service and say goodbye to Facebook, which is kind of not something they’re very happy about.
… You have almost like a consumer data rights under the new rule. I don’t know if anyone has any comments on some of these things but I think that’s…that, I think, is like a big deal.
Dietrich: I’m sorry Mike. Were you going to go next? I chimed in so I suppose I’ll carry on-
Cindy: Go ahead, Dietrich.
Dietrich: So I think in terms of your attendance, it’s the European Union recognizing that data is…the European citizens recognize their data as important and historically, recently and historically, there has been many cases where it hasn’t been demonstrated to be appropriately controlled.
And as it’s a commodity, the information on them is a commodity traded on the open market to a degree that there has just been an increasing demand to have greater safeguards on their data. And those greater safeguards on European citizen data gives them greater confidence in the market, in the electronic market that the world economic market has become.
So that the two pillars, which we’ll get to, or the two tenets are Privacy by Design and accountability by design … we’ll get to a lot of things but that’s a synopsis on it.
Mike: I was curious about to what extent this was targeting enterprises or is it targeting, say like you brought up Facebook, which I consider an application, like a web application service. Was there an intent behind this, that it’s targeting more one or the other?
Andy: Yeah. It’s definitely, I would say consumers. I mean it’s really very consumer-oriented.
Dietrich: Mike do you mean in terms of it’s targeting the consumers? Yes, it’s consumer data. It’s related to but do you mean in terms of the types of businesses where it’s most applicable? Is that what you mean Mike?
Mike: Well, you know, there is a decision-making framework that, so now with GDPR as the Data Protection Directive to need to make decisions, that I’m building an application, I’m going to need to have new privacy features. We talked about Privacy by Design which has its own sort of tenets. Or I’m building out the policies for my company which has satellite offices all over the world and some of them happen to be in the EU. Just trying to look at the impact and look at how this should change my decision making on the business.
Dietrich: Well, it’d be cynical. I’d say if you want to avoid it totally and entirely, just don’t sell to an EU citizen.
Rob: Yeah, I think, to answer your question, Mike, the Facebooks of the world and these global web services are going to have to worry about it if they are collecting data. And we all know Facebook not only collects the data that you give them but it also ascertains data through your actions.
And I think that’s what Andy was talking about is that it’s not just the ability to click a button and say give me my profile data back now so I can take it with me. It’s like I put that data in but I think what the GDPR is aiming to do is give you back the data that they’ve gathered on you from other sources. So tell me everything you know about me because I want to know what you know about me. And that’s, I think, a very important thing. And I really hope that the US goes in that direction.
But outside of those web services, think about like any bank that serves an EU customer. So any bank, any healthcare organization, so other businesses outside of these big global web services certainly do have to worry about it, especially if you look in your customer database or any kind of…if you are a retailer, your transaction database, and you have information that belongs to EU citizens then this is something that you should at least be thinking through.
Who will be tasked to implement GDPR?
Cindy: So who needs to really pay close attention to the law so that you are executing all the requirements properly?
Dietrich: Who needs to pay attention to it in terms of those organizations and scope? It’s pretty well spelled out that the organizations who deal with, who transfer, who process big things on processing and doing this information associated to European citizens.
So if I backtrack a bit, it was where we are starting with the portability of the data, the information that we have, that organizations have on individuals and those subject access request, right to erasure, kind of the first and foremost is the protection element. Making sure that the data is protected, that we are not…organizations aren’t putting us at risk by the fact that they are holding our data and making that overexposed.
Kilian: To kind of address the question more technically speaking, I think … everybody involved in the process needs to pay attention to it. From the people designing the app, Mike, if you want to launch your business, you need to realize that there are…boundaries are kind of made up anymore with technology.
So right from the beginning, we’ll talk about Privacy by Design. But that needs to be the first step, all the way up to the CEO of the company or the board realizing that this is a global marketplace. So they want to get the most amount of customers, so they have to take it seriously.
Andy: Yeah, I was going to say that they do have a heart at the EU … and they do make an exception … there is some language for making exceptions for smaller businesses or businesses that are not sort of collecting data on, what they say, like on a really large scale–whatever that means!
What you are saying is all true but I think they do say that they will sort of scale some of the interpretations for smaller businesses so the enforcement is not as rough. And there may even be an exclusion, I forget, for under 250 employee companies.
But I think you are right. This is really meant for the, especially with the fines, it’s really meant to get to C-Level and higher executive’s attention.
What’s the first step you need to take when implementing GDPR?
Cindy: So if you are a higher up or someone responsible for implementing GDPR, what’s the first step you need to look for and so you don’t miss any deadlines, so that you are planning ahead?
Andy: I think we had to talk about this the other day. I’ve actually talked about it with Dietrich. Some of this is really, I’d say, like common IT sense and that if you are following any kind of IT best practices and there are a bunch of them or some standards, you are probably like 60 or 70% there, I think.
I mean if you are, let’s say you are handling credit card transactions and you are trying to deal with PCI DSS or you are following some of the — forget what they call it — the SANS Top 20 … So maybe I’ll say it’s sort of like putting laws around some common sense ideas. But I realize the executives don’t see it that way.
Kilian: Yeah. I think the first thing you have to do is figure out if you have that data, to begin with, or where it’s at. I mean the common knowledge is you probably do. If you do some type of commerce or interact with anybody really, you are going to store some information. But kind of nailing it down where it’s at or where it might be is I think the key first step.
Dietrich: And in terms of deadlines, I suppose to answer your question very directly, the deadline is May 25th, 2018, is when it comes into full force. That is the, I wouldn’t say it’s fast approaching. We still have 23 months.
Dietrich: I’ve got a clock on my laptop right there. Deadline to GDPR.
Data Breach Notification
Cindy: So there is also a data breach notification. What does that process entail? Like how do you get fined and how do you know that personal data has been lost or breached? What’s defined as personal data? Because there is a difference between leaking like company ID, company IP versus leaking personal data.
Andy: Actually I happen to have the definition right in front of me. So it’s any information related to a person. And in particular, it can be…so it says an “identifiable person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier”.
So it’s really, I guess what we would call in the US, PII [personally identifiable information], but it’s broad. It’s not just a strict list of social security number or specific account numbers. Those are examples of the types of identifiers. So it’s very broad but it has to relate back to a person and they do consider the online identifiers as “relatable to a person”.
Brexit and GDPR
Cindy: And kind of I can’t help but ask Dietrich, will Brexiters be exempt from GDPR?
Dietrich: No. Not at all.
So, first off, yes. A week ago today, we cast our votes. And then a week ago tomorrow it was found out that yes, in fact, we are leaving the European Union. So the reality of that is we haven’t invoked article 50. So article 50 is that yes, we are definitely doing it. We are doing it and then we have 24 months for them to get the heck out of the European Union.
The starting of that clock isn’t likely to happen for some time. For one David Cameron, who is currently our prime minister is stepping down…has stepped down. We have to wait. He said, “I’m not going to invoke. I’m going to let somebody else handle not only that process of invoking article 50 but in addition to that, negotiating the trade policies and all the things associated with the exit.”
In addition to all the things associated with the exit is the adoption or exclusion of a lot of the European directives, GDPR being one. So we could just sit there and not only, so if you take that time scale that will come into play if article 50, and there is some questions on the legality of the referendum, which I won’t go into in detail but there is a lot of debate going on in the moment that we voted leave if it’s actually something that will happen.
If it happens, and let’s say it will, the time scale of that activity is likely to be well after GDPR is in effect. And if GDPR does come…sorry, and even if we leave and the likelihood as in democratic country in which we live, we have cast a vote that we will leave, we could still take on GDPR as our own.
We have our own Data Protection Act here in the UK. We could just bump it up with GDPR at a stroke of a pen. And that’s quite likely considering we are debating in negotiation. We will negotiate for, hopefully, as freer trade as we can do within the European Union and I’m sure that will be…it would make sense that that would be a dependent clause.
Andy: And I was going to say, it looks like if you’re…since the UK has to trade with the EU, the EU countries are going to put in higher standards for e-commerce transactions.
Dietrich: Yeah. They are our biggest trading partner. I believe and don’t quote me on this but I could be wrong. I think it’s 54, 54% of our exports go to the EU. And likewise, we are one of the biggest trading partners for France, for Germany, etc.
Cindy: So, the US, we trade with the EU and the…
Dietrich: Do you? (sarcasm)
Cindy: I’m really talking about territorial scope. And I’m curious if I start a business or Mike starts a business, we talked about this earlier, how will I…what’s the law in terms of me needing to protect an EU consumer’s personal data? That’s a little controversial. Go ahead Dietrich.
Dietrich: Can I give you some examples on this?
In the last 48 hours, I have purchased a flight from Southwest Airlines, United Airlines, I’m a European citizen. I have purchased a backpack from some random site that’s being shipped to my father.
Look, I hope I’m not debt dipping myself in tax loss but anyway, you know what I mean. As a European citizen, I’m going to be in the States for three weeks as of next week. So I’m a European citizen who is going to be transacting, who is going to be purchasing stuff over there. So, considering the freedom of movement that exists, the small world in which we live where European citizens regularly travel to the US, regularly buy from sites online, I can’t see how the border is going to make any difference.
Most, if not, I’d say the vast majority of organizations in the US will deal with European citizens and therefore at least for that subset of data related to European citizens, they will be…they’ll have to put in controls if they want to carry on trading with European citizens.
Cindy: Go ahead, Mike.
Andy: Yeah. I think that was, that came out of, I forget, it may have been the Data Protection Directive but you’ve got to gain consent from the consumer and they apply it to cookies, accepting cookies. So you do see that on a lot of the EU sites, that’s right.
Mike: It just seems very odd because there is no…it doesn’t seem like it will improve things. It just seems like, yeah, we are getting cookies off you so here is this giant banner that gets in the way.
Andy: Will they ever click no?
Mike: Well, what’s interesting is that I don’t think I’ve ever actually seen like, “Yeah, no, don’t collect my cookies.” It just says like, “Hey, we are doing this so accept it or leave.” You are on my website now, so probably with a French accent.
Tension between Innovation and Security
Cindy: So in terms of, we talked about the cookie law, we’re talking about the GDPR.
If you are a CEO and you know that there is a potential risk of anything really, and let’s say data breach, if something happens, they’re often asking, “okay, higher ups, can we work through this? Will our companies survive?”
It sounds like people don’t like to be strong-armed into following certain laws. Like if I’m an entrepreneur, I’m going to come up with an idea. And the last thing I would want is like, oh, I have to follow privacy by design. It’s annoying.
Rob: Yeah. I mean it’s a push and pull between innovation and security. You see this with all sorts of things. You know, Snapchat is famous for its explosive growth, hundreds of millions of active users a day. And in the beginning, they didn’t pay attention to security and privacy. They kind of consciously put that on the back burner because they knew it would slow their growth.
And it wouldn’t have mattered as much if they never became a giant company like they are today. But then it came back to bite them, like they’ve had multiple situations where they’ve had data breaches that they’ve had to deal with and I’m sure devote a lot of resources to recovering from, not only on the technical side of things but also on the legal and PR side. So it is a push and pull but we see it in varying degrees everywhere.
Look what Uber is doing as they expand into different markets and they have to deal with all of the individual regulations in each state that they expand to, each country. And they would love to just close a blind eye and focus on improving their technology and recruiting new drivers and making their businesses a success.
But the fact of the matter is — and the EU is way out in front of everybody else on this — is that somebody has to look out for the customers. Because we just see it over and over again where in the US, it’s almost like flipping. Like we see these massive breaches where people’s healthcare information is exposed on the public web or their credit card numbers get leaked or God knows what kind of information. And it just doesn’t ever feel like there is enough teeth to make organizations really assess their situation.
Like every time I apply — and I don’t do this very often, thank God! — apply for a mortgage in the US, the process, it scares me. You have to email sensitive information to your mortgage broker in plain text. They are asking for PDFs, scans of your bank account. And where that information goes, you’re just not that confident in a lot of these companies that they are actually looking at information and putting it in sensitive secure depositories, monitoring who has access to it. It’s just…without this regulation, it would be…without regulations like GDPR, it would be way worse and there would be no one looking after us.
Kilian: You actually kind of beat me to the point I was going to make there Rob by couple of sentences. But, you know, fine. The businesses don’t like being strong-armed but the consumers don’t like having their entire lives aired out on the Internet.
And I think you are 100% right there. It is a pain in the butt in some cases for innovation, but we keep going back to it or I will but Privacy by Design. You don’t have to make an and/or decision. If you start with that mind to begin with you can achieve both things. You can still achieve massive growth and avoid some of the problems instead of trying to patch up the holes later on.
Dietrich: One thing in terms of the strong arm, in terms of the regulatory fatigue that organizations get, I have been dealing with organizations for some time and it seems that regulations are at points that the external world makes organizations focus on the only things they will focus on.
And this is important. It’s important for us. I mean I kind of like…I don’t kind of like. I quite like the intent of the regulation. It’s down to protect me. It’s not something that’s esoteric. It’s something that’s quite explicit to protect more information. And if it requires a regulation for them to take heed and pay note and to get over the fact that regardless if they have been ignoring data breaches in the past, to do so in the future may cost them more than it had, then that’s probably a good thing.
Andy: I was just going to say that one of the, like the one word they use in a lot of the law is just it has to do with Privacy by Design. It’s just minimize. I think if you just show that you’re aware of what you are collecting and trying to minimize it and minimizing what you collect, put a time limit on the data that you do collect, the personal data, in other words, if you’ve collected it and processed it and you no longer have a need for it, then get rid of it.
It seems common sense and I think they want the companies to be thinking along these lines of, as I say, just minimize. And that shouldn’t be too much of a burden, I think. I don’t know. I mean I think as Rob was saying, some of these web companies are just going crazy, collecting everything, and it comes out to sort of bite them in the end.
Mike: And this is me being cynical but I wonder if this is going to be a new attack vector. If there is like an easy way to get all your information out of Facebook, then that’s the attack vector and you just steal everyone’s information through the export feature.
I don’t know if anyone else saw there is a thing that you could hijack someone’s Facebook account by sending in a faxed version of your passport. That was a means by which they would reset your password if you couldn’t do anything else and you lost access to it. They are like, “Well, this whole rigmarole, but fax in your passport,” and so people were doing that as a…I think it’s good intentions. I just wonder about the actual implementation, like how much of a difference it will actually make.
Rob: Yeah, and I think you are right Mike that the execution is everything in this. With these regulations, we see it with failing PCI audits. PCI auditors that are checking boxes. And having worked for a software company that, in a previous job, that did retail software and was heavily dependent on collecting credit card information from certain devices and terminals and keyboard swipes and all sorts of things and gone through a PCI audit, knowing that there were holes that weren’t done by the auditors, it’s all about the execution. It’s all about following through on best practices for data security. And the regulation itself isn’t going to make you excellent at security.
Tips on Protecting Customer Data
Cindy: So if I’m trying to catch up… in terms… if I am not following PCI or if I am not following the SANS top 20, which is now renamed to something else like Critical Security Controls… so what are some of the things that I can start with in terms of protecting my customers’ data? Any tips?
Rob: Well I mean one thing and Andy kind of touched on this is don’t collect it if you don’t have to. I think that’s the number one thing. I mean certain services out there actually make it easy for you not to touch your customers’ data. For instance, Stripe, which is a pretty popular payment provider now, if you are collecting payment information on the web from customers, you should never know their credit card number. It should never hit your servers. If you’re using something like Stripe, it basically goes from the web form, off to Stripe and you get at most the last four digits and maybe the expiration number. But as a business, you never have to worry about that part of their profile, that sensitive data.
So to me, start with asking that question of what do we actually have to have. And if we don’t need it, get rid of it and let’s look at all of our data collection processes, whether it’s by paper form or web form or API, whatever the method is and decide what can we ax to just cut out the fat. Like we don’t want to have to hold your information if we don’t have to. Now, failing that, I know a lot of companies cannot do that, like Facebook’s business is knowing everything about everybody and the connections. And so in that situation, it’s a little bit different.
Cindy: It’s hard because what if I’m a company and I just what if I’m a hoarder? Like I hoard my…I live in New York, my studio is tiny, what if I like to hoard?
And it’s kind of like you are digitally hoarding stuff. And …. storage is cheap, why not get more? What would you say to a digital hoarder in terms of I might need this information later?
Rob: I would say stop. Stop doing that! There are data retention policies that prevent you from doing that that you can implement. It’s an organization culture thing, I think. Some organizations are great at data retention, others are hoarders. It’s just bad data protection.
Dietrich: Greater data retention and hoarders. We’d love to retain data. Most of the organizations we’ve talked to love to retain data. It’s nice having something to get in that stick which sits there and goes, just get rid of it. I talk to organizations now and I’ll go finally this is being implemented in such a way that we actually can go back to the business. Who doesn’t want the data deleted? It’s usually people in the business who says I may, at some time in the future, need that document that I created 15 years ago. Well not if it has anything related to an individual associated with it.
In that case, you can only keep it for as long as it is a demonstrable requirement to have that. So I think it’s something at that level, which should be welcomed by organizations, not unless they are really…I mean my wife’s a bit of a hoarder. If she was running a business, she would definitely have many petabytes of information. But related to individuals, it would give me the excuse to throw it out when she isn’t looking.
Andy: Right. I was going to add that the GDPR says, I mean yes, you can collect the data, you can keep it, but I think there is somewhere that says that you have to put a time stamp on it. You have to say, “This is the data I have and, okay,” if it’s five years or ten years, but put some reasonable time stamp on this data and then follow through. So sure, collect it. But make sure it has a shelf life on it.
Cindy: Any final thoughts before we wrap up? Silence, I love it.
Mike: I was on mute, so I was talking extremely loudly while no one heard me. I was going to say my final thought was that, we kind of started this with Andy saying that a lot of this was common sense IT things.
And I think that’s probably the biggest takeaway. The thing to do immediately is to, I think, just do an audit of all of your data. That’s just good practice anyway. If you don’t have that at hand, you should start doing that. Whatever the regulations are, whatever your situation, it’s very, very hard to think of a situation where that wouldn’t be to your advantage. So I think that’s the first thing and most immediate thing any company should do.
Dietrich: That’s a very good point and something that also, related to GDPR, is the point within GDPR in terms of the data breach impact disbursements. That’s also understanding what you have, making sure that you have the appropriate controls around it. So that’s just understanding, going through that audit directly helps you for GDPR.
Upcoming Webinars: July 21st English, July 28th German and French
Cindy: Rob, you mentioned there is a webinar on GDPR. When can people tune in?
Mike: Rob told me there was a barbecue at his house for the next GDPR meeting. Just come on over, we’ll talk European regulations, smoke some brisket.
Cindy: I need some help from people de-hoarding my studio. First, I need to go home and change all my passwords because I have a password problem. Now you all know I’m a hoarder.
Mike: This is just leading up to you having your own Lifetime television series I mean.
Cindy: That will be exciting.
Mike: I’d watch it.
Cindy: It will be Tiger Mom, 2.0.
Rob: So yeah, so we’re having a webinar on July 21st in English and we are having another one on July 28th in German. So for anybody that’s interested in the GDPR, we are also doing it on the 28th in French. So we are having multiple languages for you and they can go to varonis.com and just search for GDPR in the upper right-hand corner and you should be able to find the registration form.
Cindy: Thanks so much, Rob.
Dietrich: Whether you speak it or not. Yeah, fantastic.
Cindy: Thank you so much Mike, Rob, Kilian, Dietrich, and Andy. And thank you to all our listeners and viewers for joining us today.
If you want to follow us on Twitter and see what we are up to, you can find us @varonis, V-A-R-O-N-I-S. And if you want to subscribe to this podcast, you can go to iTunes and search for the Inside Out Security show.
There is a video version of this on YouTube that you can subscribe to on the Varonis channel.
And thank you and we’ll see you next week. Bye guys.
Follow the Inside Out Security Show panel on Twitter @infosec_podcast