We had a unique opportunity in talking with data privacy attorney Sheila FitzPatrick. She lives and breathes data security and is a recognized expert on EU and other international data protection laws. FitzPatrick has direct experience in representing companies in front of EU data protection authorities (DPAs). She also sits on various governmental data privacy advisory boards.
During this first part of the interview with her, we focused on the new General Data Protection Regulation (GDPR), which she says is the biggest overhaul in EU security and privacy rules in twenty years.
One important point FitzPatrick makes is that the GDPR is not only more restrictive than the existing Data Protection Directive (breach notification and impact assessment rules, for example) but also has far broader coverage.
Cloud computing companies, no matter where they are located, will be under the GDPR if their corporate customers ask them to process the personal data of EU citizens. The same goes for companies (or controllers, in GDPR-speak) outside the EU that directly collect personal data: think of any US-based e-commerce or social networking company on the web.
Keep all this in mind as you listen to our in-depth discussion with this data privacy and security law professional.
Cindy Ng: Sheila FitzPatrick has over 20 years of experience running her own firm as a data protection attorney. She also serves as outside counsel for Netapp as their chief privacy officer, where she provides expertise in global data protection compliance, cyber security regulations, and legal issues associated with cloud computing and big data. In this series, Sheila will be sharing her expertise on GDPR, PCI compliance, and the data security landscape.
Andy Green: Yeah, Sheila. I’m very impressed by your bio and the fact that you’ve actually dealt with some of these DPAs and EU data protection authorities that we’ve been writing about. I know the GDPR will go into effect in 2018, and I’m just wondering what the biggest change is for companies, I guess they’re calling them data controllers, in dealing with DPAs under the law. Is there something that comes to mind first?
Sheila FitzPatrick: And thank you for the compliment, by the way. I live and breathe data privacy. This is the stuff I love. GDPR... I mean, it is certainly the biggest overhaul in 20 years when it comes to the implication of new data privacy regulations. Much more restrictive than what we’ve seen in the past. And most companies are struggling because they thought what was previously in place was strict.
There are a couple of things that stick out when it comes to GDPR. When you look at the roles of the data controller versus the data processor, in the past many of the data processors, especially when you talk about third-party outsourcing companies and any particular cloud providers, have pushed sole liability for data compliance down to their customers. Basically saying, you decide what you’re going to put in our environment, you have responsibility for the privacy and security aspects. We basically accept minimal responsibility. Usually, it’s around physical security.
The GDPR now is going to put very comprehensive and very well-defined regulations and obligations in place for data processors as well, saying that they can no longer flow responsibility for privacy compliance down to their customers. Often times, cloud providers will say, “We will comply with the laws in countries where we have our processing centers.” And that’s not sufficient under the new laws. Because if they have a data processing center, say, in the UK, but they’re processing the data of a German citizen or a Canadian citizen or someone from Asia Pacific, Australia, New Zealand, they’re now going to have to comply with the laws in those countries as well. They can’t just push it down to their customers.
The other part of GDPR that is quite different, and it’s one of the first times it’s really going to be put into place, is that it doesn’t just apply to companies that have operations within the EU. It is basically any company, regardless of where they’re located and regardless of whether or not they have a presence in the EU: if they have access to the personal data of any EU citizen, they will have to comply with the regulations under the GDPR. And that’s a significant change. And then the third one being the sanction. And the sanction can be 20 million euro or 4% of your global annual revenue, whichever is higher. That’s a substantial change as well.
Andy Green: Right. So those are some big, big changes. So you’re referring to, I think, what they call ‘territorial scope’? They don’t have to necessarily have an office or an establishment in the EU as long as they are collecting data? I mean, we’re really referring to social media and to web commerce, or e-commerce.
Sheila FitzPatrick: Absolutely, but it’s going to apply to any company. So even if, for instance, you say, “Well, we don’t have any, we’re just a US domestic company,” but if you have employees in your environment that hold EU citizenship, you will have to protect their data in accordance with GDPR. You can’t say, well, they’re working in the US, therefore US law applies. That’s not going to be the case if they know that the individual holds citizenship in the EU.
Andy Green: We’re talking about employees, or…?
Sheila FitzPatrick: Could be employees, absolutely. Employees…
Andy Green: Anybody?
Sheila FitzPatrick: Anybody.
Andy Green: Isn’t that interesting? I mean, one question about this expanded territorial scope is, how are they going to enforce this against US companies? Or not just US, but any company that is doing business but doesn’t necessarily have an office or an establishment?
Sheila FitzPatrick: Well, it can be... see, what happens under GDPR is any individual can file a complaint with the courts in basically any jurisdiction. They can file it at the EU level. They can file it within the countries where they hold their citizenship. They can file it now with US courts, although the US courts... and part of that is tied to the new Privacy Shield, which is a joke. I mean, I think that will be invalidated fairly quickly. With the whole Redress Act, it does allow EU citizens to file complaints with the US courts to protect their personal data in accordance with EU laws.
Andy Green: So, just to follow through, if I came from the UK into the US and was doing transactions, credit card transactions, my data would be protected under EU law?
Sheila FitzPatrick: Well, if the company knows you’re an EU citizen. They’re not going to necessarily know. So, in some cases, if they don’t know, they’re not going to be held accountable. But if they absolutely do know, then they will have to protect that data in accordance with UK or EU law. Well, not the UK... if Brexit goes through, the EU law won’t matter. The UK Data Protection Act will take precedence.
Andy Green: Wow. You know, it’s just really fascinating how data protection and privacy now is just so important. Right, with the new GDPR? For everybody, not just the EU companies.
Sheila FitzPatrick: Yeah, and it’s always been important; it’s just the US has a totally different attitude. I mean, the US has the least restrictive privacy laws in the world. So for individuals that have really never worked or lived outside of the US, the mindset is very much the US mindset, which is the business takes precedence. Whereas everywhere else in the world, the fundamental right to privacy takes precedence over everything.
Andy Green: We’re getting a lot of questions from our customers about the new Breach Notification rule...
Sheila FitzPatrick: Ask me.
Andy Green: ...in the GDPR. I was wondering if you could talk about... What are some of the most important things you would do when you discover a breach? I mean, if you could prioritize it in any way. How would you advise a customer about how to have a breach response program in a GDPR context?
Sheila FitzPatrick: Yeah. Well, first and foremost, you do need to have in place, before a breach even occurs, an incident response team that’s not made up of just IT. Because normally organizations have an IT focus. You need to have a response team that includes IT and your chief privacy officer. And if the person... normally a CPO would sit in legal. If he doesn’t sit in legal, you want a legal representative in there as well. You need someone from PR, communications, that can actually be the public-facing voice for the company. You need to have someone from Finance and Risk Management that sits on there.
So the first thing to do is to make sure you have that group in place that goes into action immediately. Secondly, you need to determine what data has potentially been breached, even if it hasn’t. Because under GDPR, it’s not... previously it’s been if there’s definitely been a breach that can harm an individual. The definition is if it’s likely to affect an individual. That’s totally different than if the individual could be harmed. So you need to determine, okay, what data has been breached, and does it impact an individual?
So, as opposed to if company-related information was breached, there’s a different process you go through. If individual employee or customer data has been breached, is it likely to affect the individual? So that’s pretty much anything. That’s a very broad definition. If someone gets hold of their email address, yes, that could affect them. Someone could email them who is not authorized to email them.
So, you have to launch into that investigation right away, and then classify the data that has been subject to any intrusion: what that data is classified as.
Is it personal data?
Is it personal sensitive data?
And then rank it based on is it likely to affect an individual?
Is it likely to impact an individual? Is it likely to harm an individual?
So there could be three levels.
Based on that, what kind of notification? So if it’s likely to affect or impact an individual, you would have to let them know. If it’s likely to harm an individual, you absolutely have to let them know and the data protection authorities know.
Andy Green: And the DPA, right? So, if I’m a consumer, the threshold is… in other words, if the company’s holding my data, I’m not an employee, the threshold is likely to harm or likely to affect?
Sheila FitzPatrick: Likely to affect.
Andy Green: Affect. Okay. That’s a little more generous in terms of…
Sheila FitzPatrick: Right. Right. And that has changed, so it’s put more accountability on a company, because you know that a lot of companies have probably had breaches and have never reported them. So, because they go, oh well, there was no Social Security Number, National Identification number, or financial data. It was just their name and their address and their home phone number or their cell phone. And the definition previously has been, well, it can’t really harm them. We don’t need to let them know.
And then all of a sudden people’s names show up on these mailing lists. And they’re starting to get this unsolicited marketing. And they can’t determine whether or not... how did they get that? Was it based on a breach, or is it based on trolling the Internet and gathering information and a broker selling that information? That’s the other thing. Brokers are going to be impacted by the new GDPR, because in order to sell their lists they have to have explicit consent of the individual to include their name on a list that they’re going to sell to companies.
Andy Green: Alright. Okay. So, it’s quite consumer friendly compared to what we have in the US.
Sheila FitzPatrick: Yes.
Andy Green: Are there sort of new rules about what they call sensitive data? And if you’re going to process certain classes of sensitive data, you need approval from the... I think at some point you might need approval from the DPA? You know what I’m referring to? I think it’s the...
Sheila FitzPatrick: Yes. Absolutely. I mean, that’s always been in place in most of the member states. So, if you look at the member states that have the more restrictive data privacy laws, like Germany, France, Italy, Spain, the Netherlands, they’ve always had the requirement that you have to register the data with the data protection authorities. And in order to collect and transfer outside of the country of origination any sensitive data, it did require approval.
The difference now is that for any personal data that you collect on an individual, whether it’s an employee, whether it’s a customer, whether it’s a supplier, you have to obtain unambiguous and freely given explicit consent. Now, this is any kind of data, and that includes sensitive data. Now, the one difference with the new law is that there are just a few categories which are truly defined as sensitive data. That’s not what we think of as sensitive data. We think of, like, birth date. Maybe gender. That information is certainly considered sensitive under... that’s personal data under EU law and everywhere else in the world, so it has to be treated to a high degree of privacy. But the categories that are political/religious affiliation, medical history, criminal convictions, social issues and trade union membership: that’s a subset. It’s considered highly sensitive information in Europe. To collect and transfer that information is going to now require explicit approval not only from the individual but from the DPA. Separate from the registrations you have done.
Andy Green: So, I think what I’m referring to is what they call the Impact Assessment.
Sheila FitzPatrick: Privacy Impact Assessments have to be conducted now anytime... and we’ve always... Anytime I’ve worked with any company, I’ve implemented Privacy Impact Assessments. They’re now required under the new GDPR for any collection of any personal data.
Andy Green: But sensitive data... I think they talked about DNA data or bio-related data.
Sheila FitzPatrick: Oh no. So, what you’re doing... What happened under GDPR, they have expanded the definition of personal data. And so that’s not the sensitive data; that’s expanding the definition of personal data to include biometric information, genetic information, and location data. That data was never included under the definition of personal data. Because the belief was, well, you can’t really tie that back to an individual. They have found out since the original laws were put in place that yes, you can indeed tie that back to an individual. So, that is now included in the definition.
Andy Green: Sort of catching up a little bit with that technology?
Sheila FitzPatrick: Yeah. Exactly. But part of what GDPR did was it went from being a law around processing of personal data to a law that really moves you into the digital age. So, it’s anything about tracking or monitoring or tying different aspects or elements of data together to be able to identify a person. So, it’s really entering into the digital age. So, it’s trying to catch up with new technology.
Andy Green: I have one more question on the GDPR subject. There’s some mention in the law about sort of outside bodies can certify…?
Sheila FitzPatrick: Well, they’re talking about having private certifications and privacy codes. Right now, those are not in place. The highest standard you have right now for privacy law is what’s called Binding Corporate Rules. And so companies that have their Binding Corporate Rules in place, there are fewer than a hundred companies worldwide that have those. And actually, I’ve written them for a number of companies, including Netapp, which has Binding Corporate Rules in place. That is the gold standard. If you have BCRs, you are 90% compliant with GDPR. But the additional certifications that they’re talking about aren’t in place yet.
Andy Green: So, it may be possible to get a certification from some outside body, and that would somehow help prove your... I mean, so if an incident happens and the DPA looks into it, having that compliance should help a little bit in terms of any kind of enforcement action?
Sheila FitzPatrick: Yes, it certainly will once they come up with what those are. Unless you have Binding Corporate Rules. But right now... I mean, if you’re thinking something like TRUSTe. No. There is no TRUSTe certification. TRUSTe is a US certification for privacy, but it’s not a certification for GDPR.
Andy Green: Alright. Well, thank you so much. I mean, these are questions that... I mean, it’s great to talk to an expert and get some more perspective on this.