Humble Suggestions

I am on record as having a very poor view of the ICO. I don’t believe that they are fulfilling their Article 57 requirement to “monitor and enforce the application of this Regulation” (Art. 57(1)(a)) or their responsibility to “promote the awareness of controllers and processors of their obligations under this Regulation” (Art. 57(1)(d)).

It’s easy to keep taking pot shots, but I think it’s better to try to share suggestions for improvement so here’s my take on some positive, practical suggestions to try to help the ICO to fulfil its mandate.

My main concern is that some of these suggestions might already be happening. However, I have worked in data protection sufficiently long to know that if I haven’t heard of these things happening then it may not entirely be my fault: there is a problem of communication from the ICO, hence the purportedly large numbers of organisations which haven’t completed their compliance efforts.

Education

I think that there are a number of things which could be done to improve the current situation, but they have to be predicated on ‘education’ first and foremost.

It would be iniquitous – even this late in the process – for the ICO to hammer organisations with sanctions when the advertisement around GDPR was originally mostly based on scare tactics from the “snake oil” merchants, or vendors inflating their prices in what they perceived to be a “boom” period for their products. Organisations have often reacted to the interpretation of the law from a vendor with something to sell rather than objective guidance from the regulator.

I appreciate that market forces will always come into play in situations such as this, but these forces need to be tempered by an informed marketplace; the information asymmetry around regulatory expectations meant that those organisations which tried to comply often had their fingers expensively burned on sub-par advice from newly-minted “experts” or systems which had “GDPR” tacked onto them and which didn’t deliver anything to support the organisation’s compliance efforts.

Is it any wonder that some organisations have adopted the approach that they can prove that they have spent good money and are now unwilling to see whether it has helped them to protect their businesses?

UK businesses have had nearly two-and-a-half years to comply with the regulation, but the press suggests that those in a state of compliance are still in the minority.

It appears that the ICO is under-funded, so a media campaign this late into the process would be a waste of resource. What the ICO lacks in funds it no longer lacks in staff: the regulator employs nearly 700 staff (from a low of around 150). Complaints have arisen about the quality of advice from ICO staff, so the suggestions below help to address both sides of the education coin.

Engagement

Engage with trade groups (Chambers of Commerce, Federation of Small Businesses, SRA, CBI possibly) and social organisations (religious groups, sports associations, etc) and offer free seminars on what the ICO expects to see from organisations.

This would cost comparatively little and would be seen as a gentle reminder to those businesses which haven’t fulfilled their legal obligations. From recent surveys, this would be the majority.

Make this a regular arrangement so that no one can say that they weren’t warned.

Advise these organisations that the threat of sanction is real, but deliver the message in a balanced, sensible way so that there is no sales pressure behind it – just a statement of fact from the UK’s data protection authority.

Amnesty

Offer a select number of volunteer attendees an amnesty in exchange for an audit on a time-limited basis. This would be no different from the regular “no questions asked” knife and gun amnesties which the police sometimes offer. Offer companies a six-month period to volunteer for an audit and select a good representative group.

After six months, the amnesty ends. Those who were audited will have directly-applicable information to improve their data handling. Others in that particular industry could review the audit and learn from that. Anyone else? Well… You had your chance.

An audit within an amnesty would help businesses to understand what their responsibilities are (without fear) and would give some of the ICO staff an opportunity to get some (much needed) real-world experience.

The price of the audit would be to speak at a future engagement event (FSB, CBI, etc.) to describe what was involved, some of the issues discovered and what treatments were recommended. A story, told by a peer, is going to have more weight than any sales pitch from a vested interest.

A “finger in the air” idea of the cost of a fine for the audit (if there is a transgression) would also make data protection fines more “real” to attendees. This would also help to fulfil the Art.83(1) requirement on the ICO that “the imposition of administrative fines… shall in each individual case be effective, proportionate and dissuasive.”

Having an actual financial figure for an audit outcome would enable organisation leaders to gauge what the cost/benefit would be, if only in purely financial terms for the fine. They would, presumably, be well enough acquainted with their own industry to know what sort of reputational damage may occur and the potential number of data subjects’ civil claims.

A general list of easy wins would help organisations to make small but potentially high-impact changes to their operations in order to protect data subjects.

Website

Purely from a user experience perspective – please change the website. I often hear other practitioners say, “But – all of the information is on the website?!”

Absolutely.

Taking a step back and looking at the site from a non-practitioner perspective, it doesn’t deliver. It should offer more content dealing with the generalities of compliance so that organisation leaders can actually understand what is required. The website for CERN’s Large Hadron Collider is engaging, despite the fact that it deals with matters (and “anti-matters”?!) which are massively outside of a normal person’s scope of understanding.

If the ICO undertook the “Education” and “Amnesty” route, outlined above, there would be a wealth of industry-specific information to build into the real-world expression of how the regulation operates.

…and there are plenty of “royalty-free” pictures available in order to brighten up the page and make it more welcoming to the passing visitor.

Enforcement

I have said this elsewhere, but there needs to be evidence of the ICO in operation amongst the types of businesses which aren’t going to attend industry groups such as the FSB or CBI. These organisations are likely to be the type which see the Data Protection Act (2018) as something which concerns other people, not them.

I visited a website a short time ago which said that the site was run under the guidelines of the Data Protection Act (1998) and by submitting my personal data I was agreeing to marketing materials being sent to me.

Surely, this is an “open and shut case” that this organisation is ignoring their legal responsibilities?

I phoned the ICO. I was told to report it to the website owner and – if I’d had no response within 28 days – to come back to the ICO and “We’ll see what we can do about it.”

Totally unacceptable.

If I saw someone throw a brick through a shop window, I would call the police with a description of the individual, the time of the offence and any associated information and let them deal with it.

If I saw someone pouring oil into a stream, I would contact the environmental health services with as much evidence as I could gather and let them deal with it.

If I disagreed with a government policy, I would make my case to my local MP, who should speak on my behalf.

I had given the ICO person on the phone the URL of the website and the wording of the message, but they expected me to pursue this on behalf of all of the other data subjects who would be affected. Whatever happened to the ICO’s Article 57 (1)(a) responsibilities around monitoring and enforcement?

Notices

Presumably, the ICO has a case management system for investigations.

When a data subject calls with a prima facie case where an organisation is in breach there may not be enough resource to don the blue “ICO Enforcement” jackets and wade into the head office of the organisation (or enough of a reason).

My complaint – and I’ve heard this from others – is that no record was made of my report. If a case file was opened then it could be used to gather evidence, or even mitigation to show that the organisation is receiving complaints from mischievous and malcontent data subjects.

If a growing body of complaints suggested that a company was ignoring their responsibilities within the regulation then the ICO could act. Send an email, make a phone call – anything – to advise the organisation that their behaviour isn’t what is expected.

Ultimately, this is to protect the data subject. It is also to enforce the regulation. It is a manifest example of the ICO engaging with organisations and advising them.

The more egregious breaches should be investigated quickly and the ICO should not be frightened to enforce the cessation of processing. Draconian? Why? It’s within the regulator’s powers (Art. 58(2)(f) allows a temporary or definitive limitation, including a ban on processing) and if it protects data subjects – how can that be wrong? It would also get the message out that data protection is an important factor in modern life.

The ICO can’t parade all of their work with Cambridge Analytica and Facebook and then expect people to accept that their banking details or health matters are “fair game” because no one at the ICO took the effort to record early warnings of serious transgression.

For the more mundane and less serious issues, a formal notification that the ICO is aware of the organisation’s operation would be a decent shot across the bows in order to suggest more work needs to be done to address shortcomings in the organisation’s stance on data protection.

Taking this approach would fulfil the ICO’s Art.57(1)(a) responsibilities to some extent. It would also bring data protection into a position with some context and it would further serve to underpin the ICO as a regulator in the minds of data subjects everywhere.


Conclusion

It might be easier to solve the issues around an absence of engagement from the regulator if there was a bottomless pit of money. Back in the real world, this isn’t going to happen.

I have tried to outline some low cost, high impact strategies which would enable the ICO to fulfil its legal responsibilities and – first and foremost – protect the data subject.

I don’t believe that at any point I have used this article to try to create further business directly for data protection practitioners. With a strong, fair regulator, there is no reason to artificially create a market for data protection practitioners. An informed market is better for everyone and would avoid organisations making purchases more in hope than expectation.

If you REALLY need this explaining…

We are in the age of the “savvy consumer”. This has been proven with the photos of Xbox and PS4 shelves, bereft of all games after Black Friday.

Except for one.

EA Games has really messed up with the “Star Wars: Battlefront II” game.

By all accounts (I haven’t bought it), the game is riddled with micro-transactions, pay-to-play and enforced periods of waiting to move forward in the game (unless you unlock the stopwatch by purchasing additional ‘stuff’).

Apparently, the game will take either $2100 to complete via micro-transactions, or over 4,000 hours of waiting for (seemingly) arbitrary periods of time as a ransom to unlock playing.

People – lots of people – have protested long and loud about this. Paying $60 for a game should provide you with the game, not provide the game manufacturer with the opportunity to entice younger players to innocently abuse their parents’ credit cards.

Possibly worse still, the child may be humiliated in the schoolyard because they are waiting to move onto the next phase of the game, whilst their wealthier friends are moving on because parents have paid the additional fees (anything for a quiet life). Or the child has found out how to use their parents’ credit cards and the bill hasn’t yet arrived. When it does, it will show that EA has been using the child as a siphon for their parents’ money, surreptitiously.

Disney, which owns the Star Wars brand, is apparently a little ‘miffed’ that their brand is being sullied, especially in the run-up to the new movie in December.

Various state regulators are looking to strengthen rules around gambling, as “Star Wars: Battlefront II” features random, paid-for “loot boxes” which give the player tools and collectibles for the game. This, to many minds, is gambling.

Let’s remember – “Child + Gambling = No-no!” in most nations. It hasn’t stopped EA from trying…

Perhaps, most heinously, the purchaser of “Star Wars: Battlefront II” unwraps the game, inserts the DVD and finds that the game comes without someone quite significant to the storyline.

That’s right… Darth Vader isn’t playable in the game as it ships; he’s locked behind in-game credits that take hours to earn (or money to buy)..!

What does this have to do with GDPR, I hear you yawn?

It’s to do with reputation.

Very few people reading this will work for games manufacturers. That’s not the point of this article.

Most people work for an organisation which relies on a good reputation – how else do we retain good business?

EA’s reputation, at the moment, is in the gutter. Share price has fallen, games aren’t selling and those in the know metaphorically spit on the ground whenever the brand is mentioned. The Belgian government is looking into accusations of operating a gambling franchise, rather than a gaming franchise. Whether or not EA have actually broken the law is beside the point. It’s bad publicity for EA.

Imagine, if you will, a data breach. Something like TalkTalk. Now, the TalkTalk breach didn’t massively affect company profits, but that was in a regulatory environment which isn’t as powerful as GDPR and isn’t overseen by other vested interests. The current Data Protection Act (1998) came as the result of an EU directive (Directive 95/46/EC). In layman’s terms, it means that the EU pretty much said,

“We really need every state to have laws. Here’s some guidelines – sort the rest out yerself…”

The GDPR comes as a regulation which – with very few exceptions, “derogations” – is standard across the EU.

If TalkTalk happened after May 2018 then the ICO would get involved, but Chapter 7 of the regulation talks about ‘consistency’ of application across the EU, so if a German telephony provider had the same breach and was fined €8m there would be a precedent for the ICO to consider in their fining regime. It’s not a rubber-stamp along the lines of “Germany fined €8m, so here’s an €8m fine for you, TalkTalk”, but it is a compelling guide for future fines.

This is wandering into “Negatives”, mister…

Yes.

Yes it is, however, it’s an ill wind that blows somebody some good.

Imagine you have gone through all of the data mapping, the Data Protection Impact Assessments and written appropriate policies and procedures. Your IT team have put in place state-of-the-art protection for everything from a mobile phone to a server farm. To anyone looking in (if security allows them to!), your business is an exemplar of data privacy and digital protection.

In the past, this has all been “Well, it’s what is expected” and no one mentioned it outside of the IT team and the CIO.

Boasting about IT was almost like saying, “Look! Look here! Our office has walls!”

Will Marks and Spencer put out a Christmas advert about their multi-factor authentication?

Will John Lewis have a snowy, Winter scene of Father Christmas having to run a retina scan to get down a chimney?

Of course not.

But…

If a company has a major data breach, their competitors can use this as justification that they ‘care’ about their customers. Frame any positive you can think of within the parameters of the GDPR and it can and – I’m betting – will be used as evidence that Brand A is more concerned with your well-being than the recently-breached Brand B.

We care for you and your data. That’s why we take it seriously, unlike ‘others’ we could mention…

It won’t be as crass as that. It will be subtle, but it will creep up the advertising. Being a respectable custodian of customers’ data will help retain customers, but also attract new customers too.

You might say, “Well, it hasn’t worked so far!” and you would, of course, be right.

The eyes of the media glaze over when it comes to IT security and data privacy unless there is some salacious element to it, or an embarrassing fine. This sort of breach will come more into focus after May 2018 and I can foresee Jane Hill on the BBC intoning, “Under the new data privacy regulation from Europe, the General Data Protection Regulation…” and then explaining in detail the hows, whys and ‘how muches’ of the data breach.

A tough fine will catch attention.

People will slowly, almost by osmosis, start to appreciate their rights and the responsibilities of the organisations into whose care they entrust their data (and that’s before the ambulance chasing lawyers get involved in suing for data breaches in class actions).

At that point, GDPR will be a positive marketing tool.

A company which appreciates that long-term investment in data privacy will give them the seal of approval of a growing, more educated market will set themselves apart.

Even if that company is breached and the ICO finds that the breach was so specific, so unforeseen and that the organisation had done everything humanly/technically possible to prevent it, the exposure to the public of this “Black Swan” event will only build further trust.

If someone trusts you, they are usually happy to be in your company. They feel safe. The future is predictable around you. You have shown that you have their best interests at heart.

It may be a considerable investment in the near/mid term, but investment in data privacy will pay off in spades under a new regulation and with a new, slowly-becoming-more informed market.

Don’t forget – in four or five years’ time we will be seeing first-time home buyers who will have known no other environment under which their data resides. To be reckless with their data will be to kill off the market of the next, and succeeding, generation.

Investing in the processes, policies and technical elements of data privacy is future-proofing.

It will keep customers happy.

It will drive sales.

As time passes, it will be a considerable determinant of whether a company succeeds.

Do it now. Start beating your organisation’s chest with the news that you are trustworthy, have the customers’ best interests at heart and want to maintain their happiness.

Because? All together now:

Happy Customers = Sales

You never know – it may come in handy?

As a long-standing IT practitioner, the main thing I’ve learned over my time is – don’t trust computers.

I’m not the only person with this earth-shattering insight, to be fair. Veritas, Cheyenne, Seagate and many other companies have made a very valuable SKU from their backup software.

The IT professionals out there have made a virtue from backing up anything and everything to tape, disk or Cloud (or diskette, if you go back far enough). I can’t fault them/us for that. Computers screw up. The iron oxide coating on which we all relied for storage occasionally throws a wobbly and loses information; people sometimes find a file called “Do NOT Delete on Pain of DEATH.TXT” and… delete it.

Business has adopted the back-up as a means to protect the business. I have no argument with that, whatsoever. I’m not trying to pick a fight with storage vendors.

The problem is, with GDPR, that the “back up everything” mentality is no longer fit for purpose when it comes to private data.

Article 5 of the General Data Protection Regulation is specific about “Principles relating to processing of personal data” (being specific within the context of the regulation seems to be a rare commodity).

Article 5 (1)(e) states that personal data shall be:

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)

Article 89 (1) states:

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

If you care to read the Regulation further, Article 89(2) and (3) then allow Member States to derogate from the data subject rights in Articles 15, 16, 18 and 21 for research and statistical purposes, and additionally from Articles 19 and 20 for archiving in the public interest.

So… Unless you have a particular interest in the wording and application of the Regulation in the broadest sense, or your name is Rumpole and you work at the Old Bailey… So what?

The regulation is saying that organisations can’t keep data beyond its intended use. Under Article 5 (1)(e), if you have told a data subject that you will keep their data for one month – and you have the legal grounds to do so – you keep it for one month, end of.

End of..? Not quite. Article 89 states that if there is a public interest, statistical, scientific or research purpose behind keeping the information then you can keep the data, but it has to be on the principle of data minimisation and you need to seriously think about pseudonymising the data. A pseudonym would render my name (Mark Evans) as Citizen X, for example. All of my attributes could be used for research, as long as a concatenation of those attributes doesn’t single me out and destroy the pseudonymisation.

For example:

Pseudonymisation: Citizen X

  • Male
  • 45-54 years of age
  • Based in the West Midlands
  • Works in Data Protection and Cyber Security
  • 6ft tall
  • Bald, shaved head
  • Speaks with a Black Country accent
  • Speaks at conference
  • MBA qualified
  • Writes articles on GDPR on LinkedIn

As you can see, it doesn’t take long before pseudonymisation breaks down and I become more easily identified.
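The breakdown of the pseudonym can be checked mechanically rather than by eye. The Python below is added here as an illustration and is not code from the article: it takes a constructed set of pseudonymised records (Citizen X carries the attributes listed above; Citizens A to E are invented so there is something to compare against), counts how many records share each combination of “harmless” attributes (the k in k-anonymity) and then searches for the smallest set of attributes that singles Citizen X out. The field names, the dataset and the k threshold of 2 are assumptions.

```python
"""Quasi-identifier check over a pseudonymised record set.

Added illustration, not code from the original article. The records are
constructed: Citizen X carries the attributes listed in the article, the
other citizens are invented so there is something to compare against.
"""
from collections import Counter
from itertools import combinations

# Attributes that look harmless on their own but combine into an
# identifier (assumed field names).
ATTRIBUTES = ["sex", "age_band", "region", "job", "height_ft", "hair",
              "speaks_at_conferences"]

# Constructed sample: the pseudonym is the only key; no name is stored.
RECORDS = [
    {"pseudonym": "Citizen X", "sex": "Male", "age_band": "45-54",
     "region": "West Midlands", "job": "Data Protection", "height_ft": 6,
     "hair": "bald", "speaks_at_conferences": True},
    {"pseudonym": "Citizen A", "sex": "Male", "age_band": "45-54",
     "region": "West Midlands", "job": "Retail", "height_ft": 6,
     "hair": "grey", "speaks_at_conferences": False},
    {"pseudonym": "Citizen B", "sex": "Male", "age_band": "45-54",
     "region": "West Midlands", "job": "Data Protection", "height_ft": 5,
     "hair": "grey", "speaks_at_conferences": False},
    {"pseudonym": "Citizen C", "sex": "Female", "age_band": "35-44",
     "region": "London", "job": "Data Protection", "height_ft": 5,
     "hair": "brown", "speaks_at_conferences": True},
    {"pseudonym": "Citizen D", "sex": "Female", "age_band": "35-44",
     "region": "London", "job": "Retail", "height_ft": 5,
     "hair": "brown", "speaks_at_conferences": False},
    {"pseudonym": "Citizen E", "sex": "Male", "age_band": "45-54",
     "region": "West Midlands", "job": "Data Protection", "height_ft": 6,
     "hair": "bald", "speaks_at_conferences": False},
]


def _key(record, quasi_ids):
    return tuple(record[q] for q in quasi_ids)


def group_sizes(records, quasi_ids):
    """How many records share each combination of the chosen attributes."""
    return Counter(_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest group size; k == 1 means somebody is singled out."""
    return min(group_sizes(records, quasi_ids).values())


def singled_out(records, quasi_ids):
    """Pseudonyms whose attribute combination is unique in the set."""
    sizes = group_sizes(records, quasi_ids)
    return sorted(r["pseudonym"] for r in records
                  if sizes[_key(r, quasi_ids)] == 1)


def smallest_identifying_subset(records, attributes, pseudonym):
    """Fewest attributes (tried in the given order) that isolate one
    pseudonym; None if no subset does."""
    target = next(r for r in records if r["pseudonym"] == pseudonym)
    for n in range(1, len(attributes) + 1):
        for subset in combinations(attributes, n):
            if group_sizes(records, subset)[_key(target, subset)] == 1:
                return subset
    return None


def releasable(records, quasi_ids, k=2):
    """True if every combination of quasi-identifiers is shared by at
    least k records, i.e. nobody can be singled out from those fields."""
    return k_anonymity(records, quasi_ids) >= k


if __name__ == "__main__":
    for qids in (ATTRIBUTES[:3], ATTRIBUTES[:4], ATTRIBUTES):
        print(f"{qids}: k={k_anonymity(RECORDS, qids)}, "
              f"singled out={singled_out(RECORDS, qids)}")
    print("Smallest subset isolating Citizen X:",
          smallest_identifying_subset(RECORDS, ATTRIBUTES, "Citizen X"))
```

On this small pool the first three attributes (sex, age band, region) leave everybody in a group of at least two, adding the job already isolates three people, and Citizen X is picked out by just “Male” plus “speaks at conferences”. The lesson for the Article 89 archive is that a release is only as safe as the whole set of attributes kept alongside the pseudonym, and that small populations break pseudonymisation faster than large ones.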

So? Come on – benefits of GDPR?!

Think of the money invested in storage by most organisations. Think of the “Whoah – just in case!” data stored across any business and there is a cost. In these days of Cloud backup where the cost per GB is minuscule, guess what? There’s still a cost.

Article 4 (12) defines a ‘personal data breach’ as:

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Okay, so a ‘breach of security’ leading to loss, deletion, disclosure, or alteration is the key here. I’m sincerely hoping that you’re all already on the next page, here.

What type of data can’t be accidentally or unlawfully destroyed? Can’t be lost, altered, disclosed, transmitted, stored or otherwise processed?

Data which no longer exists. Data which has served its purpose and been disposed of. Data which has been lawfully destroyed.

As far as private data is concerned, the GDPR is mandating that companies achieve a lean, process-driven approach to the use and removal of the data.
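What that lean, process-driven approach looks like in code is a retention job that knows the purpose of every record and what was promised for it. The Python below is an added illustration, not code from the article: for a constructed record set it deletes what has passed its retention period, keeps what is still within it, and for the one purpose that qualifies under Article 89(1) keeps a pseudonymised copy with the direct identifiers stripped, so that the archive no longer contains anything an Article 4(12) breach could expose. The purposes, retention periods, field names, records and the pseudonym key are all assumptions.

```python
"""Storage-limitation enforcement over a constructed record set.

Added illustration, not code from the original article. Purposes,
retention periods, records and the pseudonym key are all assumed; a real
policy would come from the organisation's record of processing activities.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Retention promised to the data subject per purpose, in days (assumed).
RETENTION_DAYS = {
    "marketing_consent": 30,          # "we keep your details for one month"
    "warranty_claim": 6 * 365,        # kept while a claim could still arise
    "service_quality_stats": 30,      # identifiable copy for 30 days only
}
# Purposes where the data may outlive its retention period, but only in a
# form that no longer identifies the subject (Art. 5(1)(e) and 89(1)).
ARCHIVE_PURPOSES = {"service_quality_stats"}
# Fields that point straight at a person; never kept in the archive.
DIRECT_IDENTIFIERS = ("name", "email", "phone")
# Key for deriving pseudonyms. Must live apart from the archive (a KMS or
# HSM); whoever holds it can re-link the archive to the live records.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"
# "Today" for the worked run (assumed).
TODAY = date(2018, 7, 1)

# Constructed sample records (all details invented).
RECORDS = [
    {"id": 1, "name": "Citizen One", "email": "one@example.com",
     "phone": "0121 000 0001", "purpose": "marketing_consent",
     "collected": date(2018, 5, 1), "item": "pasta sauce offer"},
    {"id": 2, "name": "Citizen Two", "email": "two@example.com",
     "phone": "0121 000 0002", "purpose": "marketing_consent",
     "collected": date(2018, 6, 20), "item": "pasta sauce offer"},
    {"id": 3, "name": "Citizen Three", "email": "three@example.com",
     "phone": "0121 000 0003", "purpose": "warranty_claim",
     "collected": date(2017, 1, 10), "item": "kettle"},
    {"id": 4, "name": "Citizen Four", "email": "four@example.com",
     "phone": "0121 000 0004", "purpose": "service_quality_stats",
     "collected": date(2018, 4, 1), "item": "delivery late by 2 days"},
    {"id": 5, "name": "Citizen Five", "email": "five@example.com",
     "phone": "0121 000 0005", "purpose": "legacy_unknown",
     "collected": date(2014, 3, 3), "item": "Morris Ital brochure"},
]


def pseudonymise(record, key=PSEUDONYM_KEY):
    """Copy of the record with direct identifiers and the live id replaced
    by a keyed token. Same id and key give the same token, so archived rows
    about one person still line up for statistics without naming them."""
    token = hmac.new(key, str(record["id"]).encode(),
                     hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "id"}
    out["pseudonym"] = f"Citizen {token}"
    return out


def apply_retention(records, today, policy=RETENTION_DAYS,
                    archive=ARCHIVE_PURPOSES):
    """Split records into (keep, ids_to_delete, archived_pseudonymised)."""
    keep, delete, archived = [], [], []
    for r in records:
        limit = policy.get(r["purpose"])
        if limit is None:
            # No documented purpose means no retention period and no reason
            # to hold it: delete rather than keep "just in case".
            delete.append(r["id"])
            continue
        if today <= r["collected"] + timedelta(days=limit):
            keep.append(r)
        elif r["purpose"] in archive:
            archived.append(pseudonymise(r))
        else:
            delete.append(r["id"])
    return keep, delete, archived


def identifiable_count(records):
    """Records still carrying a direct identifier: the Art. 4(12) exposure."""
    return sum(any(f in r for f in DIRECT_IDENTIFIERS) for r in records)


if __name__ == "__main__":
    keep, delete, archived = apply_retention(RECORDS, TODAY)
    print("keep:", [r["id"] for r in keep], "delete:", delete)
    print("archived:", archived)
    print("identifiable before/after:",
          identifiable_count(RECORDS), identifiable_count(keep + archived))
```

Two design points worth noting. A record with no documented purpose is deleted, not kept, because without a purpose there is no retention period to measure against and no lawful basis to rely on. The pseudonym is an HMAC over the live id rather than a plain hash, so that the archive cannot be re-linked by anyone who can guess ids; the key is the “additional information kept separately” that Article 4(5) requires, and it needs the same protection as the live data.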

Long-term storage in Amazon, Azure or whatever will be fractions of a penny per GB per month for some organisations.

There is an old saying, “That which is given freely is rarely valued.”

Business has long held private data as freely given – who doesn’t want a special offer on saving four pence on pasta sauce from a supermarket? – and has, by erosion of respect for the data above what money it generates, allowed a situation to happen where large organisations are sitting on a mountain of data which is now both an attack surface and, under GDPR, a liability…

  • Get rid of the data which informs you of nothing
  • Save on storage
  • Make data searches faster (less data, faster searching)
  • Make data searches on current information! Who needs to know that Citizen X bought a brand new Morris Ital in 1982 (I didn’t, but that’s data that might trip someone up, somewhere)
  • Make backup and restore operations more focussed
  • Be able to prove to the ICO, to senior managers and to shareholders that not only are you protecting the business legally, you are also putting a cap on the spiralling cost of storage and backup and on the operational overhead of backing up and restoring data
  • Become a leaner operation
  • Know where the data is, what it is for and when it is no longer relevant
  • Remove “noise” from business decisions
  • Become an expert in your own data

There may be an argument for keeping historic data for trend analyses. Fine… Get m’learned friends in to formulate the requirement within the parameters of the regulation. Get your technical people in to formulate the appropriate security. Get HR in to own the processes for dealing with any “off piste” activity from employees around the data and its usage. Get data scientists to put the data into a context where “Citizen X” doesn’t map directly to “Mark Evans”. I foresee an opportunity for universities to gather information (with appropriate permissions from data subjects where required and contractual bases for using the university as a data processor, obviously) in order to process data on behalf of organisations… Another potential cost saving.

So… What’s the benefit GDPR brings?

A mandate for lower storage cost, operation, processing, risk. More time-bound, current information. Less opportunity for data to succumb to anything in Article 4 (12).

The days of “You never know – it may come in handy?” for personal data are coming to an end.

I think people who sell storage may not be so happy, but if organisations are buying less storage volume, that might prompt a move to faster (and pricier) SSDs in the storage market: a potential money-spinner?

I, for one, will be professionally overjoyed to see organisations deleting data they no longer need. It will show a maturity of custodianship which is long overdue.