Post-GDPR Best Practices

Chris Sienko: Hello and welcome to this week's installment of the Infosec Institute video resource series. This week we are going to be discussing a security awareness topic, and one that's been in the news an awful lot lately. One that you might even be a little tired of at this point, but I want to let you know that there are many new and interesting angles on this topic coming in the weeks and months ahead. So, that's why I invited our very special guest Susan Morrow, to discuss the general data protection regulation, or GDPR, and especially the first round of implementations and the first intimations of noncompliance and the sort of fallout from that and so forth. So, we're going to be talking not just about getting your company GDPR compliant, but also what is actually happening on the ground as regulations begin to take hold and companies begin to be held accountable.

So just to start things off, I want to say that Susan Morrow has been working in the security sector for over 20 years. She is currently head of research and development at Avoco Secure and specializes in designing solutions for consumer and citizen identity systems. She has a lot of experience of the good, bad, and ugly of passwords and other types of login credentials, as well as being a fastidious scholar of GDPR regulations. She always tries to put the human being at the center of technology while balancing security, which can sometimes be a challenge. So welcome-

Susan Morrow: Good job.

Chris: So, welcome Susan Morrow. Thank you for coming back for another talk.

Susan: No thank you Chris. Yes, talking of [inaudible 00:01:44].

Chris: Yes, absolutely. Lots of interlocking pieces on this particular topic. So let's start today in this discussion with the rudiments, what is GDPR for those just starting to look into this topic? Why are we hearing so much about it and why is everyone scrambling to adopt it?

Susan: Okay, so GDPR is an EU directive, which is now in law since May the 25th of this year. And it really is a way for the EU to tidy up. And what was an old directive that went back to 1995. It's their way of strengthening privacy, which in turn strengthens sort of the data protection that you can apply to data to make sure that you've got some of that privacy in place and also to try and make the states across the EU a level playing field.

It gets a little bit nuanced as you go through, and we'll talk about that, because it's a lot of confusion over who exactly it impacts, but in general you can make a generally sweeping statement that if you process the data of someone who is an EU citizen or that you're processing data within an EU state, a nation state, then the likelihood is that you will have to be GDPR compliant no matter what size you are there. Now there are exceptions to the rules where if you have under 250 employees, or you process very small amounts of data, then things like the sort of documentation side of GDPR, are relaxed a little, that sort of thing. But in general, those rules of looking after EU citizens and so on comes into play. But we can talk about that a little bit more detailed later on, because I know there are some questions around how it might impact American citizens for example.

Chris: Right. Now, how did GDPR come into law? This seems like a pretty sweeping law and the implications of it and so forth and what were some of the indiscretions it was created to address?

Susan: So in 1995 of course the internet was, not as well used. It certainly wasn't ubiquitous like it is now. I think at the time, I think there was maybe, and I might be wrong with this number, there was around 45,000 websites on the planet.

Chris: Yeah, amazing to imagine that.

Susan: So email, people shared email addresses. People shared them, they weren't personal. It was a very different digital landscape then. Since then, 10 years later, by 2005 things have changed massively. By 2015 they're almost unrecognizable. We have created a mess of data in the world. It's a mess of data. I think that's the plural for data nowadays a mess. And so GDPR, the EU thought look we need to make some changes that reflect a more modern sort of use model for personal data. People are continuously collecting information about you whether that's self registered information you give it freely to get something back, a service or they're collected data in tracking cookies. And we all know about creepy tech, how to switch Alexa off for example. We all know about creepy tech.

So the EU wanted to make sure that the older directive was updated to accommodate those changes and also to have these sort of more kind of less of a mosaic approach to privacy in particular, because privacy is something. Privacy although it's not a new idea, privacy is something that is inherent in us as human beings. But digital privacy it's actually a fairly new idea and it's a very complicated nuance thing that people haven't got. I mean, everybody has a hard time getting their heads around what privacy is and in tweezing it apart from security because those two are linked, but they're not the same. So they-

Chris: It seems like up until fairly recently, the notion of digital privacy seemed like something we had willingly given up in exchange for the sort of the benefits of the internet. When you hear people talk, they say like, "well, sure," I mean, "well it's too late now, there's no privacy." Just if you're going to use the internet, you've got to deal with the fact there's no privacy. But you're saying that's not necessarily the case.

Susan: Yeah, yeah. No, and I'm concerned at the minute of that there seems to be a movement towards creating almost like a two tier internet where people pay for privacy. If can't pay, tough. Tough. I think that's a very dangerous way to go. It's not an easy nut to crack privacy, because the genie's out of the bag now, and you can't put it back in. Though it's not just about us now, it's about our children and our grandchildren. So we need to put these things in place now.

Chris: Now we've been talking about this and a lot of our viewers and listeners are in America and they're probably wondering if this is a European system and a European regulation, why so many of the U.S. companies are also scrambling to adopt it. So why is that exactly?

Susan: Yeah. There's some interesting aspects to it. One of the reasons that it becomes sort of an almost unknown territory is because of the often used word, and I hate to say that, because I didn't write it and I'm sure I couldn't do any better job, but sometimes loose wording around ... So whenever use the word citizen for example. So an EU citizen isn't specifically pointed out in any of the articles within the GDPR. But they do use that terminology and there's one, it actually states that, it says this regulation applies to the processing of personal data of data subjects who are in the union. Right? Data subjects who are in the union. So this idea of a data subject, a data subject is basically an individual who the personal data describes. And a data subject, it doesn't actually say a data subject, just an EU citizen. It says in the union. Does that mean an American in the union who's on holiday? Does it then apply to them?

So there's a few looking, and these will be test cases where lawyers will use this looseness to take cases to court and test them out. Well, one of the things that I think is particularly interesting is that so for a lot of companies to abide by the GDPR, it doesn't matter where you are in the world, if you have people who come to your website and you collect it, which is a type of process, and they collect data or they pass it over to somewhere else to process it in the EU for example, or they have an office in the EU. So anybody who comes, we have to be compliant with GDPR.

In becoming compliant with GDPR, they have to put certain measures in place. So for example, I'll give you an example. So they will have to put in place something that if they're collecting data that specifically sets out in a granular way, in a very affirmative and sort of plain English manner, we have collected this data, are you okay for us to do that? We're going to do this with tick, tick, tick, tick, tick and there's no soft opt in. There's no sort of, yeah it has to be.

To do that on a sort of a level where you sort of only show those screens to an EU visitor is going to be a lot more costly in terms of development than to just do a blanket, all right, okay, well we'll just do everybody. And then, oh we can't worry about it, everybody's covered. We don't need to worry about GDPR. We don't need to worry about that we're definitely picking up someone who was in the EU. We're definitely covering all our basis with the EU. We'll just cover everybody. It's interesting because there's a few sites now, a lot of new sites. LA Times I know for sure and a couple of others like unroll.me as well who are basically not supporting EU citizens at all with their over the sites or that they're [inaudible 00:10:28].

Chris: Oh, so they're simply just sort of solving the problem by keeping European citizens off of their site, is that it?

Susan: Yeah that's right. So they won't support you. You can't use their site or their application if you are an EU citizen.

Chris: Very interesting.

Susan: So that's the opposite with what I've been just talking about. Instead of doing a global, we'll just apply GDPR consent for example, to everybody across the board because it would cost too much money too for another example would be access to data. It might cost too much money to just give account managers to EU citizens but not to American citizens for example. So they're doing the opposite thing.

They're just sort of shutting the door on any EU customers that has a number of, the obvious one is that, well then they've lost ... The great thing about the internet is that you can trade globally. So that should offer a whole area of the world that you could trade with first of all. Secondly, it's very difficult to actually enforce those rules because of things like VPNs. I use a VPN and I've just set it to where ever I want to in the world. Also it's actually having a bit of a backlash. It's a lot of people saying, "Well do these companies not care about American privacy then?" If you're American citizens does your privacy not count? So people are getting a bit upset about it actually, so it's had a bit of backlash.

Chris: That's interesting. So with the LA Times and the other sites that are out and out excluding EU citizens, is that just something they're doing temporarily as far as you know, just until they sort of figure it out? Or is this just going to be a blanket policy? Just to, because-

Susan: I mean possibly, it's just a temporary measure. I mean with the sort of the new sites, I mean it may well be that their main, because my basis is American, but then what if you're an American traveling and you love to read about your hometown.

Chris: Oh yeah. Someone's comment box is going to blow up when that happens. Letter to the editor. Okay, so we're far enough into GDPR and the rollout and so forth that have there been any sort of penalties issued yet for noncompliance and what are the sort of consequences of noncompliance?

Susan: So of course the fines, are the thing that's made everybody run around, like catching those chickens trying to sort it out. Because of this sort-

Chris: Yeah, they're pretty significant, right?

Susan: Yes. So there's two levels, there's a level a 2% or 10 million euros, whichever is the higher. 2% of your global revenue or 10 million euros, which ever is the higher. That is for things like if your controller or processor, they don't comply with the rules of GDPR. So they're out of compliance with that. Then the second level is the higher level and that's 4% of your global revenue or 20 million euros. They're around sort of the breach notification, if you're not using the data subject rights correctly. So you're not using consent correctly. Asking for consent correctly, that type of thing. That can get you the really high, because those levels are put in place to show the importance of the data subject being central and these things like the data subject rights being applied correctly.

And interestingly that is sort of the most the sort of biggest headline case brought so far has been Max Schrems who was behind the original and Facebook versus Europe sort of lawsuit back a few years ago now, where he said that Facebook were illegally transferring data outside of Europe and not protecting it. That case was instrumental in the changes to the privacy shield. So he's taken Google and Facebook and it might br one other, I can't remember, to court over violations of GDPR. He took them to court the day after GDPR was enacted and he's taken them to court on that sort of the higher fine level. His case revolves around consent and is this idea of you offered to take consent but if the user refuses to give consent then they don't get the service.

So basically it's kind of a blackmail. Using consent as a way of blackmailing users. So he's saying that's not in the spirit of GDPR. It's out of compliance. We'll have to watch that one. See where that one goes. Not that tilted. Yes, yes, yes. But what will be most interesting is how the Facebook and Google's lawyers react. And I'm sure that part of the case, it will start to draw in some of these tests on some of the more nuanced wording around GDPR. So it'll be a very interesting case to watch.

Chris: What do you think some of what do you think some of the sort of stress points are that their lawyers are going to use to sort of [crosstalk 00:15:32] the lawsuit?

Susan: Well certainly there's consent. The gosh what was it called? Actually if you wait, I do have ... That's it. Complin prohibition. It's called Complin prohibition. That is I think that will be the main stress point in the case. Now I'm not a lawyer, but that will be the main stress point in the case. If Facebook and Google win on that point then that really just waddles GDPR.

Chris: Yeah. Now, so sort of, we know a lot about GDPR mostly by sort of going through it on a day to day basis. All of our newsletters and stuff are asking us to re-up or showing us their new terms of service and stuff like that. So as we trudgingly go through our email and click to accept our hundred therms of service update and reaffirm that we actually want to be on our 50th newsletter, what can you tell our viewers about the real benefits of all this enforced reaffirmation of intent and what are we actually getting in exchange for this headache?

Susan: So then on good side, I've used it to cull accounts, because there's been sort of there's been a waterfall of user accounts online, certainly over the past the five years I would say have been the worst. Now, whether or not, not reaffirming has actually ended up in an account removal, I'd love to have the time of chase up some of the ones that I've purposefully not reaffirmed.

Chris: Yes. I was just going to say I've been getting things from newsletters 15 years ago and all you have to do is just sort of whistle and do nothing and maybe you'll be away from them. Yeah, it's interesting.

Susan: I know it's actually astonishing isn't it? It's very interesting.

Chris: It seems like it's a good way to sort of clean out your closet, but also to sort of remind yourself of how sort of thinly spread you are across the internet.

Susan: The internet was designed without an identity layer. Therein lies the fundamental problem. Everybody has to create their own identities and therein lies the problem. However, it's not just about consumers. GDPR isn't just for consumers, it's about employees, it's about consultants, it's about anybody whose data can be used to personally identify them. But as part of that, part of what we must always remember is that technology is just a tool for human beings to interact with each other and used to do jobs. That's all technology is. It's just it's kind of because we're like little children with an exciting toy. We haven't really stopped, sat back and thought, "All right, okay. This is actually what is behind the technology." And what's behind the technology and what GDPR is really good at is giving us a mechanism to build a relationship with people, with our customer base, for example.

It is really a way to show people that you know what, we're being kind of forced to do this, but if we sit back and think about it, actually this is a really good thing from a sort of a commerce perspective. The company can say, I've now got a way to go out to this disparate lost user base and reach out to them. This is a really good way for me to reach out and say to you, "Look what we're doing now. Look these exciting things and come back to us. We respect you." So you could use it as a way to build relationships and touch your user base again.

Chris: Sort of connected to that. So I think most of us would probably have a friend online or in real life who are saying, "What's going on with all of this? It seems like I keep resubscribing to all my newsletters." I think one of my friends thought it was all a Mark Zuckerberg ploy. Other people think it's just another way of them ripping you off. So how would you explain GDPR to someone who thinks that this is just yet another ploy I suppose?

Susan: Yeah, I know the sort of whole ... But I think price has come to the forefront because of negative privacy press like they're faced with Cambridge Analytica debacle. It's definitely raised the profile if you like, of what is privacy. So it's a difficult thing to explain to people why it's important. A lot of times people say, well, I've got nothing to hide to so why do I need to be privacy aware? There are a number of reasons that you need to be aware of privacy now, because first of all aside from the sort of increase in cyber attacks and the data breaches, I mean there's I think at last count there was something like 9.7 billion data records have been breached over the last sort of, I think it's, well since 2013, Gemalto really have breached level index and they keep tabs on all of this.

But anyway it works out it's like five million data records a day are being exposed. Privacy is a bit more than just having data stolen, but it's all part and parcel of the same thing. If you can have control over your own data, if you can have control over it. And that's really what GDPR is about. Giving the control back to the user so they can control who has it and what they do with it. It kind of feeds into the whole, the security it's a sort of like almost a pipeline. It's part of the pipeline privacy and it feeds back into the security of that data. Once it's out of your hands, it only adds a little bit of control back into your life, because all of us do feel like our data is out of our control now.

Chris: Yes. Yeah. That is true. So on a personal level, what are some steps to ensure that you're making the most out of your GDPR changes? So what sort of etiquette things? What can you do with your own browsing history, internet usage to ensure that GDPR is making your experience more free just as a personal user?

Susan: Yeah, I mean there are a lot of companies who are taking this very seriously actually and they're setting up policies to make sure that things like tracking is within their policy. Their tracking cookies are deleted after a certain amount of time. So you can insist on that. I mean there are provisions in GDPR to allow certain types of companies to use those. So, for example, if they're used for fraud detection, then they can persist them. So it's just not every company that you would be able to ask for. But the right to be forgotten. Data erasure is a really neat, but sometimes tricky data subject, right?

So for example, you might have had your genome sequenced by someone like 23andMe and you can download your raw data from 23andMe and you can use that in other systems like Promethease to analyze the genome. So you don't need 23andMe, you stay on there really for the social aspect, so you can share it with family members and stuff like that. But if you feel very uncomfortable about it, like some of those do, you might want to ask 23andMe to download your raw data. So you've got your raw data yourself and then you can have that removed from a cloud repository.

So it's really, it's just about picking and choosing what pieces of data you feel comfortable with. Or you might want to for example, so I don't mind having given data sometimes for a particular resource access, but then I want that data to be removed once I've got the resource, I do not want it to persist. And it's the persistence of the data that I find most difficult. Again, I also augment all of that by using VPN and some people might also find privacy enhanced browsers like DuckDuckGo useful as well. There's a couple of those available. And it's just little things like that. It's what you as a person feel comfortable with.

But now that we've got these data subjects, right? Like being able to access the data that they've got on you. Being able to check that that data is correct. Being able to ask for that data to be transferred somewhere else. Those data subject rights, it's worth every day consumers knowing about them. It's like the consumer laws that you have and countries have consumer laws, so if you buy something and then you take it home and you don't like it or there's something wrong with it, you can take it back and get your money back.

Chris: Yes, absolutely. Yeah, and that's, I mean that's again, I think that's a really emerging concept within all of this is that we have more rights on our privacy and with our data than we have been led to believe and that we've led ourselves to believe. So that's actually a very exciting implication. So moving up one step up the ladder to the sort of organizational and enterprise level, what is the best way to find out if your company has made modifications to its data privacy policy? And if they haven't, is this something you as a non C-suite member of the company can influence?

Susan: Well of course it extends to employees, GDPR. So all employees within an organization really should have had updates to their contracts and should have been informed. I mean, obviously if you're a very small company, you can do it in an ad hoc basis, but if it's a big company, you have 250 employees and you've got an HR department, HR department should be on top of this. But from a sort of perspective of all the people, my customers, are they being correctly looked after under GDPR. In particular things like sales people as well who have to manage customer relationship management databases and so on. So I mean they would need to be informed themselves about what the data subject rights in particular are. In terms of what their particular business does, how things like consent would impact their business. Are they taking the right sort of granular levels of consent because the GDPR is difficult for even sort of the most privacy and security savvy of us to get our heads around.

From a sort of non technical person I guess, so for example, I'll give you an example. One of my relatives is in sales and he has had to try and get on top of GDPR himself and understand GDPR from a sales perspective and understand sort of the nuances like legitimate interest for example, there's one. Legitimate interest is an interesting one because that is one that is going to be used in law I reckon as a test case, because it basically says that if haven't taken concent, but you've got legitimate interest to use people's data, then you can use it. You don't need to reaffirm. Legitimate interest in the GDPR itself, it actually mentions data used for marketing. Given that sales and marketing are using legitimate interest as a way to kind of not get around the GDPR, but kind of stop themselves from having such a massive workload to try and get into compliance. That would be-

Chris: Yeah. It seems like it's sort of a thing where you're saying I don't have time. We're in the midst of a transaction and I can't be sitting here and checking for consents and stuff, which is interesting.

Susan: Yeah. So from an employee's perspective, trying to actually, if you find something wrong when you want a policy change, then show them the money that is [inaudible 00:27:30]. Tell them what the fines are for noncompliance and you're doing your company a favor, if you're pointing it out. They might not like me for it. At least you'll be [crosstalk 00:27:41].

Chris: Well to that end, I mean, I know that it's not always easy if you're sort of lower on the corporate ladder to suggest these sort of things. So if you see that your company's data privacy policy isn't up to code, what can you say or do to convince your C-suite that it needs to be a priority and that they should sort of listen to you?

Susan: Well, I think again show them the fines for being out of compliance. If you find some areas that are out of compliance, show them the level, the specific level of the fine that they're likely to incur and incur a problem. It should be built in GDPR and should be built into your security policy, because you have things like limited time, 72 hours to let your supervising authority know about a breach for example. So these things should already be baked into the security policy, if they're not they should be. But also I think there really is a strong case for explaining that it's not just about technology. This is about human beings and it's about there is a business case for it as much as there is a technology case for it. Again, going back to the business case being that these are your clients, these are your customers, these are your employees. You want to build a relationship with them and you want to show that it's all about respect and trust.

Chris: Excellent. So yeah, that I mean, and you would think that would be enough. So yeah. I mean if you see something, say something and certainly the fines are going to be rolling out soon I would imagine. So going from the other side, the bad side to the good side, how do you think the data landscape is going to change whether for the better or for the worst in coming years as a result of these enforced policies? Do you think companies are going to try to exploit loopholes, I mean we already talked a little bit about that. There's going to be marketing loopholes and so forth. But sort of jumping forward five years, how do you think this is going to sort of play out in terms of day to day privacy and data collection?

Susan: Well, I think that at the same time there are a lot of things happening in the identity industry that are trying to build a better way to identify yourself online. Now there's a lot of different industry sectors coming together to do this. So you're finding a lot of things in government, in the financial sector, in e-commerce. The kind of the planets are aligning and GDPR is, it's not a driver for these things. The driver for these things is the ridiculous situation we have with a plethora of user account across the internet. That's the driver for it. An unsustainable situation. But GDPR is feeding it. It's feeding it for sure. I think all that will happen is you'll have new technologies that will be able to take the whole idea of user centric control is not a new idea. it's been floating around.

Many years, there was a man called ... It can come. I mean he's very famous in these identity industries. He's a Microsoft sort of man. He might not be the person who came up with the idea originally, I don't know. But he certainly, he put this idea of the laws of identity into a manifesto if you like. One of them was that it was user privacy and user centric identity and that idea of having control of your data. So identity is just about data. Having control of your data and that is going to be much more achievable because of new types of technologies that are building that as a core of their service. So that's what will change the data landscape. GDPR is feeding that by making it a law that you have to do it. But the technologies that make that achievable are now coming online. Whereas 10 years ago, it was very difficult.

Chris: Yeah, absolutely.

Susan: Also people are changing as well. Expectations of people.

Chris: Okay. How so? Just do you think people are paranoid about it?

Susan: The awareness, because of all cybersecurity threats, because of the privacy issues that are ... It wasn't just Facebook, but before that it was Snowden and the NSA and because of all these things. If the planets are aligning, hopefully it could be more controllable.

Chris: Yes. Yeah. Knock wood. So pulling back more toward the present day as we sort of push our way through peak GDPR fatigue, what are some optimistic signs right now that the regulations are making positive changes in the data security landscape then?

Susan: I think if you go to pretty much any website at the minute, well certainly ones I visit, they are attempting to comply with the law. Some of them are doing it in a very haphazardous almost way, because I've noticed that some of them are using this what we were talking about before about one of the requisites of the GDPR is that if people don't give you consent then you cannot diminish their service in any way. Obviously some services are exempt from that. But if it's something like a news site or something. Well so in particular the worst offenders for this are tech sites where you go to download a white paper. If you decide that you don't want them to have your data, they should not be able to diminish your experience. So I've been to a few sites recently, you probably have as well Chris, where you say well I don't consent and instead of getting the full blown site, what you get is a sort of plain text version of it.

Chris: Yeah. They put you in a broom closet.

Susan: Yeah, very annoying. Very, very annoying actually. But so people are doing it, but they are doing it in such a way as to kind of play with it. I think what will happen is in the next sort of year, a few things will be flushed out. Then I think hopefully people will be embracing it more for what it really is and what it can be. They'll have the structures in place. Everybody was running around and are frightened. I mean I've dealt with a few smaller organizations and charities trying to put it in place and people have had sleepless nights over this. People have genuine, charities who are doing their absolute best to work within the law, they shouldn't be punished. I think it was interesting. You know California just brought in their own privacy law?

Chris: Yes.

Susan: That seems to me to be sort of GDPR two dot naught. Where they've actually thought through a few things, instead of, so these massive fines, which will be sort of they'll hit the smaller companies in a much, much bigger way than they'll hit. So Facebook will laugh off 20 million euros, but someone who is a small healthcare provider for example. It could put them all under.

Chris: Yeah, it could put them under.

Susan: It could put them under. So the California law I think is a little bit of a sort of an implementation of it. I think the GDPR will probably have a few twists and turns in it both in the next year or two. So-

Chris: Do you think there's going to be sort of a tiered level of sort of fines or punishment based on intent.

Susan: It should be, shouldn't there. There should be. Should be. I know in the U.K. they're trying to sort of do that a bit more. Make it a little bit more, It's like when you go to court and the magistrate should have the ability to on a per case basis, rather than having these blanket. But I know why they do that. I understand why the GDPR are doing it, because they wanted to scare the bejesus out of everybody, so they actually did it. And that's fair enough. You have to use a stick sometimes don't you?

Chris: Yeah. Apparently.

Susan: But hopefully. Hopefully they won't put any businesses out, unless the business really does deserve to go under because they really are being abusive.

Chris: Flagrantly disregarding it. Sure. Sure. Okay, well this will be something worth sort of revisiting in the months and years to come. So hopefully we can maybe have you back with more ramifications down the line. But in the meantime, Susan Morrow, thank you very much for your insights today on GDPR. For all viewers, please check out our YouTube page for a lot more videos on security awareness topics as well as career track topics, tool demonstrations, tools of the trade lists, and a lot more. If you'd like to do some reading, we also have a blog resources at infosecinstitute.com, where you can read articles by Susan and many other people on various security topics, penetration testing, exam labs and various other security topics. So again, have a happy Friday and thank you for watching and we will talk to you soon.

Susan: Thanks Chris. Thank you. Bye.

Chris: Thank you very much Susan.

Susan: Thanks. Bye.