When the European Commission first put forward the proposals, most people’s attention focused on the fines for data breaches: as much as €20 million or 4% of global turnover, whichever is larger.
Now, the hard work is going on in companies worldwide. Any organisation that has data about any European Union (EU) citizen is covered by Europe’s General Data Protection Regulation (GDPR). There’s no get-out by moving your headquarters and your data centre to a country where rules are weak: if you’re doing business with Europeans, you have to comply.
At the same time scandals such as that of data mining company Cambridge Analytica, which has been scraping personal data from Facebook to use in election campaigns around the world, has simply raised everyone’s awareness.
As a result, CEOs and their information security and data protection officers are grimly preparing themselves for an onslaught in early June.
Then, anyone will be able to make a subject access request: he or she can approach any company and ask for a copy of all the information it has on them. Strictly, that’s been possible since European countries agreed the last round of data protection laws in the late 1990s, but in the UK for example a search cost £20 a time. Now, in the UK, it will be free, and the time for a response has been cut from 40 days to 30 days.
This at least raises the spectre of the equivalent of a distributed denial of service (DDOS) attack by peppering an organisation with thousands of subject access requests – which can be submitted by email.
So, if you’re a telecoms company, in how many places do you keep identifiable personal data? Not just data for billing, but spreadsheets littering everyone’s computers with contact information about corporate customers, private customers, service engineers (yes, employee data is covered) and suppliers.
At the heart of GDPR is that a person must have given their consent explicitly and freely: there must be no clauses buried at the bottom of a 1,500-word end-user licensing agreement. And companies have to design privacy into their systems – not fill holes after data has leaked out.
In 2016 and 2017 the UK phone company TalkTalk was fined a total of £500,000 for two data-loss incidents. After GDPR comes into operation in four weeks’ time the fine could be 100 times that. (The new rules will apply in the UK even if the UK leaves the EU.)
AOL and Yahoo both experienced data breaches before they were bought by Verizon, whose global turnover in 2016 was $126 billion. If similar data breaches were to happen again, the potential penalty could be up to $5 billion – because the fine is based on turnover of the whole group, not just of the division. AOL and Yahoo are now part of Verizon’s Oath division: a name that might be an appropriate description of the language in the telco’s boardroom.
This month Oath updated its privacy policy, a move clearly prompted because of Europe’s GDPR: 25 May is explicitly referred to in the new terms.
It warns users: “We collect information from your devices (computers, mobile phones, tablets, etc), including information about how you interact with our services and those of our third-party partners and information that allows us to recognise and associate your activity across devices and services.” It notes: “We collect location information from a variety of sources.”
It adds: “We collect information about you when we receive it from other users, third-parties, and affiliates, such as when you connect your account to third-party services or sign in using a third-party partner (like Facebook or Twitter).” Personal information may come from “publicly available sources”, as well as from advertisers.
Security expert Rafael Laguna, CEO of Open-Xchange, warned: “The gathering and processing of user data is of imperative significance, and needs to be done responsibly. It is clear that any company providing an internet-based service has to move towards openness, transparency and choice, if they wish to establish and regain the trust of users.”
It’s not just long-established companies that are affected by the new rules. A few days ago a consumer organisation found that UK-based fibre-to-the-home (FTTH) provider, Hyperoptic, had a security vulnerability in its home router.
Which? magazine, published by the Consumers’ Association, found that Hyperoptic’s router, made by Chinese vendor ZTE, could be hijacked, allowing anyone to take possession of the users’ home network.
Daniel Cater, the security researcher at Context Information Security who discovered the flaw while working on the project for Which?, said that this could have had an impact beyond just the risk to customers.
He warned: “This has implications for the customers’ own data, but also if an attacker compromises enough routers of an ISP, the threat is elevated and has the potential to impact national security, such as via mass surveillance or DDoS attacks against critical infrastructure.”
Hyperoptic says it has fixed the problem – but this incident leaves open the question of how many other routers around the world still have undiscovered flaws.
Even autofill functions on social media services can be flawed. According to Techcrunch, a research found a flaw with LinkedIn on 9 April and reported it to the Microsoft-owned company the following day, but LinkedIn did not tell customers (not an option after GDPR comes in: the deadline for issuing warnings is just 72 hours, even at weekends).
Martin Jartelius, chief security officer at Outpost24, warns that, by having autofill after a user puts in their name and email address, “you may well be giving away all your personal details”.
He adds: “GDPR is mandating a privacy by design approach”, which means internet and telecoms companies – and all other organisations – have to think very carefully about how they build privacy into their systems. “Several vendors have to think twice about how they implement their tools,” says Jartelius. “Even though they are not processors or controllers, they are clearly being a part of the problem.”
The UK’s information commissioner, Elizabeth Denham, warns: “We want you to feel prepared, equipped and excited about the GDPR. I want to reassure you that there is no deadline … 25 May is not the end. It is the beginning.”
Tim Berners-Lee, inventor of the worldwide web, believes he has an answer. He wants to decouple applications from the data they produce.
Allison Standley, consultant at cloud specialist Brightman, thinks this may be an answer. She warns that GDPR “doesn’t go far enough”. With Lee’s idea, “every photo you share on Facebook would not be stored on Facebook’s servers, but on yours”, she says. Will Facebook “ever cede control of our data without being pushed?”, she asks.
What’s clear is that GDPR is only the first stage in a series of rule-changes that the EU is implementing. Next on the list are the E-Privacy Regulation and the Electronic Communications Codes. As with GDPR, they’ll have global impact.
