GDPR: Know the rules
Would you be able to pay a fine that’s 4% of your global group turnover? Europe’s new data protection rules are important for service providers across the world, writes Alan Burkitt-Gray
Europe’s new law on data protection comes into operation on 25 May 2018. If that’s what you believe, sorry, but you’re wrong.
The EU’s General Data Protection Regulation (GDPR) is already in operation. What happens on 25 May is that the law becomes enforceable. If what you’re doing now is against GDPR, you can’t sit it out and hope to get things right after the end of May.
This is one of the top concerns of Adrian Brookes, director of solutions engineering at Tata Communications: “A lot of people are very much in the dark about the dates. It was the first thing our legal department said: don’t wait until 25 May.”
Neil Coulson, partner at law firm Baker Botts, agrees, saying: “If you’re doing something now, then it’s highly likely you’ll be continuing to do it after 25 May.”
Why should you worry? You’re a carrier and all you do is transmit other people’s calls and data without looking at it. Not really. If you are doing business in the EU (including the UK) you will have data on employees and customers who are EU citizens. That means you are bound by the GDPR, even if you are in the US, India, China or anywhere else.
But isn’t it the same as the existing EU data protection law, with a few extra punishments? Again, not really. Says Coulson: “Privacy by design is the concept that GDPR enforces. Now you have to design privacy into your operations. Any decision that requires personal data needs a privacy statement.”
Colt’s new chief information security officer, Ashish Surti, adds: “What’s new is mandating privacy by design. That is a strong requirement. We’re embedding that into the business lifecycle – for every new product. If we’re making IT changes and organisational changes, we have to consider GDPR if any person is being impacted. We have to make sure we’re compliant.”
Uber data breach
In November 2017 Uber revealed that details of 57 million customers and 600,000 drivers had been stolen in a data breach more than a year before. It paid $100,000 to the hacker in 2016 on the promise he or she would delete the data.
Under the new EU law Uber would have to disclose such a breach to the relevant European national data protection office within 72 hours. Not three working days, and no allowance for weekends or public holidays.
The penalties for GDPR breaches will be severe. Valerian Jenny, counsel at Bird & Bird in Frankfurt, warns: “The fine is up to €10 million or 2% of turnover. If it’s a more serious incident, twice that.”
Lee Suker, market development director at XConnect, notes that there are additional penalties, “compensation for non-material damage” for people whose data is stolen. “Citizens are entitled to compensation under the law,” he says. “They don’t have to prove guilt: enterprises have to prove innocence.”
Sounds like an opportunity for class actions by lawyers acting for groups who have suffered from breaches. “Anecdotally, I’m aware of lawyers building such cases,” says Suker.
That fine is 2% or 4% of a group’s global annual turnover, not of a divisional turnover, and not of profit. What does that mean? Uber is still heavily loss-making, but its latest annual turnover was $6.5 billion, making it susceptible to a fine of $260 million if GDPR penalties had been in force. Verizon, which now owns AOL and Yahoo, had a global turnover in 2016 of $126 billion. If another AOL or Yahoo data breach were to occur in June 2018, the potential penalty could be up to $5 billion.
Verizon may be a classic telco, but its expansion into other areas means it is subject to GDPR. And if GDPR weren’t enough, there’s something else on the horizon in the EU: the E-Privacy Regulation. The EU already has the E-Privacy Directive, sometimes known as the cookie law. It’s why in Europe whenever we go on to a new website we have to consent to cookies on our computer or phone. The E-Privacy Regulation will strengthen that and it will be followed by a new Electronic Communications Code.
Ann LaFrance, a partner in the London office of Squire Patton Boggs, runs the firm’s communications law practice and co-chairs its global data privacy and cybersecurity group. “Telcos will have to deal with the E-Privacy Regulation being debated in Brussels right now, and it will take definitions from GDPR,” she says. “You will have to look at the two together – and also at the Electronic Communications Code. If you are classified as an electronic communications provider you must get consent.”
She warns: “GDPR and the E-Privacy Regulation and the Electronic Communications Code will apply uniformly across Europe.”
The EU wanted the E-Privacy Regulation to come into operation at the same time as GDPR, but things are running behind schedule. When will it apply? “Maybe the end of 2018,” says LaFrance. “It’s still controversial.”
In the current draft, users “must consent to the use of traffic data or location data”. Telcos that want to monetise data for other purposes must get consent. “It’s putting telcos in quite a difficult position,” she adds.
Suker has perspective on this. XConnect started as a number portability company for the voice-over-IP market, but is expanding into new areas. “My role is to move number information services beyond number portability,” he says.
What does this mean? If you run a mobile company that offers your customers voice over LTE (VoLTE), it’s in your interest to carry calls in the IP domain wherever you can. That means finding out if the called number is also VoLTE-capable. Similarly, if you run an IPX service, you’ll need to know what the destination is capable of.
Take the new rich communications service (RCS) standards. If a customer sends an RCS message, do you pass it on – or deliver it – as RCS, or do you drop down to SMS standard? What about application-to-person (A2P) messages?
To do that, you need information about the subscriber – including where they are now, what network they’re on, what sort of phone they have and what services they subscribe to. That’s personal information, and is subject to GDPR.
XConnect is positioning itself as a repository of this information, so it can offer it to mobile operators and wholesale operators. “The backdrop is abuse of your data and my data,” says Suker. “Go download an app and you have to agree to a lot, including your location and your contacts. This whole notion of transparency is very disruptive. I want to help enterprises come to me with rich applications along with A2P services.” So what is XConnect doing? “A lot of education,” he says. He needs to be able to demonstrate that there’s an audit trail for information at the point it comes into XConnect, during the company’s processing of it, and at the point it goes out to a client company.
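The three audit points Suker describes (data arriving, being processed, and leaving for a client) are a standard provenance pattern. The example below is added here to show one way an intermediary could keep such a trail; it is not XConnect’s code and assumes nothing about its systems. Each entry is hash-chained to the previous one so a later edit is detectable, and the subscriber number is replaced by a keyed pseudonym so the trail itself can be shown to an auditor or a data subject without leaking the raw number. The key, the phone number (a UK drama-range number) and the stage names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only, hash-chained record of what happened to one subject's data."""

    STAGES = {"ingest", "process", "egress"}
    GENESIS = "0" * 64

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key
        self.entries = []

    def pseudonym(self, subject_id: str) -> str:
        # Keyed HMAC: stable per subject, but not reversible without the key,
        # so the trail holds no raw phone numbers.
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def record(self, stage, subject_id, purpose, actor, recipient=None, when=None):
        """Append one event; `purpose` documents why the data was touched."""
        if stage not in self.STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "stage": stage,
            "subject": self.pseudonym(subject_id),
            "purpose": purpose,
            "actor": actor,
            "recipient": recipient,
            "when": when.isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Re-hash every entry and check the chain; False if anything was altered."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def history(self, subject_id: str):
        """Everything recorded for one subject, e.g. to answer an access request."""
        p = self.pseudonym(subject_id)
        return [e for e in self.entries if e["subject"] == p]


def demo_trail() -> AuditTrail:
    """Constructed walk-through: one number enters, is enriched, and leaves for a client."""
    trail = AuditTrail(b"constructed-demo-key-not-for-production")
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    number = "+447700900123"  # constructed, UK drama range
    trail.record("ingest", number, "number-portability lookup", "operator-A", when=t0)
    trail.record("process", number, "VoLTE capability enrichment", "enrichment-service", when=t0)
    trail.record("egress", number, "A2P routing decision", "api-gateway", recipient="client-B", when=t0)
    return trail


if __name__ == "__main__":
    t = demo_trail()
    print("chain valid:", t.verify())
    for e in t.history("+447700900123"):
        print(e["seq"], e["stage"], e["purpose"], "->", e["recipient"])
```

Because each entry hashes its predecessor, the trail answers the audit question in both directions: `history()` shows every stage a subject’s data passed through, and `verify()` shows the record was not quietly rewritten afterwards.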
What does it mean in real life? Let’s take you, the Capacity reader, as an example. If you are reading this in a printed magazine that arrived through the mail, or if you’re attending one of our events and picked your copy up there, we have your data – as we do if you clicked a link in our daily email news or in a mobile app.
That means we, as part of the larger Euromoney Institutional Investor information and events group, are subject to GDPR for your data. So I asked our director of information risk, Martyn Booth, what an enterprise has to do.
“Transparency is one element,” he says. “We have to publish our privacy policies and you should be able to find them on our websites – with details of where to go if you want to do something about it.”
Personal data has to be encrypted, not just when it comes into the company and goes out, but internally. “Most people don’t encrypt in their internal network,” says Booth. “Personal data has to be encrypted.”
One of the challenging areas is the right to be forgotten. “People can ask to be deleted – and that means permanently,” he says. “That means everywhere, throughout the company, including back-up tapes.” And there’s incident management, he adds. “We need to show we’re capable of managing those issues.”
Surti at Colt is acutely aware of the 72-hour reporting rule when there is an incident. “We need to ensure our crisis management processes keep to the timeline,” he says. “We have a 24/7 operation that we run and if a crisis were to occur we have to ensure we have the people and the processes to make sure we comply.”
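The 72-hour rule described earlier in the Uber passage, and the crisis-management timeline Surti refers to here, are easy to get wrong when a breach is discovered late on a Friday. The example below is added here to make the arithmetic concrete; it is not code from Colt or any of the companies quoted, and the timestamps are constructed. It computes the deadline as 72 elapsed hours from the moment the organisation becomes aware, puts the mistaken “three working days” reading beside it for comparison, and produces an escalation schedule an incident team could hang reminders on.

```python
from datetime import datetime, timedelta, timezone

# The regulation's window: 72 clock hours from awareness, weekends included.
NOTIFICATION_WINDOW = timedelta(hours=72)


def notification_deadline(became_aware: datetime) -> datetime:
    """Latest moment the supervisory authority must be notified."""
    if became_aware.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp so the deadline is unambiguous")
    return became_aware + NOTIFICATION_WINDOW


def three_working_days_later(became_aware: datetime) -> datetime:
    """The wrong reading ('three working days', skipping Sat/Sun), kept only for comparison."""
    d = became_aware
    remaining = 3
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return d


def hours_remaining(became_aware: datetime, now: datetime) -> float:
    """Hours left in the window; negative once the deadline has passed."""
    return (notification_deadline(became_aware) - now) / timedelta(hours=1)


def is_overdue(became_aware: datetime, now: datetime) -> bool:
    return now > notification_deadline(became_aware)


def escalation_schedule(became_aware: datetime, hours=(24, 48, 66)):
    """Checkpoints (assumed, not from the regulation) at which the crisis team should re-assess."""
    return [became_aware + timedelta(hours=h) for h in hours]


if __name__ == "__main__":
    # Constructed scenario: awareness on a Friday evening.
    aware = datetime(2018, 6, 1, 17, 0, tzinfo=timezone.utc)
    print("72h deadline:        ", notification_deadline(aware))
    print("'3 working days':    ", three_working_days_later(aware))
    print("gap between readings:", three_working_days_later(aware) - notification_deadline(aware))
    for cp in escalation_schedule(aware):
        print("checkpoint:", cp)
```

For awareness on Friday 1 June 2018 at 17:00 UTC the real deadline is Monday 4 June at 17:00, whereas the working-days reading lands on Wednesday 6 June, two full days late.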
It will be expensive. Brookes says Tata Communications has “recruited an additional 400 people right throughout the business”, but “security is absolutely paramount”.
But he adds: “I would just keep stressing the importance not because of punitive damages, but because it’s the sovereignty of people’s data. If you don’t take it seriously, what does it mean about your attitude to customer data? It’s your customers’ integrity.”