E19: 90 Day GDPR Checkup

Well, it has been a little more than 90 days since the GDPR “went live”. In this episode of “Are You DataSmart?” the Ward brothers break down the initial global response to GDPR, the rise and fall of DSARs, and two other issues that will be critical to watch as GDPR continues to re-shape the privacy landscape.

PODCAST

TRANSCRIPT

Jay: “Are You Data Smart?” A weekly podcast on data security, information management, and all things related to the data you have, how to protect it, and maximize its value. I’m Jay Ward.

Christian: And I’m Christian Ward. Today we’re gonna do our 90-day checkup, Jay, GDPR. It’s been live for about three months. Let’s say the buildup was significant. I think people were complaining about dogs and cats living together, mass hysteria. So far, it seems like it’s gone relatively smoothly. You had written a blog post about the three issues that we need to keep an eye on as we get further and further into GDPR being live. What’s your initial take?

Jay: Well, I think cats and dogs living together, there was definitely a “Ghostbusters I” level of anticipation and a “Ghostbusters II” response.

Christain: Yes, right.

Jay: It’s been quiet. Quiet doesn’t necessarily mean that nothing’s happened. For instance, the ICO, the Information Commissioner’s Office in London this week just announced that they’ve received a multiple of the number of complaints that they previously would have received. And the data protection authorities have to investigate and resolve every complaint. So, they’re busy. They’re all busy. I think an interesting fact for me is that a lot of the DPAs have put out guidance, not official guidance, but blog posts or articles that said, “Look. This is how we’re dealing with GDPR. This is what our approach is.” And I think it’s unfair to expect that they would have been ready to go on day one when most of us weren’t.

Christian: Right, right.

Jay: Because they really had to build systems and they didn’t have the resources. The Data Protection Commissioner in Ireland, they had a lot more resources devoted to them than many of the other DPAs did. And they were still like, “Okay. We’re gearing up.”

Christian: I thought it was also interesting. Some of the feedback or some of their guidance is, like you said, much less legal ease. It’s like real-world guidance. It’s been starkly clear compared to some of the language in the actual law where I saw one person asking about if there’s a photo and there’s people in the background, is that personally identifiable? Is it not? And they said, “Well, it’s pretty simple. Show the photo of the person who’s in it and if they can recognize themselves, you’re in trouble or it’s personal.” And I thought that was just a brilliant…if you could reasonably assume, and that fascinates me, particularly as it comes to the technology of being able to analyze people from different angles and photo extraction capabilities becomes so good.

For a parent, you can recognize your kid in it in a group of 30 kids from behind. And it’s amazing how the human brain can piece it together. But to know that our computer systems are now able to do this, what becomes personal I think requires really clear frank language from regulators, which is few and far between. So, this has actually been pretty interesting, some of the feedback like that.

Jay: It is. And if you read what they put out which we do because that’s the type of people we are. If you read what they put out, they really are trying to provide guidance that’s not only straightforward but also actionable. They’ll put something, I saw the ICO had their question and answers and one of the questions was, “If I just do B2B marketing, is that personal data?” The answer was, “Yes.” They went on beyond that, but it was just “Yup. It sure is.” And they provide helpful examples. And then examples, I think that guide you into how serious they’re taking it, but like, if you’re doing B2B, and everybody should listen, just because you do B2B doesn’t mean that you’re not getting personal data. You’re getting tons of personal data. They go into that and they say, for example, “Business cards are personal data.”

Christian: I know. I couldn’t believe that.

Jay: Right? Business cards are personal data if you intend to store them and analyze them or enter them into a database. So, we’re wondering if email addresses, phone numbers, and first names are personal data and they’re like, “Oh, yeah. That’s definitely personal data.” Let’s talk about the business, the stack of business cards you have in your desk.

Christian: Yes.

Jay: So, they have not backed off at all from their position on the seriousness of GDPR. And, of course, they wouldn’t. They’ve been preparing for years for this. So I think the notion that the relative silence since May 25th means something, doesn’t mean anything. It really is just the beginning periods of gearing up.

Christian: So, let’s talk about the three issues that you had pointed to that we’d really need to keep an eye on and I know for many of our clients, DSARs, Data Subject Access Requests. This where a data subject wants to understand, what data do you have about me? And how do you handle it? How do you protect it? Where does it transfer to? All these things we’re building up to this crescendo before GDPR of more and more access requests and then once it went live, lots of them. It’s starting to trail off or at least that’s the initial…that we’re seeing is it’s this huge buildup of people who wanna know, “What do you know about me?” And now they’re sort of like, “You know…” not really aligned to it. What do you think people and companies need to be thinking about?

Jay: I think that there was a definite spike at the beginning. For clients and for others that I’ve spoken to they got a lot because I think there were people at the very beginning. I fielded I think 10 DSAR requests at 8:00 in the morning on May 25th. But, of course, these are the people who camp out to buy their iPhones.They were waiting for it. So, once that initial spike came back down and the request tapered off to a pre-May 25th level. I think the temptation is to just assume that DSARs are around, they’re not gonna be a big thing. I don’t think that’s right. I think we’re going to, as customers and consumers become more familiar with their rights and develop a sense of, “I need to know this information to manage my data.” The number of DSARs is gonna increase again.

Christian: Yeah. So, I couldn’t agree more. I also think that DSARs will ebb and flow with the new cycle. I think that we were looking at Google trends of the words, big data, data privacy, data breach and then I wanna say one other. And data breach has this ridiculous spike and it was the Equifax, data breach years ago. That caused this massive spike and basically, and I’m thinking back now. And now I remember, it was everywhere. And when that sort of situation occurs and it’s highly likely to occur again, not to be doomsday, but it’s gonna happen. When that happens, you’re gonna see DSAR spikes.

I also think based on the software platforms that I’m seeing out there that are now available, we have interviewed Cookiebot months ago in preparation for GDPR, but other software platforms that have arisen to take care of managing your DSARs, when you got the request, when you prove the identification or verified the identification of the person that’s requesting it, which I wanna talk about because that’s still a very difficult topic, but that software, that’s taking off.

The software on the other side that’s gonna take off will be helping people actually request these apps. And that hasn’t happened yet, but that’s…we’ve talked about it in the past. It’s that classic, do-not-call list software platform that literally makes money by making sure these other companies have to stick with the enforcement. And I think that’s coming as well. And that at scale is something that you’re not gonna be able to sit back and just watch.

Jay: It’s gonna be rough. And what’ll happen is it’ll be like there are those apps that you can use or programs where they scan all of your email…

Christian: Yeah, Unroll.

Jay: Yeah. That’s what I’m thinking, there is Unroll. They scan your email and they find everything you’ve subscribed to and then they just send an unsubscribe. Well, this is gonna be exactly that. So, be prepared to send out 500 DSARs. So, to your point about verification, the Recital 64 to the GDPR says that you have to take reasonable steps to ensure that the person who is getting the information from the DSAR is the person who’s entitled to it. And they’re very serious about that because if someone who’s not authorized to see the data makes a request and you give it to them, you’ve just violated GDPR and you’ve had a data breach.

So, balancing the need to identify and verify the identity of individuals and providing them with their data is a tough balancing act, especially because you’re in a situation where this person has requested your data and now you’re essentially saying to them, “Okay. Well, give us some more data.” So, the way that I typically advise clients to deal with this is I say, “Well, let’s use the data sets that we already have about them.” And those can be our measures for verification. And sometimes if all that you ever have someone is an email address, nothing else. An email from that email address…

Christian: Can be enough.

Jay: …can be enough because how else can you verify it?

Christian: That’s also how two-factor authentication or password resets all work today. So, it’s not like any other company isn’t following the same protocol.

Jay: Yeah. I think the more data you have on the data subject and the greater the sensitivity of that data, the more you need to be careful about how you verify their identity. And again, this is all just a reasonableness test, which isn’t helpful because reasonableness, is hard to quantify, ask a tort lawyer. But under the circumstances, you have to make the judgment call about what is a sufficient amount of certainty that the person is who they say they are.

Christian: Yeah.  Again, there’s real business opportunities here. There are companies that allow for password protection, identity protection, things like that. I see a real opportunity for those businesses to get in the middle of these transactions through an encrypted authentication process that allows people to very easily verify who they are. And so if you wanna go that next step, I think it’s highly likely that people will have the ability on a biometric device using their iPhone or their Google phone with thumbprint identification to allow them to request DSARs at a scale. That sort of situation probably could happen as well.

The second issue that you had started talking about was the data processing addenda. So, all of the contractual changes that needed to happen and that I know we’ve seen it is really amazing how many contracts, not even just with the customer, but the third party contracts that are out there that have to be reviewed, and revised, and looked at through a whole new lens with GDPR and not just in the EU, but this cross-border concept. What are you seeing there?

Jay: The same addenda over and over and over again. The exact same standard contractual clauses, the exact same outline because lawyers are not creative people. So, we reuse the same forms. I think that DPAs are…I don’t wanna say a necessary evil, but maybe a necessary annoyance because they seem as though they are unnecessary. This is just another piece of paper to check, this is another piece of regulatory red tape for us to deal with. But the reality is they’re a necessity. We have to have these because if you are processing the data of individuals covered by GDPR, you need to have a contract with a controller. It’s right there in GDPR.

There needs to be a contract between controller and processor laying out the obligations of the processor and laying out the responsibilities of the controller. That’s what these DPAs do. They allow you to comply with GDPR’s documentation requirements. So, they’re very important. They also are very important in the sense that this is the document that will be examined by a regulator, by the counterparty, by a data subject to determine what was appropriate, what was permissible for you to be doing with data as a processor or what was appropriate for your processor to be doing if you’re a controller and what wasn’t. And that’s important because if there’s processing that goes on beyond that, you’ve got a big problem.

If your processor is taking on additional tasks and doing new work with the data, well, now, they may have become a controller themselves. So, these DPAs are extremely important to business relationships because they set the parameters, but they’re also very important from a regulatory perspective because this is the framework within which you have to conduct your processing activities. And that’s an extremely important component of your data security and data protection activities because if you don’t stick to what you’ve said, you’re gonna be in trouble.

Christian: Yeah. The other side of this, though is I think the regulators leading up to May 25th were very open about the fact that you needed to show progress. It was unlikely that all these things would be in place in perfect or really capturing exactly what you’re doing. So, I think refinement is gonna continue to be a big theme here, which is as more goes on or there are actual findings for/against certain situations by regulatory authorities. It’s likely to see some of the, let’s say plagiarist approach of using the same form over and over again, which is really funny because like plagiarism in Latin, has to do with kidnapping and thievery. So, it’s great to know the lawyers are so into it, but yes. They shouldn’t be using exactly the same form.

Jay: Are you surprised by that?

Christian: No. No. No, I’m not. All right. But ultimately, I think if those forms need to evolve to more situational awareness for each company, that’s gonna happen as there’s more feedback that really relates to them and the data that they process. This does tie, though to issue number three, which was the cross-border transfers. And I think you likened it to the Ludlum book title, which was awesome. “The Ostrich Stratagem.” Tell me…

Jay: I’d read that.

Christian: What’s that?

Jay: I’d read that.

Christian: Yeah. Tell me about that. So, what’s the thought process here? Because cross-border data transfer is and was such a critical part of all this. How do you see that tying…? And because it really is really an issue too as well.

Jay: Data transfers within the European Union are, although complicated. Really, sort of, subject with safe harbor. You can transfer data from England to France, from Denmark to Belgium. There’s no real issue. It’s when you’re transferring data outside the Union that you start to get to a problem because unless there’s an adequacy decision that the European Commission has reached, and they have with some. So, the Channel Islands like Jersey and Guernsey, they’re covered. New Zealand I think is covered.

Christian: Not New Jersey, Jersey.

Jay: No, no. Definitely not New Jersey. Don’t send your data to Hoboken. But there are countries where the European Commission said, “Okay. There’s the same or adequate level of protection for personal data in these countries, so it’s okay to just transfer your data there.” And some countries are working, like Japan has been working with the EC for a while and they’re on the verge of finalizing a mutual reciprocal adequacy decision so you can transfer data from Japan to the European Union. That’s gonna facilitate a very easy flow of data between those countries. It’s gonna reduce costs. What we used to talk about with Japan in another context, non-tariff trade barriers. It’s gonna reduce those in a really serious way. Other than those countries that have an adequacy decision, you need to have standard contractual clauses, Privacy Shield, other adequacy provisions put in place or binding corporate rules.

Christian: So, before we get into corporate rules, do you think it’s likely that other countries or many countries are going to keep striving for adequacy?

Jay: A hundred percent.

Christian: It’s a business advantage.

Jay: Yeah, without a doubt. So, Brazil just recently published their new law, which is gonna go into effect, I think in two years. It’s quite robust. South Korea has one that’s robust. A couple of states in Southeast Asia have, there’s a couple of countries in Africa that are doing it. This is a big deal and countries are really working to create an opportunity for differentiation and say, “Look, we’re a data-friendly country. You can come do business here.” And also, if you wanna talk about Europe as a capital market, it’s second only to the U.S. in terms of outflows of capital investment from the big money houses. And so you need to be able to have secure transmission of data between those countries and concerns over whether or not you’re gonna be able to do that easily or without a lot of oversight from the European Commission. Those are legitimate thoughts and worries. So, countries are definitely gonna look to get adequacy decision.

Christian: Yeah. We keep talking about a theme that’s popping up this whole concept of data is currency. But really, when you think about exchange rate policies of various currencies between countries and the flow of money in and out of countries, it’s just as regulated, it’s just as controlled. So, if data is currency and it’s money, once again, we think the regulation is going to stand up to the same level of scrutiny as you move data in and out of countries.

Jay: And that’s why for countries that don’t have an adequacy decision like, I don’t know, the United States, issues regarding the transfer of data are really complicated. So, we have Privacy Shield, which again, I think that’s such a ridiculous name. I always come back to the thing that you put on top of your computer screen, your laptops that nobody else can look at it when you’re on a plane. That’s the successor to the Safe Harbor which had existed before that, that allows data transfers. As of now, it’s still okay to transfer data to the United States if you are a Privacy Shield-certified company. You don’t need to do all of the other standard contractual clauses or any of that stuff, you can just rely on your certification under Privacy Shield. The problem is, I don’t know how much longer Privacy Shield is gonna last. It’s before the European Court of Justice and they…

Christian: Do you think they’re gonna strike it down?

Jay: I do. I think they will. I’m not positive, but they struck down Safe Harbor and they had no concerns or qualms about doing it. And now the European Parliament, which doesn’t really have a say, this was more like a feel-good vote. They overwhelmingly were like, “Get rid of it. We don’t like it. It’s no good.” So, there’s a lot of political pressure to get rid of Privacy Shield. And then if that happens, what are we gonna do in this country? Well, we’re gonna have to rely on standard contractual clauses or we’re gonna have to hope that the Commerce Department and the European Commission are gonna work out a deal where we get another version of it. But the U.S., I’m telling you right now, U.S. is not getting an adequacy decision from the European Commission anytime in this decade for sure. And potentially, it would be quite some time into the next decade before it happens.

Christian: Unbelievable.

Jay: So, don’t bank on it. We need to come up with a different solution that’s going to work, a reasonable solution that benefits both sides. But that doesn’t matter for us now who live in the real world, what are we going to do if Privacy Shield goes away? And the answer is we need to come up with standard contractual clauses, we need to think about applying under the Binding Corporate Rules program, which is actually a really cool program, but very few American companies have taken advantage of it. It’s like a mini adequacy decision.

Christian: Yes, right.

Jay: Which is really interesting. But I know I use the word cool in that context. I keep using that word. I don’t think I know what it means.

Christian: No. No. You definitely don’t.

Jay: So, in any case, the development of the cross-border transfer regime, whatever it is, is important because it demonstrates the degree to which the GDPR really is about, concern for the production of data once it leaves the European Union. And I think American companies have, by and large, missed the boat on this and that’s where the Ostrich Stratagem comes in. The idea is that either by ignoring Europe as a market altogether or…

Christian: Which we’ve seen. Which is again, it’s insanity. But with California looming, it’s, sort of like are you gonna cut out the number two global market, oh, and the number eight global market?

Jay: Right. You’re gonna be marketing in Poughkeepsie pretty soon. You and Popeye Doyle. So, you can stick your head in the stand and say, “Well, the reg isn’t gonna apply to me. I’m not gonna worry about it or I’m gonna be careful, I guess. And I won’t sell people’s information on the dark web.” But pretending like these regulations don’t exist, even though they can be burdensome is not a strategy. It’s just danger.

Christian: And as we’ve said, look, I think for many companies that are trying to do the right thing with their data in the security and the privacy of their customer, and their employee, and other datasets, whether or not they are really nailed to the wall by regulation… The press and the media coverage of companies being identified as being out of compliance can have a significant cost. And so we’ve talked about one of the strategies that companies need to start to embrace is that trust is a huge part of brand equity.

And for the amount of money that people put into building their brand and the equity in their brand, and the trust with the consumer, the trust with their counterparts in B2B, that is a real cost and a real profit center, eventually if done properly. And this is one of those gaping holes if you’re following the Ostrich Stratagem. So, as we said, that’s a quick 90-day checkup on GDPR. We’ll keep checking in on it, but I think as Jay said, it’s not quiet, it’s actually a lot going on, but we haven’t seen any major court, or rulings, or otherwise. As that happens, I think we’re gonna see a lot more activity in this space.

Jay: It was quiet in “Jurassic Park” before the T-Rex came.

Christian: Right, right. Before the cup of water started shaking. Excellent. Well, thank you everyone. We’ll catch you next week on, “Are You Data Smart?” Thanks again.

Leave a Reply