
What does the EC have in mind for the final text of GDPR?

In the last couple of weeks the blogosphere has gone into overdrive regarding the final text of the EU General Data Protection Regulation (GDPR) that’s on track to emerge before the end of the year.

Agreement between the European Parliament, Council of Ministers and European Commission now looks like a distinct possibility in November 2015 after which there’ll be a two-year transition period before sanctions begin to bite.

As GDPR watchers will have already clocked, there’s been a leak of the Council of Ministers’ first reading of the EU Regulation. The document runs to 630 pages and can be accessed here.

Fortunately, the fog that’s surrounded the details of the final text of GDPR is now starting to lift.

The European Commission – the ‘honest broker’ in the deal between the European Parliament and the Council of Ministers – has started to provide some clarity on what the final shape of GDPR will look like.

It should be remembered that the proposal has been the subject of intense debate since 2012, when the European Commission proposed a root and branch reform of Europe’s outdated data protection and privacy laws.

Fuelling this push for reform was the need to create a functioning single market that would deliver jobs and prosperity across the EU.

At a recent IAPP London KnowledgeNet seminar hosted at the London offices of global law firm Allen & Overy, Bruno Gencarelli, Head of Unit, Data Protection at the Directorate-General for Justice at the European Commission shared his thoughts with an audience of over 100 data protection and privacy experts, who appeared to be hanging on his every word!

Such is the interest in the final outcome of the trilogue negotiations. And British PM David Cameron’s promise to hold a referendum on the UK’s membership of the EU has quadrupled this level of interest.

The context surrounding GDPR is perhaps just as important as the content of the proposed EU Regulation.

EU Charter of Fundamental Rights

The Charter is an important development as it’s the first formal EU document to combine and declare all the values and fundamental rights (economic and social as well as civil and political) to which EU citizens should be entitled.

The main aim of the Charter is to make these rights more visible. It is important to note that the Charter doesn’t establish new rights but assembles existing rights that were previously scattered over a range of international sources.

Now that the national courts and Court of Justice of the European Union (CJEU) have to consider the Charter it can be used to assist in cases where EU law is in issue and clearly GDPR needs to be seen within this context.

EU Digital Single Market

Last week, the EU outlined its strategy to create a digital single market. The thrust of the proposals included establishing standard rules for buying goods online, pruning cross-border regulations on telecoms and reducing the tax burden on business. The plan also calls for a “comprehensive assessment” of whether Facebook, Google and other internet platforms distort competition (aside from posing significant data protection and privacy risks).

EU Commission President Jean-Claude Juncker has promised to transform the EU single market for the digital age by removing regulatory walls, moving away from 28 national markets to a single one and generating €415 bn ($468 bn) a year for the European economy as well as creating 3.8m new jobs.

The call for reform isn’t simply politically motivated – many businesses from within and outside of the EU have been pressing for reform in order to compete across a level playing field rather than risk facing fines and penalties across 28 Member States that pursue their own competition, data protection, privacy laws and regulations.

It’s against this backdrop that GDPR is the final piece of the jigsaw that will create a very different picture of the European Union than exists at present.

What’s driving the European Commission to reform data protection and privacy laws across the EU?

There are three key drivers:

  1. Simplifying the regulatory landscape and framework.
  2. Updating rights and obligations to the opportunities and challenges of the digital world.
  3. Strengthening enforcement.

According to Bruno Gencarelli, it’s a balance of interests – removing red tape as well as providing protection for the ordinary EU citizen.

“We’ve tried to tailor and granulate certain obligations – the so-called ‘risk-based approach’ that entails carrying out a Data Protection Impact Assessment (DPIA) as well as looking at processing activity that represents a specific risk to the rights and freedom of a data subject. In doing so, we are also looking at the size of business,” he says.

On the point of red tape, Bruno Gencarelli is clear that the GDPR will eliminate most of the prior-notification and prior-authorisation obligations for processing. In their place comes the appointment of a Data Protection Officer (DPO), who will sit within the company or organisation and report data breaches directly to the Supervisory Authority.

So in a way, this is a self-policing system that will radically reduce the amount of bureaucracy that exists at present, although of course it comes with its own challenges, particularly as Boards will need to be coached in how to work with a ‘mini-regulator’ embedded within their own business.

Putting individuals back in control of their own data

This is perhaps at the root of the proposed data protection and privacy reforms and has the biggest impact of the changes being proposed by the European Commission.

“I would say more than in any other part of the EU Regulation affecting data protection, the proposed reforms mean putting individuals back in control of their personal information in order to re-establish fundamental rights as well as to strengthen trust within the digital single market,” adds Bruno Gencarelli.

Portability of data

One of the proposed eye-catching reforms to be included in the GDPR will be portability of personal data across the EU.

“This is essentially about allowing users to extract in a structured format personal data from service providers and to move that personal data to another provider.

This idea stems from what happens in the mobile telecoms sector and it’s about giving more say to individuals to decide what happens to their data in practice; being able to effectively make a choice in the market and in that way lower the barriers to entry in particular to those markets which are currently dominated by very few big players.”

According to the European Commission, this is an example of a question of balance taken within the GDPR – of balancing fundamental rights as well as complementing the principle of competition within the internal market.

“We don’t see one excluding the other,” explains Bruno Gencarelli.

Breach notification

In this area, the European Commission has studied in detail what some States in the USA have adopted in terms of data breach notification and is convinced of the case for a federal-style approach across the EU.

“In practice, the same idea is true for the production of principle points of privacy by design. This is about investing in good data protection practice and methods as early and as upstream as possible in the provision of goods and services,” adds Bruno Gencarelli.

More effective supervision and enforcement

The new emphasis on supervision and enforcement placed by the European Commission reflects the transition from an ex-ante to an ex-post data protection and privacy system.

“Data protection and data breaches have become much more serious and relevant and currently we don’t have a credible set of enforcement rules and sufficiently dissuasive sanctions. In Europe, we have a very fragmented situation where certain countries have that power to impose financial sanctions and some countries don’t appear to have that power.

“We drew inspiration from other areas of Europe such as competition law in looking at the issue of supervision and enforcement.

“There have been a lot of misgivings about the level of fines and it should be emphasised that these are a ceiling – it’s about a maximum amount of the fine which will be applicable to the most serious violation.”

Bruno Gencarelli was at pains to emphasise that the European Commission firmly believes in the principle of proportionality and the level of fines imposed will be based on a catalogue of factors that will include:

  • duration of the data breach
  • seriousness of the data breach
  • negligence or intention
  • nature of the violation
  • impact on users
  • other factors

One-stop shop

This is one of the jewels in the crown of GDPR and clearly the European Commission sees this as being fundamental in terms of enforcement and supervision that sits alongside its strategy for the digital single market and the Charter of Fundamental Rights.

What’s now proposed is a two-level structure that provides the benefit of proximity for complainants against organisations and companies by recourse to their own Data Protection Authority (DPA) and the courts as well as making it easier to launch a cross-border complaint by reference to a single adjudication body (the lead DPA body of the main establishment).

In this new regime, both bodies will need to agree on the interpretation of the GDPR rather than having diametrically opposed interpretations that would negate the operation of a one-stop shop mechanism.

“The one-stop shop has become more congruent and more consistent in interpretation and application of EU data protection laws throughout the EU and this is good in terms of legal certainty,” explains Bruno Gencarelli.

The European Commission view is that the one-stop shop is more effective in the protection of users’ rights and this appears to have gained consensus within the European Parliament and the Council of Ministers.

“Originally, we had the idea of concentrating the decision making power with the Supervisory Authority of the main establishment and probably that was too simplistic.

“There were a number of very valid observations made and in particular we had to sufficiently take into account the specific fundamental rights and the nature of data protection afforded to the individual.

“So when a data subject lodges a complaint they may have with a data controller or data processor, they should be able to go to their domestic DPA but also the domestic court.

“Negotiations around the one-stop shop mechanism took a while and were debated in detail by the Council where it was important to strike the right balance and for having the ability to adjudicate on cross-border cases with one interpretation of the data protection rules.

“Although the UK may have had certain reservations about the one-stop shop principle, we are very satisfied with the compromise that’s been reached that safeguards the level of proximity for a remedy in particular when the complaint of an individual is rejected and therefore a decision has a negative impact on that individual.

“At the same time, the one-stop shop maintains our main objective of having one interpretation of the GDPR in cross-border cases and I would say it even reinforces it.

“This sort of co-decision between the adjudication bodies won’t be based on the creation of a new body but on a better functioning of what already exists.

“It will strengthen the co-operation of DPAs within the framework of the Article 29 in a more structured and legally robust way,” observes Bruno Gencarelli.

GDPR is therefore likely to reflect the following mechanism for one-stop shop:

  • when the decision involves measures to be taken vis-à-vis the controller or the processor (the imposition of a fine, an injunction or an order to put an end to certain processing), that decision is jointly agreed and will be formally adopted by the DPA of the main establishment
  • when the jointly agreed decision has a negative impact on the individual by rejecting their complaint, it will be adopted by the local DPA, which ensures that the decision can be challenged before a domestic court of the complainant.

Given this additional safety valve, the European Commission feels that the Data Protection Board wouldn’t have to intervene except in relatively few cases.

“Where the local DPA isn’t able to reach agreement with DPA for the main establishment, then the matter will be referred to European Data Protection Board (EDPB) and that decision will be binding on all parties. And this is a legally more robust position under the Fundamental Rights Charter perspective,” adds Bruno Gencarelli.

Consensus reached?

According to the European Commission, although some points remain to be agreed, the vast majority of the GDPR has reached a stage of consensus in terms of the viewpoints of the European Parliament, Council and the Commission.

“I think all the basic elements for an agreement are now in place and there’s definitely consensus around the main foundation of the future system – an EU Regulation, a one-stop shop, an ex-post system of control to a greater extent unaccountability and more effective enforcement on a broader geographical scope. In all of these elements we see consensus,” explains Bruno Gencarelli.

Two-year transition period

Even if trilogue agreement is reached in November 2015, the matter won’t be settled until 2017.

“In a sense reaching agreement in 2015 isn’t the end point. The two-year transition period will be useful to do a number of things and also because we have a change of governance and moving forward we’ll need to agree institutional issues that concerns including the future of the European Data Protection Board and its role within the new regime.

“The EU Regulation is a skeleton of the principles for the future of data protection and privacy within the EU and over the next two years a lot of meat will need to be put on the bones of GDPR,” concludes Bruno Gencarelli.

The Imitation Game

In the media this week there’s been a fair amount of speculation as to when the EU General Data Protection Regulation (GDPR) is likely to see the light of day. Some commentators are speculating that sign-off by the European Parliament, Council of Ministers and the European Commission won’t happen until Spring 2016.

Earlier this year, a joint statement by EC vice president Andrus Ansip and EU Commissioner Věra Jourová indicated that GDPR could become law by the end of 2015. Perhaps this was wishful thinking?

And this week, some 60 pressure groups including the UK’s Open Rights Group, Liberty, the Dutch Consumer Council and the US Electronic Privacy Information Center have written an open letter to EU President Jean-Claude Juncker outlining their concerns over the way GDPR is currently drafted and warning that it will erode rather than strengthen existing data protection and privacy laws.

To some extent, a lot of this politicisation over the precise wording of GDPR is largely irrelevant. There’s enough evidence out there to show that Data Protection Authorities (DPAs) across the EU are already applying the risk-based principles of GDPR. In other words, DPAs are acting as if GDPR already exists. It’s a case of the ‘Imitation Game’.

Movie-goers will recognise the link. In the film of the same name, a group of cryptanalysts crack the German Enigma code with the help of Cambridge maths genius Alan Turing (played by Benedict Cumberbatch), who then goes on to invent the world’s first computer.

80 years later

Fast forward nearly 80 years and companies are now adept at deciphering intimate and sensitive data on just about every aspect of online and offline lives – in order to drive their vast business empires.

The fact that the European Parliament has already voted on GDPR is evidence that the time for talking really is over and what’s now required is action. Hanging on to the outdated Data Protection Directive 95/46/EC isn’t really an option.

However, it isn’t as simple as that.

Following the first reading of GDPR, there were some 4,000 proposed amendments to the EU Commission’s draft and agreement on the GDPR by the European Parliament was reached on 12 March 2014.

The Council of Ministers is now poring over whether to accept the European Parliament’s position, in which case the GDPR is adopted. Where the Council doesn’t adopt all of the European Parliament’s amendments, or wants to introduce its own, it adopts a first reading position which then goes back to the European Parliament for a second reading.

And this is where things are right now.

The Council is expected to come clean very soon, although there’s no time limit placed on how long it can take to deliberate on its position on GDPR, which is part of the frustration felt by many data protection and privacy professionals.

Make your mind up time

When the Council eventually makes up its mind on its first reading position, it is back to the European Parliament to examine the Council’s position, and this could take three to four months of deliberation.

A special European Parliament committee – Civil Liberties, Justice and Home Affairs Committee (LIBE Committee) – is tasked with drawing up a recommendation for Parliament’s second reading.

At this stage of the game, the text to be amended is the Council’s first reading position rather than the original European Commission proposal for the GDPR that first saw the light of day way back on 25 January 2012!

Likely outcome?

Good question – and it depends on how much tampering has been done by the Council as to whether the European Parliament decides to expedite and approve the Council’s first reading position.

In the event that this happens, this will speed up the process. Of course, there are likely to be some tweaks and further amendments on the Council’s first reading of GDPR. In other words, concessions are likely.

But the good news for GDPR watchers is that about 80% of all EU laws are now agreed after the first reading and in fact most law-making takes place behind the scenes. This is the ‘trilogue’ phase which isn’t mentioned in EU treaties but is specifically designed to speed up the cumbersome EU legislative process.

Three-way split

Informal meetings behind closed doors will take place between:

  • European Parliament (represented by Rapporteur and shadow rapporteurs)
  • European Council (chair of Working Party and/or Permanent Representatives Committee)
  • European Commission (responsible for the dossier and Secretariat-General).

In these informal discussions, the Commission’s role is that of mediator or facilitator of compromise texts but because of its expertise and resources it can have significant influence over the final drafting that’s produced.

Thinking of where to put a data centre in Europe?

Some Governments are blatantly cashing in on the current situation by offering a ‘safe place’ for organisations to continue to ply their trade and not trip up over the forthcoming GDPR.

For example, at the recent IAPP Europe Data Protection Intensive held in London earlier this month, Dara Murphy, Irish Minister for State European Affairs & Data Protection was making such a pitch to IAPP members.

In his address, Murphy made the point that Ireland had become the first EU Member State to create a Ministerial position with respect to data protection and he acknowledged what this meant to the Irish economy.

“We have in our country 29 of the top 30 digital companies in the world and nine of the top ten companies born on the internet. Many of them have their European HQs in Ireland. One of the key priorities we set when we had our reshuffle a couple of months ago was to up the role and importance of data protection within government.

“We’ve doubled our expenditure, opened a second office in Dublin and significantly increased the number of staff.”

Whilst promoting the principle of balancing the benefits to be gained through data-sharing, analytics and innovation, Murphy was also careful to stress the importance of protecting citizens’ rights.

“The work ahead is to put the right of the citizen at the heart of everything lawmakers do with an eye toward reducing administrative burdens and providing a consistent application of rules that foster an environment that creates jobs and growth while simultaneously protecting civil and digital rights and privacy.”

Murphy reflected the mood of many at the IAPP conference that the pace of data protection regulation has picked up remarkable speed and that the existing laws that were developed nearly a decade before most of the tech giants existed were now looking “ridiculous”.

However, conscious that he was there to “sell” Ireland to other global businesses thinking of putting a data centre in Dublin, Murphy added that he didn’t believe in “exemplary fines”. The hope is that this signal, from a Data Protection Authority seen as on the side of big business and in favour of a strong digital market in which business can function, will encourage more inward investment in his country.

An astute PR move, but the EU Regulation will have the effect of reducing, not exacerbating, the differences in approach to data protection and privacy that currently exist across the EU and that have caused the present level of uncertainty and confusion.

Start making plans for GDPR mechanism now

“Many organisations that are ahead of the curve are mitigating their risks of an ICO investigation by taking educated guesses on how portions of the forthcoming GDPR will come into reality,” explains Martin Hickley, a leading data protection and cyber security expert.

He adds: “For example, many have started making plans where under GDPR they will need to respond to complaints through a one-stop shop mechanism, respond to subject access requests for the right to be forgotten, put in place a higher standard for data transfer and encryption of data that is accessed within the enterprise as well as the pseudonymization of that data among other measures.”

But lingering questions still remain and clarity on the following points will be required so that organisations can start to fully prepare themselves for life under the new EU data protection and privacy mechanism:

  • How will GDPR help to harmonize the way data processing and compliance is conducted within the EU as well as outside of the EU?
  • What should large multi-national organisations do regarding the one-stop shop mechanism if they are significant data controllers across several jurisdictions both within the EU and outside of the EU?
  • Will Data Protection Authorities (DPAs) look at mutual recognition systems like Binding Corporate Rules (BCRs) and apply the same logic to the one-stop shop? In such a scenario, a lead DPA is backed by two supporting DPAs in approving a company’s data transfer process.
  • How will GDPR apply to situations where the company is both controller and processor of a vast quantity of data?
  • What will the seal that is an assurance mark for data protection and privacy look like?
  • Will the Safe Harbor Principles need to change as a result of GDPR?

Hickley concludes: “My advice is to conduct a data protection impact assessment (DPIA) without undue delay across the whole organisation rather than on a project basis, which is a mistake often made by many organisations that I advise. Ask yourself the question – where do you sit now in relation to what’s been published about GDPR so far? And what do you need to do in order to be compliant before it’s too late.”

Don’t call us, we’ll call you. Illegally.

While the EU General Data Protection Regulation (GDPR) requirements have yet to be finalised, 20 years of European jurisprudence is a strong indication of the direction of travel: the supervisory authorities are going to clamp down hard on those organisations and their outsourcing providers that violate the new minimum standards for data protection.

And if you’re in any doubt how hard this will impact the telecoms sector, then you should look no further than what’s just happened to AT&T earlier this week in the US to get a taste of what we can expect to see here in the EU in the wake of the GDPR.

The US Federal Communications Commission (FCC) reached a settlement with the telecoms giant AT&T to pay close to $25m for a series of consumer data privacy violations following an investigation where in excess of 280,000 customers’ data records were illegally accessed and stolen by employees working at AT&T Call Centres in Mexico, Colombia and the Philippines.

To put that into context, the fine equates to around $90 per data record that was breached.

AT&T customer data was used to request unlock codes for AT&T handsets and this data was then provided to unauthorized “third parties” dealing in stolen and “secondary market” handsets.

Such practices may have escaped detection for years and not just within AT&T but across the telecoms sector as it’s highly unlikely to have been an isolated incident.

The FCC has taken the step to make its investigation and subsequent fine a very public matter so as to send a warning shot to all other telecoms companies and outsourcing providers that such data breaches will be severely punished. And European data protection authorities (DPAs) are studying the details of this case with close interest as they aren’t exactly a push-over when it comes to taking action on such a scale.

“You have to recognise that the sheer amount of data that these companies store and process on a daily basis leaves them extremely vulnerable to data breaches on this type of scale,” comments Professor Bryan Foss, a leading data protection and technology expert and former IBM director.

“It’s very common for organisations the size of AT&T to outsource such activities and related services to outsourcing providers and in doing so a great deal of data protection and security is passed—and quite possibly compromised—through the supply chain to third-party service providers.

“The situation also raises interesting questions as to levels of responsibility, as well as liability with regard to data flows through supply chains, and whether adequate safeguards and privacy compliance measures exist with service partners and vendors across the spectrum of industries. The GDPR squarely places responsibility for such data breaches on the shoulders of data controllers and processors,” adds Professor Bryan Foss.

This issue also reaches well beyond internal compliance policies that many large organisations must now look at in some detail, usually as a result of a data protection impact assessment (DPIA) that should be carried out across the whole organisation rather than simply on a project basis.

“However, this still leaves many other questions unanswered such as how do organisations implement sufficient data traceability measures as well as the levels of protection from the source and entry points to potential exit points through to the end of the supply chain,” observes Professor Bryan Foss.

In its news release, FCC announced:

“AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities…”

In response, AT&T has sought to calm the nerves of its shareholders and investors by releasing the following statement:

“Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information.”

Should AT&T and other telecoms providers continue to fall below the data protection standards expected of them they can be certain of being subject to severe fines on both sides of the Atlantic.

Bring Your Own Device to Work is a “ticking time bomb” warns security expert

As many data protection, compliance, human resources and legal experts speculate as to the consequences that will be wreaked on all organisations as a result of the forthcoming EU General Data Protection Regulation (GDPR), there is widespread confusion across the web as to whether Bring Your Own Device (BYOD) is still acceptable, or whether organisations need to undertake a data protection impact assessment (DPIA) and radically change their internal policies as a result.

“Even though the law in this area hasn’t changed today, it would be foolhardy in the extreme for organisations not to carry out a DPIA as a precautionary measure given the massive data protection and security risks that allowing BYOD currently presents,” warns data protection and compliance expert Martin Hickley.

GDPR will replace a European-wide regime that was created by an EU directive in 1995 when the internet was still in its infancy and we didn’t have anything like the mobile technology we do today.

The dawn of smartphones came in January 2007 when Steve Jobs brandished a piece of plastic no bigger than a KitKat and proclaimed “this would change everything.” Eight years on, the Apple iPhone exemplifies the early twenty-first century’s defining technology.

Smartphones are now taken for granted and have opened up a new world of work where we are able to work as effectively from home as from the local coffee shop. Some studies have found that in developing economies every ten extra mobile phones per 100 people increase the rate of growth of GDP-per-person by more than 1%, for example, by drawing people into the banking system. WhatsApp was founded in 2009 and already handles 10bn more messages a day than the SMS global text-messaging system.

The phone is a platform, so start-ups can cheaply create an app to test an idea – and then rapidly go global if people like it.

The way in which mobile has become the centre of our connected world has changed work-life balance into work-life integration.

Mobile manufacturers have been quick to jump on this bandwagon and have been pushing the benefits of employees having their own devices that keep them in touch with the office and more productive.

The mood music behind this surge in working ‘the way you want, when you want’ is why would organisations seek to supply every employee with a laptop or smartphone when they already have one? Wouldn’t knowledge-based organisations be missing out on cost savings?

If every employee already owns a smartphone and tablet (maybe several devices) why are organisations still buying employees a computer and smartphone when they join the company? That equipment then needs to be maintained, upgraded and replaced. Isn’t the money better spent improving internal infrastructure such as better security and collaboration tools to enable employees to work anywhere, anytime, on their own devices?

In this way the company can then take that money and reinvest it into tools that make that mobile worker more productive.

So will this get companies off the hook for getting caught in a spiral of escalating costs in investing in the latest technology and having to support this across the organisation?

As attractive as these arguments may appear, they are deeply flawed according to Martin Hickley.

“Cost savings aren’t comparable to the financial damage and reputational risk that can be incurred as a result of lost or stolen data and the security implications that a data breach entails. Data protection authorities (DPAs) are insisting that organisations must work to a much higher standard than at present and in the UK the ICO has just published guidance on this area and it makes interesting reading,” he says.

Under the existing Data Protection Act 1998, data controllers must ensure that all processing of personal data under their control remains compliant and in the event of a data breach, the data controller must be able to demonstrate that they’ve secured, controlled or deleted all personal data on a particular device.

The reality is that BYOD makes this almost impossible to police, and the ICO guidance states:

“The underlying feature of BYOD is that the user owns, maintains and supports the device. This means that the data controller will have significantly less control over the device than it would have over a traditional corporately owned and provided device. The security of data is therefore a primary concern given that the data controller may have a large number and a wide range of devices to consider.”

Martin Hickley advises that companies should carry out an organisational DPIA that includes a review of the policy and procedures under which employees are permitted to use their own mobile devices for work purposes.

Specifically, data controllers MUST find out:

  • what type of data is held on BYOD used by all its employees
  • whether it is encrypted
  • where such data may be stored
  • how such data is transferred
  • what the risk is for data leakage as a result of BYOD
  • how the company can ensure that the separation between personal and business use of a BYOD is maintained
  • the security capabilities and vulnerabilities for every BYOD used by employees
  • the policy for when an employee who owns a BYOD leaves employment having had access to personal and confidential information about the company’s customers/clients
  • how to deal with the loss, theft, misuse and failure of an employee’s BYOD
  • what support (if any) is offered by the company to help maintain a BYOD.

“When you start to run through that list you quickly realise that BYOD isn’t a way to save money – in fact, it’s potentially a nightmare that leaves the company massively exposed.

“For example, how can such devices be partitioned so that personal information like photos of the employee’s children isn’t accessed by the company’s servers? And should an employee want to take a photograph of a PC screen displaying confidential information at the office, this image will be stored on the BYOD without any control by the company over its use whatsoever.

“Data controllers might be lulled into a false sense of security by thinking that the solution is an App that’s downloaded onto an employee’s mobile device where restricted data can only be accessed through this App.

“The trouble with that as a solution is that the employee may have downloaded other Apps on the BYOD that could be much less secure and could have security vulnerabilities where the employee’s mobile device could be completely hacked without them knowing this is happening. Such a scenario is a real danger for the theft and loss of personal data for which the company remains responsible. And under GDPR, there are significantly higher financial penalties for data breaches that will outweigh the cost of supplying a mobile device to every employee in the first place – which is still the most effective solution,” concludes Martin Hickley.

Europe’s Digital Czar fires warning shot at Facebook over data collection activities


Guenther Oettinger, Europe’s digital economy chief and the German representative on the European Commission, has delivered a stark warning to Google and Facebook that they must either comply with the principles of the forthcoming EU General Data Protection Regulation (GDPR) or face being thrown out of the single market.

Oettinger accused the tech giants of using “an electronic vacuum cleaner” to collect detailed information about users, often without their knowledge or consent, and then using it to target advertising.

Speaking to the Wall Street Journal, Oettinger said: “The Americans are in the lead, they’ve got the data, the business models and so the power.”

He predicted that Google and Facebook “will go to the Member States where data protection is least developed, come along with their electronic vacuum cleaner, take it to California and sell it.”

Both tech giants have significant data centres located in Ireland thanks to high-speed fibre coupled with generous tax benefits on profits for tech companies that relocate to Dublin – making this a convenient bridge-head into the European market from which to carry out such activities.

Currently, the GDPR is awaiting final agreement between the European Parliament, Council of Ministers and the European Commission and could emerge from the middle of 2015, after which all companies and organisations will have a two-year window to comply or risk significant financial penalties.

Oettinger’s warning comes in the wake of a major report commissioned by the Belgian Data Protection Authority that expressed growing concern about Facebook’s updated terms and policies.

The report will be used by the Belgian Privacy Commission in a probe launched in January 2015 over Facebook’s updated settings and terms and conditions that went live on 31 January.

“Facebook’s revised Data Use Policy is an extension of existing practices. This nevertheless raises concerns because Facebook’s data-processing capabilities have increased both horizontally and vertically,” the report authors said.

“Both are leveraged to create a vast advertising network which uses data from inside and outside Facebook to target both users and non-users of Facebook.”

The report’s authors added that Facebook puts too great a burden on users to sort through complex privacy settings.

At the same time, Facebook has increased its ability to track users elsewhere on the web and its acquisitions of Instagram and WhatsApp have allowed it to collect even more user data where there are natural synergies across all of these social platforms.

To coincide with this, Facebook is using ‘soft power’ in the propaganda war with European Regulators and its critics by running a series of TV commercials in the UK that’s part of a wider campaign featuring billboards and online advertising.

The TV spots focus on how the social network helps to build friendships, using the themes ‘Girl Friends’, ‘Friend Request’ and ‘Our Friends’.

The stories are played out over instrumental versions of classic tracks including Madonna’s ‘Like a Prayer’ and each one has a British voiceover. The ads are brand-focused rather than emphasising a product, aiming to highlight how Facebook ‘creates and sustains friendships’, according to its ad agency.

A poster campaign has also been launched, located at sites such as Oxford Street underground station, showing the image of a tick and the word Friends over a picture of people enjoying each other’s company.

While this is Facebook’s first UK TV advertising push, it has already rolled out several campaigns in the US, with mixed results, the most famous being its ‘chairs are like Facebook’ spot, which was widely ridiculed.

A spokesman for the network, which has 1.3bn global users, said the UK launch aimed to identify the network as a place where ‘friends go to make meaningful connections’.

Facebook remains unrepentant about the revision of its terms and conditions and maintains it’s not doing anything to cause alarm.

“We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising,” explains Facebook spokesperson Matt Stanfield. “We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates – including this one – with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.”

Such an argument will wear thin when Facebook faces a more restrictive EU-wide data protection regime under GDPR that will impact its ability to continue such activities irrespective of where it chooses to operate from within the EU.

Thought leadership in digital marketing


Data protection rules overhaul – Top Tips for compliance

Extract: Data protection and the security of data is perhaps the biggest issue facing the advertising and marketing sector from a business continuity perspective as to get this badly wrong opens the door to punitive fines of up to five per cent of global turnover or €100m. Ardi Kolah shares his top ten tips for marketers.

Urgent Action is Required as Data Breaches hit Record Highs

Extract: According to global digital security firm Gemalto, 1,541 data breaches in 2014 led to one billion data records being compromised, representing a four per cent increase in data breaches and a 78 per cent increase in data records that were either stolen or lost compared to 2013. Ardi Kolah gets the views of one of the UK’s leading data protection and governance experts in conducting a data protection impact assessment (DPIA).

What does it take to succeed as a disruptive brand?

Seasoned music and film executive producer Helen Gammons runs the highly acclaimed MBA programme for the music and creative industries at Henley Business School.

Now in its third year, its graduates are living proof that the sector is one that’s in a constant state of re-invention and change – perhaps more than any other on the planet.

“The industry is completely different to what it used to be and this has opened the door to a much wider range of opportunities for disruptive brands,” explains Helen Gammons who can lay claim to having attracted some of the best in the industry to the MBA programme including Faber Music, Disney, Sony Music, Peermusic and ISM to name a few.

The sector is almost unrecognisable to the one Gammons joined back in the ‘70s. Today, there are fewer players, a completely different set of income streams, many new business models and an extraordinary level of influence from outside the traditional sector that is forcing the sector to manage for disruptive innovation.

On Tuesday 24 February 2015 Henley Business School throws its doors open to those who want to learn how to compete and win in the face of disruptive innovation. The one-day event Managing for Disruptive Innovation will reveal how Spotify intends to stay on course and promises to be a fascinating insight into what it takes to succeed as a disruptive brand.

Speakers are Professor George Tovstiga; Keith Jopling, Senior VP KAE; Mark Popkiewicz, CEO, Mirriad; Will Page, Chief Economist, Spotify; Simon Presswell, Music & Entertainment Entrepreneur and Ben Drury, Chief Strategy Officer at 7 Digital.

The one-day event is part of Henley’s cutting-edge ‘Creative Dynamics’ Programme and is an ideal meeting place for those looking for inspiration as well as all-important industry contacts!

To date, subjects covered by the Creative Dynamics Programme include the future of music and brand partnerships; leadership and strategy in the digital economy; building business performance through managing creativity; opportunities for using branded content; and marketing with bytes.

“The music and creative industries have experienced the ‘perfect storm’ of disruptive forces including digital technology and generational changes in consumption. It’s been open season for market entrants – legal or illegal. But, disruption is transforming the entire creative industries sector, on a global scale – new platforms, business models and access to data bring constant change so it’s a case of either embrace change or die,” warns Helen Gammons.

The programme is already shaping thinking not just here in the UK but as far as South Africa and there are plans to export the know-how and expertise to entrepreneurs in China over the next few years.

According to Keith Jopling, one of the ‘Creative Dynamics’ sponsors and a speaker at the event, the success of Spotify has turned traditional thinking on music rights on its head and has opened the way for new and disruptive models to take root in established and emerging markets.

But perhaps what wasn’t predicted is that ‘old school’ brands have caught up with the challenger brands in this global market and are also a source of disruptive innovation.

“Spotify succeeded in a business with notoriously high barriers to entry and with a model that few consumers had yet to adopt. However today the ground is moving beneath its feet and those brand owners seeking to knock it off its perch include Apple, Google and Amazon.

“Since 2009, Spotify has grown to become the biggest streaming music service in the world but its planned IPO could be under threat unless it can respond to these new challenges from much bigger competitors,” reflects Keith Jopling.

Research by Henley Business School shows that challenger brands like Spotify can become incumbent in a competitive market in a relatively short space of time. They have thought differently about customer needs, rather than just replicating a previous business model and doing it a little better or more quickly. They’ve completely re-designed the market based on that customer insight and haven’t been afraid to step out of the mould of their industry.

“However, at the same time such brands can’t afford to stand still and disruptive brands like Spotify need to be agile and forward thinking in order to maintain momentum. There are as many ‘also-ran’ fads as there are enduring game changers – and the skill is to recognise those business models that have genuine capacity for building long-term customer value,” concludes Helen Gammons.

Why wait and see doesn’t work with Third Party Contracts

There’s currently a ‘wait and see’ attitude towards the forthcoming EU General Data Protection Regulation (GDPR), and what’s certain from all the conversations we’re having with companies is that they need clear guidance on how to prepare for the inevitable when it arrives.

However, that doesn’t mean that companies should sit on their hands and wait, according to Martin Hickley, a leading data protection and governance expert.

“Imagine you’re a company and the data controller. You know that once the GDPR is approved, you’ll have a two-year grace period in order to ensure that all data protection and security procedures comply with the principles of the EU Regulation. However, two years is a shorter period of time compared with the average length of most business contracts so the implications of the GDPR take effect not at some distant point in time but from TODAY.

“For example, all contract renewals and new contracts that entail personal data transfer or processing will need to have a clause in them that effectively says that once the new EU Regulation is passed, the third party has to supply to you within a set time frame its plans to become compliant with the GDPR.

“Furthermore, you might need to re-negotiate the third party contract based upon those plans, due to cost and liability issues.

“For example, we know there’ll be a statutory requirement to declare a data breach within a very short time frame, so the third party will need a formal process to tell you that they believe there’s a breach and this is what you have to report.

“Timescales are short because it’s a two-company process. But who’s responsible if the deadline isn’t met? The answer is simple – it’s you as the data controller!

“What penalties do you accept, and what do you pass on to the third party in such circumstances? This can only be done if it’s provided for in the contracts that you are entering today that have more than a two-year shelf life.

“Imagine if a data processor has a single data breach but the data is on multiple records. The fine will not be for one breach, but multiple breaches under the GDPR,” explains Martin Hickley.

Impact of GDPR on the financial services will be “significant”

Last week I chaired a seminar jointly organised by the Worshipful Company of Marketors and the Financial Services Forum at Cass Business School on the impact of the EU General Data Protection Regulation (GDPR) on the financial services sector.

On the panel (L-R) were Martin Hickley, a data governance, protection and privacy specialist; Hazel Grant, partner and head of privacy and information law at Fieldfisher LLP; myself; Jenny Moseley, director and co-founder of Opt-4; and Chris Wood, head of business compliance in the UK for HSBC.

The journey of the GDPR to the present day has been a long and at times controversial one. In January 2012, the European Commission (EC) issued a proposal for a European-wide data protection reform.

In March 2014, a first reading of a draft bill went through the European Parliament and a second version was voted on by the Council of Ministers – in effect creating two drafts of the same Regulation with significant differences between them, with the Council of Ministers declaring that nothing is agreed until everything is agreed.

To date these drafts have had more amendments than any previous body of EU regulation and given the priority to gain consent on this landmark regulation by EC President Jean-Claude Juncker, many believe that the GDPR will be agreed by all parties by the middle of 2015.

Although differences remain, the feeling among the panel was that the financial services sector can’t adopt a ‘wait and see’ approach in the vain hope it will go away. It won’t.

Data protection and the security of data is perhaps the biggest issue facing the sector from a business continuity perspective as to get this badly wrong opens the door to punitive fines of up to five percent of global turnover or €100m.

To underline the vulnerability of large organisations to becoming the victim of a data breach on a grand scale, just 30 minutes before the seminar began, both Facebook and Instagram were hacked by Lizard Squad, resulting in a ‘denial of service attack’ – a claim denied by Facebook.

Either way, 1.6bn users of the social network couldn’t access their accounts for over half an hour. Lizard Squad and other hackers like them represent a continuing threat to the data that financial services firms hold on servers that can be infiltrated by those who are determined to carry out such attacks.

Under the new GDPR, data protection authorities (DPAs) will ‘hold hands’ and in doing so provide a so-called one-stop shop for complainants of financial services firms, irrespective of where the issue took place within the EU.

The GDPR will effectively replace the former Data Protection Directive 95/46/EC as well as make the existing Data Protection Act 1998 redundant by bringing in a European-wide approach to data protection and security that moves away from the patchwork approach that exists at present. It also places equal legal responsibilities on data processors and data controllers with respect to the transfer and use of data.

A proposed ‘data protection seal’ will notify consumers that the financial services firm complies with the supervisory authority and can transfer data to third parties on a lawful basis in the hope that consumers will be reassured about the higher standards of data protection that such a firm complies with.

The obligation to report breaches – however small – will be the responsibility of the Data Protection Officer (DPO) who will work independently within a large financial services organisation and the reporting of such breaches is likely to be done within 24 hours.

Some of the concerns on the panel of data protection experts were around slippage in the timetable to introduce the GDPR and the fact that delays had created a false sense of comfort for senior executives who may not appreciate the threat to business continuity that the GDPR actually represents.

The issue of customer consent was also widely discussed and it’s clear that many banks are re-wiring their approach from the position of protecting the customer as the paramount principle in how they manage their business.

Under the new EU Regulation, financial services firms must obtain consent and this must be freely given for a specific purpose rather than for some blanket purpose. However, there’s still some argument between lawyers as to whether implied consent is a dead duck – and some lawyers feel that implied consent in certain circumstances will still be lawful under the GDPR.

A major cause of data breaches is human error, and clearly education and training will be core to the way in which this risk within financial services can be reduced.

However, there was a recognition, particularly with junior staff, that such a risk could never be 100% eradicated, leaving fines and sanctions under the GDPR a real possibility. Typical human error includes the failure to encrypt data, a lack of privacy policies and even mis-directed communications, whether by post, fax or email.

As well as fines, DPAs like to ‘name and shame’ those firms that have fallen below the standards expected of them, and the reputational damage to the brand in such cases could easily outstrip the financial penalties imposed. For example, the French authorities recently forced Google to publish details of its non-compliance on its home page for 48 hours. Google complained but lost its case in the courts.

Top Ten Tips for marketers

  1. Write down a set of data protection policies and procedures and ensure that these are compliant with the GDPR. Such policies and procedures should include what actions need to happen in the event of a data breach.
  2. Consider what breaches might do harm to customers/clients and pay particular attention to mitigating these risks. The most serious are either financial fraud or identity fraud, so marketing professionals should pay particular attention to passport details and other personal information stored on their servers.
  3. All companies need to invest in educating and training all employees involved in the collection and processing of data, and should automate as many processes as possible, in order to reduce the risk of human error.
  4. All companies need to set very clear, fair and transparent rules for obtaining customer consent.
  5. All companies shouldn’t keep data forever – unless of course it’s to ensure that they don’t contact someone who has expressly said that they don’t want to be contacted in the future and not having such information could lead to them being contacted again by accident.
  6. All companies should have a policy for destroying out-of-date data.
  7. All companies need to recognise the risk of consumer activism where one aggrieved customer can very quickly galvanise a mass campaign against the brand on Twitter and social network sites.
  8. Marketing professionals need to integrate data protection fully into all business processes and not treat this as an add-on or side issue.
  9. Marketers should consider the GDPR as a marketing opportunity and potentially a source of competitive advantage by performing data processing tasks more efficiently and accurately.
  10. Customers should be treated as a source of business rather than a piece of data and need to be treated fairly, with respect to their rights to privacy and without cynicism.

British Government delays progress on GDPR as EU pressure mounts

Impatience with the progress of the forthcoming EU General Data Protection Regulation (GDPR) is starting to grow within the European Union.

A recent joint declaration adopted by representatives of the German, Austrian, Belgian, Croatian, French, Greek, Hungarian, Lithuanian, Luxembourg, Dutch, Portuguese, Czech, Romanian, UK, Slovakian and Swedish parliaments called on European legislators to adopt the GDPR “by 2015”.

German Green MEP Jan Philipp Albrecht, vice chairman of the civil liberties committee at the European Parliament, warned this week that failure to agree on the new security and data protection rules was “bad for democracy” as this left European citizens exposed to snooping from foreign and European security services as well as companies.

With the current spate of data breaches emerging on a daily basis as well as EU President Juncker’s determination to ‘fast track’ the passage of the GDPR, Albrecht’s intervention in the on-going discussion on the timetable for GDPR is certain to highlight the divisions within Europe and in particular the British Government position.

What appears to be happening is the debate about the protection of an individual’s right to privacy has become conflated with issues of national security.

In the UK, MI5, MI6 and GCHQ want greater surveillance powers in order to stop terrorist activities of the type witnessed this week on the streets of Paris.

Understandably, the British Government has already brought in emergency legislation in order to equip the security forces with the tools to protect the public from such atrocities; indeed, attempts to blow up transatlantic airliners and an attack on the London Stock Exchange have all been thwarted by electronic intercepts.

The Head of MI5 Andrew Parker has warned: “I don’t want a situation where privacy is so… sacrosanct that terrorists can confidently operate from behind those walls without fear of detection.”

No one would disagree with that assessment, but the GDPR is about enabling citizens to feel more confident that their data is properly collected, stored, transferred and used in a way that’s consistent with the principles of natural justice and the rule of law.

The existing European rules on data protection were adopted in 1995 when the internet was still in its infancy and clearly the world is in a very different place now.

In January 2012, the European Commission (EC) published a vast legislative package aimed at replacing the existing rules and providing a higher level of protection of personal data across the European Union.

The package includes two legislative proposals: a general regulation on data protection that’s directly applicable across all 28 Member States and a directive specifically aimed at data protection in the police and the justice system to be incorporated into national laws by enabling legislation.

Both legislative proposals were voted on during the first reading at the European Parliament in March 2014, before the European Elections and the GDPR includes measures to protect EU citizens’ data and to restrict its use by businesses.

Since then, the data protection debate has taken several twists and turns, notably in 2013 when American whistle-blower Edward Snowden revealed that the US National Security Agency (NSA) had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called PRISM.

Predictably, this led to a call from European politicians for tighter controls to protect EU citizens’ right to privacy.

However, as a matter of logic, if someone is suspected of plotting terrorist activities and poses a threat to national security, then they have effectively waived, on the grounds of national security, the right to the protection of privacy afforded to law-abiding citizens.

No one in their right mind would think it was wrong to intercept the communications of those terrorists who murdered French citizens and who were eventually caught and killed by the police and national security authorities in a terrifying shoot-out yesterday in two different parts of Paris.

The balance of rights and responsibilities is an important one in a civilised society and matters of national security and snooping on suspected terrorists aren’t incompatible with the proposed GDPR.

But the case for reform is overwhelming and shouldn’t be unnecessarily delayed as reflected by the joint communique recently issued by EU Member States.

In the UK, an often hostile attitude towards the EU has transferred itself into a flat rejection of a unified approach to data protection across Europe. This is likely to be a point of argument in the run-up to the forthcoming General Election on 7 May 2015 where divisions between the main political parties will be exposed.

But all of this smacks of politicisation of an issue that in many respects should be above politics.

According to Albrecht, issues surrounding informed consent for the use of data, sanctions, privacy by design and red tape remain sources of friction between the European Parliament and EU Member States represented at the Council of Ministers. Albrecht has warned that failure to agree the GDPR would encourage and increase unjustified snooping of security services on citizens in Europe. The MEP is supporting efforts by Microsoft to avoid disclosing data stored by its Irish office to the US authorities.

“The US authorities shouldn’t be allowed to demand data from companies headquartered in the EU and the Commission should be supporting that position. No EU rules bind the security services and national security is the black hole of European law. That is why the introduction of the GDPR is so necessary to limit the amount of data which they can easily access,” he argues and it’s clear he too is motivated on political grounds.

The European Parliament and the European Commission (EC) want data processors to seek explicit consent from users before processing the data whereas some Member States want such consent to be “unambiguous” – a less rigorous test according to MEPs.

The EU Executive – backed by EU Member States – has proposed a maximum sanction for breach of the rules by companies of up to two percent of global turnover while MEPs wish to see this threshold lifted to five percent of global turnover or €100m fine.

Just before Christmas 2014, the EC announced partial agreement on the setting up of a one-stop shop for citizens to be able to complain to their local supervisory authority in respect of a breach anywhere within the EU. However, not all EU Member States were in favour of such a move and this also has resulted in slowing down the passage to agreement over the GDPR.

German concerns focus on how the GDPR might erode the sovereignty of the country’s powerful regions, and alongside France, Germany is sensitive to the idea that data issues could be decided in the smaller EU Member States.

The British Government remains opposed to the notion of a GDPR and instead favours the idea of the EU adopting a Directive instead.

However, for global companies looking to do business across the EU, such a position will be disastrous as it would create uncertainty in how data protection laws will be interpreted and enforced across the EU, driving up rather than lowering costs – a situation that exists today.

President Juncker has already made it clear that the borderless nature of digital technologies means it doesn’t make any practical or legal sense for each EU Member State to have its own rules for telecommunication services, copyright, data protection or the management of the radio spectrum, and many within the European Parliament agree.

“If ministers want a GDPR, it will be up to the Council to deliver it. If they want to allow companies to regulate themselves, they have to beef up the rights of individuals to overcome this with stronger levels of protection,” warns Albrecht.

June 2015 remains the indicative date by which a common general position on the GDPR should be achieved by the European Parliament and Member States.