Decision makers in the European Union (European Union, the Council and the Commission) reached an agreement in December 2015 on something that they had been working on since 2012. This decision, as it turns out would have a major impact globally as can be seen from its effects worldwide. This decision was to agree on a revised framework for data privacy, data ownership and data handling which was meant to apply to EU and its citizens. The EU defined May of 2018 as the month, when this new framework would become effective, something which had not been changed since 1995 [European Data Protection Directive (Directive 95/46/EC)].
The basic tenets of European Data Protection Regulation (GDPR) are not really different from what is common knowledge, but what differs now is that it has been codified into a regulation, something which had not been done earlier. In this article, we will go through these basics and get to understand how GDPR is in fact very good for business in the long term.
Why data security is important?
This is a rhetorical question to begin with! Our constantly-connected world has increasingly become digital to an extent that now it is possible to live comfortably without having to ever step out of our homes. We can work remotely, order food from home, communicate with our loved ones digitally and shop online. There is barely any activity which cannot be performed online. This has increased the amount of digital footprint that our lives leave behind and the amount of data that is recorded, transmitted and generated about ourselves.
With this increase in digital information about everyone, it is meaningless, may be even unwise to ask why data security is important. In the pre-digital era, we would protect our offline assets, our house, car, paper documents, and our electronics; and in the post-digital era, when each of physical assets have been virtualized, it is expected that we need to protect our digital assets.
We do not ask why insurance is important for peace of mind of our family or why seat-belts are important for our safety or even why ensuring safety and security of our family is important! In same tone, we should stop asking why data security is important.
Pre-GDPR era
The European Union, when it took up evaluation of the European Data Protection Directive (Directive 95/46/EC) realised several logical flaws in data protection guidelines, principles and regulations.
Data collectors were effectively free to do whatever they wanted to do with it no matter who it belonged to, how it was stored, how it was handled, what was intended to be done with it. This freedom arose out of a lack of clear guidelines and boundaries mainly since the then existing framework had not defined them well enough. This led to a culture of interpretation in manners that served their own business goals.
Another fallout of a weakly defined framework was that data collectors and data processors were unsure how exactly should data security be implemented. More often, it happened that while companies genuinely intended to protect their customer's information, they were unsure how exactly they should go about doing this. In absence of national regulations to guide them, internal policies ended up being undefined or under-defined.
And finally, a major consequence of the previous framework was that data privacy protection as a business activity became largely self-regulated. This created a conflict between business objectives and security objectives in organizations. Business objectives would frequently dominate over security objectives due a constant pressure on profitability. Many organizations which displayed clear intentions of upholding high standards of data privacy and security chose to adhere to frameworks such as ISO 27001, but without a regulatory mandate, it became a case of choice and not compulsion. The EU identified this gross failure and decided that self-regulation was clearly not the way forward.
There are several examples of global successes involving regulations making it clear as to what organizations are permitted to do & what they must avoid. Financial & Banking industry is one such case where it could not exist without such regulations.
In the domain on data security, which is a relatively newer field, Singapore's PDPA and HIPAA from the US excellent examples. Governments of several countries have silently been working on setting up regulations which are strong enough to set up clearly defined boundaries and principles.
Impact of a data breach
While news of a data breach are surprising, data breaches have had significant negative impact on several organizations. The most major impact that an organization faces when a data breach happens is a permanent loss of goodwill. They become examples of data security breaches. They get quoted, over and over again, in conferences, in discussions, during audits, in training programs. This impact takes a very long time to disappear. Some examples of major data breaches and their impact are listed below. These should make is clear that data breaches are usually very costly whenever they happen.
* Multiple data breaches in 2013 and 2014 knocked an estimated $350 million off Yahoo's sale price in 2016 when it announced that the breach was larger than it had estimated earlier.
* Following a breach in 2008, Heartland Payment Systems was deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS) and was not allowed to process the payments of major credit card providers until May 2009. The company also paid out an estimated $145 million in compensation for fraudulent payments.
* After a breach in 2013, Target's CIO resigned in March 2014, and its CEO resigned in May. The company later estimated the cost of the breach at $162 million.
* The data breach is believed to have cost Uber dearly in both reputation and money. At the time that the breach was announced, the company was in negotiations to sell a stake to Softbank. Initially, Uber's valuation was $68 billion. By the time the deal closed in December, its valuation dropped to $48 billion. Not all of the drop is attributable to the breach, but analysts see it being a significant factor.
* In 2014, Sony agreed to a preliminary $15 million settlement in a class action lawsuit over the breach that occurred in 2011.
What does GDPR expect from businesses?
GDPR is legally worded and presented, but it is easy to understand its general principles. GDPR wants businesses to care about data security of subjects, have a sense about rights of data subjects, and enforce responsibilities of the Controllers and Processors who manage and work on the data.
* Every business activity involving someone's data should to be lawful, fair and transparent. This is a straight-forward expectation. No business is permitted to use data illegally, unfairly or covertly.
* What is expected to be done to someone's data should be expected by, and known to, the person whose data it is. In other words, anyone should not be surprised with what a business does with their data.
* Businesses should gather only necessary amount of data for the purpose of carrying out their business.
* The data you keep must be accurate. Active involvement and engagement of data owner is recommended to maintain accuracy over a long period of time.
* Business should only keep it for as long as it is needed. Once someone's data is not required anymore, businesses should delete it.
Global relevance of GDPR
Owing to the fact that the EU has spent significant time and effort in evaluating changing needs of data privacy and security, following which it came up with a robust regulatory framework, several Governments internationally are changing their own Data Privacy and Security Laws to reflect elements of EU GDPR within their own regulations.
This in essence makes GDPR not a Europe-specific regulation, but an international one, although implemented and enforced by various Governments.
It is commonly believed within security circles that adhering to GDPR makes an organisation automatically comply with most of global standards and regulations. This belief also extends to organisations and security professionals seeing a major change in how internet behaves.
What does GDPR mean for consumers and why it is good for business?
Consumers in general are not against the idea of sharing their personal information with businesses. Rather they dislike it and react strongly if their trust is breached, which may be because an organisation did something with their data which they did not consent for, or something that they did not expect an organisation to do, or something that they clearly were opposed to when sharing their data.
And consumers are especially offended when organizations take them for granted and do something that undermines their value. This last point has been sufficiently proven by the worldwide outcry following revelations of how Facebook carelessly handed over data to Cambridge Analytica without consent.
Consumers also tend to become upset when their trust is implicitly breached when organisations do not implement adequate levels of security to protect their data and which eventually leads to a breach. In such cases, Consumers are usually more forgiving as long as the organisation is genuinely apologetic and takes measures to improve their security. This case has played out several times as with Sony PlayStation, Target, LinkedIn and Equifax, all being major breaches due to lower standards of security. All these organisations followed up their breach with improved standards of security.
GDPR addresses all of these issues of consumer trust by making it mandatory for organisations to ensure that proper consent is obtained, data is handled exactly as indicated, data is never handled carelessly, adequate measures of security are implemented to protect data, control of data is handed back to consumers, and data is deleted when not required anymore.
As against earlier times, when organisations decided for themselves as to what & how they handle security, EU GDPR makes it mandatory, makes it clear & makes it explicit. Organisations have a ready set of principles on how to go about handling consumer data and what are the bare minimum set of things that they need to do while dealing with data.
Organisations do not need to self-regulate anymore. Adhering to GDPR makes it easy and makes it clear. This leads to a scenario where trust levels of consumers on businesses improve automatically. Consumers now know that organisations are adhering to a set of principles and this is why they will trust them more.
Trust is good for consumers and trust is good for business.
Shailendra Singh is a Chief Information Security Officer at Capillary Technologies. Views expressed are his own and do not reflect the newspaper's policy.
Published: Thu 24 May 2018, 9:06 PM
Updated: Thu 24 May 2018, 11:20 PM