In today's digital age, data has become one of the most valuable assets for individuals and businesses across the world. As technology has advanced, the amount of personal data being collected and processed has grown exponentially, raising concerns about the privacy and security of individuals' data. In response, the European Union introduced the General Data Protection Regulation (GDPR) in 2018, a set of rules designed to protect the privacy and security of an individual's personal data. This article gives an overview of the GDPR and its seven principles, which are the cornerstone of the regulation. Understanding the principles of the GDPR is crucial for businesses that handle personal data, as non-compliance can result in severe penalties.

What is the GDPR?

GDPR stands for General Data Protection Regulation, a European Union (EU) regulation on data protection and privacy for all individuals inside the EU and the European Economic Area (EEA). It came into effect on May 25, 2018, and replaced the 1995 Data Protection Directive. The GDPR aims to strengthen data protection rights for individuals, harmonize data protection laws across the EU, and increase accountability and transparency for organizations that handle personal data. It requires organizations to obtain the explicit agreement of individuals before collecting, using, or disclosing their personal data, and to apply security measures that prevent unauthorized access or disclosure. The GDPR applies to any organization, regardless of its location, that processes the personal data of EU/EEA residents. Non-compliance with the GDPR can result in significant fines and other penalties.
Series 11 Episode 30
Hi and welcome, this is Cory… The European Union has had it in one form or another since 1995. Now the Australian government is looking to make changes to the way data protection should operate in 21st century Australia, after it published the recommendations of a review into this country's privacy laws. According to the details published by The Daily Aus on their Instagram feed, the review was asked to think about how privacy laws should be updated to encompass digital privacy. In 1995, the EU launched the Data Protection Directive, but that was when the internet was still young. In 2016, the European Union adopted the GDPR - the General Data Protection Regulation. It's seen by many countries as the gold standard.
https://www.instagram.com/p/Co1gjYxrgfv/
https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en
https://ministers.ag.gov.au/media-centre/landmark-privacy-act-review-report-released-16-02-2023
Follow and turn notifications on so you can be alerted when new episodes are released. The CORY feed. A Podcast from Cory O'Connor - on Anchor, Apple, Google, iHeart Radio, Spotify and more. Find clickable links and contact information for the show at the following website. https://coryoconnor.com/pod
Mark Zuckerberg has said that Facebook and Instagram might have to shut down operations if there's not a change to EU privacy requirements. It turns out that's not a threat, it's a cry for help. We learn about what might force these platforms out of the EU.
Turkey is the first 2022 stop on our global tour about data localization. What is Turkey's approach to cross-border transfers of personal data about its citizens and residents? Turkey's Law on Protection of Personal Data is comprehensive and similar to the European Union's former Data Protection Directive, though it differs in some respects. Data localization is not part of this existing Turkish law. Instead, Turkey takes a sectoral approach to cross-border collection and processing of personal data of its residents. Turkish banks must collect and store Turkish customer data within Turkey. Data localization requirements apply to payment and electronic money institutions, forcing companies like PayPal or Venmo to locate a payment system within Turkey and to comply with Turkish data privacy regulations. Social media providers must register with and report every six months to Turkish authorities about Turkish social media users. In August 2021, the Turkish Data Protection Authority (KVKK) proposed to amend Turkish law to permit cross-border data transfers if it issues an adequacy decision about another country. But unlike the GDPR, the amendment would require the foreign country to be reciprocal in its data privacy laws, a unique approach that extends beyond adequacy. If adopted, the KVKK approach would encourage multinational companies to use Turkish-based servers and a Turkish subsidiary to have broad access to the Turkish market, but would allow flexibility through binding corporate rules and by notifying the Turkish authorities of a standard undertaking. Tune in to Episode 78 to learn how and why Turkey may be aligning with evolving European standards instead of the more authoritarian and protectionist rules evident in China, Russia, and India. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.
With the fall of Privacy Shield and the Safe Harbor program, what can we expect for the future of transatlantic data transfers? Can the EU and US work out a trade deal? More on Lothar Determann.

SPEAKERS: Wayne Stacy, Lothar Determann

Wayne Stacy 00:00
Welcome, everyone, to the Berkeley Center for Law and Technology's Experts Series podcast. This is Wayne Stacy, the Executive Director for BCLT. And today we're going to talk about the future of transatlantic data transfers. And we have with us one of the great experts in the field, Dr. Lothar Determann. Doctor Determann, or I'm gonna go with Lothar for now, was or is a professor, I guess lecturer is the right title. But he's been a lecturer since 2004 of computer law and data privacy at Berkeley Law. And since 1995, he's been a tenured professor in Germany. So he brings expertise on the academic side from both sides of the Atlantic. If you look at his publications: Determann's Field Guide to Data Privacy Law, and California Privacy Law: Practical Guide and Commentary. He's actually teaching out of that this semester. And this semester, or next semester, he's got the California privacy law course that he'll be teaching at Berkeley Law. So actually, if you go through the whole list, we could spend the 15 minutes talking about the scope of all of his work, but I'll just leave it at this: he knows a lot about transatlantic data transfers. So thank you for coming today.

Lothar Determann 01:29
Thanks for inviting me, Wayne.

Wayne Stacy 01:31
So what I want to turn to first is the fact that there seem to be some large fines coming out of Europe these days, and a slow eroding, or maybe a fast eroding, of some of the shields that we used to have. So the Privacy Shield went down, you saw the Safe Harbor program go down in 2015. And now you're starting to see these new standard contractual clauses coming out. The real question about all of this, and why people get nervous, is what does this mean for transatlantic data transfers, and what's the big picture going to look like over the next few years for US companies?

Lothar Determann 02:14
For US companies, the biggest challenge has been that the General Data Protection Regulation has extended and clarified the realm of applicability to some US companies, but also that European companies are under ever more pressure in transferring personal data to the US. The European Union is a trade zone. Originally, it was called the European Economic Community when they started looking at harmonizing data protection law. And the main goal was to make it easy for companies to cooperate within the bloc and transfer data across borders. So the official title of what is now often referred to as the Data Protection Directive was really about the free flow of data in Europe. And it was kind of a compromise to say, if we're all trusting each other with data, the Germans and the Spaniards and the French and the Brits at the time before Brexit, then we do need to have a prohibition on just transferring it onward somewhere else. And that was in the directive of 1995. That was there to allow more cooperation, more sharing, more flow within Europe. And this prohibition of transferring to the US wasn't a real big deal in the first years, because there was a general understanding that the US has privacy laws, too. And the Commission worked out a compromise where US companies could sign up for a voluntary program, the Safe Harbor program, and commit to basically complying with the European rules. And then European companies could share data with them, just as if they were in Europe. But after the Snowd
On 4 June 2021 the European Commission issued new standard contractual clauses (SCCs) for data transfers between EU and non-EU countries. These modernised SCCs will replace the previous three sets of SCCs that were adopted under Data Protection Directive 95/46.
We had a unique opportunity to talk with data privacy attorney Sheila FitzPatrick. She lives and breathes data security and is a recognized expert on EU and other international data protection laws. FitzPatrick has direct experience representing companies in front of EU data protection authorities (DPAs). She also sits on various governmental data privacy advisory boards. During this first part of the interview with her, we focused on the new General Data Protection Regulation (GDPR), which she says is the biggest overhaul of EU security and privacy rules in twenty years. One important point FitzPatrick makes is that the GDPR is not only more restrictive than the existing Data Protection Directive (breach notification, impact assessment rules) but also has far broader coverage. Cloud computing companies, no matter where they are located, will be under the GDPR if they are asked to process personal data of EU citizens by their corporate customers. The same goes for companies (or controllers in GDPR-speak) outside the EU who directly collect personal data: think of any US-based e-commerce or social networking company on the web. Keep all this in mind as you listen to our in-depth discussion with this data privacy and security law professional.

Transcript

Cindy Ng
Sheila FitzPatrick has over 20 years of experience running her own firm as a data protection attorney. She also serves as outside counsel for NetApp as their chief privacy officer, where she provides expertise in global data protection compliance, cyber security regulations, and legal issues associated with cloud computing and big data. In this series, Sheila will be sharing her expertise on GDPR, PCI compliance, and the data security landscape.

Andy Green
Yeah, Sheila. I'm very impressed by your bio and the fact that you've actually dealt with some of these DPAs and EU data protection authorities that we've been writing about. I know there's been... so the GDPR will go into effect in 2018, and I'm just wondering what sort of the biggest change for companies, I guess they're calling them data controllers, is in dealing with DPAs under the law. Is there something that comes to mind first?

Sheila FitzPatrick
And thank you for the compliment, by the way. I live and breathe data privacy. This is the stuff I love. GDPR... I mean, it is certainly the biggest overhaul in 20 years when it comes to the implication of new data privacy regulations. Much more restrictive than what we've seen in the past. And most companies are struggling because they thought what was previously in place was strict. There are a couple of things that stick out when it comes to GDPR. When you look at the roles of the data controller versus the data processor, in the past many of the data processors, especially when you talk about third-party outsourcing companies and any particular cloud providers, have pushed sole liability for data compliance down to their customers. Basically saying, you decide what you're going to put in our environment, you have responsibility for the privacy and security aspects. We basically accept minimal responsibility. Usually, it's around physical security. The GDPR now is going to put very comprehensive and very well-defined regulations and obligations in place for data processors as well, saying that they can no longer flow responsibility for privacy compliance down to their customers. And if they're going to be... even if they... oftentimes, cloud providers will say, "We will comply with the laws in countries where we have our processing centers." And that's not sufficient under the new laws. Because if they have a data processing center, say, in the UK, but they're processing the data of a German citizen or a Canadian citizen or someone from Asia Pacific, Australia, New Zealand, they're now going to have to comply with the laws in those countries as well. They can't just push it down to their customers.

The other part of GDPR that is quite different, and it's one of the first times it's really going to be put into place, is that it doesn't just apply to companies that have operations within the EU. It is basically any company, regardless of where they're located and regardless of whether or not they have a presence in the EU: if they have access to the personal data of any EU citizen, they will have to comply with the regulations under the GDPR. And that's a significant change. And then the third one being the sanction. And the sanction can be 20,000,000 euro or 4% of your global annual revenue, whichever is higher. That's a substantial change as well.

Andy Green
Right, so that's some big, big changes. So you're referring to, I think, what they call 'territorial scope'? They don't have to necessarily have an office or an establishment in the EU as long as they are collecting data? I mean, we're really referring to social media and to web commerce, or e-commerce.

Sheila FitzPatrick
Absolutely, but it's going to apply to any company. So even if, for instance, you say, "Well, we don't have any... we're just a US domestic company," but if you have employees in your environment that hold EU citizenship, you will have to protect their data in accordance with GDPR. You can't say, well, they're working in the US, therefore US law applies. That's not going to be the case if they know that the individual holds citizenship in the EU.

Andy Green
We're talking about employees, or...?

Sheila FitzPatrick
Could be employees, absolutely. Employees...

Andy Green
Anybody?

Sheila FitzPatrick
Anybody.

Andy Green
Isn't that interesting? I mean, one question about this expanded territorial scope is, how are they going to enforce this against US companies? Or not just US, but any company that is doing business but doesn't necessarily have an office or an establishment?

Sheila FitzPatrick
Well, it can be... see, what happens under GDPR is any individual can file a complaint with the courts in basically any jurisdiction. They can file it at the EU level. They can file it within the countries where they hold their citizenship. They can file it now with US courts, although the US courts... and part of that is tied to the new Privacy Shield, which is a joke. I mean, I think that will be invalidated fairly quickly. With the whole Redress Act, it does allow EU citizens to file complaints with the US courts to protect their personal data in accordance with EU laws.

Andy Green
So, just to follow through, if I came from the UK into the US and was doing transactions, credit card transactions, my data would be protected under EU law?

Sheila FitzPatrick
Well, if the company knows you're an EU citizen. They're not going to necessarily know. So, in some cases, if they don't know, they're not going to be held accountable. But if they absolutely do know, then they will have to protect that data in accordance with UK or EU law. Well, not the UK... if Brexit goes through, the EU law won't matter. The UK Data Protection Act will take precedence.

Andy Green
Wow. You know, it's just really fascinating how data protection and privacy now is just so important. Right, with the new GDPR? For everybody, not just the EU companies.

Sheila FitzPatrick
Yeah, and it's always been important, it's just the US has a totally different attitude. I mean, the US has the least restrictive privacy laws in the world. So for individuals that have really never worked or lived outside of the US, the mindset is very much the US mindset, which is the business takes precedence. Whereas everywhere else in the world, the fundamental right to privacy takes precedence over everything.

Andy Green
We're getting a lot of questions from our customers on the new Breach Notification rule...

Sheila FitzPatrick
Ask me.

Andy Green
...in the GDPR. I was wondering if you could talk about... What is one of the most important things you would do when you discover a breach? I mean, if you could prioritize it in any way. How would you advise a customer about how to have a breach response program in a GDPR context?

Sheila FitzPatrick
Yeah. Well, first and foremost, you do need to have in place, before a breach even occurs, an incident response team that's not made up of just IT. Because normally organizations have an IT focus. You need to have a response team that includes IT, your chief privacy officer. And if the person... normally a CPO would sit in legal. If he doesn't sit in legal, you want a legal representative in there as well. You need someone from PR, communications, that can actually be the public-facing voice for the company. You need to have someone within Finance and Risk Management that sits on there. So the first thing to do is to make sure you have that group in place that goes into action immediately. Secondly, you need to determine what data has potentially been breached, even if it hasn't. Because under GDPR, it's not... previously it's been if there's definitely been a breach that can harm an individual. The definition is if it's likely to affect an individual. That's totally different than if the individual could be harmed. So you need to determine, okay, what data has been breached, and does it impact an individual? So, as opposed to if company-related information was breached, there's a different process you go through. If individual employee or customer data has been breached, the individual, is it likely to affect them? So that's pretty much anything. That's a very broad definition. If someone gets a hold of their email address, yes, that could affect them. Someone could email them who is not authorized to email them. So, you have to launch into that investigation right away and then classify the data. Any intrusion into the data, what is that data classified as? Is it personal data? Is it personal sensitive data? And then rank it based on: is it likely to affect an individual? Is it likely to impact an individual? Is it likely to harm an individual? So there could be three levels. Based on that, what kind of notification? So if it's likely to affect or impact an individual, you would have to let them know. If it's likely to harm an individual, you absolutely have to let them know and the data protection authorities know.

Andy Green
And the DPA, right? So, if I'm a consumer, the threshold is... in other words, if the company's holding my data, I'm not an employee, the threshold is likely to harm or likely to affect?

Sheila FitzPatrick
Likely to affect.

Andy Green
Affect. Okay. That's a little more generous in terms of...

Sheila FitzPatrick
Right. Right. And that has changed, so it's put more accountability on a company, because you know that a lot of companies have probably had breaches and have never reported them. So, because they go, oh well, there was no Social Security Number, National Identification number, or financial data. It was just their name and their address and their home phone number or their cell phone. And the definition previously has been, well, it can't really harm them. We don't need to let them know. And then all of a sudden people's names show up on these mailing lists. And they're starting to get this unsolicited marketing. And they can't determine whether or not... how did they get that? Was it based on a breach or is it based on trolling the Internet and gathering information and a broker selling that information? That's the other thing. Brokers are going to be impacted by the new GDPR, because in order to sell their lists they have to have explicit consent of the individual to include their name on a list that they're going to sell to companies.

Andy Green
Alright. Okay. So, it's quite consumer friendly compared to what we have in the US.

Sheila FitzPatrick
Yes.

Andy Green
Is there sort of new rules about what they call sensitive data? And if you're going to process certain classes of sensitive data, you need approval from the... I think at some point you might need approval from the DPA? You know what I'm referring to? I think it's the...

Sheila FitzPatrick
Yes. Absolutely. I mean, that's always been in place in most of the member states. So, if you look at the member states that have the more restrictive data privacy laws, like Germany, France, Italy, Spain, Netherlands, they've always had the requirement that you have to register the data with the data protection authorities. And in order to collect and transfer outside of the country of origination any sensitive data, it did require approval. The difference now is that any personal data that you collect on an individual, whether it's an employee, whether it's a customer, whether it's a supplier, you have to obtain unambiguous and freely given explicit consent. Now this is any kind of data, and that includes sensitive data. Now the one difference with the new law is that there are just a few categories which are truly defined as sensitive data. That's not what we think of as sensitive data. We think of, like, birth date. Maybe gender. That information is certainly considered sensitive under... that's personal data under EU law and everywhere else in the world, so it has to be treated to a high degree of privacy. But the categories that are political/religious affiliation, medical history, criminal convictions, social issues and trade union membership: that's a subset. It's considered highly sensitive information in Europe. To collect and transfer that information is going to now require explicit approval not only from the individual but from the DPA. Separate from the registrations you have done.

Andy Green
So, I think what I'm referring to is what they call the Impact Assessment.

Sheila FitzPatrick
Privacy Impact Assessments have to be conducted now anytime... and we've always... Anytime I've worked with any company, I've implemented Privacy Impact Assessments. They're now required under the new GDPR for any collection of any personal data.

Andy Green
But sensitive data... I think they talked about DNA data or bio-related data.

Sheila FitzPatrick
Oh no. So, what you're doing... What happened under GDPR, they have expanded the definition of personal data. And so that's not the sensitive, that's expanding the definition of personal data to include biometric information, genetic information, and location data. That data was never included under the definition of personal data. Because the belief was, well, you can't really tie that back to an individual. They have found out since the original laws were put in place that yes, you can indeed tie that back to an individual. So, that is now included in the definition.

Andy Green
In sort of catching up a little bit with that technology?

Sheila FitzPatrick
Yeah. Exactly. But part of what GDPR did was it went from being a law around processing of personal data to a law that really moves you into the digital age. So, it's anything about tracking or monitoring or tying different aspects or elements of data together to be able to identify a person. So, it's really entering into the digital age. So, it's trying to catch up with new technology.

Andy Green
I have one more question on the GDPR subject. There's some mention in the law about sort of outside bodies that can certify...?

Sheila FitzPatrick
Well, they're talking about having private certifications and privacy codes. Right now, those are not in place. The highest standard you have right now for privacy law is what's called Binding Corporate Rules. And so companies that have their Binding Corporate Rules in place, there are fewer than a hundred companies worldwide that have those. And actually, I've written them for a number of companies, including NetApp, which has Binding Corporate Rules in place. That is the gold standard. If you have BCRs, you are 90% compliant with GDPR. But the additional certifications that they're talking about aren't in place yet.

Andy Green
So, it may be possible to get a certification from some outside body and that would somehow help prove your... I mean, so if an incident happens and the DPA looks into it, having that compliance should help a little bit in terms of any kind of enforcement action?

Sheila FitzPatrick
Yes, it certainly will, once they come up with what those are. Unless you have Binding Corporate Rules. But right now... I mean, if you're thinking something like TRUSTe. No, there is no TRUSTe certification. TRUSTe is a US certification for privacy, but it's not a certification for GDPR.

Andy Green
Alright. Well, thank you so much. I mean, these are questions that... I mean, it's great to talk to an expert and get some more perspective on this.
Welcome to Season 1, Episode 011, of Web and BeyondCast, "GDPR for Small Business." (If you’re reading this in a podcast directory/app, please visit http://webandbeyondcast.com/011 for clickable links and the full show notes and transcript of this cast.)

According to Verizon’s 2018 Data Breach Investigations Report, “58% of malware attack victims are categorized as small businesses.” And in the 2017 Cybercrime Report by Cybersecurity Ventures, they note that “cybercrime damages will cost the world $6 trillion annually by 2021.” It’s with this general risk in mind that the European Union started the process of updating its already-existing Data Protection Directive from 1995, and enacted the General Data Protection Regulation. Or, as some of you might have heard it by its acronym, GDPR. I’ll call it GDPR for the rest of this episode.

I’ve gotten many questions about this topic, so in today’s episode, I’m going to do a deep-dive into:
What is GDPR?
Who does GDPR apply to?
What are the key provisions of GDPR for small business?
What actions should you take to be and stay GDPR-compliant?

Disclaimer: None of this should be taken as legal advice. I’m trying to give an explanation of a highly complex, evolving extraterritorial law, and additional laws, and if you have specific questions about your situation and the laws that impact your business, you should seek licensed legal counsel in your jurisdiction.

In this Cast | GDPR for Small Business
Ray Sidney-Smith, Host

Show Notes | GDPR for Small Business
Resources we mention, including links to them, will be provided here. Please listen to the episode for context.
Key Terminology:
Subject - a living, natural person (so corporate/business entities, governments or anything other than a living human being don’t count under GDPR).
Personal Data - any data that can identify a subject directly or indirectly; some common forms of Personal Data are a living person’s name, address, phone number, date of birth, and tax identification number, but it encompasses any data that fits this category. Anonymous data does not apply.
Personal Sensitive Data, or Sensitive Personal Data - a class of Personal Data that should be subjected to a higher level of protection; it includes “data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.”
Data Controller - a person or entity “which...determines the purposes and means of the processing of personal data”.
Data Processor - a person or entity which processes personal data on behalf of a Data Controller.

Key Provisions:
Data Security versus Data Privacy - a chain link fence versus a 10’ solid brick wall.
GDPR applies to customers and employees of your business.
Right to Consent ...for the data you collect about your customers and employees. This includes access to that data.
Right of Access ...to the data about you.
Right to Portability ...exportable and in a usable format.
Right to “Rectification” ...fix inaccurate data or request data not be used any longer.
Right to Erasure ...aka right to be forgotten ...erasure of the subject’s data upon request.
All of these aforementioned requests from data subjects are to be responded to within 30 days, and you cannot charge them for it; it must be free of charge.
Right to be Informed ...in the event of a data breach that “is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
General Data Protection Regulation
Following the Data Protection Directive of 1995
ePrivacy Directive of 2002 (cookie law)

Articles
https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/
https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice
General Data Protection Regulation EU Site: https://www.gdpreu.org/
Privacy by Design: https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/

Questions
• What?
• Why?
• Who is affected?
○ Am I a controller?
○ Am I a processor?
• What data is included in protection?
• What protection is required?
• What to protect against?
• What consent is required?
• What are the penalties?

Privacy Impact Assessments
A Privacy Impact Assessment (PIA), which is required under GDPR for data-intensive projects, is a living document which must be made accessible to all involved with a project. It is the process by which you discuss, audit, inventory, and mitigate the privacy risks inherent in the data you collect and process. Like all GDPR documentation, a PIA can be requisitioned by a data protection regulator in the event of a privacy concern or data breach. Not having a PIA is not an option.
Sue Foster is a London-based partner at Mintz Levin. In the second part of the interview, she discusses the interesting loophole for ransomware breach reporting requirements that's currently in the GDPR However, there's another EU regulation going into effect in May of 2018, the NIS Directive, which would make ransomware reportable. And Foster talks about the interesting implications of IOT devices in terms of the GDPR. Is the data collected by your internet-connected refrigerator or coffee pot considered personal data under the GDPR? Foster says it is! Inside Out Security Sue Foster is a partner with Mintz Levin based out of the London office. She works with clients on European data protection compliance and on commercial matters in the fields of clean tech, high tech, mobile media, and life sciences. She's a graduate of Stanford Law School. SF is also, and we like this here at Varonis, a Certified Information Privacy Professional. I'm very excited to be talking to an attorney with a CIPP, and with direct experience on a compliance topic we cover on our blog — the General Data Protection Regulation, or GDPR. Welcome, Susan. Sue Foster Hi Andy. Thank you very much for inviting me to join you today. There's a lot going on in Europe around cybersecurity and data protection these days, so it's a fantastic set of topics. IOS Oh terrific. So what are some of the concerns you're hearing from your clients on GDPR? SF So one of the big concerns is getting to grips with the extra-territorial reach. I work with a number of companies that don't have any office or other kind of presence in Europe that would qualify them as being established in Europe. But they are offering goods or services to people in Europe. And for these companies, you know in the past they've had to go through quite a bit of analysis to understand the Data Protection Directive applies to them. Under the GDPR, it's a lot clearer and there are rules that are easier for people to understand and follow. 
So now when I speak to my U.S. clients, if they're a non-resident company that promotes goods or services in the EU, including free services like a free app, for example, they'll be subject to the GDPR. That's very clear. Also, if a non-resident company is monitoring the behavior of people who are located in the EU, including tracking and profiling people based on their internet or device usage, or making automated decisions about people based on their personal data, the company is subject to the GDPR. It's also really important for U.S. companies to understand that there's a new ePrivacy Regulation in draft form that would cover any provider, regardless of location, of any form of publicly available electronic communication services to EU users. Under this ePrivacy Regulation, the notion of what these communication services providers are is expanded from the current rules, and it includes things that are called over-the-top applications – so messaging apps and communications features, even when a communication feature is just something that is embedded in a website. If it's available to the public and enables communication, even in a very limited sort of forum, it's going to be covered. That's another area where U.S. companies are getting to grips with the fact that European rules will apply to them. There's this new security regulation as well that may apply to companies located outside the EU. So all of these things are combining to suddenly force a lot of U.S. companies to get to grips with European law.

IOS: So just to clarify, let's say a small U.S. social media company that doesn't market specifically to EU countries, doesn't have a website in the language of some of the EU countries, they would or would not fall under the GDPR?

SF: On the basis of their [overall] marketing activity they wouldn't. But we would need to understand if they're profiling or they're tracking EU users or through viral marketing that's been going on, right?
And they are just tracking everybody. And they know that they're tracking people in the EU. Then they're going to be caught. But if they're not doing that, if they're not engaging in any kind of tracking, profiling, or monitoring activities, and they're not affirmatively marketing into the EU, then they're outside of the scope. Unless of course, they're offering some kind of service that falls under one of these other regulations that we were talking about.

IOS: What we're hearing from our customers is that the 72-hour breach rule for reporting is a concern. And our customers are confused and after looking at some of the fine print, we are as well! So I'm wondering if you could explain the breach reporting in terms of thresholds, what needs to happen before a report is made to the DPAs and consumers?

SF: Sure, absolutely. So first it's important to look at the specific definition of personal data breach. It means a breach of security leading to the ‘accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data’. So it's fairly broad. The requirement to report these incidents has a number of caveats. So you have to report the breach to the Data Protection Authority as soon as possible, and where feasible, no later than 72 hours after becoming aware of the breach. Then there's a set of exceptions. And that is unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. So I can understand why U.S. companies would sort of look at this and say, ‘I don't really know what that means’. How do I know if a breach is likely to ‘result in a risk to the rights and freedoms of natural persons’? Because that's not defined anywhere in this regulation! It's important to understand that that little bit of text is EU-speak that really refers to the Charter of Fundamental Rights of the European Union, which is part of EU law.
There is actually a document you can look at to tell you what these rights and freedoms are. But you can think of it basically in common sense terms. Are the person's privacy rights affected, are their rights and the integrity of their communications affected, or is their property affected? So you could, for example, say that there's a breach that isn't likely to reveal information that I would consider personally compromising from a privacy perspective, but it could lead to fraud, right? So that could affect my property rights. So that would be one of those issues. Basically, most of the time you're going to have to report the breach. When you're going through the process of working out whether you need to report the breach to the DPA, and you're considering whether or not the breach is likely to result in a risk to the rights and freedoms of natural persons, one of the things that you can look at is whether people are practically protected. Or whether there's a minimal risk because of steps you've already taken such as encrypting data or pseudonymizing data and you know that the key that would allow re-identification of the subjects hasn't been compromised. So these are some of the things that you can think about when determining whether or not you need to report to the Data Protection Authority. If you decide you have to report, you then need to think about ‘do you need to report the breach to the data subjects’, right? And the standard there is that it has to be a “high risk to the rights and freedoms of natural persons”. So a high risk to someone's privacy rights or rights on their property and things of that sort. And again, you can look at the steps that you've taken to either prevent the data from — you know before it even was leaked — prevent it from being potentially vulnerable in a format where people could be damaged. Or you could think also about whether you've taken steps after the breach that would prevent those kinds of risks from happening.
Now, of course, the problem is the risk of getting it wrong, right? If you decide that you're not going to report after you go through this full analysis and the DPA disagrees with you, now you're running the risk of a fine of up to 2% of the group’s global turnover, or gross revenue around the world. And that, I think, is going to lead to a lot of companies being cautious in reporting, when they might even have been able to take advantage of some of these exceptions but they won't feel comfortable with that.

IOS: I see. So just to bring it to more practical terms. We can assume that let's say credit card numbers or some other identification number, if that was breached or taken, would have to be reported both to the DPA and the consumer?

SF: Most likely. I mean if it's... yeah, almost certainly. Particularly if the security code on the back of the card has been compromised, and absolutely you've got a pretty urgent situation. You also have a responsibility to basically provide a risk assessment to the individuals, and advise them on steps that they can take to protect themselves such as canceling their card immediately.

IOS: One hypothetical that I wanted to ask you about is the Yahoo breach, which technically happened a few years ago. I think it was over two years ago … Let's say something like that had happened after the GDPR where a company sort of had known that there was something happening that looked like a breach, but they didn't know the extent of it. If they had not reported it, and waited until after the 72-hour rule, what would have happened to let's say a multinational like Yahoo?
SF: Well, Yahoo would need to go through the same analysis, and it's hard to imagine that a breach on that scale and with the level of access that was provided to the Yahoo users' accounts as a result of those breaches, and of course the fact that people know that it's very common for individuals to reuse passwords across different sites, and so you, you know, have the risk of follow-on problems. It's hard to imagine they would be in a situation where they would be off the hook for reporting. Now the 72-hour rule is not hard and fast. But the idea is you report as soon as possible. So you can delay for a little while if it's necessary for, say, a law enforcement investigation, right? That's one possibility. Or if you're doing your own internal investigation and somehow that would be compromised or taking security measures would be compromised in some way by reporting it to the DPA. But that'll be pretty rare. Obviously going along for months and months with not reporting it would be beyond the pale. And I would say a company like Yahoo would potentially be facing a fine of 2% of its worldwide revenue!

IOS: So this is really serious business, especially for multinationals. This is also a breach reporting related question, and it has to do with ransomware. We're seeing a lot of ransomware attacks these days. In fact, when we visit customer sites and analyze their systems, we sometimes see these attacks happening in real time. Since a ransomware attack encrypts the file data but most of the time doesn't actually take the data or the personal data, would that breach have to be reported or not?

SF: This is a really interesting question! I think the by-the-book answer is, technically, if a ransomware attack doesn't lead to the accidental or unlawful destruction, loss, or alteration or unauthorized disclosure of or access to the personal data, it doesn't actually fall under the GDPR's definition of a personal data breach, right?
So, if a company is subject to an attack that prevents it from accessing its data, but the intruder cannot itself access, change or destroy the data, you could argue it's not a personal data breach, therefore not reportable. But it sure feels like one, doesn't it?

IOS: Yes, it does!

SF: Yeah. I suspect we're going to find that the new European Data Protection Board will issue guidance that somehow brings ransomware attacks into the fold of what's reportable. I don't know that for sure, but it seems likely to me that they'll find a way to do that. Now, there are two important caveats. Even though, technically, a ransomware attack may not be reportable, companies should remember that a ransomware attack could cause them to be in breach of other requirements of the GDPR, like the obligation to ensure data integrity and accessibility of the data. Because by definition, you know, the ransomware attack has made the data non-accessible and has totally corrupted its integrity. So, there could be a liability there under the GDPR. And also, the company that's suffering the ransomware attack should consider whether they're subject to the new Network and Information Security Directive, which is going to be implemented in national laws by May 9th of 2018. So again, May 2018 being a real critical time period. That directive requires service providers to notify the relevant authority when there's been a breach that has a substantial impact on the services, even if there was no GDPR personal data breach. And the Network and Information Security Directive applies to a wide range of companies, including those that provide “essential services”. Sort of the fundamentals that drive the modern economy: energy, transportation, financial services. But also, it applies to digital service providers, and that would include cloud computing service providers.
You know, there could be quite a few companies that are being held up by ransomware attacks who are in the cloud space, and they'll need to think about their obligations to report even if there's maybe not a GDPR reporting requirement.

IOS: Right, interesting. Okay. As a security company, we've been preaching Privacy by Design principles, data minimization and retention limits, and in the GDPR it's now actually part of the law. The GDPR is not very specific about what has to be done to meet these Privacy by Design ideas, so do you have an idea what the regulators might say about PbD as they issue more detailed guidelines?

SF: They'll probably tell us more about the process but not give us a lot of insight as to specific requirements, and that's partly because the GDPR itself is very much a show-your-work regulation. You might remember back on old, old math tests, right? When you were told, ‘Look, you might not get the right answer, but show all of your work in that calculus problem and you might get some partial credit.’ And it's a little bit like that. The GDPR is a lot about process! So, the push for Privacy by Design is not to say that there are specific requirements other than paying attention to whatever the state of the art is at the time. So, really looking at the available privacy solutions at the time and thinking about what you can do. But a lot of it is about just making sure you've got internal processes for analyzing privacy risks and thinking about privacy solutions. And for that reason, I think we're just going to get guidance that stresses that, develops that idea. But any guidance that told people specifically what security technologies they needed to apply would probably be good for, you know, 12 or 18 months, and then something new would come along. Where we might see some help is, eventually, in terms of ISO standards.
Maybe there'll be an opportunity in the future for something that comes along that's an international standard, that talks about the process that companies go through to design privacy into services and devices, etc. Maybe then we'll have a little more certainty about it. But for now, and I think for the foreseeable future, it's going to be about showing your work, making sure you've engaged, and that you've documented your engagement, so that if something does go wrong, at least you can show what you did.

IOS: That's very interesting, and a good thing to know. One last question: we've been following some of the security problems related to Internet of Things devices, which are gadgets on the consumer market that can include internet-connected coffee pots, cameras, children's toys. We've learned from talking to testing experts that vendors are not really interested in PbD. It's ship first, maybe fix security bugs later. Any thoughts on how the GDPR will affect IoT vendors?

SF: It will definitely have an impact. The definition of personal data under the GDPR is very, very broad. So, effectively, anything that I am saying that a device picks up is my personal data, as well as data kind of about me, right? So, if you think about a device that knows my shopping habits that I can speak to and I can order things, everything that the device hears is effectively my personal data under the European rules. And Internet of Things vendors do seem to be lagging behind in Privacy by Design. I suspect we're going to see investigations and fines in this area early on, when the GDPR starts being enforced in May 2018. Because the stories about the security risks of, say, children's toys have really caught the attention of the media and the public, and the regulators won't be far behind. And now, we have fines for breaches that range from 2% to 4% of a group's global turnover.
It's an area that is ripe for enforcement activity, and I think it may be a surprise to quite a few companies in this space. It's also really important to go back to this important theme that there are other regulations, besides the GDPR itself, to keep track of in Europe. The new ePrivacy Regulation contains some provisions targeted at the internet of things, such as the requirement to get consent from consumers for machine-to-machine transfers of communications data, which is going to be very cumbersome. The [ePrivacy] Regulation says you have to do it, it doesn't really say how you're going to get consent, meaningful consent, that’s a very high standard in Europe, to these transfers when there's no real intelligent interface between the device and the person, the consumer who's using it. Because there are some things that have, maybe, kind of a web dashboard. There's some kind of app that you use and you communicate with your device, you could have privacy settings. There's other stuff that's much more behind the scenes with Internet of Things, where the user is not having a high level of engagement. So, maybe a smart refrigerator that's relaying information about energy consumption to, you know, the grid. Even there, you know, there's potentially information where the user is going to have to give consent to the transfer. And it's hard to kind of imagine exactly what that interface is going to look like! I'll mention one thing about the ePrivacy Regulation. It's in draft form. It could change, and that's important to know. It's not likely to change all that much, and it's on a fast-track timeline because the Commission would like to have it in place and ready to go in May 2018, the same time as the GDPR.

IOS: Sue Foster, I'd like to thank you again for your time.

SF: You're very welcome. Thank you very much for inviting me to join you today.
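The "practically protected" condition Foster describes in the breach-reporting discussion above (pseudonymised data where the re-identification key has not been compromised) depends entirely on how the pseudonyms were produced. The Python below is an added example, not code from the interview, from Mintz Levin or from Varonis: it contrasts an unkeyed SHA-256 pseudonym, which an attacker holding the leaked column can reverse simply by hashing every candidate identifier, with an HMAC-SHA256 pseudonym under a key stored apart from the data, which the leaked dataset alone does not let them reverse. The identifier format (a hypothetical customer number C00000 to C99999), the sample records and the keys are all constructed for the demonstration.

```python
# Keyed pseudonymisation versus an unkeyed hash.
# Added example, not code from the interview or from Varonis. The identifier
# space (hypothetical "C" + five digits customer numbers), the sample records
# and the keys below are constructed for the demo.
import hashlib
import hmac
import secrets

ID_SPACE = 100_000  # hypothetical customer numbers C00000..C99999


def candidate_ids():
    """Every identifier an attacker could try. A small space like this, or a
    list obtained elsewhere (e-mail addresses, phone numbers), is enough."""
    return (f"C{n:05d}" for n in range(ID_SPACE))


def unkeyed_pseudonym(customer_id: str) -> str:
    """Naive scheme: plain SHA-256 of the identifier. Deterministic and
    keyless, so anyone holding the leaked column can recompute it."""
    return hashlib.sha256(customer_id.encode()).hexdigest()


def keyed_pseudonym(customer_id: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key. Only the key holder
    can recompute the mapping, so the key must be stored apart from the data
    (KMS, HSM, or at least a separate system with separate access control)."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def reidentify_by_enumeration(leaked_pseudonyms, key=None):
    """Attacker model: hash every candidate identifier and look the leaked
    pseudonyms up in the result. key=None attacks the unkeyed scheme; passing
    a key attacks the keyed scheme, which only succeeds if that key is the
    real one, i.e. if the key was compromised along with the data."""
    if key is None:
        table = {unkeyed_pseudonym(c): c for c in candidate_ids()}
    else:
        table = {keyed_pseudonym(c, key): c for c in candidate_ids()}
    return {p: table[p] for p in leaked_pseudonyms if p in table}


def breach_demo():
    """Simulate a leak of the pseudonymised identifier column under both
    schemes and report which subjects each attack re-identifies."""
    records = ["C04213", "C77710", "C00042"]  # constructed sample identifiers
    real_key = secrets.token_bytes(32)        # held by the controller, outside the dataset
    guessed_key = secrets.token_bytes(32)     # all an attacker without the key can try

    leaked_unkeyed = [unkeyed_pseudonym(r) for r in records]
    leaked_keyed = [keyed_pseudonym(r, real_key) for r in records]

    return {
        # unkeyed hash: the whole column falls to a dictionary of candidates
        "unkeyed": reidentify_by_enumeration(leaked_unkeyed),
        # keyed, key not compromised: nothing recoverable from the data alone
        "keyed_key_safe": reidentify_by_enumeration(leaked_keyed, guessed_key),
        # keyed, key compromised too: the protection is gone and the
        # identifiers have to be treated as exposed
        "keyed_key_leaked": reidentify_by_enumeration(leaked_keyed, real_key),
    }


if __name__ == "__main__":
    for scenario, recovered in breach_demo().items():
        print(f"{scenario}: {len(recovered)} of 3 subjects re-identified")
```

Run it and the unkeyed column is fully re-identified while the keyed column yields nothing unless the key leaked with it. That is the distinction that matters in the DPA analysis above: an unkeyed hash over a small identifier space, or a keyed pseudonym whose key sat in the same database, gives no real protection, and the breach should be assessed as if the identifiers themselves were exposed. It is also why Article 4(5) of the GDPR defines pseudonymisation as requiring the additional information needed for re-identification to be kept separately under technical and organisational measures.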
We’ve been writing about the GDPR for the past few months now and with the GDPR recently passed into law, we thought it was worth bringing together a panel to discuss its implications. In this episode of the Inside Out Security Show, we discuss how the GDPR will impact businesses, Brexit, first steps you should take in order to protect EU consumer data and much more. Go from beginning to end, or feel free to bounce around.

What is the EU General Data Protection Regulation?
Who will be tasked to implement GDPR?
What’s the first step you need to take when implementing GDPR?
Data Breach Notification
Brexit and GDPR
Territorial Scope
Tension between Innovation and Security
Tips on Protecting Customer Data
Final Thoughts

Upcoming Webinars: July 21st English, July 28th German and French

Cindy: Hi and welcome to another edition of the Inside Out Security show. I’m Cindy Ng, a writer for Varonis’s Inside Out Security blog. And as always, I’m joined by security experts Mike Buckbee, Rob Sobers, and Kilian Englert. Hey, Kilian.

Kilian: Hi Cindy.

Cindy: Hey Rob.

Rob: Hey Cindy, how is it going?

Cindy: Good. And hey, Mike.

Mike: Hey Cindy, you made me go last this week. That’s all right.

Cindy: This week, we also have two special guests, also security experts. Andy Green, who is based in New York, and Dietrich Benjies, who is based in the UK. And they’re here to join us to share their insights on the latest General Data Protection Regulation that was just passed with an aim to protect consumer data, and that will impact businesses not only in the EU and Britain but also in the US and the rest of the world. So hi Andy.

Andy: Hey Cindy.

Cindy: Hey Dietrich.

Dietrich: Hi Cindy.

What is the EU General Data Protection Regulation?

Cindy: So, let’s start with the facts. First, what is GDPR and what are its goals?

Andy: In one sentence? Can I get two?

Cindy: You get two and a half.

Andy: Okay, two and a half. So it stands for General Data Protection Regulation.
It’s a successor to the EU’s current data security directive which is called the Data Protection Directive, DPD. And it really…I mean if you are under the rules now, the GDPR will not be a major change but it does add a few key major additions. And one of those is…well there are stronger rules on, let’s say, the right to access your data. You really have … almost like a bill of rights. One of them is that you can see your data, which is maybe not something in the US we are experienced with. Also, another new thing is you have a right of portability, which is something that Facebook probably hates. In other words, you can download the [personal] data. If I were, I assume this would happen in the UK or the EU, that if you are a Facebook customer you will be able to download everything that Facebook has and have it in some sort of portable format. And I guess that [if you have another] social media service, you can then upload that data to that social media service and say goodbye to Facebook, which is kind of not something they’re very happy about. … You have almost like consumer data rights under the new rule. I don’t know if anyone has any comments on some of these things but I think that’s…that, I think, is like a big deal.

Dietrich: I’m sorry Mike. Were you going to go next? I chimed in so I suppose I’ll carry on-

Cindy: Go ahead, Dietrich.

Dietrich: So I think in terms of your attendance, it’s the European Union recognizing that data is…the European citizens recognize their data as important and historically, recently and historically, there have been many cases where it hasn’t been demonstrated to be appropriately controlled. And as it’s a commodity, the information on them is a commodity traded on the open market to a degree that there has just been an increasing demand to have greater safeguards on their data.
And those greater safeguards on European citizen data give them greater confidence in the market, in the electronic market that the world economic market has become. So the two pillars, which we’ll get to, or the two tenets are Privacy by Design and accountability by design … we’ll get to a lot of things but that’s a synopsis of it.

Mike: I was curious about to what extent this was targeting enterprises or is it targeting, say like you brought up Facebook, which I consider an application, like a web application service. Was there an intent behind this, that it’s targeting more one or the other?

Andy: Yeah. It’s definitely, I would say consumers. I mean it’s really very consumer-oriented.

Dietrich: Mike, do you mean in terms of it’s targeting the consumers? Yes, it’s consumer data. It’s related to but do you mean in terms of the types of businesses where it’s most applicable? Is that what you mean Mike?

Mike: Well, you know, there is a decision-making framework that, so now with GDPR as the Data Protection Directive to need to make decisions, that I’m building an application, I’m going to need to have new privacy features. We talked about Privacy by Design which has its own sort of tenets. Or I’m building out the policies for my company which has satellite offices all over the world and some of them happen to be in the EU. Just trying to look at the impact and look at how this should change my decision making on the business.

Dietrich: Well, it’d be cynical. I’d say if you want to avoid it totally and entirely, just don’t sell to an EU citizen.

Rob: Yeah, I think, to answer your question, Mike, the Facebooks of the world and these global web services are going to have to worry about it if they are collecting data. And we all know Facebook not only collects the data that you give them but it also ascertains data through your actions.
And I think that’s what Andy was talking about is that it’s not just the ability to click a button and say give me my profile data back now so I can take it with me. It’s like I put that data in but I think what the GDPR is aiming to do is give you back the data that they’ve gathered on you from other sources. So tell me everything you know about me because I want to know what you know about me. And that’s, I think, a very important thing. And I really hope that the US goes in that direction. But outside of those web services, think about like any bank that serves an EU customer. So any bank, any healthcare organization, so other businesses outside of these big global web services certainly do have to worry about it, especially if you look in your customer database or any kind of…if you are a retailer, your transaction database, and you have information that belongs to EU citizens then this is something that you should at least be thinking through.

Who will be tasked to implement GDPR?

Cindy: So who needs to really pay close attention to the law so that you are executing all the requirements properly?

Dietrich: Who needs to pay attention to it in terms of those organizations and scope? It’s pretty well spelled out that the organizations who deal with, who transfer, who process big things on processing and doing this information associated to European citizens. So if I backtrack a bit, it was where we are starting with the portability of the data, the information that we have, that organizations have on individuals and those subject access requests, right to erasure, kind of the first and foremost is the protection element. Making sure that the data is protected, that we are not…organizations aren’t putting us at risk by the fact that they are holding our data and making that overexposed.

Kilian: To kind of address the question more technically speaking, I think … everybody involved in the process needs to pay attention to it.
From the people designing the app, Mike, if you want to launch your business, you need to realize that there are…boundaries are kind of made up anymore with technology. So right from the beginning, we’ll talk about Privacy by Design. But that needs to be the first step, all the way up to the CEO of the company or the board realizing that this is a global marketplace. So they want to get the most amount of customers, so they have to take it seriously.

Andy: Yeah, I was going to say that they do have a heart at the EU … and they do make an exception … there is some language for making exceptions for smaller businesses or businesses that are not sort of collecting data on, what they say, like on a really large scale–whatever that means! What you are saying is all true but I think they do say that they will sort of scale some of the interpretations for smaller businesses so the enforcement is not as rough. And there may even be an exclusion, I forget, for under 250 employee companies. But I think you are right. This is really meant for the, especially with the fines, it’s really meant to get to C-Level and higher executives’ attention.

What’s the first step you need to take when implementing GDPR?

Cindy: So if you are a higher up or someone responsible for implementing GDPR, what’s the first step you need to look for and so you don’t miss any deadlines, so that you are planning ahead?

Andy: I think we had to talk about this the other day. I’ve actually talked about it with Dietrich. Some of this is really, I’d say, like common IT sense and that if you are following any kind of IT best practices and there are a bunch of them or some standards, you are probably like 60 or 70% there, I think. I mean if you are, let’s say you are handling credit card transactions and you are trying to deal with PCI DSS or you are following some of the– forget what they call — the SANS Top 20 … So maybe I’ll say it’s sort of like putting laws around some common sense ideas.
But I realize the executives don’t see it that way.

Kilian: Yeah. I think the first thing you have to do is figure out if you have that data, to begin with, or where it’s at. I mean the common knowledge is you probably do. If you do some type of commerce or interact with anybody really, you are going to store some information. But kind of nailing it down where it’s at or where it might be is I think the key first step.

Dietrich: And in terms of deadlines, I suppose to answer your question very directly, the deadline is May 25th, 2018, is when it comes into full force. That is the, I wouldn’t say it’s fast approaching. We still have 23 months. …

Dietrich: I’ve got a clock on my laptop right there. Deadline to GDPR.

Data Breach Notification

Cindy: So there is also a data breach notification. What does that process entail? Like how do you get fined and how do you know that personal data has been lost or breached? What’s defined as personal data? Because there is a difference between leaking like company ID, company IP versus leaking personal data.

Andy: Actually I happen to have the definition right in front of me. So it’s any information related to a person. And in particular, it can be…so it says an “identifiable person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier”. So it’s really, I guess what we would call in the US, PII [personally identifiable information], but it’s broad. It’s not just a strict list of social security number or specific account numbers. Those are examples of the types of identifiers. So it’s very broad but it has to relate back to a person and they do consider the online identifiers as “relatable to a person”.

Brexit and GDPR

Cindy: And kind of I can’t help but ask Dietrich, will Brexiters be exempt from GDPR?

Dietrich: No. Not at all. So, first off, yes. A week ago today, we cast our votes.
And then a week ago tomorrow it was found out that yes, in fact, we are leaving the European Union. So the reality of that is we haven’t invoked Article 50. So Article 50 is that yes, we are definitely doing it. We are doing it and then we have 24 months for them to get the heck out of the European Union. The starting of that clock isn’t likely to happen for some time. For one, David Cameron, who is currently our prime minister, is stepping down…has stepped down. We have to wait. He said, “I’m not going to invoke. I’m going to let somebody else handle not only that process of invoking Article 50 but in addition to that, negotiating the trade policies and all the things associated with the exit.” In addition to all the things associated with the exit is the adoption or exclusion of a lot of the European directives, GDPR being one. So we could just sit there and not only, so if you take that time scale that will come into play if Article 50, and there are some questions on the legality of the referendum, which I won’t go into in detail but there is a lot of debate going on at the moment that we voted leave if it’s actually something that will happen. If it happens, and let’s say it will, the time scale of that activity is likely to be well after GDPR is in effect. And if GDPR does come…sorry, and even if we leave and the likelihood as in the democratic country in which we live, we have cast a vote that we will leave, we could still take on GDPR as our own. We have our own Data Protection Act here in the UK. We could just bump it up with GDPR at a stroke of a pen. And that’s quite likely considering we are debating in negotiation. We will negotiate for, hopefully, as free trade as we can do within the European Union and I’m sure that will be…it would make sense that that would be a dependent clause.

Andy: And I was going to say, it looks like if you’re…since the UK has to trade with the EU, the EU countries are going to put in higher standards for e-commerce transactions.
Dietrich: Yeah. They are our biggest trading partner. I believe and don’t quote me on this but I could be wrong. I think it’s 54, 54% of our exports go to the EU. And likewise, we are one of the biggest trading partners for France, for Germany, etc.

Territorial Scope

Cindy: So, the US, we trade with the EU and the…

Dietrich: Do you? (sarcasm)

Cindy: I’m really talking about territorial scope. And I’m curious if I start a business or Mike starts a business, we talked about this earlier, how will I…what’s the law in terms of me needing to protect an EU consumer’s personal data? That’s a little controversial. Go ahead Dietrich.

Dietrich: Can I give you some examples on this? In the last 48 hours, I have purchased a flight from Southwest Airlines, United Airlines, I’m a European citizen. I have purchased a backpack from some random site that’s being shipped to my father. Look, I hope I’m not debt dipping myself in tax loss but anyway, you know what I mean. As a European citizen, I’m going to be in the States for three weeks as of next week. So I’m a European citizen who is going to be transacting, who is going to be purchasing stuff over there. So, considering the freedom of movement that exists, the small world in which we live where European citizens regularly travel to the US, regularly buy from sites online, I can’t see how the border is going to make any difference. Most, if not, I’d say the vast majority of organizations in the US will deal with European citizens and therefore at least for that subset of data related to European citizens, they will be…they’ll have to put in controls if they want to carry on trading with European citizens.

Cindy: Go ahead, Mike.

Mike: Well, I was trying to think of parallels to this.
And there is one that I think a lot of people are aware of which is like the Cookie Law which is, there were some European directives around like you should have, like if you land on a website, sometimes you see those banners at the bottom that says this website uses cookies and then click to, which came out of a similar thing. That’s really only been European websites that are doing that, but that’s sort of a half step into this. I just wonder if that shows a model for how this is going to be adopted so that it’s only the very strictly EU sites.
Andy: Yeah. I think that was, that came out of, I forget, it may have been the Data Protection Directive, but you’ve got to gain consent from the consumer and they apply it to cookies, accepting cookies. So you do see that on a lot of the EU sites, that’s right.
Mike: It just seems very odd because there is no…it doesn’t seem like it will improve things. It just seems like, yeah, we are getting cookies off you so here is this giant banner that gets in the way.
Andy: Will they ever click no?
Mike: Well, what’s interesting is that I don’t think I’ve ever actually seen like, “Yeah, no, don’t collect my cookies.” It just says like, “Hey, we are doing this so accept it or leave.” You are on my website now, so probably with a French accent.

Tension between Innovation and Security

Cindy: So in terms of, we talked about the cookie law, we’re talking about the GDPR. If you are a CEO and you know that there is a potential risk of anything really, and let’s say data breach, if something happens, they’re often asking, “Okay, higher ups, can we work through this? Will our company survive?” It sounds like people don’t like to be strong-armed into following certain laws. Like if I’m an entrepreneur, I’m going to come up with an idea. And the last thing I would want is like, oh, I have to follow privacy by design. It’s annoying.
Rob: Yeah. I mean it’s a push and pull between innovation and security. You see this with all sorts of things.
You know, Snapchat is famous for its explosive growth, hundreds of millions of active users a day. And in the beginning, they didn’t pay attention to security and privacy. They kind of consciously put that on the back burner because they knew it would slow their growth. And it wouldn’t have mattered as much if they never became a giant company like they are today. But then it came back to bite them, like they’ve had multiple situations where they’ve had data breaches that they’ve had to deal with and I’m sure devote a lot of resources to recovering from, not only on the technical side of things but also on the legal and PR side. So it is a push and pull but we see it in varying degrees everywhere. Look what Uber is doing as they expand into different markets and they have to deal with all of the individual regulations in each state that they expand to, each country. And they would love to just close a blind eye and focus on improving their technology and recruiting new drivers and making their businesses a success. But the fact of the matter is — and the EU is way out in front of everybody else on this — is that somebody has to look out for the customers. Because we just see it over and over again where in the US, it’s almost like flipping. Like we see these massive breaches where people’s healthcare information is exposed on the public web or their credit card numbers get leaked or God knows what kind of information. And it just doesn’t ever feel like there is enough teeth to make organizations really assess their situation. Like every time I apply (and I don’t do this very often, thank God!) for a mortgage in the US, the process, it scares me. You have to email sensitive information to your mortgage broker in plain text. They are asking for PDFs, scans of your bank account.
And where that information goes, you’re just not that confident in a lot of these companies that they are actually looking at information and putting it in sensitive secure repositories, monitoring who has access to it. It’s just…without this regulation, it would be…without regulations like GDPR, it would be way worse and there would be no one looking after us.
Kilian: You actually kind of beat me to the point I was going to make there, Rob, by a couple of sentences. But, you know, fine. The businesses don’t like being strong-armed but the consumers don’t like having their entire lives aired out on the Internet. And I think you are 100% right there. It is a pain in the butt in some cases for innovation, but we keep going back to it, or I will, but Privacy by Design. You don’t have to make an and/or decision. If you start with that mind to begin with you can achieve both things. You can still achieve massive growth and avoid some of the problems instead of trying to patch up the holes later on.
Dietrich: One thing in terms of the strong arm, in terms of the regulatory fatigue that organizations get, I have been dealing with organizations for some time and it seems that regulations are at points that the external world makes organizations focus on the only things they will focus on. And this is important. It’s important for us. I mean I kind of like…I don’t kind of like. I quite like the intent of the regulation. It’s down to protect me. It’s not something that’s esoteric. It’s something that’s quite explicit to protect more information. And if it requires a regulation for them to take heed and pay note and to get over the fact that regardless if they have been ignoring data breaches in the past, to do so in the future may cost them more than it had, then that’s probably a good thing.
Andy: I was just going to say that one of the, like the one word they use in a lot of the law is just, it has to do with Privacy by Design. It’s just minimize.
I think if you just show that you’re aware of what you are collecting and trying to minimize it and minimizing what you collect, put a time limit on the data that you do collect, the personal data, in other words, if you’ve collected it and processed it and you no longer have a need for it, then get rid of it. It seems common sense and I think they want the companies to be thinking along these lines of, as I say, just minimize. And that shouldn’t be too much of a burden, I think. I don’t know. I mean I think as Rob was saying, some of these web companies are just going crazy, collecting everything, and it comes out to sort of bite them in the end.
Mike: And this is me being cynical but I wonder if this is going to be a new attack vector. If there is like an easy way to get all your information out of Facebook, then that’s the attack vector and you just steal everyone’s information through the export feature. I don’t know if anyone else saw there is a thing that you could hijack someone’s Facebook account by sending in a faxed version of your passport. That was a means by which they would reset your password if you couldn’t do anything else and you lost access to it. They are like, “Well, this whole rigamarole, but fax in your passport,” and so people were doing that as a…I think it’s good intentions. I just wonder about the actual implementation, like how much of a difference it will actually make.
Rob: Yeah, and I think you are right, Mike, that the execution is everything in this. With these regulations, we see it with failing PCI audits. PCI auditors that are checking boxes. And having worked for a software company that, in a previous job, that did retail software and was heavily dependent on collecting credit card information from certain devices and terminals and keyboard swipes and all sorts of things and gone through a PCI audit, knowing that there were holes that weren’t done by the auditors, it’s all about the execution.
It’s all about following through on best practices for data security. And the regulation itself isn’t going to make you excellent at security.

Tips on Protecting Customer Data

Cindy: So if I’m trying to catch up… in terms… if I am not following PCI or if I am not following the SANS Top 20, which is now renamed to something else like Critical Security Controls… so what are some of the things that I can start with in terms of protecting my customers’ data? Any tips?
Rob: Well I mean one thing, and Andy kind of touched on this, is don’t collect it if you don’t have to. I think that’s the number one thing. I mean certain services out there actually make it easy for you not to touch your customers’ data. For instance, Stripe, which is a pretty popular payment provider now, if you are collecting payment information on the web from customers, you should never know their credit card number. It should never hit your servers. If you’re using something like Stripe, it basically goes from the web form, off to Stripe, and you get at most the last four digits and maybe the expiration number. But as a business, you never have to worry about that part of their profile, that sensitive data. So to me, start with asking that question of what do we actually have to have. And if we don’t need it, get rid of it and let’s look at all of our data collection processes, whether it’s by paper form or web form or API, whatever the method is, and decide what can we ax to just cut out the fat. Like we don’t want to have to hold your information if we don’t have to. Now, failing that, I know a lot of companies cannot do that, like Facebook’s business is knowing everything about everybody and the connections. And so in that situation, it’s a little bit different.
Cindy: It’s hard because what if I’m a company and I just… what if I’m a hoarder? Like I hoard my…I live in New York, my studio is tiny, what if I like to hoard? And it’s kind of like you are digitally hoarding stuff. And…
storage is cheap, why not get more? What would you say to a digital hoarder in terms of I might need this information later?
Rob: I would say stop. Stop doing that! There are data retention policies that prevent you from doing that that you can implement. It’s an organizational culture thing, I think. Some organizations are great at data retention, others are hoarders. It’s just bad data protection.
Dietrich: Greater data retention and hoarders. We’d love to retain data. Most of the organizations we’ve talked to love to retain data. It’s nice having something to get in that stick which sits there and goes, just get rid of it. I talk to organizations now and I’ll go finally this is being implemented in such a way that we actually can go back to the business. Who doesn’t want the data deleted? It’s usually people in the business who say I may, at some time in the future, need that document that I created 15 years ago. Well, not if it has anything related to an individual associated with it. In that case, you can only keep it for as long as it is a demonstrable requirement to have that. So I think it’s something at that level, which should be welcomed by organizations, not unless they are really…I mean my wife’s a bit of a hoarder. If she was running a business, she would definitely have many petabytes of information. But related to individuals, it would give me the excuse to throw it out when she isn’t looking.
Andy: Right. I was going to add that the GDPR says, I mean yes, you can collect the data, you can keep it, but I think there is somewhere that says that you have to put a time stamp on it. You have to say, “This is the data I have and, okay,” if it’s five years or ten years, but put some reasonable time stamp on this data and then follow through. So sure, collect it. But make sure it has a shelf life on it.

Final Thoughts

Cindy: Any final thoughts before we wrap up? Silence, I love it.
Michael: I was on mute, so I was talking extremely loudly while no one heard me. I was going to say my final thought was that, we kind of started this with Andy saying that a lot of this was common sense IT things. And I think that’s probably the biggest takeaway. The thing to do immediately is to, I think, just do an audit of all of your data. That’s just good practice anyway. If you don’t have that at hand, you should start doing that. Whatever the regulations are, whatever your situation, it’s very, very hard to think of a situation where that wouldn’t be to your advantage. So I think that’s the first thing and most immediate thing any company should do.
Dietrich: That’s a very good point and something that also, related to GDPR, is the point within GDPR in terms of the data breach impact disbursements. That’s also understanding what you have, making sure that you have the appropriate controls around it. So that’s just understanding, going through that audit directly helps you for GDPR.

Upcoming Webinars: July 21st English, July 28th German and French

Cindy: Rob, you mentioned there is a webinar on GDPR. When can people tune in? …
Mike: Rob told me there was a barbecue at his house for the next GDPR meeting. Just come on over, we’ll talk European regulations, smoke some brisket.
Cindy: I need some help from people de-hoarding my studio. First, I need to go home and change all my passwords because I have a password problem. Now you all know I’m a hoarder.
Mike: This is just leading up to you having your own Lifetime television series, I mean.
Cindy: That will be exciting.
Mike: I’d watch it.
Cindy: It will be Tiger Mom 2.0.
Rob: So yeah, so we’re having a webinar on July 21st in English and we are having another one on July 28th in German. So for anybody that’s interested in the GDPR, we are also doing it on the 28th in French.
So we are having multiple languages for you, and they can go to varonis.com and just search for GDPR in the upper right-hand corner and you should be able to find the registration form.
Cindy: Thanks so much, Rob.
Dietrich: Whether you speak it or not. Yeah, fantastic.
Cindy: Thank you so much Mike, Rob, Kilian, Dietrich, and Andy. And thank you all our listeners and viewers for joining us today. If you want to follow us on Twitter and see what we are up to, you can find us @varonis, V-A-R-O-N-I-S. And if you want to subscribe to this podcast, you can go to iTunes and search for the Inside Out Security show. There is a video version of this on YouTube that you can subscribe to on the Varonis channel. And thank you and we’ll see you next week. Bye guys.

The post GDPR – IOSS 13 appeared first on Varonis Blog.