By Jodi Daniels
On May 25, 2018, the world welcomed a new privacy regulation. Its impact swept the globe, changing the way marketing is performed and data is processed. It created millions of new cookie banners that people click daily. It led to policies created, data inventories completed, and privacy notices updated. The phrase “legal basis” became part of the corporate lexicon.
As GDPR celebrates its first birthday, this article will look at the relevant lessons for CISOs learned in year one and what they should expect during the “Terrible Twos.”
Many have waited for regulators to impose the maximum fine: up to four percent of a company's global annual turnover (or €20 million, whichever is higher). While regulators have not yet issued a penalty of that size, they have levied financial penalties and prompted organizations to alter their business practices.
To date, GDPR’s fines and violations have focused tremendously on what constitutes valid consent. For example:
At the recent IAPP Global Privacy Summit 2019 in Washington D.C., EU regulators (notably Helen Dixon, Data Protection Commissioner in Ireland) stated that 18 investigations are underway against big tech companies. During a US Senate Committee on Commerce, Science, and Transportation hearing, Dixon said 51 privacy investigations are currently open in her office. This summer and later this fall, it is likely we will see the details of these investigations, which are important because they will set precedent as to how regulators interpret the law.
Overall, Ireland's regulator has seen 6,000 complaints lodged, many of them already resolved. The Information Commissioner's Office (ICO) in the UK and Austria's data protection authority also attended the conference and echoed similar sentiments: many investigations are underway and decisions are forthcoming.
GDPR put data that companies process front and center. To comply with documentation requirements, organizations created records of processing and documented from start to finish what data they collect, use, share, store, and delete—along with just about any other action that touches data. In preparing these documents, CISOs became involved to determine what security measures were in place and to identify any gaps that existed.
The initially completed data inventories are a baseline and need a review at least annually to capture any necessary updates. Companies should also audit or test a sample of their processes to confirm that the documentation matches what is actually happening, because an inventory that describes last year's data flows gives a false picture of today's risk. They also need a way to capture processes introduced since the last review; each new process needs its own data inventory entry. To set the company up for success, create a sustainable, repeatable process for updating existing inventories and recording new ones.
It is critical for a CISO to be engaged in these data inventories, because protection of personal data is a core GDPR obligation and the inventory is where the CISO confirms that adequate security measures exist for each process. Accurate data inventories expose the data that needs securing and the vendors that need vetting. Through accurate data mapping, CISOs can account for every piece of data collected, used, and shared, rather than discovering a data flow for the first time during an incident.
As a byproduct of the GDPR data inventories described above, companies acquired a complete list of the vendors they work with. Vendors (often called "service providers" inside organizations) took on the formal GDPR name of "processor," and the companies that decide why and how personal data is processed became "controllers." Controllers conducted formal vendor assessments that added privacy-specific questions to the usual security questionnaire, so that they understood how each vendor addressed both security and privacy risk. Processors and controllers worked out how they would communicate about and handle a data breach, and how they would honor individual rights requests that involved data held by the processor.
In addition, Data Protection Addenda (DPAs) were drafted to put the specific GDPR requirements into the contract. Sometimes a "battle of the DPAs" left companies wondering whose terms would prevail: the processor's or the controller's. For some CISOs reading this article, your company is the vendor, and you had to ensure that you could meet the security and privacy obligations your customers (the controllers) requested of you.
GDPR highlights the need for a sustainable process to review all existing vendors on a regular basis and to vet every new processor against privacy, security, and GDPR requirements. Third-party vendor management software helps companies track which vendors are due for assessment, follow up on identified gaps, and tailor questionnaires so that a small vendor does not receive an assessment designed for a large enterprise, and vice versa. Vendor assessments should be right-sized for the vendor. These tools can also store the evidence (such as policies and certifications) received from the vendor.
In the last year, based on data inventories completed, companies updated privacy notices, drafted cookie consents, and prepared individual rights processes and procedures. They also reviewed and, in some places, overhauled their marketing activities.
The cookie banner is now ubiquitous across websites. As discussed in my last article, What Every CISO Needs to Know About Marketing Tags, each tag placed on a site creates security risk: a third-party script runs with the same access to the page as the site's own code, so it can read page content and form input and load further scripts of its own. It is important to include only the tags a business purpose requires, both to meet GDPR's obligations and to limit the security exposure tags create.
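One way to test whether the documentation matches reality, for the tag inventory in particular, is to audit a page's third-party resources against the hosts the data inventory actually lists. The following is an added example and is not code from the article or from any vendor tool; the approved-host list and the sample page are constructed here for illustration, and the element types checked (script, img, iframe) are an assumption about which tags load third-party content.

```python
"""Audit the third-party tags on a page against the documented data inventory.

Added example, not from the article. Assumes the data inventory records the
third-party hosts the business has approved (ALLOWED_HOSTS, hypothetical) and
that the page HTML is available locally (SAMPLE_HTML is constructed).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the (hypothetical) data inventory documents as approved vendors.
ALLOWED_HOSTS = {"tags.example-analytics.com", "cdn.example-consent.com"}

# Constructed sample page: two documented vendors, one nobody documented,
# plus first-party and inline scripts that should not be flagged.
SAMPLE_HTML = """
<html><head>
<script src="https://tags.example-analytics.com/collect.js"></script>
<script src="//cdn.example-consent.com/banner.js"></script>
<script src="/static/app.js"></script>
<script>window.dataLayer = [];</script>
</head><body>
<img src="https://pixel.example-adnetwork.net/p.gif?id=1" width="1" height="1">
<iframe src="https://cdn.example-consent.com/frame.html"></iframe>
</body></html>
"""

# Elements whose src attribute pulls content from a remote host (assumption:
# these are the element types marketing tags typically use).
TAG_ATTRS = {"script": "src", "img": "src", "iframe": "src"}


class TagCollector(HTMLParser):
    """Collects (element, host) pairs for every externally loaded resource."""

    def __init__(self):
        super().__init__()
        self.hosts = []  # list of (element name, lowercase host)

    def handle_starttag(self, tag, attrs):
        attr = TAG_ATTRS.get(tag)
        if attr is None:
            return
        src = dict(attrs).get(attr)
        if not src:
            return  # inline script or element without a source
        # Protocol-relative URLs ("//host/path") still load remote content,
        # so default the scheme to https to resolve their host.
        host = urlsplit(src, scheme="https").hostname
        if host:  # relative paths have no host and are first-party
            self.hosts.append((tag, host.lower()))


def audit_tags(html, allowed_hosts):
    """Split the page's third-party hosts into documented and undocumented.

    Returns two dicts mapping host -> sorted list of element names that load
    from it. Anything in the second dict is a tag the inventory does not know
    about and that needs a business justification or removal.
    """
    collector = TagCollector()
    collector.feed(html)
    documented, undocumented = {}, {}
    for tag, host in collector.hosts:
        bucket = documented if host in allowed_hosts else undocumented
        bucket.setdefault(host, set()).add(tag)
    return (
        {h: sorted(t) for h, t in documented.items()},
        {h: sorted(t) for h, t in undocumented.items()},
    )


if __name__ == "__main__":
    known, unknown = audit_tags(SAMPLE_HTML, ALLOWED_HOSTS)
    for host, tags in sorted(known.items()):
        print(f"documented   {host} ({', '.join(tags)})")
    for host, tags in sorted(unknown.items()):
        print(f"UNDOCUMENTED {host} ({', '.join(tags)})")
```

Run against a saved copy of each page rather than a live fetch so the audit is repeatable, and feed the undocumented list back into the data inventory review: each host is either a processor that needs a record and a vendor assessment, or a tag that should come off the site.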
Legal, marketing, compliance, and business owners need to ensure that processing activities are appropriately captured in the privacy notice and that the business actually does what it says in that notice. Privacy and cookie notices are dynamic documents and need to be in sync with the organization’s activities. These stakeholders are also responsible for the legal basis in their processing activities and the actual operational steps toward honoring individual rights requests.
GDPR introduced a 72-hour requirement for controllers to report a personal data breach to the regulator, measured from the moment the controller becomes aware of it. Because the controller's clock starts only when it learns of the breach, controllers had to agree with their processors on how and how quickly a processor would report a breach to them; GDPR itself only requires processors to notify "without undue delay." In some instances, controllers demanded that processors notify them within 48 hours. Clear communication guidelines between the two parties are necessary for the controller to meet its own deadline.
To comply, companies reviewed their data processes and information security policies to determine if they could meet a 72-hour data breach notification requirement. They evaluated and reviewed security measures to identify any needed remediation, created data breach templates, reviewed processes, updated procedures, and expanded training and awareness so all employees knew how to report a data breach.
If they have not already done so, companies should run a data breach simulation to confirm that the plan on paper makes sense and that no gaps exist. A simulation ensures the executive team knows whom to contact during and after a breach (insurance, forensics, legal, and communications) and that the company has a realistic plan for a successful response.
As companies update data inventories and vet new vendors, consideration to security and the ability to respond to a data breach should be top of mind. With each new vendor, the contract should include provisions for managing a data breach.
Many companies created foundational GDPR documentation and haven’t dusted it off since. If you’re a CISO at one of those companies, you should dust off that data mapping and policy documentation and start updating it to reflect today’s business activities. GDPR is here to stay, and countries around the world—including the United States through laws such as the California Consumer Privacy Act (CCPA)—are looking to it as a model. As we enter the toddler stages of GDPR, companies should begin “walking” toward repeatable privacy processes such as data inventories, vendor management, individual rights, and privacy by design.
In addition to ongoing data inventories, updated privacy notices, vendor vetting, and an executable data breach plan, training all employees is critical to a successful privacy program. Employees need more than an annual security course. Ongoing communications, monthly tips, quarterly updates, in-person or webinar events, and contests all help. CISOs and their training partners should work together to make training relevant to each employee's role.
Maintaining compliance with GDPR and other privacy laws involves many moving parts. To comply successfully, companies need either a dedicated person inside the company or a fractional outside consultant to own these tasks. GDPR compliance is an active exercise that requires ongoing adjustment.
With GDPR's first year behind them, companies can learn from the stories behind the early fines as year two clarifies how regulators interpret GDPR and what individuals find important as more complaints are settled. Companies that keep privacy compliance top of mind will find that it becomes part of doing business, and they will be ready for the next global or state privacy law.