A year into exacting data privacy regulation, ramifications are becoming more tangible
The European Union’s General Data Protection Regulation, possibly the most draconian privacy shield currently in existence, has companies that do any business in Europe flailing to comply. Its scorching fine for those that don’t report data breaches within three days: a 4% cut of global revenue.
But it’s not just private entities that are straightening up since the regulation went into effect last year – nor is it just data breaches that need to be addressed.
Public authorities are peppered daily by a hail of cyber attack attempts, many emanating from Russia and China. But the number of possible breaches is actually small, and most are either contained or can be isolated quickly.
Government entities have another problem: queries from the public. Under GDPR, anyone can ask to see their personal information. If it no longer serves any purpose to the entity holding it and if the person so desires, they can ask that it be purged under the so-called right to be forgotten. If they are not satisfied with an institution’s response, they can file a complaint with the Information Commissioner’s Office (ICO). These rights have aroused a good deal of curiosity and some confusion.
“The nature of the complaints is usually misinformed members of the public thinking that we hold this massive Big Brother data, when the data we actually hold is quite rudimentary,” says an official familiar with the matter, who requested anonymity.
For economic reports, for example, a central bank might hold personal data such as the amount of a mortgage and the names of its holders, along with demographic details such as that the mortgage is for a two-bedroom flat held by a couple in their mid-30s, he adds: “Some members of the public think that we’re using this data to spy on them, and complain to the ICO.”
It is not clear what penalties central banks might face for mishandling their duty to inform citizens. But the long-tailed implications of GDPR are just coming into sharper focus as the regulation sinks in.
It was widely understood that banks would have to lay out large amounts of cash to ensure they stayed within its wide-ranging boundaries. “We have spent more than $2 million to implement GDPR internally, and you will find similar figures at other banks,” says an adviser at a large international bank.
The many trapdoors of GDPR
Financial institutions are doubling down on information security, compliance and legal protections to avoid what happened to Google, which in January got hit with a €50 million ($56.3 million) fine by the French data protection authority. The reason? Its data consent policies were neither transparent nor accessible, the authorities said, and therefore fell foul of GDPR.
But banks, because of their global footprint and their massive stores of data on both people and corporations, are exquisitely sensitive to GDPR.
In the event of a breach, the bank must inform both the customer and the data protection authority when, where and how the breach occurred. This means very quickly determining the location of the data, its purpose (whether it’s being used with customer consent or for regulatory purposes) and whether it’s being controlled by the bank directly or by a vendor, which could be in another country.
One large European bank has a dozen projects under way to assess what it needs in order to comply with GDPR and make the necessary adjustments, says its data protection officer. Most other banks are in the same boat.
The adviser at the international bank says most of the $2 million investment in GDPR has gone to establishing systems to manage the bank’s data. That data is stored around the world at multiple branches, subsidiaries and vendors. The bank therefore decided to build its own software to track the flow of data.
“We had to build up a data landscape from scratch,” he says. “In the past, it was cheaper to simply amass data, rather than have retention policies. Now, we are forced to delete data, and we have to provide evidence not only to the customer, but to the authority.”
Privacy officers need to exercise judgement on what constitutes a breach: not all need to be reported. For instance, if a laptop containing customer data is left on a train, but the data is encrypted, this would be deemed a lower risk than if the data were unencrypted. In contrast, if a set of documents on its way to being shredded were stolen from a van, that would be reported, and considered more serious.
“If the impact is significantly high, then it needs to be reported,” says the data protection officer.
The supply chain represents a million tributaries. While GDPR has ‘model clauses’ that specify ‘major suppliers’, there are many other suppliers that could be problematic.
Permission to use data is another slippery area. If the purpose of collecting the data has changed, the original consent may no longer be valid. If so, a company needs to demonstrate that it still has permission to use the data.
The potential for class action lawsuits also hangs in the air. GDPR allows consumers to seek redress for, among other things, ‘mental anguish’ caused by a data breach.
“Under GDPR, you can elect frustration reasons,” says the adviser at the international bank. “If you feel mental pain, you are allowed to seek damages.”
Compared with other industries, banking has a head start: relatively strong information security and data protection policies were already in place. Even so, the sector is spending heavily. In 2018, financial firms spent an average $1 million on GDPR compliance, and non-financial companies spent only $250,000, says advisory firm Gartner.
Under the 1995 data protection directive that GDPR replaced, each EU country enacted its own laws, resulting in a chequerboard of requirements across jurisdictions. Which breaches were deemed reportable varied widely. Under the new regulation, the threshold has been raised.
“Banks are now obliged to notify the authorities wherever there is significant risk,” says Michael Kaiser, a spokesman for Germany’s Hesse Data Protection Commissioner, which includes the banking capital of Frankfurt. “Under the former German data protection law, the obligation existed only where a very high risk was assumed.”
One regulation, a wide-ranging number of breaches
The European Data Protection Board reported a total of 206,326 cases across the EU since GDPR’s launch up to the end of January. Of the total, 64,684 were data breaches and 94,622 were complaints. Data authorities imposed €56 million in fines, presumably inflated by the €50 million Google fine.
The numbers varied by country. The UK’s ICO received more than 8,000 breach notifications in just the first six months of GDPR. France saw 1,170 in 2018, and Germany has had around 1,200 since GDPR went live, while Austria received 551 last year.
The Netherlands was an outlier, with a lofty 20,881 data breach notifications in 2018, more than double the year before. The financial sector accounted for 26% of the cases.
Why so many breaches in that particular country? The Netherlands has had mandatory breach reporting in place since 2016, and its companies may therefore be spring-loaded for the tougher GDPR, said one lawyer who specialises in cybersecurity.
“Dutch companies may have had a head start, better awareness of the legal requirements, existing processes and procedures for breach identification and breach reporting,” said Françoise Gilbert, co-chair of the data privacy and cyber security practice at law firm Greenberg Traurig in San Francisco.
In general, the number of reported breaches could also reflect companies’ grasp of requirements, how the local authority conveys the requirements or “how vehemently it has prosecuted” for violations. She notes also that a lot of breaches are reported unnecessarily, “out of fear or ignorance, even though an incident might not meet the threshold, because companies are afraid of being prosecuted”.
In the UK, Elizabeth Denham, the information commissioner, said pointedly in a speech in December 2018 that the purpose of GDPR was not just to uncover breaches, but to get companies to be responsible for what they did with data: “If, within the 72-hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability in place – which is a requirement of the law.”
As banks are sorting out GDPR, some face other regulations that bear on data privacy. One large international bank in Malta has established compliance teams not only for GDPR, but also for anti-money laundering (AML) and payment service directives.
“There is tension between the obligations under AML and GDPR,” said David Cauchi, head of compliance at Malta’s Office of the Information and Data Protection Commissioner. “The timing of GDPR was not ideal because they are in the midst of other compliance challenges.”
In November 2018, the European Commission ordered Malta to redouble its efforts against money laundering, after the European Central Bank shut down a Maltese bank on allegations of fraud and money laundering.
Last year, data breaches from cyber attacks cost financial firms $935 million worldwide, ORX News data shows.
But even so, the number of breaches caused by cyber attacks is relatively small, despite popular perception. Although hackers, rogue states and organised crime try to climb banks’ cyber walls daily, most of them are thwarted. Kaiser, the spokesman for the Hesse Data Protection Commissioner, has seen only three cyber attacks on the banking industry, none of them successful.
But whether or not attacks hit the mark, banks took fright at France’s penalty on Google, the first large enforcement of GDPR and for a matter unrelated to breaches.
Compared with the previous directive, the level of fines under GDPR could be so big that even mundane incidents need to be investigated.
In Belgium, for instance, the maximum fine under GDPR’s predecessor directive was €600,000.
“For €600,000, there was never a business case to fine-tune your data-deletion policies,” says Punit Bhatia, a GDPR expert and author based in Brussels. “Now, with the fines, the business case has exploded. They will gladly spend €10 million to avoid a €100 million fine.”
Besides fines, breach notifications are likely to become public.
“When a breach is disclosed to affected individuals (eg, to customers of a business), that could become ‘public’ because at least one customer is likely to comment about the incident on publicly accessible social media,” said Gilbert of Greenberg Traurig.
Damage to the brand could end up hurting more than a large fine. The public or regulators may also question whether the company provided reasonable security for their data – that is, a level of security commensurate with the sensitivity of the data.
“The concern about shame and reputation may create a significant incentive for increasing their security budget,” says Gilbert of companies holding data.
California, tech matrix of the US and birthplace of unicorns, has often been ahead of the rest of the country on social issues. Data privacy will soon be one of them.
The state last year passed a law with some similarities to GDPR, yet milder. The California Consumer Privacy Act will enable people to find out what personal data a company has held on them over the previous 12 months, and will allow them to sue a company for lacking safety measures that ultimately result in a breach. The law’s maximum penalty is capped at $7,500 for each intentional violation.
The law’s protections will apply only to California residents and govern only companies conducting business in the state. But, given the size of California’s economy and the centrality of the tech sector, the law – as with GDPR – could well have global impact. It is due to come into effect on January 1, 2020.
Proposals are already afoot to make filing suit easier and to expand the data covered to passport and biometric data. The California law already allows for class action lawsuits, as does GDPR.
“GDPR opens the door for class actions. There is a similar framework for class actions in the US,” the adviser at the international bank tells Risk.net. “I am very concerned about this issue.”
The adjustment to GDPR might be tougher for US companies. European companies have had ample time to get used to the idea of it. The previous directive had been on the books since 1995, and GDPR wended its way through negotiations for five years.
For US companies, it’s a different story. It is probably no coincidence that GDPR’s biggest fine so far hit a Silicon Valley titan. The cultural differences on opposite sides of the Atlantic are stark. In the US, private property holds a strong grip on the national ethos, and big data is a mantra on the west coast. In Europe, concern for the privacy of its citizens and general group welfare can more often best corporate interests.
“In America, companies believe they own the data. In Europe, data ownership is a basic human right,” says Ariel Silverstone, external data protection officer at Data Protectors in Huntington Beach, California.
Now, the US techs have had to come to terms with combing through their hoards of data to comply with GDPR.
“American companies had a deer-in-the-headlights reaction. Companies don’t know how to look for things in big data,” says Silverstone.