Authored by Yves le Roux; Paul Lanois, SSCP; Visia Tartaglione, CISSP; Eric Tierling, CISSP, members of the (ISC)2 EMEA Advisory Council GDPR Task Force.
In the age of Big Data, the Internet of Things (IoT), Artificial Intelligence (AI) and Machine Learning, organizations have routinely collected as much data as possible – because they can, not necessarily because they have a clearly defined strategy for it. Data brings knowledge, power and value. However, as digital capabilities enter mainstream practice, we are also seeing expectations that data will be managed and used responsibly. Concerns, particularly around privacy, compounded by the seemingly endless flow of media reports covering data security breaches, snooping or surveillance and, most recently, the ability to conduct increasingly sophisticated levels of profiling, suggest that we are falling short of these expectations. GDPR, the General Data Protection Regulation from the European Union (EU), provides a response by catering to consumer expectations of data privacy and significantly extending the scope of individual rights regarding their personal data. A data subject’s “right of access”, together with requests made by individuals for the correction or erasure of the personal data held or processed about them by an organization, has emerged as one of the most challenging areas to address.
The days of hoarding personal data without a defined purpose will have to give way to an immediate requirement to understand and actively manage the data collected. This represents an enormous task in an environment where organizations have widely admitted that they are unaware of the nature and value of up to 70% of the data[1] they previously collected. Organizations also report that they have little inkling of the demand they are likely to experience for either access to personal data or requests for it to be erased or changed. Further, the concept of “personal data” under the GDPR is broader than the concept of personally identifiable information (PII) as it is commonly understood outside the EU: internet protocol (IP) addresses, cookie identifiers and other identifiers (such as radio frequency identification tags), as well as pictures of individuals, posts on social media, etc., all fall within the scope of “personal data” under the GDPR. In December 2017, the European Court of Justice went as far as to qualify marked exam test papers as personal data.
Not an Absolute Right
It’s worth noting that these rights are not new, nor are they absolute in all circumstances: the current European data privacy laws that will be replaced by GDPR are the result of an EU Directive from 1995 that already provides for the right of access, while the Charter of Fundamental Rights of the European Union provides that “everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.” GDPR goes a step further by introducing additional requirements, such as the 30-day time limit to respond to access requests, the obligation to inform data subjects about the period for which their data will be stored, information about the existence of the right to complain to the Data Protection Authority (DPA), and more. Organizations with a European presence are likely to already have a body of experience to build upon. Further, GDPR recognizes in its recitals that data subject rights should not adversely affect the rights or freedoms of others or undermine the organization’s interests in, for example, protecting trade secrets, intellectual property or copyright. That being said, a balance of interests will need to be considered. In anti-fraud cases, for example, the European Data Protection Supervisor (EDPS), which is responsible for the public sector within the EU, clarified that organisations will have to “balance the interests of both the informants and the person(s) concerned before deciding when and how much access can be given.”
Further, individuals’ rights are linked to a purpose. The right of access, for example, is provided to give individuals the opportunity to be aware of, and verify, the lawfulness of the processing of their data. Repetitive requests cannot be made over an extended period of time with vexatious intent, and requests not related to the purpose specified in the regulation may be rejected (as confirmed in a recent ruling of the European Court of Justice).
Establish Due Diligence
Clear guidance and established practice on how these rights should be met are still in development. For example, the GDPR legislation encourages organizations, where possible, to provide a secure system through which data subjects can remotely access their personal data; however, this is not a requirement. The UK Information Commissioner’s Office qualifies it as a recommended best practice, and self-service portals are emerging as a trend, but this may not necessarily be appropriate for all. As May 25th approaches, it is expected that more guidance from DPAs will be issued. Organizations should have established a data governance regime, grounded in a “record of processing activity” that gives a clear picture of their data landscape, the personal data processed and why. This provides a basis for companies to immediately demonstrate their commitment to compliance, both to the in-country DPA and to the individuals that may exercise their rights. Furthermore, the experience shared across (ISC)2’s EMEA Advisory Council’s GDPR Task Force suggests planning for the following abilities:
- Enhance Transparency: Don’t wait for an individual to make a request. The first principle that the regulation aims to establish is the transparency of the processing. It should be clear to individuals to what extent their personal data is used, expressed in easily accessible and easy-to-understand communications. Regular, proactive communication backed by accountable policies also supports strong customer relationships and removes the motivation to resort to a formal request.
- Acknowledge the Request: Be ready with a customer service communication that acknowledges the receipt of a request and outlines the steps your organization will be taking to respond within the 30-day period defined by the GDPR. Be specific: point out that the request will be assessed, and that your organization will be in touch within a specified time frame to either clarify the request or respond to it.
- Clarify Customer Expectation: Don’t just assume every customer is looking to have you provide them with anything that could be considered personal data under the letter of the legislation. Contact them, learn the motivation for the request and respond to this. It could be that invoking a customer service or complaint procedure would be the more appropriate response.
- Ensure the legitimacy of the request: Set criteria for referring requests for legal assessment. You can ask the person who is submitting the request to make their case for it. As noted, there also could be overriding regulations in certain specific situations (e.g. anti-fraud cases or country-specific tax provisions) and customer obligations.
- Document policy for search criteria: Data mapping (also referred to as a "data inventory") will enhance the record of processing activities and will provide an overview of the data flows within, to and from an organization, including to third parties such as service providers (e.g. cloud service providers). Even if not all relevant data is captured, you will be able to demonstrate that you have made a reasonable effort to capture as much as possible, something many DPAs have assessed to be reasonable under current EU data protection rules.
- Anticipate spikes: While it is difficult to anticipate the volume of customer requests to exercise their GDPR rights, large, well-known brands expect a flood of first requests as the legislation comes into effect and customers seek to test it. Previous experience bears this out: when the European Court of Justice upheld an applicant’s case to have a news item removed from search engines, hundreds of similar requests followed in the aftermath.
- Automate & maintain: Once inventories are documented, criteria set and processes defined, you can look to develop tools or automate processes. Ultimately, a business case will dictate the validity of such an investment, and processes will have to be reviewed regularly, as they will have to change as the business changes and improve with experience.
However prepared organizations are today, the task ahead is likely to be significant. The capacity to meet data subject rights is not an isolated requirement, but rather a task that will mature together with the overall compliance effort. It is anticipated that many may not be ready, and that organizations will undoubtedly be tweaking and refining their processes and approaches for some time to come. In all cases, the key to navigating data subject rights will be your ability to demonstrate a commitment to accountability for sound data management as a pillar of a trustworthy business.
[1] Databerg Research by Vanson Bourne for Veritas Technologies LLC: https://www.veritas.com/content/dam/Veritas/docs/reports/veritas-strike-global-report_a4-sdc2.pdf