Surprised that in the last month, between two small marketing list brokers, more than a billion personal records were found to have been leaked on the internet?1
That data then gets leaked and sold, potentially to hold users’ computers or reputations for ransom. Or, as in the 2018 hack of DNA tester MyHeritage, the data can be sold to the insurance and mortgage industries, revealing DNA disease susceptibilities and thereby making the user ineligible for coverage or a loan.2
GDPR to the Rescue
The European Union struck back in May 2018 in defense of tech users with its General Data Protection Regulation (GDPR). The GDPR restricts the types of data that companies can share, including inadvertently, as in a breach.
The GDPR applies to any organization that provides goods or services to customers or businesses in any EU member state. The data protected include name, address, photos, IP addresses, biometric data (e.g. fingerprints) and genetic data.3
Don’t Do Business in Europe? Similar Regulations May Be Inching Closer
If you represent a strictly US or non-European organization, note that last June the California Consumer Privacy Act went into effect. Its aims are similar to those of the GDPR, and it includes these consumer rights:
- the right to tell a business not to share or sell your personal information
- the right to know where and to whom your data is being sold or shared
- the right to know that your service providers are protecting your information 5
And Massachusetts State Senator Cynthia Creem introduced a similar bill before the Massachusetts legislature in February. The message is clear: governmental bodies are seriously trying to address the misuse of personal data.6
But having begun writing the GDPR in 2012, the EU is at the forefront of trying to secure users’ privacy. Here are the EU’s instructions for an organization’s compliance7:
- Check the personal data you collect and process, the purpose for which you do it and on which legal basis
- Inform your customers, employees and other individuals when you collect their personal data
- Keep the personal data for only as long as necessary
- Secure the personal data you are processing
- Keep documentation on your data processing activities
- Make sure your sub-contractor complies with the rules
- Additionally, the EU suggests assigning a Data Protection Officer to oversee and audit your business’ use of data
- The EU reserves the right to suspend the data collection activities and/or fine violators.
Who Can Afford to Ignore the GDPR?
Should there be a data breach, the EU requires notification of the breach within 72 hours. The following is from its 30-page instruction document8:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the [competent national] supervisory authority …
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
On December 13, 2018, Facebook reported a data breach of nearly 7 million users’ photos. It took Facebook almost two weeks to notice and address the leak. The breach and fix happened in September. This means Facebook took about three months to notify users. Facebook has since argued that the GDPR 72-hour notification policy applies only after a company has decided a given breach should be reported, not after the company discovers the breach.9
Similarly, there is a complaint against Facebook in Austria, funded by the nonprofit NOYB (None of Your Business), that Facebook demands acceptance of its entire privacy policy, which permits it to collect every kind of data, including for advertising reasons. This is against the language of the GDPR, as data collection is to be limited, and only for the purposes of providing a service to the user. If a user does not accept Facebook’s terms, the user’s account is removed.10
Facebook has decided not to change its policies, but to use its monetary might to fight in the courts for its contempt for the rules. And it will be years before any decision is made, at which point Facebook may pay a fine and adjust its privacy policy. Truth be told, for Facebook (as for Google, which discovered the Google+ data breach affecting more than 490,000 users in May 2018, kept quiet, and began shutting down functionality of the Google+ service in mid-October11), the GDPR represents little more than an inconvenience.
And Then There’s the Rest of Us
The GDPR was intended to rein in the irresponsible reach of tech behemoths, but that is looking unlikely. Unfortunately, what looks likely is that smaller businesses that cannot afford to fight government agencies are going to be the ones to struggle under the burden of the law. So it’s important that your organization is in compliance.
Reveal the data you will be collecting and the purpose of the data collection. Securely encrypt the data you collect. Properly store, and then delete the data once it is no longer necessary for the stated purpose. Bryley can help protect and secure your organization’s data for compliance. If you have questions or would like help, call Bryley at 978.562.6077 and select option 2.
1 https://www.wired.com/story/exactis-data-leak-fallout/
2 https://www.theverge.com/2018/6/6/17435166/myheritage-dna-breach-genetic-privacy-bioethics
3 https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/
4 https://www.wsj.com/articles/who-has-more-of-your-personal-data-than-facebook-try-google-1524398401
5 Keywords: Google’s Practices Threaten Privacy, Too, Mims, Christopher. Wall Street Journal, Eastern edition; New York, N.Y, Apr 23, 2018
7 https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en
8 http://ec.europa.eu/newsroom/document.cfm?doc_id=47741
11 Google Exposed User Data—and Didn’t Say a Word: WSJ: The bug reportedly allowed developers to access the profile data of nearly half a million Google + users over a three-year span, The Daily Beast; New York, N.Y, Oct 8, 2018