Businesses run a high risk of violating data privacy if they do not embrace a threefold perspective on the General Data Protection Regulation, formed by legal, technical and business points of view. The article below dissects how ignoring that perspective led to the breach cases of the first two years of the GDPR, and what we can learn in order to avoid making the same mistakes.
Technical & organizational measures in perspective
By reflecting on the data privacy breaches of the early years since the General Data Protection Regulation (GDPR) came into force, in May 2018, both law practitioners and professionals from the technical and business areas develop a more critical perspective on upcoming challenges. It is necessary to understand the pitfalls and neglect that led some companies to prepare themselves insufficiently or leniently, despite the two-year period between adoption by the European Union and the enforceability of the GDPR. Through the following case studies, practical measures are recommended to assist in the correct adoption of data protection laws.
To achieve this purpose, a threefold perspective is suggested: legal, technical, and business.
Even among lawyers who have worked for years with data privacy and are fully familiar with the main concepts of data processing, some technical and practical intricacies are not part of their daily lives. For professionals in the technical areas of data processing, the most complex machine languages can seem trivial compared to some legal expressions. Added to this is the interest of companies in prospering and meeting their business needs. Therefore, all these perspectives need to be in dialogue so that the most important figure in this scenario is respected: the data subject, to whom the personal data and the right to privacy belong.
Such an analysis becomes even more relevant as countries in other regions of the world adopt legislation similar to the GDPR. In Brazil, the General Law on the Protection of Personal Data (LGPD) was approved in the same year that the GDPR came into force, and is expected to come into effect in 2020. The global trend is to develop specific legislation for the data protection and privacy of citizens.
Although the GDPR mentions several times the need to adopt appropriate technical and organizational measures, it is notable that none of the articles of the regulation expressly defines such measures. For this reason, in the two-year period between the approval of the final version of the GDPR text and the moment it became mandatory, companies had to decide on their measures to adapt to the new data protection reality without those measures having been specified. The main bases for their choices were the responsibilities listed for the figures of the controller, the processor and the data protection officer (DPO), in addition to the interpretation of the principles listed in Art. 5 of the GDPR.
Some of the measures taken by most companies were more prone to failures, which led to the first cases of data breach under the GDPR in the early years.
The main hypothesis explored in this brief study is that the risk of failure of these technical and organizational measures is associated with the lack of a holistic interpretation encompassing the threefold perspective suggested here, which takes into account legal, technical and business aspects. Critical reflection on the technical and organizational measures already adopted, together with the study of real cases of data privacy breaches, helps to better outline the measures that must be taken from now on.
Precautions commonly adopted by companies for GDPR compliance are:
- Asset management
- Access control (physical and virtual)
- Data pseudonymization
- Control of data transfers, mainly to countries outside the European Economic Area (Art. 44 to 50 of the GDPR)
- Data recovery methods
- Security measures for remote access
- “Bring your own device” policies (BYOD)
- Clean working environment policy (screen and desk)
- Safe data disposal methods
- Mandatory GDPR training for employees
- Guarantee of the subject’s express consent before the collection of personal data
- Audit of personal data collection inventory
The propensity to failures is due to negligence in the practical application of the principle of data protection by design and by default (Art. 25 of the GDPR). This principle means incorporating data protection as a rule from the very beginning of the development of products, services and business practices, as a way of minimizing the subsequent effort needed to guarantee data privacy. In turn, carelessness with the principle of data protection by design and by default seems to be rooted in the lack of dialogue between the legal, technical and business perspectives.
For example, it would not be surprising if a lawyer, when assisting a company in inventorying its personal data collection, did not have sufficient practical experience with computer engineering to ensure that the inventory went down to the lowest levels of data recording (log-level data). Likewise, a data technician may not be aware that IP addresses are considered personal data, as they are not as obviously personally identifiable as personal names or e-mail addresses. A company director without extensive legal or technical knowledge, but aware of the relevance of obtaining certain personal data for the activities of the company, could accept without much questioning the legal and technical interpretations most favorable to continuing the business as it is, in order to avoid unnecessary costs. It is evident that, without a holistic perspective, a company guided by professionals like these, even if all were well intentioned and competent in their respective areas, is prone to data privacy breaches.
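To make the point about log-level data concrete, here is an added example (not code from the article or any project it mentions) that does two of the things an inventory at that level requires: it finds IP addresses and e-mail addresses in constructed web-server log lines so they can be counted in the personal data inventory, and it pseudonymizes them with a keyed hash (HMAC-SHA256) so the logs remain correlatable without holding the raw identifiers. The log lines, the regular expressions and the key are all assumptions constructed for the example; in practice the key would be stored separately from the pseudonymized data, which is what distinguishes pseudonymization from anonymization under the GDPR.

```python
"""
Added example: inventory and pseudonymize personal data found in raw log lines.
Everything here (log lines, key, regexes) is constructed for illustration.
"""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample lines in common web-server log format; the addresses
# use documentation ranges and the e-mail address is made up.
SAMPLE_LOG = [
    '203.0.113.42 - - [12/Jun/2019:10:01:07 +0000] "GET /account HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jun/2019:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 user=ana@example.org',
    '203.0.113.42 - - [12/Jun/2019:10:02:15 +0000] "GET /orders HTTP/1.1" 200 2048',
    "healthcheck ok",
]

# Assumed key; in a real deployment it lives in a separate key store so that
# the pseudonymized logs cannot be reversed by whoever holds only the logs.
EXAMPLE_KEY = b"constructed-example-key-keep-separately"

# Deliberately simple patterns: good enough for dotted IPv4 and ordinary
# e-mail addresses in logs, not a full validator.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def inventory(lines):
    """Count identifier occurrences and distinct values per kind of personal data.

    This is the log-level step the text says inventories often skip: it answers
    "does this data source contain personal data, and how much?".
    """
    counts = Counter()
    distinct = {"ip": set(), "email": set()}
    for line in lines:
        for ip in IPV4_RE.findall(line):
            counts["ip"] += 1
            distinct["ip"].add(ip)
        for email in EMAIL_RE.findall(line):
            counts["email"] += 1
            distinct["email"].add(email)
    return {
        kind: {"occurrences": counts[kind], "distinct": len(values)}
        for kind, values in distinct.items()
    }


def pseudonym(value, key):
    """Keyed, deterministic token for an identifier (HMAC-SHA256, truncated).

    The same value under the same key always maps to the same token, so
    sessions can still be correlated; without the key the token cannot be
    linked back to the original value.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize_line(line, key):
    """Replace every IP and e-mail address in a log line with a labelled token."""
    line = IPV4_RE.sub(lambda m: "ip:" + pseudonym(m.group(0), key), line)
    line = EMAIL_RE.sub(lambda m: "email:" + pseudonym(m.group(0), key), line)
    return line


if __name__ == "__main__":
    print("inventory of raw log:", inventory(SAMPLE_LOG))
    for raw in SAMPLE_LOG:
        print(pseudonymize_line(raw, EXAMPLE_KEY))
```

Running the inventory on the sample lines reports three IP occurrences for two distinct addresses and one e-mail address; running it again on the pseudonymized output reports none, which is the check a reviewer would want before the logs are kept beyond the retention period allowed for raw identifiers.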
Companies that were less rigorous in adapting to the GDPR prepared themselves insufficiently or leniently, and therefore took greater risks of committing data breaches.
This careless attitude towards adapting to the new data protection rules can stem from several factors. To understand the scenario of the first GDPR cases, it is worth briefly investigating some hypotheses about the factors that led to companies' negligence with the personal data they collected.
Building the threefold perspective mentioned above is challenging for any company, either because it cannot find many professionals with sufficiently deep multidisciplinary knowledge, or because of difficulties in communication between professionals from the different areas. However, this mismatch is expected to be mitigated quickly. The International Association of Privacy Professionals (IAPP) estimated in a 2017 study that the GDPR would create a need for at least 75k data protection officers, while more recent research indicates about 500k organizations with such professionals registered under the GDPR criteria. Many of these professionals seek privacy certifications, such as CIPP/E and CIPM, which can be obtained by professionals from any area and help to standardize the minimum legal and technical knowledge about personal data protection.
There was also a belief that large corporations, especially those already known for public inquiries into their data collection policies, would be the most obvious targets for GDPR enforcement over personal data breaches. In fact, the McKinsey & Company consultancy found in a 2019 survey that consumer trust in companies that collect their data varies significantly according to factors such as industry and how companies limit the use of personal data. However, even though the probability of a given company ending up involved in a data breach investigation or lawsuit varies, no company is exempt from GDPR scrutiny, and for that it is enough that a single person identifies that their personal data protection rights have not been respected.
Besides, with ever faster advances in data collection and storage technology, companies have long collected personal data simply because they could. As a result, the people who ran these businesses felt entitled to collect as much data as possible. The GDPR makes it clear that the processing of personal data must follow, among other guidelines, the principle of data minimization (Art. 5(1)(c) of the GDPR), according to which personal data must be limited to what is necessary for the purposes for which they are processed. This demands assessing the company's needs restrictively, which requires time and business knowledge.
Many companies may have been lenient with the principle of minimization due to a sense of impunity.
Market research group Kantar TNS found that, less than six months before the GDPR came into effect, only 34% of respondents knew what the GDPR was about. Most of the population was not fully aware of the rights guaranteed to them by the GDPR, which reduced the likelihood of data privacy breaches being discovered.