GDPR hits compliance enforcement in May 2018. Below Michael Christensen, a member of (ISC)2’s GDPR Taskforce, lifts the lid on 5 unforeseen consequences of the legislation that businesses may be unaware of.
Europe is less than a year away from implementing the biggest data-privacy law in history, yet there is an astonishing failure to understand its true implications across industry and society. This immensely complex piece of legislation will have many unforeseen consequences that we are only now beginning to comprehend.
Many organisations have little or no idea of the mammoth task of compliance, or of the many hidden penalties for non-compliance that go beyond fines, from mass compensation claims to malicious data requests.
In my time advising organisations on compliance, I have seen the potential threat this legislation poses, and the extreme difficulties that many are encountering. Even large European public and private organisations, from banks to telecoms operators, are unaware that many of their current contracts and products could put them at risk of prosecution in 2018.
Paradoxically, this legislation is also offering a welcome new impetus for firms to improve and economise, by gaining a better understanding of everything from the value of their data and how it is used to how they determine the ages of their customers and service-users.
Below I list five legal pitfalls, and the business opportunities they present for those firms that get it right.
1. APIs: The Hidden Threat
Application Programming Interfaces (APIs) are the invisible ‘joins’ of the burgeoning Internet of Things (IoT), creating the interoperability between software, systems and devices that will enable a vast array of businesses, products and services to draw from the well of open data. Yet they represent a major GDPR ‘grey area’ because many organisations simply do not know who is responsible for securing them when their data is in transit. This will leave many IoT companies, from connected carmakers to home hubs, unwittingly liable to fines and lawsuits if they lose personal data through cyber-attacks on APIs.
Google and IBM’s Open Web Application Security Project (OWASP) writes about common vulnerabilities in web apps, yet there is no comparable study of common vulnerabilities in APIs. They represent the elephant in the room that nobody is discussing.
GDPR will improve the ‘connected economy’ by focusing minds on how we secure the ‘joins’ of the connected economy, as businesses realise that API security is now fundamental to data privacy.
2. The bombshell contained within contracts
Few organisations realise that many contracts that govern data-sharing between organisations must be completely re-written to comply with GDPR.
The regulation specifies that data cannot be used for any purposes, or by any third parties, other than those for which the data subject has given their consent, and it holds both ‘controllers’ and ‘processors’ liable for data loss or misuse. However, here is the catch: if a data ‘controller’ does not specify what is ‘personally identifiable’, how can the data be used legally?
We have seen public sector organisations sharing personally-identifiable survey data with private firms without even specifying how it can be used in the contract, which means they would be liable for prosecution.
This is a chance for organisations to take control of what is happening to their customers’ data as it is shared with other organisations by writing ‘data privacy’ rules into their contracts.
Many products were originally conceived or commissioned before GDPR was drafted, and many companies are unaware that these products put them in breach of GDPR.
This is an opportunity for companies to re-design their products to ensure that their customers and employees are kept informed and in control of how their data is used, thereby improving consumer trust, brand loyalty and customer retention.
3. Age verification
GDPR requires that organisations must obtain parental consent to keep or share children’s data. Our work has found that many services, from dating sites to public services, have no way of properly verifying the age of their product or service-users. Some social media sites and even sexual health clinics just rely on people self-reporting their age, leaving them liable to lawsuits if underage people are using their services.
This opens up the potential for costly lawsuits and huge reputational damage if, for example, health organisations are exposed and fined for inadvertently sharing the personal details of children without their parent’s knowledge.
Yet this is also a positive, as it provides a new imperative for companies to get to know the true age and identity of their customers and therefore gain a clearer picture of their user demographics. One simple way to achieve this is to introduce bank-style ‘two-factor authentication’ for age verification.
4. Shadow IT
The personal data circulating around so-called ‘shadow IT’ structures – the vast subterranean array of employee devices and apps that exist under the corporate radar – means that much of the personal data being held, or the way it is used, might not show up on an official company audit.
Many organisations don’t realise their employees are potentially putting them in breach of the law. If they don’t know where personal information is being stored in the organisation, how can they provide it in response to a public data request?
This creates a chance for long-overdue assessment of ‘shadow IT’ and BYOD, to understand how corporate data is being used across the organisation and to ensure employee practices don’t impact on corporate reputations. Organisations must transform employee training to teach what constitutes personal data and how it can be legally used.
5. Hidden cost of non-compliance
The media has focused on the potential for GDPR to result in heavy fines, but few realise that there is another, less visible financial cost.
The legislation gives individuals new rights, including the right to request or erase their personal data. This could open companies up to malicious journalist requests seeking to catch out non-compliant companies for a big exposé. It could also open them up to a deluge of customer and employee lawsuits if data is not delivered or erased on time, or if it is lost or stolen.
This is a huge opportunity for companies to understand that cyber risk is now a central business risk and must be treated as such, with appropriate board-level attention and support.