9 April, 2018
This is an excerpt from an interview on global GDPR implications with Sputnik International’s correspondent in Belgium, Luc Rivet.
Sputnik International asked our CEO Aram Hovsepyan for his view on GDPR, the new European regulation on the protection of your personal data. CODIFIC’s security and privacy expertise is rooted in our close collaboration with the DistriNet research laboratory of the Department of Computer Science at the KULeuven. DistriNet has about 30 years of security and privacy research, and their LINDDUN methodology seems to be the systematic framework that will help organizations demonstrate the “necessary technical and organizational measures”. Note that LINDDUN was developed well before the GDPR hysteria, so it is not an opportunistic attempt to surf the hype.
Can you give us a helicopter view of the GDPR?
GDPR basically consists of two parts, a legal one and a technical one. We strongly believe that the legal aspects are relatively straightforward to tackle. This is precisely what is behind the “avalanche of emails” that mainly contain some new legal texts and require us to provide a new consent. From a legal perspective, the 25th of May could have been considered an actual deadline.
The technical aspects of the GDPR are fundamentally challenging, as organizations need to stick to principles like accountability, transparency, privacy by design, privacy by default, etc. GDPR also requires organizations to demonstrate the implementation of the necessary technical and organizational measures to ensure data protection. The latter brings us into the domain of software security, which is known to be an essential problem within the whole Internet. So from a technical perspective, the 25th of May is simply the start of a journey, hopefully towards a more secure Internet.
As a GDPR specialist, I’d like your opinion on the application of the GDPR. How should an SME or an individual react to the avalanche of emails proposing services or requiring them to vet new security rules?
– We believe that individuals do not really have a choice at the moment. The Belgian Privacy Commission has only a handful of employees (I think about 50) and they simply do not stand a chance of following up on every claim / complaint from a natural person. This might change, but it will take quite some time, I believe.
– SMEs should firstly focus on creating a list of the data they are processing and come up with a clear policy, expressed towards the users, of what they are doing with this data. This is quite straightforward and tackles the “transparency” principle from the GDPR. Once the data subjects are aware of what’s going on, the SMEs should focus on making sure they do take all the necessary steps to ensure data protection. Unfortunately, this is where the SMEs are actually in trouble, as there are no shortcuts here. An average modern software engineer (no offense to our colleagues) is often focussing only on the functional aspects of a software system. Security is rarely a selling quality except for a specific niche (like banking, medical, etc.).
Regarding the new security rules – while GDPR enumerates some concepts like encryption, pseudonymization, etc., GDPR explicitly mentions risk. This means that SMEs must start by threat modeling and focus on the highest risk / impact issues first.
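The two steps above (inventory the data you process and state it to users, then threat model and work the highest-risk items first) can be captured in a small, auditable register. The following is an added example, not part of the interview and not CODIFIC's or DistriNet's own tooling: it uses the seven real LINDDUN threat categories, but the web-shop data items, the threats, the 1-to-5 likelihood/impact scale and the countermeasures are constructed for illustration.

```python
"""Added example: a data-processing inventory plus a LINDDUN-style threat
register, ranked by risk so the highest risk / impact issues come first.
Data items, threats, scores and countermeasures are constructed samples."""
from dataclasses import dataclass

# The seven LINDDUN privacy threat categories (one per letter of the acronym).
LINDDUN_CATEGORIES = (
    "Linking",
    "Identifying",
    "Non-repudiation",
    "Detectability",
    "Disclosure of information",
    "Unawareness",
    "Non-compliance",
)


@dataclass(frozen=True)
class DataItem:
    """One entry of the 'which personal data do we process, and why' inventory."""
    name: str
    purpose: str
    in_privacy_policy: bool  # is this processing stated to the data subject?


@dataclass(frozen=True)
class Threat:
    """One privacy threat against a data item, scored for prioritisation."""
    data_item: str
    category: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int      # 1 (negligible) .. 5 (severe); constructed scale
    countermeasure: str

    def __post_init__(self):
        # Reject categories outside LINDDUN and scores outside the 1..5 scale.
        if self.category not in LINDDUN_CATEGORIES:
            raise ValueError(f"unknown LINDDUN category: {self.category!r}")
        for score in (self.likelihood, self.impact):
            if not 1 <= score <= 5:
                raise ValueError("likelihood and impact must be in 1..5")

    @property
    def risk(self) -> int:
        # Plain likelihood x impact product; any ordinal risk scale would do.
        return self.likelihood * self.impact


# Constructed sample inventory for a hypothetical web shop.
INVENTORY = [
    DataItem("customer_email", "order confirmation", True),
    DataItem("shipping_address", "delivery", True),
    DataItem("browsing_history", "product recommendations", False),
    DataItem("ip_address", "fraud detection", False),
]

# Constructed sample threat register for the same shop.
THREATS = [
    Threat("browsing_history", "Linking",
           "recommendation logs join sessions into a per-user profile",
           likelihood=4, impact=4, countermeasure="pseudonymise session ids and rotate them"),
    Threat("customer_email", "Disclosure of information",
           "order export sent over plain HTTP to a partner",
           likelihood=3, impact=5, countermeasure="TLS-only endpoint, minimise exported fields"),
    Threat("ip_address", "Unawareness",
           "users are never told IP addresses are kept for fraud checks",
           likelihood=5, impact=2, countermeasure="state purpose and retention in the policy"),
    Threat("shipping_address", "Detectability",
           "an order-lookup endpoint reveals whether an address is on file",
           likelihood=2, impact=3, countermeasure="uniform responses for existing/unknown orders"),
]


def transparency_gaps(inventory):
    """Names of processed data items not covered by the user-facing policy."""
    return [item.name for item in inventory if not item.in_privacy_policy]


def rank_threats(threats):
    """Order threats highest risk first (ties broken by impact, then data item)."""
    return sorted(threats, key=lambda t: (-t.risk, -t.impact, t.data_item))


if __name__ == "__main__":
    print("Processing not stated to users:", transparency_gaps(INVENTORY))
    for t in rank_threats(THREATS):
        print(f"risk={t.risk:2d}  {t.category:<26} {t.data_item:<18} -> {t.countermeasure}")
```

Run as a script, it first lists the inventory entries the privacy policy does not mention (the transparency gap) and then prints the register from highest to lowest risk, so the order in which countermeasures get budgeted is explicit and reviewable rather than implicit.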
Since the American GAFA are the best organized and you can’t actually speak of a European sector (apart from the Swedish Spotify or French Deezer), isn’t the new legislation paradoxically favouring the American giants?
In terms of both legal and technical GDPR challenges, it does seem that the legislation favours the giants. They have virtually unlimited resources to make sure they are as compliant as one could be*. However, we do believe that this is an opportunity for the European players to step up. US firms, no matter how well prepared they might be, are by definition scoring less when it comes to the GDPR perspective. In the post-Snowden era, and especially in the light of the recent Facebook revelations, it does seem that strong European players could gain in reputation simply by being European.
Frankly, most SMEs seem to be simply protecting themselves by bombarding you with an avalanche of messages to which you need to agree. Is it really going to change the face of the internet?
Indeed, right now SMEs’ best shot is to hire a legal consultant and make sure they are OK from a legal perspective. This is relatively cheap. Note, however, that there is already a lawsuit, for instance regarding this “forced consent”, against Google, Facebook, WhatsApp and Instagram. (source)
It is hard to speculate whether GDPR will have a real impact on the face of the Internet. Most of the GDPR principles are not new, and member states already had to implement a similar directive in their legislation. The key difference is the huge fines. I would expect to see changes in two directions:
1. Awareness in the long term could lead to suppliers becoming more transparent.
2. Data breaches could trigger fines, which would lead to a more secure Internet.
Is the ultimate goal of the EU to be able to tax the GAFA? What can be expected on that front?
GDPR is the perfect leverage for the EU to regulate the big data industry, which is said to be the new oil. Calling GDPR a taxation mechanism is perhaps a little far-fetched. Tech giants are known to have the resources to make sure fines are postponed and cancelled (Intel’s >€1bn fine would be a great example). I guess we will have to wait and see what comes next.
* A minor note on the term compliance. The term “GDPR compliance” and the question “Are you GDPR compliant?” often pop up. As tempting as it may sound, we believe that GDPR compliance is a convergence at best. GDPR requires one to implement the necessary technical and organizational measures. From a security point of view this boils down to the question “Is your software system secure?”. A great analogy is asking someone if their house is secure, or asking the bank if the vault is secure. The right answer would actually be a list of the threats one has considered and the countermeasures against those threats. 100% security simply cannot exist. The same applies to the term GDPR compliance. At least for the time being.