Preparing for the GDPR

The European Union (EU) will put the General Data Protection Directive (GDPR) into effect on May 25th, and with it some potentially difficult and onerous requirements. Here are a few potential issues with which companies worldwide will have to contend:

Article 7(1) of the GDPR states, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” That means that anyone who signs up for a mailing list, a webinar, an email newsletter or any other type of communication from you will need to be fully informed of the “processing” that their data will undergo, and you will need to keep an accurate record of each instance of consent that has been granted. For example, someone who signs up to be on your corporate emailing list is granting consent for their information to be used strictly for the purpose of receiving email from you – you need to maintain a record of that consent. If they sign up for a webinar that you have announced to them in an email, they are granting consent to be contacted with regard to that specific webinar – you need to maintain a record of that, as well.
Our recommendation: excellent and up-to-date recordkeeping is going to be of paramount importance in order to remain compliant with the GDPR. That means good archiving of data subjects’ information, including the ability to search for and retrieve this information quickly and completely, and the ability to defensibly delete this information when needed.
Article 22(1) requires that a “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling…” and that includes their “location or movements” (Recital 71). What that likely means is that there is a prohibition on determining whether or not someone is an EU “data subject” based on things like their IP address when completing a form on your web site, for example. So, if someone who lives in the United States is on your corporate mailing list, where their information is not subject to GDPR compliance, but later moves to an EU country, where their data is now subject to the GDPR, is the onus on you to know they’ve moved? According to a strict interpretation of Recital 71, you’re not allowed to collect their IP address when they interact with you, and so you may not be able to determine that they have moved.
Our recommendation: act as if everyone is subject to compliance with the GDPR and process information accordingly.
Articles 12 through 23 of the GDPR are the “Rights of the data subject”, which include things like their right to access and have corrected any information that a data processor or controller has on them, and their right to have that information deleted – their “right to be forgotten” – albeit with certain limitations. There are some serious implications for data controllers and processors in these requirements:

You need to know where all of your data is located. Data subjects’ information that might be stored on a departmental file share to which IT or legal does not have ready access, information stored in employees’ personal Dropbox accounts, or information stored on ex-employees’ personal devices could make it difficult or impossible to respond adequately to a data subject’s request for information or their right to have this data corrected or expunged.

Even with access to all of your data, an organization with malicious intent could organize a group of a few thousand people to request their data simultaneously. Given that the GDPR gives data processors and controllers only one month to comply with these requests (up to three months in some situations), an organization with inadequate content management systems in place could easily run afoul of the GDPR.

Our recommendation: conduct a thorough data inventory to determine where all of your data is located, give IT access to it, and implement a robust and scalable archiving capability that will enable all corporate data to be searched and produced quickly and with a minimum of effort.

Many thanks to Anne P. Mitchell, an Internet law and policy attorney and legislative consultant, for her input to this post. Her firm is offering consulting on the legal aspects of the GDPR – you can contact her .

For more information on the GDPR, you can download our most recent white paper here.

How Long Should You Retain Records?

We have been asked many times how long businesses should retain their records, whether in email, files or other venues. The simple answer to the question is that there isn’t “an” answer. Instead, there are a number of issues to consider in determining how long you should retain your records:

What does your legal counsel advise?
What have court decisions in your industry revealed?
What is your organization’s tolerance for risk?
What are the consequences of disposing of records too quickly versus keeping them for too long?
What do government and industry regulations require as minimum retention periods?

To address the last question, we are assembling a database of regulations focused on data retention. We published the first edition in December with 421 regulations, but will be publishing the next edition in March with approximately 1,000.

Here’s a sample of the types of data retention regulations that exist today:

Manufacturers and importers of chemicals must retain documents related to notification of risk, contact information about entities to whom chemicals are distributed, production volumes and other information for three to five years (40 CFR 82.13).
Entities that operate as swap data depositories must retain records related to swaps or related cash or forward transactions for a period of five years, the first two years in an easily accessible place, but records of oral communications may be kept for only one year (17 CFR 1.31).
Underground mine operators must retain certifications for safety equipment for one year (30 CFR 57.4201).
Anyone who imports nonroad and stationary engines must retain documents supporting the information required in EPA Declaration Form 3520-21 for five years (19 CFR 12.74).
Entities that operate air curtain incinerators that burn yard waste must retain records about all opacity tests for five years (40 CFR 60.1455).
Manufacturers of heavy-duty vehicles and engines must retain records estimating how their fleets will comply with GHG emissions standards; estimated vehicle configuration, test group and fleet production volumes; expected emissions and fuel consumption test group results and fleet average performance; and other information (49 CFR 535.8).
The Canada Revenue Agency (CRA) requires entities subject to various sections of the Income Tax Act, the Employment Insurance Act and the Canada Pension Plan to retain for two to 10 years any books and records that will permit the CRA to determine taxation, the qualification of registered charities, permit the verification of various types of donations, etc. (CRA Information Circular IC78-10R5).

There are two key takeaways from this:

There is no such thing as an “unregulated” industry or company in the context of data retention: every business in every industry must retain records for some length of time.
Data retention is not easy, particularly in the context of being able to find archived records, disposing of them properly, and migrating them to new archives and other information platforms. The technology used to archive, search for and migrate records is critical.

For more information on our Data Retention Requirements Guide, click here.

What About Shadow IoT?

There has been so much talk about “Shadow IT” — employees using their own smartphones, tablets, cloud applications and mobile apps — and its impact on corporate IT that many don’t worry about it anymore. Many IT decision makers have simply acquiesced to the idea that employees will use their own devices, mobile apps and cloud applications, and so are finding ways to work within this new reality as opposed to fighting it. To be sure, Shadow IT has major implications for security, the ability to find and manage corporate data, the ability to satisfy compliance obligations and the like, but Shadow IT is here and it’s here to stay.

But what about “Shadow IoT”? There are a large number of personally owned IoT devices already accessing corporate networks, such as Apple Watches, Fitbits, Alexa/Google Home devices and the like. For example, an Apple Watch can be used to access corporate email and text messages, Fitbits send emails to wearers with their weekly status reports, and , to name just a few examples on the tip of this iceberg. Fueling this trend is growing corporate acceptance of the idea of integrating IoT with business processes — companies like Salesforce, Capital One, AETNA, SAP and SITA, among others, are embracing use of the Apple Watch and developing applications for it. Moreover, the use of wearable IoT devices can increase employee productivity — a Rackspace study found that productivity and job satisfaction both benefited from their use.

While personally managed IoT devices represent an enormous boon to their owners, they also can create a number of security risks. For example, researchers at the University of Edinburgh were able to circumvent the encryption that Fitbit uses to send data, leaving users vulnerable to theft of their personal information. In 2015, a Fortinet researcher discussed a proof-of-concept that could infect a Fitbit device with malicious code that could then send malware to a PC connected to the device (a claim that Fitbit denied). Researchers at Binghamton University found that sensors in wearable devices could be used to determine passwords and PINs with up to 90 percent accuracy. Apple Watches have been banned from cabinet meetings of UK government ministers over fears that the devices could be hacked and used to listen in on these meetings.

Does your organization have a policy to protect against Shadow IoT? What security measures have you implemented specifically to address this threat? I’d like to get your feedback on what your organization is doing for a future blog post.

The Impact of the GDPR on Cloud Providers

We just published a new white paper on the European Union’s (EU’s) General Data Protection Regulation (GDPR) and will soon be publishing the results of the two surveys we conducted for that white paper.

In the second of the two surveys we conducted, we asked the following question: “Will your organization increase or decrease use of cloud technology as a result of the GDPR?” We found that 50 percent of respondents indicated they would do so, 39 percent said there will be no change, six percent said they didn’t yet know, and only five percent said that use of the cloud will decrease. That tells us a few things:

Many decision makers are still unsure about how they’ll deal with the GDPR. A thorough reading of the regulation, as with most government rules, leaves room for interpretation. For example, if data on an EU resident is subject to a litigation hold in the United States and the EU resident exercises his or her right to be forgotten, should the data controller violate its obligations to retain the data or violate the GDPR? That uncertainty will lead many to seek the assistance of third parties, many of which will be cloud providers that have more expertise in dealing with these kinds of issues.
Many organizations will pass the buck to their cloud providers. Because many organizations are simply not sure about how to deal with the GDPR, particularly smaller ones that can’t afford a team of GDPR-focused legal and compliance experts, they will rely increasingly on cloud providers who they anticipate/expect/hope will navigate the intracacies of the GDPR on their behalf. We believe that will accelerate the replacement of on-premises solutions with those based in the cloud.
Consequently, the choice of cloud providers will become extremely important. Since a cloud provider that inadvertently violates key provisions of the GDPR while working on behalf of their clients will not be a shield from prosecution, GDPR savvy will become a top priority when selecting new, or staying with existing, cloud providers.
The new ePrivacy Regulation that will supplement or replace key provisions of the GDPR will impose significant usability restrictions on even simple activities like web surfing. For example, it is very likely that web site visitors will need to grant permission for each and every cookie dropped into their browser when visiting a web site, yet that web site operator will not be able simply to block content for those users who do not grant permission. This will make the choice of a web host extremely important in order to comply with both the GDPR and the ePrivacy Regulation.

In short, while the GDPR increases privacy protections for individual users in the EU, it is increasing the risk for those that wish to provide content to them. Many companies, particularly smaller ones, will seek to mitigate that risk by handing it off to cloud providers.

You can download our newest GDPR white paper here, and get more information on the ePrivacy Regulation here and here.

How to Protect Corporate Data When Employees Leave

A key part of employment – particularly in a good economy – is that employees leave employers on a regular basis. According to data from the US Department of Labor, mean turnover among US-based employees in 2016 was 23.8 percent. That means in an organization of 1,000 people, nearly one-quarter of them will quit or otherwise be terminated during a year’s time, or about 20 people per month.

How do employers ensure that departing employees don’t take important data assets with them when they leave? The answer, it turns out, is that they don’t protect against this eventuality. Our research found that for many organizations, information governance policies, practices and technologies focused on data protection are not well implemented, if they are implemented at all. This puts these organizations at significant risk from employees who either quit or are terminated involuntarily and take with them key data assets, such as customer lists, trade secrets, financial projections, or various types of intellectual property.

Here’s what we found in a recent survey:

In only 48 percent of organizations can HR data be relied upon to determine when someone is going to leave a company.
Only 33 percent of organizations are sure they can detect if an employee that has left the company is still using their access to corporate data.
In only 16 percent of organizations does HR take the lead in ensuring that access to data sources, devices, accounts, etc. is disabled for departing employees.
Only 24 percent of organizations know when third parties stop working on their systems and data, and only 12 percent know if employees or third parties are sharing access to data through the same account, bypassing any terminations processes.

There are several processes and technologies that organizations can implement that will enable them to gain visibility and retain control over their sensitive and confidential data assets, while assuring that employees are not leaving with these assets. There are a number of technologies that can be implemented to protect corporate data from exfiltration by departing employees, but a governance-based model for user lifecycle management and access management can provide organizations with a high degree of assurance that only the right employees have the right access to corporate data at the right time.

For more information about these issues, please feel free to download our white paper, Protecting Corporate Data When Employees Leave Your Company.