
The Digital Economy & GDPR

Stephen Cameron
3/9/2017

The EU General Data Protection Regulation (GDPR), which is due to come into force in May 2018, will affect every organization that uses the data of European citizens. In this article, Stephen Cameron and Chris Pinnock examine the implications of GDPR, consider the changing political landscape and analyze how businesses will be affected by the new regulation.

Background
The electronic use of private information has increased exponentially since the EU's Data Protection Directive appeared in 1995 and the UK's Data Protection Act (DPA) was updated in 1998.

When these laws were created, the world of computing was very different. Since that time, our dynamic use of the Internet through computers and mobile devices gives many businesses the capability to collect a plethora of information about our private lives, movements, locations, preferences and lifestyles. This has enabled a revolution in marketing methodologies and tools that provide extraordinary insight into customer needs and opportunities.

In the new digital economy, organizations have become increasingly connected across the globe by using services in the cloud and most of their applications are now Internet driven. This means that personal information can be found anywhere, spurring governments to recognize and formulate digital economies to service the needs of customers across the world.

In recent years, several large organizations have suffered personal data breaches. In 2011, Sony's PlayStation Network was compromised, leaking vast amounts of personal data. In 2015, TalkTalk's customer services portal was attacked and customer information was exposed, including e-mail addresses, bank account details and dates of birth.

It is therefore time for the current data protection legislation to get an update. The EU has adopted the new General Data Protection Regulation (GDPR) and it is due to come into force in May 2018. The Regulation aims to protect personal information while enabling the exchange of information that digital markets depend on. It defines clear roles and responsibilities, and a strict process for handling personal data breaches. It applies to organizations processing the personal data of people in the EU (strictly, of data subjects who are in the EU, whatever their nationality) regardless of whether the organization sits wholly in the EU or not.

This is particularly relevant to the telecom market, where businesses store a significant amount of customer data. In the future, we will see more digital interaction with customers via web portals and programmatic APIs. The need to mitigate risk on personal data breaches is therefore greater. The GDPR has further implications for organizations that outsource part of their customer-related operations outside of the EU.

In this paper, we describe the key changes to the regulations and suggest an action plan for organizations to use to start thinking about the GDPR in advance of its go-live date.

What is changing?
The new European General Data Protection Regulation (GDPR) was adopted into European law in April 2016 and becomes enforceable on 25 May 2018. It replaces the current European Union Data Protection Directive 95/46/EC from that date, whilst remaining compatible with the ePrivacy Directive 2002/58/EC. Because it is a regulation rather than a directive, it applies directly in every EU member state from that date without needing to be transposed into national law.

The Regulation runs to 88 pages in the Official Journal and consists of 173 recitals followed by 99 articles. It defines roles such as Data Subject, Supervisory Authority, Processor, Controller and Data Protection Officer, each with clear responsibilities for protecting the personal data of a Data Subject. (See Table 1.)

Table 1: GDPR: Key Terms & Roles

Term Definition
Personal Data Any information relating to an identified or identifiable natural person (the Data Subject), such as a name, an identification number, location data or an online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Data Subject An identifiable natural (living) person. The regulation does not apply to corporate entities or to the personal data of deceased persons.
Processor A natural or legal person, or other body, that processes personal data on behalf of a controller.
Controller A natural or legal person, or other body, that determines the purposes and means of processing personal data. A controller can act jointly with other controllers.
Data Protection Officer An officer appointed by the controller or processor who independently oversees the organization's compliance with the regulation.
Supervisory Authority An independent public authority established by a Member State to monitor the application of the GDPR and protect Data Subjects.
European Data Protection Board Over-arching EU body that ensures the regulation is applied consistently across all Member States and advises on data protection in countries outside the EU (known as third countries).

The aim of the GDPR is to protect the rights of the Data Subject, counterbalancing this with the EU's vision of the Digital Economy, in which data flows freely across the EU. The European Data Protection Board is established to ensure the GDPR is applied consistently; day-to-day supervision and enforcement against businesses remain with the national supervisory authorities. Each member state will have at least one Supervisory Authority and will have representation on the Board. In the UK, this body is expected to be the current data protection regulator, the Information Commissioner's Office (ICO).

There are some key highlights of the GDPR that need to be addressed by business:

  • The GDPR requires the Data Subject to clearly understand how their data is being processed and consent must be given at a granular level with specifics to each type of information, how it is acquired and with whom it is shared. The Data Subject must be able to withdraw consent as easily as giving consent.

  • The definition of personal data has been broadened and the interpretation includes any piece of data that could be used to identify a natural person (for example, an IP address or GPS location).

  • The GDPR requires organizations to produce adequate risk assessments and reviews of their data processing footprints or private information supply chain to ensure that their systems and processes adhere to the spirit of the GDPR.

  • Personal data breaches must be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of the breach, where feasible, and the notification must describe the nature and extent of the incident, the categories and approximate numbers of data subjects and records affected, and the likely consequences. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.

  • The GDPR applies to data controllers and data processors whether they reside within the EU or not, going beyond what is covered by the current data protection laws. It has implications for organizations that outsource their data processing to countries outside of the EU.

  • The GDPR refers to states outside the EU as "third countries." The European Commission, advised by the Board, determines whether a third country provides an adequate level of data protection; personal data can flow freely to a country with such an adequacy decision.

  • A company outsourcing its data processing (or otherwise transferring personal data) to an organization in a third country will need to ensure that adequate protection and processes are in place at that organization to comply with the GDPR. Where the third country has no adequacy decision, the transfer must rest on another safeguard recognized by the GDPR, such as standard contractual clauses or binding corporate rules.

Individuals need not worry about the GDPR when they handle personal data purely in the course of personal or household activities; it applies to organizations. It also applies only to the personal data of living natural persons.

Does this matter to the UK with Brexit?
Brexit does not change the UK's immediate GDPR obligations. On any plausible timetable the UK will still be a member state when the GDPR becomes enforceable in May 2018, since the earliest the UK can leave the EU is 2019.

Even so, the GDPR has been regarded as the gold standard by which a digital economy should operate with respect to the privacy and exchange of data. Industry experts have suggested that as the UK is a leading digital economy, founded on a strong finance industry, adherence to the GDPR will naturally be embraced. The UK Government has reinforced that sentiment by working on an EU transition bill, the so-called Great Repeal Bill, which will carry existing EU legislation into UK law to reduce the costs and effects of a sudden change on leaving Europe.

The GDPR is written, as you would expect, in terms of the European Union, its bodies and processes, with a few explicit areas where member state legislation may vary the detail. Once outside the EU, the UK will be a third country in terms of the GDPR. To keep data flowing after Brexit, the UK will need its own data protection law that is compatible with the EU GDPR and its processes. One likely scenario is for a supervisory authority (such as the ICO) to administer the UK regime, acting both as the UK's own data protection board and as a recognized counterpart to the EU Data Protection Board.

Organizations like the British Computer Society would like to see data protection equivalence with the EU as a minimum standard (see note 2), with an opportunity for the UK to become a world leader in this area of legislation (note 8), possibly with even stronger protections (note 9).

In summary, any company based in the UK will still need to comply with the GDPR whenever it processes the personal data of people in the EU. Furthermore, it will be subject to equivalent UK legislation for processing the personal data of UK residents post-Brexit.

What happens if the GDPR is breached?
The ICO has the power under the current data protection legislation to investigate UK institutions for personal data breaches and can fine them up to £500,000 for breaches that are not handled correctly.

When the GDPR comes into force, the potential fines are much larger. Administrative fines are tiered: up to €10 million or 2% of the organization's total worldwide annual turnover, whichever is higher, for infringements such as failing to notify a breach or to keep records of processing; and up to €20 million or 4% of worldwide turnover, whichever is higher, for the most serious infringements, such as breaching the basic processing principles, the conditions for consent or data subjects' rights. Table 2 applies the lower 2% tier to two incidents the ICO has already fined; the increase in exposure is substantial.

Table 2: Recent High-Profile Data Security Incidents and Potential GDPR Fines

Sony
  Incident: PlayStation Network accounts hacked (usernames, passwords and credit card details; see notes 1 and 3)
  Numbers affected: 77 million
  Date of incident: 19 April 2011
  Original fine: £250,000 (Information Commissioner's Office; see note 4)
  Potential GDPR penalty: more than $1 billion (2% of 2011 turnover of $63.84 billion; see note 5)

TalkTalk
  Incident: Cyber attack on customer services portal
  Numbers affected: 1.2 million (157,000 names, addresses and phone numbers; 21,000 bank account numbers; 15,000 dates of birth)
  Date of incident: 23 October 2015
  Original fine: £400,000 (Information Commissioner's Office; see note 6)
  Potential GDPR penalty: about £35 million (2% of 2015 turnover of £1.79 billion; see note 7)

Notes: See the end of the article for the full list of footnotes.

Therefore, it is critical that businesses have adequate controls in place on the personal data they manage and, in the event of a breach, that they have effective processes in place to report breaches to the appropriate authorities.

Call to action
Businesses should consult specialists who assess risk and identify gaps in security and personal data management processes. The operating models are complex and varied; they need to be understood and applied to the specific business, starting with whether the business acts as Controller, Processor or both for each data flow.

For a relatively new business or new project involving personal data, the security of and risk to personal data must be considered from day one, with systems and processes developed with the GDPR "built in" (what the Regulation calls data protection by design and by default). Existing businesses will need to assess their information systems stack and retro-fit changes to ensure the integrity and privacy of personal data.

Here are some key points that need to be considered:

  • Risk assessments -- Organizations are required to carry out a data protection impact assessment before any processing that is likely to result in a high risk to the rights and freedoms of individuals, for example systematic large-scale profiling or monitoring. The assessment must describe the processing, its necessity and proportionality, the risks to data subjects and the measures taken to address them.

  • GDPR certification -- As the GDPR comes into play and the market approach matures, there will be the opportunity to certify an organization's compliance through approved certification mechanisms and seals, much in the same way as businesses certify compliance with ISO 27001 and other standards.

  • Enhanced consent of the individual -- Ensure that systems asking for consent do so in plain language, separately from other terms and conditions, and allow the subject to withdraw consent as easily as it was given. Consent must be a clear affirmative action, so pre-ticked boxes and inactivity do not count. Ensure that processes record what the subject consented to, when and how, and that they tell the data subject who the recipients are, what processing is done and what the risks are, at a granular level; existing systems will need to change to support this.

  • Clear documentation of the nature of personal data held -- an organization must understand what personal data it holds, why and on what legal basis it processes it, how long it keeps it and who the recipients are, and must keep a record of these processing activities.

  • Relationships with partners who provide third-party services must be reviewed, and contracts updated, to ensure that the services are GDPR-compliant, particularly where the partner is in a country outside the EU.

  • Be ready to respond to breaches -- Organizations must develop robust processes to detect, investigate and handle breaches of personal data within the 72-hour notification window specified in the GDPR.

  • Adequately budget for data projects and supporting tools. Some fundamental business process changes may be relatively straightforward to adopt. However, locating and remediating the data itself and incorporating new tools will take significant effort.

  • Responsible parties -- The GDPR does not tie the Data Protection Officer requirement to headcount. A controller or processor must appoint a DPO where it is a public authority, where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where they involve large-scale processing of special categories of data. The DPO must be able to act independently and with authority on data protection issues. (The 250-employee threshold in the Regulation concerns the exemption from keeping records of processing activities, not the DPO.)

References/Notes
1. https://business-reporter.co.uk/2014/12/19/companies-face-being-fined-5-of-turnover-if-they-suffer-sony-style-hack-in-future/
2. http://www.bcs.org/content/ConWebDoc/56850
3. https://www.dwf.law/news-events/legal-updates/2013/01/sony-fined-for-data-protection-breach/
4. http://www.bbc.co.uk/news/technology-21160818
5. https://www.statista.com/statistics/279269/total-revenue-of-sony-since-2008/
6. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/
7. https://en.wikipedia.org/wiki/TalkTalk_Group
8. http://www.bcs.org/content/conBlogPost/2578
9. http://policy.bcs.org/content/digital-brexit-planning-successful-digital-future-outside-eu

— Stephen Cameron is an Information Management and Digital Strategy Leader working in the Financial Industry. He is the author of a successful and authoritative book, Enterprise Content Management: A Business and Technical Guide (ISBN 978-1906124670, BCS 2011), a BCS Fellow and a Chartered Engineer.

— Chris Pinnock is an IT Consultant working in the Telecommunications Industry. He holds a PhD in Mathematics, is a BCS Fellow and a member of the BCS ELITE IT leadership group.

kq4ym, User Rank: Light Sabre
3/20/2017 | 9:18:50 AM
Re: GPDR, Call detail records and privacy
It was surprising to me that there was such a long period between looking over the rules and regulations. Since the "update of the UK's Data Protection Act (DPA) in 1998," obviously we're in a different world now, nearly 20 years later. It would seem that there should be an automatic review every few years if not sooner, as tech progress becomes increasingly quick and the privacy and security issues are probably more important now than ever.
stephenacameron, User Rank: Blogger
3/13/2017 | 2:40:41 PM
Re: GPDR, Call detail records and privacy
The loose, amorphous and constantly changing integration landscape in the TELCO arena to achieve a plethora of services provides ample opportunity for private data to fall between the cracks. It is a symptom of the exhausting number of changes that need to be managed across all the suppliers that exposes the cracks.

I agree with your sentiment. I am surprised that there is not more being said about this. Clearly companies know the situation is precarious and are working in the quiet zone to clean up their act. They are also hedging their bets: they think that the fines can be negotiated. I know that the EU will want to show teeth on the first strike. The ICO is gradually ratcheting up the fines, but have no doubt that the EU will slam any corp that operates across its borders and doesn't effect protection, consent and privacy controls.
linkedin14264, User Rank: Light Beer
3/13/2017 | 7:42:17 AM
GPDR, Call detail records and privacy
Hi Stephen,

Food for thought!

Being active in the ITEM market (expense management using the call data records of employees), it baffles me how little attention is paid to keeping employees' call data records secure. I have come across call data a couple of times that was unsecured, shared and accessible to people not authorized to access it, not to mention being visible even to personnel of other companies due to loopholes in the data security process (patching and feature add-ons not being thoroughly tested while data and applications reside in the cloud).

It makes me shiver that the fines related to these breaches can put TEM companies out of business due to lack of testing (time, resources).