
Sunday, June 24, 2018

Risky Data 4 – Risks and tactics as GDPR goes live!

By Bill Moran and Rich Ptak 

Image courtesy of European Commission


We’ve already discussed GDPR planning, focusing on general areas, e.g. security, that all companies should take seriously. Now, we address specific actions potentially necessary for GDPR conformance. The requirements will vary by industry and product type. We assume strict adherence to GDPR requirements and deadlines[1]. We focus on companies without a physical EU presence that may currently be doing business with its citizens/residents.

To enter or not…

First, determine the potential amount (volume) and value from existing or future EU customers. This includes residents/citizens that purchase products or services directly or over the internet. You need to determine the total value of EU business. Avoiding accounting details, business value is revenue less the expense and costs associated with product/service creation, demand generation, and delivery, etc. It includes customs, duties or taxes that you may pay to the EU.

BE AWARE THAT YOU MAY HAVE TO INCUR GDPR-RELATED COSTS INDEPENDENT OF ANY DECISION YOU MAKE ABOUT PURSUING EU BUSINESS!

Next, determine (estimate) what it will cost you to comply with the full GDPR. This, along with business value, is the critical input for the decision. If the business value exceeds GDPR compliance costs, then you may want the business and will comply with GDPR. Done, almost[2].

However, if the compliance costs exceed the projected value, you may want further analysis before deciding. Is it possible to increase the business value with a price increase? Can you reduce compliance costs? Can you amortize costs across your total customer base[3]? Or, you can withdraw and refuse EU purchases. Finally, other relevant factors may affect the decision, so follow your organization’s procedures.[4]

Whatever you decide, you may still be impacted by GDPR, as we reveal below.

So, what’s happening now…

Some US newspapers and magazines, not wishing to conform to GDPR regulations, have terminated EU subscriber subscriptions[5]. Similarly, others may decide to back away from EU business. Note that doing this will still require scrubbing all EU customer information from databases.

In addition, some form of screening will be necessary to prevent EU residents/citizens from subscribing in the future. For example, require new customers to certify non-EU status. This should help to circumvent attempts at concealing actual status.

DETERMINING THE LEGALITY OF ANY ACTION IS BEYOND THE SCOPE OF THIS PAPER. WE ARE PROVIDING INFORMED OPINIONS.

WE SUGGEST CONTACTING AN ATTORNEY ABOUT THE LEGALITY OF SPECIFIC ACTIONS IF YOU HAVE QUESTIONS.
On the other hand, withdrawing a popular product from market makes it scarce. Scarcity can increase market value. This happened when government pressure in India forced Coca-Cola to withdraw from the Indian market. Smuggled Cokes became a quite valuable status symbol. Depending on the product, a profitable resale market in the EU could result.

However, a large profit potential can encourage efforts to falsify required certification. Unless actively supported by the US company, we don’t see a risk to the company. If a good faith effort is made to block EU customers (i.e. requesting certification of non-EU status), a violation may be avoided.

GDPR requires significant customer control over their data. To comply, some companies are proactively requesting customer acceptance and authorization for collecting and storing identification data at login and on a website. If properly worded and presented, this can satisfy the GDPR requirement for consumer authorization. However, it also imposes another GDPR requirement. The collecting entity must respond in a fixed time-period[6] to consumer requests to either provide or eliminate ALL individual information resident in their databases, extending backwards and into the future. More on this later. 

Potentially risky scenarios

Another concern arises when a non-EU citizen customer moves to the EU on an assignment. It may be temporary or permanent[7]; either way, this raises questions. They wish to continue as a customer. If they inform you, you must make a choice. How long is the assignment? Does it qualify them as an EU-resident? If so, and you reject them, you lose a customer. If you keep them, GDPR kicks in. What to do?

First, it is not even obvious how to assure this situation is detected. A change in shipping address would be a clear indicator. Depending on the nature of the product/service, they might not notify or request an address change. Periodic requests for recertification (of non-EU residency) would be cumbersome and off-putting to customers. Second, once the move is known, you must decide either to keep or terminate them. If you keep them, you become subject to GDPR. If you terminate, the risk is a lost customer upon a return from the EU; inevitably you will be blamed for any inconvenience.

Other questions arise. How long does a “temporary” assignment last before the EU asserts residency applies? What are the ramifications of providing service for “long-term” temporary residents? These need clarification.

A different problem arises for a company doing business with a multi-national firm (MNF). The MNF will fully comply with GDPR. The MNF can request its suppliers certify compliance or intent-to-comply with GDPR with 3rd party- or self-certification. It may or may not be mandatory, but compliant firms receive preferential treatment. A decision will balance GDPR implementation costs & risk of GDPR violation versus the value of the multi-national as a customer. The effort and cost of compliance involve multiple issues beyond the product/service, including commitments such as warranty support, inquiries to the supplier, special agreements, and so forth.

In another case, the MNF does not require GDPR certification but provides your product to employees worldwide. If there is never contact with EU-resident employees, no problem. If there is direct contact[8], retaining any information on them violates GDPR. One solution: if the MNF routes EU-resident employee queries through a non-EU resident who then handles all communication, then all is well. Still, if any MNF EU-employee’s information, such as a telephone number[9] or email address, is entered into any of your corporate systems, a potential problem is created. A process to avoid storing any identifying information is needed.

Depending on your situation, you may need to restrict customers from exporting your product to EU countries. One can imagine situations where a lifesaving product would be blocked from sale in the EU. When this situation arises, the GDPR policy will have a problem.

Another challenge occurs in handling EU citizen/resident walk-in business. A cash purchase is no problem; a credit card purchase is. Retaining their name and credit card information invokes GDPR rules. Our recommendation is to delete all information about that customer as soon as possible. Potentially, there is the option of refusing use of a credit card; but you need to carefully consider this case and the potential negative effect on business.

Unfortunately, some firms, say an airline like JetBlue, must retain information on all customers until after the product/service is delivered. JetBlue must retain passenger identity information until the flight completes. They will have to comply with GDPR or ban EU residents/citizens from their flights.

One further regulation issue relates to erasure of an individual’s data, including archived data. Companies may not have considered this when setting up their databases. Even companies deciding against FUTURE business with EU customers, but with past data on their systems, are subject to this. We are convinced this will be costly to implement. Thus, GDPR has created a situation where you must comply with one of its most costly requirements, even as you try to avoid its clutches.

Finally, many companies will need a process to handle questions from EU-citizens/residents. You will want a professional response to such communications. However, to avoid GDPR requirements, you cannot retain any identifying information on the person requesting information. A process is needed. Since many of these communications will come by email, you now need a procedure to delete their information from your email system. You probably want a procedure to notify the sender that this is happening because of GDPR. 

Summary

We are not foolish enough to believe that we have exhausted this topic. Over time many other situations will arise. We have focused on some key points to consider in developing a response to GDPR. Let us recap.
• Some form of GDPR is coming worldwide. The massive disclosure of people’s information will not be allowed to continue. Therefore, tightening up security along with similar GDPR policies makes sense. It is better to do something in a planned manner rather than wait until it becomes a requirement with possible penalties for non-compliance.
• The EU will attempt to enforce GDPR against companies on a worldwide basis. We assume that they will, at least partially, succeed. Therefore, it is prudent to act to avoid falling afoul of the regulations. It is possible that this effort will fail in some jurisdictions[10]. In that case, we believe a local form of GDPR will still be enacted.
• Even without an EU presence, there are business decisions to make. You must determine how much business you currently have with EU citizens/residents. You need to decide the value of this business versus the cost of complying with the GDPR. There exists the complication of doing business with a multi-national company that wishes GDPR compliance.
• If you decide that you want to avoid the cost of GDPR compliance, there are still some steps to take to ensure that corporate systems do not contain any EU resident/citizen information. Remember: this is not just a one-time effort; it must be continuous.
• Finally, prudent business managers will take account of GDPR requirements and their inevitable spread in planning for the future.
Our research convinces us that some GDPR policies, especially those recognized as Best Practices, will prove beneficial. The unrealistic and awkwardly articulated parts will likely be resolved over time. We advise IT and business managers to work together to identify and implement relevant requirements.



Publication Date: June 24, 2018
This document is subject to copyright. No part of this publication may be reproduced by any method whatsoever without the prior written consent of Ptak Associates LLC.

To obtain reprint rights contact associates@ptakassociates.com

All trademarks are the property of their respective owners.


[1] Although we believe that due to real-world limitations there will be interpretive leeway in GDPR requirements.
[2] A decision to comply with GDPR means it is necessary to comply with requests to completely erase any current and prior information on an individual. This may mean going to backup tapes and erasing this information. This raises some questions. How far back? Erasing may be very expensive in practice.  
[3] If a very high probability exists that GDPR-like requirements will be enacted, this becomes obvious.
[4] Keep in mind a decision to withdraw is reversible. Rules may be relaxed, or the US may implement similar ones. At that time, reentry difficulty and costs may be higher or lower.
[5] It is worth noting that communication with EU customers may itself be subject to GDPR rules. So, the sending company could not keep their names and addresses in its databases, including in email, or other electronic form. This is another example of a potential GDPR Catch 22 whereby an attempt to avoid it can itself backfire.
[6] From what we know, the GDPR allowed times for full compliance are too short. 
[7] The issue of when a tourist becomes a resident for GDPR purposes is sure to arise at some point.
[8] Any information that even potentially identifies an individual, a telephone number, email address, job title, or URL can present a problem.
[9] It is unclear if the retention of information on a phone call with an EU citizen/resident is subject to GDPR.
[10] One can imagine that some rogue MNFs may find a jurisdiction outside the EU that will refuse to enforce GDPR. They will move all their EU business to that place and attempt to defy the EU.

Monday, June 4, 2018

Risky Data 3 – Planning & Strategy as GDPR goes live!

By Bill Moran and Rich Ptak


GDPR has gone into effect, unleashing a flood of commentary, proposals for solutions, and tons of advice, some very good as well as some not so good or even bad. It’s time to discuss planning and strategy for enterprises moving forward.
Image courtesy of European Commission 
As stated earlier, the status of GDPR in non-EU jurisdictions is unclear. Still, it is important to understand it and consider its potential to impact your operations. This is vital because of the highly likely proliferation of GDPR-type regulations. There have been too many violations of people’s private data for the current laissez-faire approach to handling personal data to continue. It is doubtful this will happen tomorrow. It is, however, unrealistic to think it will never happen, or that it will occur in some distant, vague future.

In fact, many companies already are taking action as they anticipate some version of GDPR being at least partially enacted, if not imposed, in developed countries including the US. These may be initially presented as recommendations before taking on the form of federal regulations or laws, state laws or some mixture of the two. Current actions include limiting or even completely eliminating EU consumers’ access to services, publications or products.

In any case, hacker-driven incidents will continue. The risks, full costs and fines of Facebook-type occurrences are far from settled, and similar infractions are distinctly possible. Consumers and organized consumer interest groups can be expected to drive regulatory action by pressuring governments “to do something”.

How to Prepare
The question is: what should a small or medium-sized enterprise (SME) without a physical presence in the EU do? The first step is to determine which, if any, enterprise activities and actions will be potentially affected by a GDPR-like regulation. Then, develop a strategy. Here we are going to discuss general steps that all enterprises should take. In our next version of this report, there will be more specifics. None of the following should be considered to be or substitute for professional legal advice. It is intended for guidance and information purposes.

Enterprises need to examine their internal processes to consider how they could be changed or improved to align with GDPR principles. In some cases, this will mean incurring additional significant costs. Therefore, management oversight is critical. Pro-active activities are prudent. Waiting until there is external compulsion usually results in ballooning costs. Planning for necessary changes in advance means work can be done in a non-crisis, phased mode.

Initial action - Security
The first area to address is security. Given the level of criminal attacks, it is common sense to have ongoing efforts in this area. Evidence indicates that most companies have failed to take the threat of criminal hacking seriously enough. Virtually any company would be damaged and thrown into management turmoil if hackers penetrate their systems. Critical payroll data, personal data, and sensitive customer information are all at risk. Consider what happened to Sony when hackers penetrated their email system. That attack might have been North Korean hackers, but the results might have been worse if criminal hackers had been involved. The North Koreans’ apparent incentive was to disclose email contents to embarrass and punish Sony for making a movie that mocked their leader. Criminal hackers would not necessarily disclose the penetration. Instead, they could monetize the information for use in identity theft or other costly criminal purposes.

The prudent course is to begin with a security audit. In some cases, involving an outside consultant would be necessary. However, in many cases, it could be performed by internal auditors at relatively low cost. For example, investigations reveal that many systems operate with default IDs and passwords. Critical systems, installed years ago with these exposures, were never corrected. Such security risks can be uncovered and fixed without expensive auditors by using someone with authorized access to the system. Another common problem occurs when the IDs and accounts of ex-employees are not deleted. There are numerous other such security violations well documented. The point is to review and assure that proper policies have been implemented to fix such problems and prevent their recurrence.
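The kind of low-cost internal check the paragraph describes can be scripted against an account export and an HR roster. The following is an added example written for this page, not code from the article or from Ptak Associates; the export fields, the roster, the list of vendor-default names and the age thresholds are all constructed assumptions. It flags the three exposures named above (default accounts still enabled, accounts with no current owner such as an ex-employee login, and credentials never rotated or used) so a reviewer with ordinary access can act on them.

```python
"""Added example (not from the article): an access-review pass over a
constructed account export, flagging vendor-default accounts still enabled,
accounts with no matching current employee, and credentials nobody has
rotated or used recently. Field names and thresholds are assumptions."""
from datetime import date

# Account names that commonly ship as vendor defaults (illustrative list).
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "guest", "test", "sa"}

# Constructed sample: rows as an identity system might export them.
ACCOUNTS = [
    {"user": "admin", "enabled": True,
     "password_changed": date(2011, 3, 2), "last_login": date(2018, 6, 1)},
    {"user": "jdoe", "enabled": True,
     "password_changed": date(2018, 1, 9), "last_login": date(2018, 6, 20)},
    {"user": "mroe", "enabled": True,
     "password_changed": date(2017, 5, 1), "last_login": date(2017, 9, 30)},
    {"user": "svc_backup", "enabled": True,
     "password_changed": date(2012, 8, 15), "last_login": date(2018, 6, 23)},
    {"user": "guest", "enabled": False,
     "password_changed": date(2010, 1, 1), "last_login": date(2010, 1, 1)},
]

# Constructed HR roster (current employees) and the approved service accounts.
ACTIVE_STAFF = {"jdoe"}
SERVICE_ACCOUNTS = {"svc_backup"}
AUDIT_DATE = date(2018, 6, 24)  # "today" for the constructed sample


def audit_accounts(accounts, active_staff, service_accounts, today,
                   max_password_age_days=365, max_idle_days=90):
    """Return (user, finding) pairs for every enabled account that needs review."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this pass
        user = acct["user"]
        if user in DEFAULT_ACCOUNT_NAMES:
            findings.append((user, "default-account"))
        if user not in active_staff and user not in service_accounts:
            # No current employee owns it and it is not an approved service
            # account: the typical shape of an ex-employee login never removed.
            findings.append((user, "orphaned"))
        if (today - acct["password_changed"]).days > max_password_age_days:
            findings.append((user, "stale-password"))
        if (today - acct["last_login"]).days > max_idle_days:
            findings.append((user, "idle"))
    return findings


def report(findings):
    """Group findings per account for a human-readable review list."""
    grouped = {}
    for user, finding in findings:
        grouped.setdefault(user, []).append(finding)
    return grouped


if __name__ == "__main__":
    result = audit_accounts(ACCOUNTS, ACTIVE_STAFF, SERVICE_ACCOUNTS, AUDIT_DATE)
    for user, reasons in report(result).items():
        print(f"{user}: {', '.join(reasons)}")
```

On the constructed data the script flags `admin` (default name, no owner, password unchanged for years), `mroe` (no current employee, stale password, idle) and `svc_backup` (password never rotated), while `jdoe` passes. The roster join is the important part: a login that nobody in HR currently owns is exactly the ex-employee case the paragraph warns about, and it is invisible if you only look at the account list.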

There is another class of problems that demand more work to detect and fix. For instance, handy tools installed by IT to make their jobs easier might be applied to a criminal purpose in the hands of a hacker. Policies must be developed to avoid this situation. Sometimes, the solution is simple, i.e. removing tools from the system when not in use. In other cases, the tool might be critical for production. In such cases, it might be necessary for ongoing code audits to see that what it is doing is necessary. Anytime new software is installed on a system, it should be verified and checked to avoid introducing rogue code or viruses.

In the Equifax penetration, improperly maintained open source software caused the problem. A maintenance audit can uncover this problem. The institution of a rigorously enforced policy of careful maintenance for operating system, open source and all vendor supplied software, will help avoid the problem. When a vendor announces a flaw in their system (with or without a fix) one can guarantee that hackers are aware of the situation and will begin probing to find systems without the fix installed.

Despite taking all reasonable precautions, an installation might still be penetrated. Studies have shown that companies are very slow in detecting such events. There may be reasonable ways to improve this response. These should be standard practice. Clearly, once a penetration is detected corrective action should be taken immediately to limit damage.

If immediate detection is impossible or not feasible, full or partial encryption of data can be an alternative solution. The cost and overhead associated with encryption has dropped dramatically recently. It may not always be practical, or financially feasible, but it is worth investigating. As an aside, IBM provides pervasive encryption on mainframe Linux systems. Encryption needs to be evaluated in other environments.

In summary, most IT installations need to tighten their security. GDPR imposes rather severe penalties for disclosing confidential and personal information. It is good practice to take practical steps now. Let’s look at another area of enterprise risk, not necessarily as obvious, but one that needs attention: personal data.

Personal data protection 
GDPR privacy legislation intends to give citizens ownership and control of their personal data. This includes: 1) knowledge of what personal data is in a system, 2) an ability to correct any errors, 3) ability to remove data, 4) information about when a data breach occurs and what was exposed, and 5) ability to review data stored in the past upon request. Such past data might be important in tax, criminal or judicial matters or contract disputes. Consideration has to be given to how the data is protected, stored, and for how long it must be retained. All are a normal part of data storage and archival. GDPR sets some restrictive requirements on how quickly these must be available, and notifications sent. AND, penalties for non-compliance are high.
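The access, correction and erasure rights listed here, together with the erasure-from-archives problem raised in Risky Data 4 above (and in its footnote [2] on backup tapes), come down to one data-handling question: where does a subject's record live, and how do you honour a deletion when some of those copies sit on media you cannot rewrite? The example below is added for this page and is not the article's or Ptak Associates' code; the customer records, snapshot names and identifiers are constructed. It models a mutable live table plus read-only archive snapshots, and uses an erasure ledger that is re-applied on every restore so that an old backup cannot resurrect a subject who has already been erased.

```python
"""Added example (not from the article): servicing a data subject's access,
correction and erasure requests when copies of the record exist both in a
production table and in archive snapshots that cannot be rewritten in place.
Erasures are recorded in a ledger that is re-applied whenever a snapshot is
restored. All records and identifiers are constructed."""
from copy import deepcopy
from types import MappingProxyType

# Constructed production table (mutable, as a live database would be).
LIVE = {
    "c-1001": {"name": "Alice Example", "email": "alice@example.eu", "country": "FR"},
    "c-1002": {"name": "Bob Sample", "email": "bob@example.com", "country": "US"},
}

# Constructed archive snapshots, wrapped read-only to model write-once media.
ARCHIVES = {
    "2017-12-31": MappingProxyType({
        "c-1001": {"name": "Alice Example", "email": "a.example@old.eu", "country": "FR"},
    }),
    "2018-03-31": MappingProxyType({
        "c-1001": {"name": "Alice Example", "email": "alice@example.eu", "country": "FR"},
        "c-1002": {"name": "Bob Sample", "email": "bob@example.com", "country": "US"},
    }),
}


def access_request(subject_id, live, archives):
    """Everything held on one subject: the live row plus every archived copy,
    keyed by where it was found, so the response can state how far back it goes."""
    held = {}
    if subject_id in live:
        held["live"] = dict(live[subject_id])
    for snapshot_name, snapshot in archives.items():
        if subject_id in snapshot:
            held["archive:" + snapshot_name] = dict(snapshot[subject_id])
    return held


def correct_record(subject_id, live, changes):
    """Apply a subject's correction to the live row; False if there is no such row."""
    if subject_id not in live:
        return False
    live[subject_id].update(changes)
    return True


def erase_subject(subject_id, live, ledger):
    """Remove the live row and record the erasure. Archives are not touched
    (they cannot be), so the ledger is what keeps them from coming back."""
    existed = live.pop(subject_id, None) is not None
    ledger.add(subject_id)
    return existed


def restore_snapshot(snapshot_name, archives, ledger):
    """Bring an archive back into a mutable working copy, minus erased subjects."""
    return {sid: deepcopy(row)
            for sid, row in archives[snapshot_name].items() if sid not in ledger}


if __name__ == "__main__":
    ledger = set()
    live = deepcopy(LIVE)
    print(access_request("c-1001", live, ARCHIVES))
    erase_subject("c-1001", live, ledger)
    print(sorted(restore_snapshot("2018-03-31", ARCHIVES, ledger)))
```

Two design points follow from the article's concerns. First, the access response is keyed by source, which is what lets you answer "how far back?" honestly rather than reporting only the live row. Second, the ledger is itself a small retained identifier; a production version would typically store a keyed hash of the subject id rather than the id, and would treat the ledger's own retention as a documented decision, since without it a routine restore silently undoes every erasure you have performed.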

This raises the question about what happens when data retrieval isn’t possible from the current system. For instance, it has been corrupted in some way. System backups will need to be accessed. For historical data, the storage media is typically on tape.

Here is a cautionary tale from real-life. Several years ago, a colleague of ours started a company to update backup tapes. Old backup tapes were to be converted to CD or DVD format. The processed tapes were from a variety of companies and government agencies. He found that about ¼ (25%) of the tapes were bad. There were spots on the old, open reel tapes that were unreadable.

Unfortunately, the situation was actually somewhat worse. His process would only detect unreadable spots. In addition, there were readable records that were still wrong because they had been corrupted.

This story demonstrates the need to examine the process for controlling backups. This should not surprise anyone. Most of us have had the experience of trying to use a PC backup only to discover that the backup does not work. Failing to check a backup process means that a failed process is revealed when it is most damaging. Most organizations have a backup process that periodically ships tapes offsite, then forgets them. GDPR-type regulations mean it is wise to take steps to test that the backups work and provide valid information. Addressing these issues will improve current operations while preparing for their critical need when some form of GDPR arrives.
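The tape story has two distinct failure modes: spots that cannot be read at all, and records that read fine but are wrong. A restore test catches the first; only a recorded digest catches the second. The example below is added for this page, not code from the article or from Ptak Associates; the backup set, the "restored" copy and the manifest key are constructed. It records a SHA-256 digest per item when the backup is written, authenticates the manifest with an HMAC so a damaged or altered manifest cannot quietly approve damaged data, and reports missing and corrupted items separately.

```python
"""Added example (not from the article): verifying that a backup set still
holds what was written to it. A manifest of SHA-256 digests is recorded at
backup time and checked at restore time, so unreadable items and
readable-but-corrupted records are both reported before a real restore
depends on them. All data and the key are constructed."""
import hashlib
import hmac
import json

# Constructed backup set: item name -> contents, as written to the media.
ORIGINAL = {
    "customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "orders.csv": b"order,customer,amount\n500,1,19.99\n",
    "ledger.json": b'{"entries": []}\n',
}

# Constructed "restored" copy: one record silently corrupted, one unreadable.
RESTORED = {
    "customers.csv": b"id,name\n1,Alice\n2,B0b\n",  # single-byte corruption
    "ledger.json": b'{"entries": []}\n',            # intact
    # orders.csv is absent: the spot on the media could not be read
}

# Placeholder key; a real one is kept off the backup media it protects.
MANIFEST_KEY = b"example-manifest-key"


def build_manifest(files, key=MANIFEST_KEY):
    """Digest every item, then authenticate the manifest itself."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_backup(files, manifest, key=MANIFEST_KEY):
    """Compare a restored set against its manifest and return a verdict."""
    verdict = {"manifest_ok": False, "ok": [], "corrupted": [], "missing": []}
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return verdict  # manifest cannot be trusted; stop before "approving" data
    verdict["manifest_ok"] = True
    for name, expected in manifest["digests"].items():
        if name not in files:
            verdict["missing"].append(name)
        elif hashlib.sha256(files[name]).hexdigest() != expected:
            verdict["corrupted"].append(name)
        else:
            verdict["ok"].append(name)
    return verdict


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL)
    print(verify_backup(RESTORED, manifest))
```

Run periodically against a test restore from the offsite copy, this turns "ship the tapes and forget them" into a scheduled check with a concrete answer: which items restored cleanly, which are unreadable, and which read back wrong. The manifest tag matters because a manifest stored beside the data is subject to the same media faults as the data.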

We recognize neither of these issues were covered in great detail. Our goal has been to make the point that these and other areas need to be carefully examined along with privacy policies, data movement, network issues etc. There is a great deal of work to do here.

Summary
The likely arrival of GDPR-like regulations ought to make companies review and reconsider their policies in areas involving the acquisition, storage, use and protection of customer data. All of these will be impacted by such regulations. It is foolish to wait until the arrival of regulations that force mandatory change in a limited time period. Such a delay will likely raise the costs of review and remediation, as well as risk costly fines for missing deadlines if a breach is experienced. Of course, some flexibility is needed since the exact details of such regulation are not known currently.

Many vendors, including Compuware, IBM, Microsoft, HPE, BMC etc. are offering services and solutions (partial or comprehensive) that include process review definition, evaluation and planning services. Most recognize the need for implementation flexibility and openness to allow for advances in technology and regulatory changes. Be sure to verify this if you decide to employ a partner in your effort. Whatever you do, remember regulatory details will change and you must be able to adapt.

By starting today, enterprises and companies will have adequate time to study this issue and determine the best way forward. Finally, we are convinced there is no reasonable excuse to delay or wait for regulations to take steps to strengthen existing security. For most, there is much work to do. The best thing is to get started now.

In the next edition of this report we will discuss specific steps that companies without a physical presence in the European Union need to take to steer clear of being entrapped in the GDPR web.

Publication Date: June 4, 2018

While every care has been taken during the preparation of this document to ensure accurate information, the publishers cannot accept responsibility for any errors or omissions.  Hyperlinks included in this paper were available at publication time.