Much Ado About GDPR
With a renewed interest in personal privacy and cautious trust in the companies that collect it, the world has been abuzz in a myriad of activity and sentiment about the EU's General Data Protection Regulation law becoming enforceable as of May 25th, 2018. While applicable to EU residents' personal data online everyone seems to be a mix of anxious, optimistic, skeptical, and/or completely disoriented relative to where they stand on the matter as an end user who uses applications and services that collect and use personal data or as a company providing services and applications.
Data and privacy are not new topics in the news, so what has everyone so interested in GDPR?
GDPR - A Quick Summary
While the scope of GDPR is focused on EU residents, businesses the world over and even very small operations on the internet have been engulfed in a whirlwind of preparation, doubt, and outright panic. In simple terms, GDPR is a regulation that seeks to give end users - natural persons - more control and fundamental rights to their personal data. GDPR's term for end user is predicated by the definition of "personal data." Personal data under GDPR is far more broad than Personally Identifiable Information (PII) we're more familiar with primarily in the medical industry in the US. Personal data here includes details such as an IP address and geographic coordinates. It also includes certain sensitive things such as gender, sexual orientation, genetic information, religious affiliation, and ethnicity/race. Given the definition of "personal data," GDPR defines the end user/individual as a "data subject" to whom personal data is owned by or attributed to that can be used singularly or with other forms of personal data to identify the individual. The caveat here is a data subject must be a natural person meaning the business law definition of a corporation being a person is not recognized under GDPR. Naturally, this also means corporations do not possess personal data rights as a natural person would in respect to GDPR.
Aside from personal data and data subjects, GDPR introduces two other integral terms to its understanding. These terms are data controller and data processor. A data controller is any entity (individual, organization, etc.) that sets forth how and what personal data is collected and used for what purposes. Data controllers may very well not perform any data collection themselves, but carry a responsibility in setting the conditions of collection, storage, processing, and sharing of data subjects. We'll walk through a simple example in a bit. Data processors, on the other hand, are entities that perform personal data collection, processing, and potentially sharing and storage. In most cases, the vast majority of personal data processed by data processors are returned back to the data controller or stored by the data processor on behalf of the data controller. Let's consider an example of this relationship.
Vivid Co (fictional) provides a web-hosted image gallery for both hobbyist and professional photographers to store and share their pictures and albums. It also serves as a place for interested parties to commission photos from participating photographers. Vivid Co developed the code that powers the web service and also maintains all the hardware needed to keep the service running. However, Vivid Co determined it was too expensive to buy adequate storage hardware and instead decided to use AWS S3 for cloud storage of photographers' submitted images. In this setup, Vivid Co is the data controller on the grounds it decided what personal data was needed from photographers and individuals (the data subjects) looking to commission images through the service. Vivid Co also does most of its own processing. For both types of end user, Vivid Co stores email address, password, name, and several interest descriptor keywords like "nature" or "scenery" that are stored on database servers Vivid Co owns and operates internally. For photographers in particular, Vivid Co also stores the photographers' images in AWS S3 - this means AWS is a data processor of that personal data for Vivid Co. For users who want to commission photos, Vivid Co provides a built in messaging feature that lets those users contact photographers for possible commissions. For successful commissions, Vivid Co connects Paypal accounts, so Paypal is yet another data processor for Vivid Co. Specifically, it's handling monetary transactions between the two types of end user.
From this example we can see that certain types of personal data are shared between different entities for different purposes. In GDPR a very big tenet is that it is the data controller's responsibility to ensure any data processors it associates with are GDPR compliant themselves. This is almost outright saying companies that do business with each other and providing services to one another must form a web of trust to protect personal data and handle it responsibly. Otherwise an incident resulting in punitive fines could result in some form of mutually assured destruction due to the "web of trust" being broken. If a personal data incident occurs that's the fault of the data processor, the associated data controller is also equally responsible for the incident on the basis the data controller did not perform due diligence to ensure the compliance of the data processor - hence the aspect of "mutually assured destruction" (or penalty as it were).
In a related example, let's pretend Vivid Co didn't use Paypal for handling commissions transactions securely and with respect to end user personal data. Instead they use a fictional service called Pay.me that isn't GDPR compliant and let's say Vivid Co didn't bother to check if that was the case or not. When commission transactions are passed from Vivid Co to Pay.me, it may be the case Pay.me is recording and selling transaction data to another organization who is profiling users for targeted advertising without disclosing this practice back to Vivid Co. Pay.me sells this organization the email address of the user, transaction amount, and the transaction description of "photography purchase." With this example, it's quite reasonable to feel a bit creeped out that companies might do such a thing when we don't expect or want them to. In this variation, if a personal data incident were to occur tied to Pay.me, Vivid Co would also be punished for its relationship with Pay.me.
Personal Data as a Liability, Not Value
Just the definition of data subjects alone is enough to make businesses of all sizes and industries reel. For most, privacy is something that is reasonably respected and the collection of personal data is generally covered under Terms of Service agreements and Privacy Policies, though not always in easily understood or terse language. Until GDPR, that was largely handled on a "this is what we do or use that data for, take it or leave it - just hit 'agree' and you can proceed to view this website, use this application, or access this service." While the majority of businesses collect personal data to enable useful features, such as taking your geolocation data to provide relevant weather forecasting, they also have a bad habit of taking a wholesale approach to that data. That is, it may not have a real legitimate purpose at this moment, but it may be useful later on for other reasons yet to be identified. Previously data siloing was never given much thought or worry since it mostly amounted to data that's been placed somewhere to exist for records, but GDPR is forcing businesses to see holding onto too much personal data without legitimate reason or consent as a liability rather than a potential value.
As we discuss how data is potentially used within any given system, we naturally form a spectrum of what's fair and reasonable to collect, store, and process relative to the data subject's ownership of the personal data and their rights. In most cases, the personal data needed to reliably use an application or service is essential - GDPR recognizes this use of personal data as a legitimate interest. Legitimate interest can also extend to other legal and regulatory obligations relative to the individual company, such as maintaining complete records for periodic required audits. However, it's possible to think oneself into the extreme end of personal data ownership and rights deferring control to the data subject. Take for example a business that regularly ships products to customers across the world. Such a business with no data privacy expertise might worry about how they may reliably ship products to customers who refuse to allow them to know, use, or save the relevant personal data such as shipping address and recipient name. In this case, not being aware of the legitimate interest basis for collecting and processing personal data in GDPR can potentially lead to the misconception end users can unilaterally exercise absolute ownership and right to personal data while the company still bears the burden of delivery of services that have become impossible to provide. For such businesses, it's the sudden and unfounded belief that personal data can no longer be collected and processed that may mistakenly cause the perception of personal data as a liability when very little may change in actual practice.
How Your Online Experience and the World May Change
If GDPR is forcing businesses to take personal privacy seriously, what's changing for us when accessing their services, sites, and applications? GDPR's core tenet to personal data is transparent informed consent. What this looks like in practice can vary wildly by the business/application, but generally includes one or more of the following things you may experience:
- If personal data is collected, processed, and potentially shared; the end user must be informed of this intent in plain language and given the choice to accept the terms and opt in at the time of data collection.
- Personal data collection opt in cannot be blanketed and must designate what personal data is being requested for collection and processing at the time of collection or processing.
- End users can exercise various rights related to their personal data that is collected and processed, but not all invocations of those rights need to be accommodated based on a limited set of circumstances.
- Changes to how you can be contacted for marketing purposes both through direct marketing and cold calling.
- Changes to advertising behavior - particularly to targeted advertising and tracking cookies. Expect to see more randomized ads that don't seem to somehow know about things you like.
- Less "unsubscribe" or "forget my preferences" options and more "I consent to the collection of X" for things like mailing lists, personal preference features, social networks, and social integrations like comment sections. Choosing not to re-opt in for mailing lists may cut down on your clutter of forums, sites, and news you no longer care to read or stay informed about.
- Businesses that utilize third parties for services (such as AWS or Google Cloud for storage) are required to assess GDPR compliance of the third parties or they can be punished with the third party provider for an incident occurring on the third party. This generally means better secured personal data that's shared between multiple entities.
- Some services and applications simply shuttering up and closing down out of fear of punitive fines if an incident occurs.
- Services and applications shifting toward to subscription only or paywalled premium content to offset lost revenue from advertising.
- Services and applications that are inherently not for profit shifting to a crowdsourced donation model to offset lost operating revenues from advertising.
- Businesses changing vendors for productivity tools due to current vendor's non-compliance with GDPR.
Of course, when I say "you" it presumes you are a data subject to whom the law applies. While this is true and GDPR is focused strictly on EU residents' personal data, we cannot ignore the fact we live in an incredibly interconnected world. For example, many organizations may use Atlassian Confluence, Jira, or BitBucket. Atlassian is an Australia-based company and the listed products have customers worldwide on both a business and personal basis. Many people and businesses use Amazon for shopping, which is US-based but the customers are global. More so than ever before, it's simple for a business to have as many foreign customers as domestic. This fact has caused many businesses to conclude applying GDPR compliance to all users is the safest path forward rather than attempting to segregate EU customers and users specifically and have a completely different operating procedure - especially given the possibility other nations may adopt similar regulation to GDPR in the reasonable future.
As non-EU residents, we can enjoy many of the fringe benefits of having easier to read, straightforward privacy policies, having the ability to potentially port our account information from one service provider to another, and being able to view, verify, and correct on-record data. In our humble view, the rest of the world is erring toward reclaiming privacy rights in light of the numerous data breaches and privacy scandals that have occurred in even the last 2 years. Incidents such as the Facebook/Cambridge Analytica scandal, Equifax's massive data breach, and Twitter's own "we accidentally stored passwords in plaintext briefly" gaffe come to mind very quickly. Each of these incidents affected millions of individuals in non-trivial ways costing the respective organizations resources to address, revenue loss, and loss of trust and favor of the established brand.
But what could the price as of May 25th be for such incidents? Possibly a fine of up to 20 million EUR or 4% of global turnover (revenue), whichever is greater plus potential additional penalties based on factors such as whether or not the incident occurred as a result of willful ignorance or gross negligence as well as how cooperative the company or companies in question are in investigation and remediation. So if we use Facebook as an example and pretend the Cambridge Analytica scandal occurred on May 26th, Facebook could have seen a fine of about 1.6 billion EUR. GDPR carries a potential punitive aspect to make it compelling to not view the risk of noncompliance as a sound decision regardless of size or success of the company in question.
Certainly, the price of an incident or breach with GDPR looming over the horizon is terrifying to just about any business, but perhaps more so than the knowledge of how much an incident could cost a business, it's the fear of not knowing whether compliance efforts are satisfactory. Larger enterprises and corporations and businesses operating in certain markets and sectors expect security compliances such as NIST, HIPAA, and PCI. These compliances are always a moving target as circumstances and standards change in time. GDPR compliance is very similar, but an initial enforcement date with no precedents of the law in practice have left many anxious as to whether their efforts are really robust or as effective as installing brakes on a race car without having tested them prior to the race. Without precedent that helps define correct interpretation, many are simply uncertain how well their efforts will stand up in the event of an incident. This anxiety isn't helped either given the many different and often unique ways companies develop their operations and services practices. Finally, for small businesses that would normally not need to concern itself with compliance, GDPR comes as a very big looming challenge many are unsure they can surmount.
Fortunately, the Information Commissioner's Office (ICO) has released a draft outlining their action policy, which indicates levying fines or sanctions against a business is considered a last resort. More often than not, the ICO appears to want to advise and help correct operations that do not meet compliance where there is not clear willful negligence or gross misconduct. However, this does not mean businesses can simply procrastinate adapting operations expecting a tap on the wrist or hoping the excuse of organization size and relative lack of in-house expertise (or the ability to afford it) will allow them to duck under the radar.
While these potential changes generally mean good things, there are some aspects of the future that are further complicated. Advanced biometrics is one field that may see new challenges arise in regard to privacy as biological data is used to authenticate a user on the basis it is unique to yourself. Your smartphone might have a fingerprint sensor that lets you unlock the device without inputting a PIN or drawing a pattern. However, in order for that feature to work, your fingerprint must be stored and then referenced when the sensor is used. The same premise holds true for devices that authenticate using your face. Neural networks, deep learning, machine learning, and artificial intelligence are other areas where data privacy and identification can become a concern - perhaps even controversial life or death matters. These advanced computing topics and techniques "teach" systems by providing training samples to then evaluate, identify, remember, and/or relate. An example of this is voice recognition. Advanced voice recognition generally works by getting a clear sample of your voice which is analyzed and stored to be identified correctly so only the authorized individual(s) may issue commands. When a microphone is used for audio interfacing, the system listens and evaluates the voice (or voices) being picked up and attempts to identify you - potentially from within a group of people talking at once or in a crowded area with a lot of ambient murmur. This also helps protect against annoying but inane issues of a friend shouting "Hey, Siri!" followed by something inappropriate. Voice recognition is already somewhat of a hot topic in personal privacy as not everyone is comfortable with a running history of searches and commands made to in-home and mobile assistants like Alexa, Siri, Cortana, and Google being stored and processed in the internet. Not to mention the potential risks of having a device that's nearly always listening that fosters the reasonable paranoia of not fully knowing you have privacy anywhere such "listening" devices are located that may see remote exploits similar to baby monitors or collection of speech data unaware to the owner.
Your Data, Privacy, and NocTel
If you're reading this, you're likely a NocTel customer or user or even someone nominally interested in GDPR. Naturally you may be wondering what NocTel is doing to protect and respect personal data and privacy.
GDPR and the question of compliance has been something we've had to give deep thought to even though the vast majority of our customers are not located in the EU or regularly interface with EU residents. NocTel's services are strictly limited to businesses and organizations, so we do not have the risk associated with collecting large amounts of personal data or any good reason to process it for purposes not associated with feature delivery. While it looks like there is still quite a bit of personal data that's collected, it's all necessary for NocTel's functionality to work reliably and to improve account management for administrators. In most cases NocTel acts as a Data Processor for our customers. The "end users" are often staff of our customer organizations, which makes the customer organizations themselves Data Controllers relative to their own staff and to the individuals and organizations being contacted through their NocTel VoIP phone system or NocTel Flow contact center.
In the spirit of respecting personal data and privacy, NocTel is committed to making the following changes and making available numerous resources for learning as well as keeping you informed whenever things change:
- A GDPR primer reference on our online knowledge base to help learn and understand terms and interpretations of GDPR law and how it relates to NocTel's handling of your data.
- Blog entries like this one to provide disclosure, explanation, and evoke discussion.
- Personal data collection, processing, and storage template form for existing and prospective customer organizations to provide transparency on what personal data NocTel collects and processes as a VoIP service provider in the role of Data Processor, which can be requested from NocTel by emailing firstname.lastname@example.org.
- One-time notification of requirement to opt-in for receipt of communications from NocTel. Non-response is treated as a decision to opt out.
- Re-consent for NocTel's newsletter mailing list.
While all of these things may not be fully implemented by May 25th and that list may grow in time as the world rethinks how personal data should be handled appropriately, we want you to know we cherish the trust placed in NocTel and our employees to always do the right thing in regard to your personal data. As always, we welcome your questions, comments, and concerns - just drop us a line and we'll get back to you.