Understand the GDPR legitimate interest vs. consent dilemma

Hidden Vulnerability: GDPR Data in Unexpected Places

Scott Laliberte, Managing Director Global Lead, Emerging Technology Group
Katie Stevens, Director Security and Privacy

The European Union (EU) General Data Protection Regulation (GDPR) — one of the most comprehensive data privacy regulations in history — is scheduled to become effective this week (May 25, 2018). This regulation imposes strict requirements on how the personal data of EU subjects is collected, used and stored — both within the EU and by foreign companies doing business within the EU, including small web-based businesses that can be accessed by EU citizens.

Key provisions include explicit consent for some types of data collection, a 72-hour window for data breach notices, data destruction policies, and erasure of data on demand. GDPR represents a sweeping change from previous data privacy regulations, and companies have had a difficult time getting their arms around exactly what they need to do to comply.

A recent report suggests that only 7 percent of affected companies are fully compliant, and less than half expect to be ready by the deadline. We have written extensively about this subject on this blog and have dedicated a page on our website with links to additional references and thought leadership.

The full scope and implications of GDPR are only now becoming apparent as affected parties — the so-called “controllers” and “processors” of data — and their compliance consultants assess operations for potential compliance violations. These violations could expose companies to fines of up to 4 percent of revenue.

If this is not enough pressure, there is another challenging aspect of the compliance many companies are just beginning to discover — the problem of identifying all the places where personal data resides.

Some of the more unusual locations where personal data can be found include activity logs, maps, apps, medical devices, games and even refrigerators, doorbells and thermostats. This personal data, proliferated across multiple user devices and workstations, is estimated to account for more than half of all GDPR data, and as much as 60 percent in the United States.

In our work helping clients prepare for GDPR we have found personal data in all of these places and more, sometimes anonymized, often not.

For example, testing and staging environments, where production data are loaded to support the testing of new software, are common but rarely considered places where personal data can be found. Within these environments, personal data is often freely viewable to quality assurance teams during the testing process and then left forgotten on unprotected servers after implementation, creating GDPR risk. Anonymizing data can be a complicated process, which may be one reason why many organizations aren’t doing a good job of implementing this technique in nonproduction environments. Although this is coming to light within the context of GDPR, it is just good data practice to treat personal data on nonproduction systems with the same care and concern as in the production environment, and ideally consider using synthetically generated data whenever possible for such tests.

Today, the definition of personal data has been expanded, thanks to the Internet of Things, to include data collected and communicated between machines and used to track user movement, consumption and lifestyle. Under GDPR, IP addresses, mobile device IDs, and even “pseudonymous data” and encrypted data, are also in scope. So is security camera footage and electronic badge data, along with data from networked printers, scanners, copiers and even corporate email, and the user/entity behavior analytic (UEBA) programs used in tracking suspicious user behavior.

The challenge here boils down to most organizations not having a comprehensive and clear understanding of all of the ways personal data is being used within their organization, all of the instances of personal data, how it is collected, where it resides and how it is protected. Once they have this understanding, companies need to decide what to collect, what to keep and what to protect.

The three-step process below is a good way to cover the most important aspects of GDPR compliance.

  • Step 1: Inventory. These days it is absolutely essential to maintain an active inventory of personal data, including every instance of it in every department — from marketing, to HR, legal, and all of the business process owners.
  • Step 2: Establish lawful basis. GDPR allows the processing of personal data under certain circumstances, such as to comply with legal obligations, protect the personal interest of the data subject, for criminal and civil law enforcement reasons, public health reasons, and more. To ensure lawful basis, organizations must obtain consent in accordance with GDPR guidelines and, in all cases, maintain meticulous records to prove their right to process the data.
  • Step 3: Protect. Once an organization has identified all instances of personal data and established a lawful basis, then it must protect that data and be able to demonstrate the efficacy of those protection measures.

Organizations that have not yet started this process need to do so immediately. Digital transformation is fundamentally changing the way business is conducted, and governments are scrambling to write new rules to protect consumers. Personal data looms large in the ongoing controversies, such as the debate over the influence of social engineering in global elections. We expect this kind of scrutiny to increase as regulators become more attuned to the risks and potential abuses of data.

Leanne Kaufman, a senior manager with Protiviti’s Data and Analytics practice, contributed to this content.

1 comment