This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Smashing Security, Episode 30: GDPR, the Good and the Bad with Carole Theriault and Graham Cluley. Hello, hello, and welcome to another episode of Smashing Security, Episode 30, and it is a special Splinter episode. Woo!
Kevin Gorsline
Yeah.
Graham Cluley
Hello, Carole, as always.
Carole Theriault
Hello.
Graham Cluley
Good to see you again.
Carole Theriault
It's been a while.
Graham Cluley
It has been a while. And we're joined by a special guest for this episode, Kevin Gorsline from TBG Security. They are a cybersecurity consultancy based in Boston, Massachusetts. Hi, Kevin.
Kevin Gorsline
Hey, Graham. Hey, Carole.
Graham Cluley
Hi. How's it going?
Kevin Gorsline
Fabulous. Couldn't be better.
Graham Cluley
That's what we like to hear. Now, Carole has told me that we're having a special subject today, and I have— I've been given— can you hear this? This is Graham's little sack, and it's his little Scrabble sack, because I've got some letters in here. Okay? So I'm going to pull out—
Carole Theriault
I'm glad you said Scrabble sack.
Graham Cluley
I'm going to pull out— How many letters should I pull out, Carole?
Carole Theriault
I don't know. Four.
Graham Cluley
Good choice. I'm going to read out the letters, alright?
Carole Theriault
R.
Graham Cluley
P.
Carole Theriault
I can't believe how lame you are.
Graham Cluley
G. Rocket-propelled grenade. D. RPGD. Is that what we're talking about today? RPGD.
Carole Theriault
Or GDPR. GDPR.
Graham Cluley
Hey, whoa, whoa, whoa. Whoa, whoa, whoa. Whoa. Stop it. I've heard about this GDPR thing. Something to do with Europe.
Carole Theriault
Yeah.
Graham Cluley
I'll be honest with you. Sounds a little bit dull. Do we really want to do this in a podcast?
Carole Theriault
We— It's very important. I think we have to do it. So I agree. This may not be the most fun podcast we've ever done. Don't say that.
Graham Cluley
Say that.
Carole Theriault
It's true. It's true. It may not. We'll do our best. But look, I went looking. I actually went looking for GDPR jokes online. And I've got to say, there are not very many out there.
Graham Cluley
You surprise me. There aren't many GDPR jokes online.
Carole Theriault
And they're not funny. So I think if anyone wants to corner the market—
Graham Cluley
Is there anything else GDPR related? Can you get merchandise? Can you get t-shirts, mugs?
Carole Theriault
Not yet.
Graham Cluley
Sea shanty websites? I mean, what is it?
Carole Theriault
It's a free tip for any enterprising individual out there listening to us right now.
Graham Cluley
Well, people better— now, if we feel bad about this, how does Kevin feel, right? He's our resident American right now. He's not even— I mean, technically, Carole, you and I, as based in Britain, we're still at the moment part of Europe, right? And so—
Carole Theriault
We haven't explained what it is yet, but you can ask.
Graham Cluley
Oh, come on then, tell me. First of all, let's get through this. GDPR, what do the letters flipping well stand for?
Carole Theriault
Yeah, because we need to explain this. So GDPR stands for General Data Protection Regulation. This is new European data legislation, and it's all about giving more control to the EU subject, okay, or EU citizen, more control over their personally identifiable information that's stored online all over the web.
Graham Cluley
Because the concern is amongst European citizens, just as it should be for everyone really all around the world, is what are companies doing to protect my personal information and my personal data? We are having to share so much of it with businesses online, we don't always have great visibility as to what they're planning to do with it or indeed how well they're taking care of it, right?
Carole Theriault
Oh no, totally. I mean, there was a survey where three-quarters of the people who took part were like, "I don't trust companies with my personal information." So that's where we're starting from. So back in 2012, this started taking shape, the whole concept behind this. This is a really, really massive piece of legislation.
Graham Cluley
Yeah.
Carole Theriault
Right, it really is a big overhaul of what was in place beforehand. And it started all the way back in 2012 where they started scoping out the legal requirements of how personal data of EU residents should be handled by companies. And it was only adopted in 2016. And because it's so huge, they gave a two-year post-adoption grace period before it fully comes into effect in May 2018. That's May next year.
Graham Cluley
Now, what do you mean that GDPR is so huge? You mean it's physically huge or what do you mean?
Carole Theriault
So we'll provide a link in the show notes, but this is a piece of legislation that has 11 chapters and 99 different components, or what they're calling articles, that all go to tell companies how they have to handle and anonymise and process and store and transmit personal data of EU citizens and residents.
Graham Cluley
Okay, so this is basically like Lord of the Rings. This is quite a beast.
Carole Theriault
Well, let me tell you how big it is. It's so big that companies who do not meet the requirements or stipulations and are found guilty can face fines of up to €20 million or 4% of the previous year's turnover, not profits, but turnover. And they will choose whichever one is higher if you're found guilty.
Graham Cluley
Oh, so there's not a cap of maximum €20 million, which frankly, wouldn't be a pinprick for some humongous internet companies, would it?
Carole Theriault
That's right, yeah.
Graham Cluley
But 4%, now everyone's going to feel the pinch at that, aren't they? They're not going to be pleased with that.
Carole Theriault
I mean, this could go into the billions for the big giants out there.
Graham Cluley
Ooh, ah.
Carole Theriault
Yeah.
Graham Cluley
But I imagine, I mean, maybe Kevin, you've got a view on this as well. I would imagine that having to deal with this piece of legislation is probably better than having to deal with the different data protection legislation, the alternative, which could be — I mean, how many EU member states are there? Something like 28 or something like that, right?
Carole Theriault
28.
Graham Cluley
Yeah, there's 28. So it's better than having to deal with each of those individually and making sure that you're handling all of those.
Kevin Gorsline
I think the challenge there is that, so you have to deal with GDPR, but the individual EU states still have privacy laws that you have to basically comply with as well, right?
Carole Theriault
Yeah, it's a bit—
Kevin Gorsline
So it's in addition to the existing regulations that are out there. So it's even more complicated when you start layering that on top.
Graham Cluley
And I mean, frankly, you don't want to make the choice that you're not going to provide services to people in the EU. I mean, that would be one option, wouldn't it? Just forget about Europe, too much of a hassle, right? No internet company's likely to do that. And it's not just internet companies, of course, but— Okay, so if for instance I've been filling in forms on websites, I would never do this by the way, but if I were downloading white papers from a website and I regularly said that my name was Arnold Aardvark at aardvark.com. I don't obviously have to worry about that, because that's not going to identify me. I haven't been sharing anything that way.
Carole Theriault
Right. I think they're focused— from what my reading of this— and I mean, I should— I'm not a lawyer and I'm not a GDPR expert, right? But from my reading of the legislation, they seem to be focused on firms that have 250 employees or more, or companies that manage personally identifiable data on a regular basis, right. So if you're doing that and you're a smaller company, you need to pay attention to GDPR.
Kevin Gorsline
So those two caveats make it almost virtually anybody that's handling EU data, because if it's a small company, if I've got 5 employees, so at some point I'm probably handling that data on a daily basis, whether I'm backing it up, does that constitute handling that data?
Carole Theriault
Well, that's the thing, you know, this is the thing that you need to think about when you do an information audit, I think. It's like, think of all the forms, the web forms that are filled in, the geolocation you might have with cookies. You know, how GDPR is defining what personal information is, or personally identifiable information is, is perhaps broader than current legislation in your neighborhood. Well, not internet companies, but smaller companies, right? So companies maybe around the 500-employee mark, might be looking at how much return they get from providing services and products to EU citizens, right?
Graham Cluley
And frankly, if your company is, you know, slightly smaller than maybe and doesn't have to worry quite so much about these things, maybe you should be thinking about your future ambitions and the growth of your company. And wouldn't it make sense to follow these sort of guidelines which GDPR is proposing because of the general health of your company? All right, okay. Because you never want some bad— you know, these rules are being introduced in order to protect people, your customers. You should be doing these kind of things anyway. And it's much easier to build this in from early on in your company rather than waiting until you get big, whereupon it's a huge overhaul of your organization.
Carole Theriault
Does that work? 'Cause it is complicated.
Graham Cluley
That sounds good.
Carole Theriault
But you know what? It's still, it's going to be a really big pain in the butt, right? So who are the affected companies, right? I feel for companies that have to do this because some companies have been running systems for 20, 30 years, have been processing data in a specific way, and they have to kind of do a huge overhaul. And not all, I mean, let's just think about what GDPR means. Now the whole thing, everything about GDPR is about identifiable personal data. I don't think we've actually defined that. So data that's already anonymized, right? Where the European subject cannot in any way be identified to the data and correlated to the data, this falls outside the scope of this legislation, okay? And there's a few mega, you know, big things that it does, right?
Graham Cluley
Go on, you tell us.
Carole Theriault
OK, so it needs to get clear consent, OK, clear and explicit consent from the user to process personally identifiable information, OK? Obviously, if someone is not of consent-giving age, so a child, they need to get parental consent for that. EU residents have a lot more control over data in this case. So for example, an EU resident can request that their data be sent to them in a common format, that it can be sent to a third party if they want to transfer their data from one enterprise to another, or that all their personal data be erased. They can make that request anytime and you're not allowed to kind of dilly-dally on getting that done. You've got to move quite quickly. And you have to bake in obviously data protection capabilities into the system, right? So this means things like encryption and what this word that they use everywhere, pseudonymization. It's a very difficult word to say. It's not so much about the data you provide as a user, but how the company actually processes and handles that data so that it can't be easily correlated to the person, to the identity. Pseudonymization is probably the easiest way to say it. And if you do have a breach, right, you have 72 hours to report it, right?
Kevin Gorsline
And if you think about that, so the company is not going to know that that's not you, Graham. So the company has to make the assumption that every bit of data that gets entered on one of those forms is actually legitimate, that you're not using some anonymous name for yourself. And of course, there are companies I deal with where I give my real details. I mean, understandably, because otherwise I can't do very much business with them.
Carole Theriault
Okay, so we know that we're talking about people that are processing identifiable personal data, okay? Now, one big misnomer about this whole thing is people think, oh, that's an EU regulation. It doesn't affect my company. I don't have any office or establishment inside the EU. Well, wait, wait, wait. That's not true. It impacts any firm that processes on a large scale or has a focused process on EU subjects. And that they process personally identifiable information.
Kevin Gorsline
Looking at it from a US perspective, Carole, you mentioned before that small companies may look at alternatives to this. But I mean, we have to look at— define a small company. If it's 500 individuals in the company, they're going to be subject to it. If I'm 250 or less, I'm not subject to this legislation, right? So I don't have to worry about it quite as much.
Graham Cluley
So pseudonymization.
Carole Theriault
Pseudonymization.
Graham Cluley
It is hard, isn't it? Say that 3 times fast. So what that is, is where rather than using your name there, so it can't be identified.
Carole Theriault
You have separate databases effectively. So you have, here is my identity and here is the personally identifiable information and never the twain shall meet. So think ID numbers, you know, but it's very separate so that if, for example, you did get breached and they managed to crack the encryption, they wouldn't be able to easily tie it all together.
Graham Cluley
Oh, okay. And that's interesting, 'cause of course we've seen some breaches in the past where companies have sent CDs through the post of their customer database, including all kinds of information, personally identifiable information, which wasn't actually necessary for the person who was receiving the CD to process. They only wanted some of the columns. So that's interesting, isn't it, that they would be planning to do that? It sounds like it makes sense.
Carole Theriault
Yeah, there's a real push here about processing as little information as necessary for the job that you have specified, you know, and you've gotten consent from the user about. So you have to tell the user why you want to use their data. And this makes things complicated because lots of companies obviously collect data and then sell it on to third parties.
Kevin Gorsline
But think about the millions of web forms out there right now where we collect data. And so, we're going to have to put some kind of disclaimer on those, right?
Carole Theriault
Yes.
Kevin Gorsline
We're going to have to put some kind of acceptance criteria linked back to a big fat policy that says, here's all the things we're going to do with your data if we're going to do anything at all with it.
Graham Cluley
But hang on, no one's going to read those, are they?
Kevin Gorsline
Exactly.
Carole Theriault
This is my big beef with this whole thing. So they have to update their privacy policies. You're going to see a big change in privacy policy come May '18, with them begging to be able to use your personally identifiable data in a very explicit way, hopefully. If they want to comply with the rules. And you have to explicitly say yes or no, and it can't be a pre-ticked box. You have to click yes. But as you've just mentioned, how often is that situation happening when people download apps today, right? And when they're buying services, they're like, you know, have you agreed to the agreement? Yes, I have. Carry on. And I think, you know, if we move on to what this means for end users or for EU citizens and subjects here, it's kind of like they're, you know, they have a job to maybe not click yes if they don't want to be personally identified with this information. They'd all be more careful with it. They'd actually — businesses would have to change the way in which they collect information, right?
Graham Cluley
Yeah, but the thing is, when you want that service, when you want access to that site, when you want to buy that particular product or whatever it is, that actually is the more pressing thing on your mind right then than your data privacy, isn't it? I mean, that's a cold — I mean, I don't read — dare I say it? I don't read all the legalese. I don't read all the terms and conditions. I just think, yes, yes, yes, I need to buy this thing. I need it delivered, you know, next Tuesday. And the other thing is, I mean, sometimes I make those sort of decisions based upon the site and the company and how established it is. However, it may not actually be the company which is processing my data. They may have farmed that out to third parties, right, who are doing the actual processing. And those companies are going to have to be on board with GDPR as well, aren't they? I think there's this difference between, is it the controller and the processor of the data?
Carole Theriault
Exactly, yeah. So yeah, it seems right now that one of the big changes in this is that they're going to give a lot more responsibility. And by that, I'm reading liability to the controller, right? So the controller has to stipulate the, you know, the contract and the agreement that it makes with a third-party processor. And they are responsible for making sure they cover all their bases, as I read it. So, there's a lot more responsibility for the controller here in managing the data.
Kevin Gorsline
Think about the cloud providers in this picture, right? So, the cloud providers, what's their culpability? How much responsibility do they bear in this model now going forward? So, they're providing a managed service or in some cases a self-managed service so that the controller is actually managing their own service, but the cloud provider is providing the infrastructure. In the case of a breach, who's going to wind up picking up the check for the $20 million? Is it both of them? Do they both get hit for $20 million, or does one or the other get hit for the $20 million?
Carole Theriault
Yeah. And I wonder if people are going to play around in that potentially gray area until a victim is brought before the courts, and then they go, "Oh, wow. Okay, now I understand how it works and what can happen."
Kevin Gorsline
Well, it's funny because we see from our clients, and we provide services to a couple of different cloud provider services, and the contracts that we're seeing come in from EU companies or companies that are handling EU resident data now are just a wide spectrum of legalese is coming into play now. It's funny, from some that are just not very well defined and putting responsibility back on themselves rather than the processor. And then there's others that want to shirk that responsibility and shuffle it all over to the processor. So your response, even if you're not basically doing more than storing the data. So I mean, I think there's a lot of things that are going to come into play contractually.
Graham Cluley
So here's what I think, right? I think for citizens, for people who live in Europe, this is fantastic, you know, because there have been too many data breaches and it sounds like companies are going to have to buck their ideas up in terms of protecting data considerably. You know, this is a real scare for companies and they— this is coming in in May 2018, right?
Carole Theriault
That's right.
Graham Cluley
Right. You've got to be ready for it.
Carole Theriault
Yeah. They'll even— individuals will even be able to sue for compensation from companies that they feel have not complied with GDPR in terms of their information. How they process their information.
Graham Cluley
So I think from their point of view, this is fantastic. And, you know, I'm all for it. I think it's terrific. Anything which gives people better privacy, fantastic. However, if I put company shoes on, I have to say, wow, this is a big pain up the bottom, isn't it? Quite frankly.
Carole Theriault
And most companies have been dealing with this. So I think if you work in a company, 500, 1,000 employees, you're gonna be, you're gonna have seen, you know, the senior stakeholders, the IT guy, the legal guys, all in a room huddled up every week, and this is probably what they're discussing because it's big.
Graham Cluley
Who would want to be one of these firms which is processing data? Some of those firms must be quite small who are doing it for the very big firms.
Carole Theriault
Yeah, right? Yeah, it's a good point.
Graham Cluley
You know, and I'm sure the big firms are going to have in their contract, this is how it's going to work. And if we get in trouble, you are going to end up paying. You know, it's a risky field to be working in.
Carole Theriault
But maybe that's why the onus is more on the controller for exactly that reason. So there can't be that kind of offset of responsibility to a small firm. Smaller, less lucrative.
Kevin Gorsline
I think it's all going to come down to the contract between the two entities, between the controller and the processors, how much of their responsibility they can shift off to the processor.
Carole Theriault
Oh, yeah. Data protection lawyers right now are certainly going to come up trumps on this one.
Kevin Gorsline
Well, insurance attorneys or insurance firms are going to come out of the woodwork for this too. Everybody's going to be writing a new policy for cyber insurance for GDPR.
Carole Theriault
Yeah, let's hope they process that data very carefully.
Kevin Gorsline
Well, who's gonna want to cover a €20 million loss though, right, from an insurance company? Because for years we've been collecting this data. Honestly, I would bet that there's a huge percentage of these firms that have no idea where this data lives within their environment.
Carole Theriault
Exactly.
Kevin Gorsline
So going back and cleaning all that up or pseudonymizing that data is going to be almost an impossible task. So you're almost at encryption. You know, I think that when you said that, people are holed up in the corner trying to figure out what's the policy and what's the protection around this, everybody's looking at wrapping the data and protecting it so that the breach doesn't occur. Yay team for that. But we should be looking at how we're gonna categorize this information and the documentation that's gonna go, that has to be acquired for us to support any of these cases that we're gonna make going forward after we get bagged for personal data escaping or data leakage in any environment, right?
Carole Theriault
Because I see it there's three choices, you know, in front of companies right now. So one is they stop processing data from EU subjects, right? So some will either stop processing data from EU subjects and dump the data they currently have, or they could separate out the EU subjects into two different databases and treat them differently according to the laws of the land. Or three, they review and revamp exactly the whole systems. And you would do that because you think the world's going this way, right? This is going to be bigger and bigger, and it's not just going to impact on EU citizens. We expect this to move to the US, the UK, etc. Australia.
Graham Cluley
I have another alternative.
Carole Theriault
Okay.
Graham Cluley
I'm thinking that maybe the United States could launch a small tactical nuclear missile at Brussels. If they knocked out Europe, or at least the legislative part of it, maybe that would be the simplest thing to do. I mean, if this is really going to be a big pain.
Kevin Gorsline
I'm pretty sure Donald Trump's lined up for that.
Graham Cluley
Let's not get political. We had a bad iTunes review the other day.
Carole Theriault
You're telling him not to be political? Right.
Graham Cluley
Oh yeah.
Kevin Gorsline
Yeah.
Carole Theriault
Kevin, tsk, tsk.
Kevin Gorsline
Bad on me.
Carole Theriault
Bad on you.
Graham Cluley
Exactly. Yeah. We would never say things like that. We'd never do that. No. Well, it seems like a— okay, so GDPR, you've sold me. It's a big deal. It's a big fricking deal, as some people say. So where can people read more about this? Because I mean, obviously we've only been able to skim the surface of this, but there must be places where people can go, where they can read more. I imagine many companies are dealing with this.
Carole Theriault
Well, let me plug, I've been working with Kevin on a GDPR guide. So we can, we'll provide a link to that and other really useful resources inside the show notes. There's a number of places because when you look at the actual legislation, and you scroll through the hundreds of pages that it takes, you know, in size 8 font, it can lose your will to live. So there are a lot of places that have distilled the information in a more manageable way so people can introduce themselves. I suggest introduce yourself gently.
Graham Cluley
Well, thank you. It's actually been quite interesting, you know. When I drew out those letters from my little Scrabble sack of GDPR— yes, I know, it was a strange coincidence— I wondered, you know, is this an interesting subject actually. It's obviously important. There's so much hacking going on. There's so many data breaches going on. Organizations have to do it. And oh, just one other thing, of course, reaching, you know, fulfilling these requirements isn't necessarily the end of the road for companies, is it? I mean, I guess you should really view this as a minimum that your company should be doing. And maybe if you really want to stand out from the crowd in terms of protecting your users, maybe you should go even further.
Carole Theriault
I think if they can get to the finish line, you know, by May 2018, I think it's going to be quite an amazing feat because most companies are saying right now, we ain't ready. We are not ready.
Kevin Gorsline
Oh my word. Yeah, it's going to be a Herculean task to meet that date for a lot of guys.
Carole Theriault
If you haven't started already, yeah.
Kevin Gorsline
Yeah, if you haven't started, you're in doo-doo shape.
Carole Theriault
Yeah, get help. Get help. Get help quick. Expert help quick if you need it.
Kevin Gorsline
Perfect.
Graham Cluley
Okay, guys, it's been great. I think that just about wraps it up. Thank you for tuning in. Thank you, Kevin, as well for joining us on the podcast. It's a real pleasure having you here.
Kevin Gorsline
Thanks for having me.
Graham Cluley
If you like the show, tell your friends. We'll be back again next week.
Kevin Gorsline
Week.
Graham Cluley
And let us know what you think by leaving us a review on iTunes. Don't leave us a 1-star review. Don't leave us a 2-star review. Go on, leave us a 5-star review. I'll tell you why, because if you do that, it actually helps more people find out about the podcast and it makes us feel loved and wanted, which is really important to me at least. I don't know if it matters to Carole or not.
Carole Theriault
It matters.
Graham Cluley
Okay.
Carole Theriault
It matters.
Graham Cluley
Go to www.smashingsecurity.com and you'll find other ways to get in touch with us and listen to our other podcast as well. And until next time, toodle-oo, bye-bye. Bye.
Kevin Gorsline
Cheers.
Graham Cluley
Kevin is just so cool, isn't he? Isn't he cool? He's so laid back and cool.
Carole Theriault
You were, I think, the coolest cucumber we've had. Wow.
Graham Cluley
Maybe he just doesn't realize what a big freaking deal it is to be on the Smashing Security podcast.
Carole Theriault
It's good. Good.
Kevin Gorsline
I realized what a big deal it was.
Graham Cluley
It is huge.
Kevin Gorsline
This could be— this is a career maker for me. Absolutely. I've told all 3 of my friends. It's gonna be huge.
EPISODE DESCRIPTION:
In this special "splinter" episode, regular hosts Graham Cluley and Carole Theriault are joined by special guest Kevin Gorsline to discuss the European Union's General Data Protection Regulation (GDPR), and what it means for your business even if you're not based in Europe.