GDPR and Data Breach Risks: An Interview with Bogdan Manolea of ApTI
GDPR One Year Later – How Well Was It Implemented?
May 2018 brought on the mandatory implementation of GDPR regulations for Europe, but, de facto, for the entire world since European users can freely roam across the internet of pretty much all countries.
Much to the fretting of virtually everyone else around the world, lots of companies and websites located outside of EU had to review and restructure not just the text from their privacy policies, but their actual data collection practices.
GDPR One Year Later: An Interview with Bogdan Manolea
Now, a year later, on the law’s 1st anniversary since its implementation, I decided to have a talk with someone who understands much more about it than me, namely with Bogdan Manolea from the Romanian Association for Technology and Internet (APTI) and from Trusted.ro (the 3rd party seal of approval for e-commerce websites, vouching for their safety and honesty following independent tests).
Bogdan Manolea delivering a conference talk. Photo credit: CristalStudio.ro
He doesn’t like the word expert, but I don’t really know how to introduce him avoiding the word. Let’s just say he’s the first person who comes to my mind whenever I have some issues and doubts regarding digital rights in general (not just the very recent GDPR).
Here’s what we talked about and what his answers were. [The interview was a bit edited for length and clarity.]
1. As a GDPR expert, what’s your take on how this law was implemented in Europe and beyond, now, almost one year later since its principles became enforced?
First, I hate the words “GDPR expert”. I don’t understand how you can be an expert in a law that was adopted three years ago and it started to be implemented one year ago. This is just marketing bullshit, IMHO.
Moreover, the truth is that data protection existed for a long time in Europe as a specific domain and the Council of Europe Convention 108 on automatic processing of personal data exists from 1981. Even the first EU directive exists from 1995.
So, the fact that some media picked up the subject only recently or that companies have become much more aware since the huge fines from GDPR were advertised, that is just their problem.
But the concern for privacy and personal data protection, including specific legislation on the matter, have existed in Europe for decades. Even the principles are almost the same from 1981.
The need for a law more in line with the digital processing of personal data has been discussed for years and the digital rights groups from Europe (including myself from APTI in Romania) have been active in pinpointing the limits of the previous directive from 1995 and asking for a better legislation that is unique at the entire EU space level. This is why GDPR was adopted in 2016 and it started being applied in 2018.
So the principles should have been enforced for some time, actually. The fact that we are still discussing how companies are implementing the data protection principles after decades of laws in this domain shows us that the legislation was basically inefficient, to a large extent.
2. Do you think companies have mostly adapted to this new framework, by and large? Have you noticed a great array of differences between various categories of businesses implement GDPR? For example, companies from a certain niche versus others in a different niche, or based on company size, or on their location?
It would be almost impossible for one person to have a pan-European overview of how GDPR was implemented so far. The situation depends on so many factors – size, niche, location, country, compliance with previous legislation, the quantity of data collected, etc.
From my empiric evidence, there is a huge wide range of compliance – from a high level of compliance in multinationals that are more used to compliance mechanisms and new regulations, especially if they come from countries with traditional strong data protection regimes (e.g. Germany) to no compliance at all in SMEs [n. a – Small to Medium Enterprises] that do not use digital tools and are in one of the countries where the DPA (Data Protection Authority) is very weak in its enforcement.
3. So what would be in your opinion the good and bad in GDPR implementation so far?
The good thing with GDPR is that it forced companies to think more (in depth) about the personal data they are collecting in order to answer the basic questions posed by GDPR (What data? How do we collect it? For what purposes? For how long? Etc.)
There are several bad things that are worrying me:
- The risk of missing the purpose and scope of GDPR. Instead of protecting the personal data of European citizens, we might create a layer of bureaucracy which does little for achieving this aim;
- The absolute need for simplification and guidance for SMEs in understanding the exact steps to be done for compliance on data protection;
- The crucial role of the DPAs in implementing the GDPR. With a dormant DPA, all the while GDPR seems like just a nice story, with no real effects.
4. What’s the no #1 mistake companies can do when it comes to preventing data breaches?
There are a lot of actions that can be done and it depends on the size of the company and the importance of the data that is being processed.
But one thing that strikes me personally, in almost all companies, as a measure that is easy to do and could save a lot of hassle later, is disk encryption by default (before booting the OS) of all mobile devices (laptops, mobile phones, and tablets).
I mean, these types of devices are being lost or stolen regularly all over the world. This is just human nature and it is very possible to happen to your company sooner or later. It’s almost impossible not to have any personal data on them. But still, very few companies have a mandatory policy of having all their mobile devices encrypted by default.
Bogdan Manolea delivering a conference talk. Photo credit: CristalStudio.ro
5. How about the no #1 mistake they may do once a data breach already occurs?
Probably to panic. 🙂
This is why it is helpful to have a data breach procedure and to test it from time to time. Especially in big companies, this should be a must.
6. I don’t mean to sound fatalistic, but do you think there’s a certain unavoidable component to data breaches in this new law framework? Can a company avoid penalties with a certainty of 100% through preparation? I, for one, certainly hope so & think so, but I think there are a lot of defeatist voices among company reps having a hard time adapting to the new rules.
Of course, it is unavoidable. The question about data breaches is when it will happen, not if it will happen. If it never happens, then you’re very, very lucky or you just don’t know about it.
But this is why if you report a data breach, it doesn’t automatically mean that you will be fined. Look at the numbers compiled by our colleagues from civil society (based on FoI requests to DPAs) from all over the EU and you will see this is true. But it also shows that probably the level of reporting is very different from one country to another.
You can see the table of facts and figures here.
So, in Romania, for example, by March 2019 there were reported 414 data breaches and, as far as we know, there wasn’t any fine yet.
7. Do you know if the position of Data Protection Officer was actually created within companies, on a significant scale? As in, did companies really hire a person to fulfill this role alone, without other ‘merry weather’ responsibilities?
First, let me emphasize again that not all companies need a DPO. The art 37 of the GDPR makes it clear that only in two situations private companies must employ a DPO:
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.
Also, the DPO can be external, you don’t have to have an internal staff role for this.
Moreover, GDPR doesn’t say that it must do only that – however, it is worth emphasizing that a DPO may have other tasks that are in a conflict of interest with this position – for details see Art 29 with regards to DPOs – Chapter 3.5.
8. What do you think of the new laws the US authorities are striving to adopt soon regarding data protection? I know there are some debates within the US to adopt new laws, but EU representatives are a bit critical of American efforts so far.
I haven’t followed the topic too closely, but I can point out is that EU is actually the most advanced globally in the field of data protection legislation, so it starts to “export” this legislation in several other areas, not just to the US.
Also, I think that California, with this act, may be more advanced than other US states in these activities.
9. What’s your no #1 advice to companies trying to navigate the post-GDPR framework of digital consumer rights?
From a privacy advocate perspective, I think there are two basic things all companies should do:
- Do an analysis on what data you collected and if you can live without it (thinking about your users and their rights, not with the idea “it might be helpful in the future, who knows?”). This is part of the “data minimization” direction within GDPR and if you do it properly you can actually collect less data (renouncing those bits that might have been collected for an unclear purpose anyway.)
- Keep your users informed about what you do with their data. Article 29WP has a pretty simple table as an Annex to their Opinion on transparency, which is a great guide.
For Romanian readers, I’ve written a very user-friendly guide here, on the topic of protecting yourself from conflicts with your consumers over data privacy.
10. Finally, do you have a remarkable data breach story to share, one which we could all learn a bit from? What’s the most interesting/crazy/serious/impressive case of data breach fulfilled (or averted) that you heard of?
What is remarkable for me is the long history of Facebook data breaches from the past couple of years (see the latest), some with ridiculous mistakes (Plaintext passwords? Really?) and how they got away with it. So far, at least…
Thank you, Bogdan, for your time and answers.