“The revelation of identifying information, such as your email, can unlock other private online information, potentially hurting your socio-economic life”
In 2016, the EU adopted the General Data Protection Regulation (GDPR), introducing updated and tighter requirements on privacy protection. The GDPR replaces the 1995 Data Protection Directive and becomes applicable on 25 May 2018. The regulation introduces several new requirements that aim to oblige online service providers to protect their users’ privacy. The aim of this article is to provide an introductory overview of the GDPR that is easy to read for any individual or company.
GDPR is a game changer in privacy protection
The GDPR defines the controllers and the processors of personal data. More specifically, according to Article 4, the different roles are the following:
- Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The GDPR places additional responsibilities on controllers and processors and changes the grounds for processing personal data. It is almost impossible to summarize in a paragraph the numerous functional and non-functional requirements of the GDPR. Nevertheless, we will briefly refer to some of them.
Personal data, e.g. the name, the email address or the device ID of a user, must be protected accordingly, and its processing must be accompanied by security measures such as encryption and pseudonymization techniques. Moreover, the GDPR focuses on the necessity of collecting personal data from a data subject and on the lawfulness and purpose of the data processing. We could say that the regulation drives us to the ‘digital age of consent’, where no personal data can be used without the consent of the data subjects (which can be revoked) and without a justification of why the data has to be collected. Not to forget the right that users will have, under Article 17 (Right to erasure, ‘right to be forgotten’), to request the deletion of all of their personal data, a right they will be able to exercise after 25 May 2018.
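To make the pseudonymization measure mentioned above concrete, here is an added example (written for this article, not code from any regulation text or vendor) that replaces an email address with a keyed-hash pseudonym. The key, the in-memory re-identification table and the sample records are all assumptions constructed for the demonstration; in a real system the key and the table would live in a separately protected store so that the analytics data set on its own cannot be linked back to a person.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records for the demonstration, not real users.
SAMPLE_USERS = [
    {"email": "alice@example.com", "country": "DE", "newsletter": True},
    {"email": "bob@example.com", "country": "FR", "newsletter": False},
    {"email": "Alice@Example.com ", "country": "DE", "newsletter": True},  # same person, different spelling
]


def pseudonym_for(email: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalized email address.

    A plain SHA-256 of an email is NOT a pseudonym: anyone can recompute it for
    a guessed address. With a secret key, only the key holder can link the
    pseudonym back to the email, which is what makes it a pseudonymization
    measure rather than a mere hash.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


class Pseudonymizer:
    """Holds the secret key and the re-identification table (assumed in-memory here)."""

    def __init__(self, key: Optional[bytes] = None):
        # A fresh random key per deployment; losing it makes re-identification impossible.
        self.key = key or secrets.token_bytes(32)
        self._reident: Dict[str, str] = {}

    def pseudonymize(self, record: dict) -> dict:
        """Return a copy of the record with the email replaced by a pseudonymous user_id."""
        out = dict(record)
        pid = pseudonym_for(record["email"], self.key)
        self._reident[pid] = record["email"].strip().lower()
        out["user_id"] = pid
        del out["email"]
        return out

    def reidentify(self, pid: str) -> Optional[str]:
        """Look up the original email for a pseudonym; only the key/table holder can do this."""
        return self._reident.get(pid)

    def erase(self, email: str) -> bool:
        """Right to erasure: remove the link between the person and their pseudonym.

        Caveat: because the pseudonym is deterministic, someone who still holds
        the key could recompute it from the email; full erasure therefore also
        means deleting or rotating the key, or deleting the pseudonymized rows.
        """
        pid = pseudonym_for(email, self.key)
        return self._reident.pop(pid, None) is not None


def pseudonymize_all(records: List[dict], key: bytes) -> Tuple[List[dict], Pseudonymizer]:
    """Pseudonymize a batch of records and return them with the Pseudonymizer used."""
    p = Pseudonymizer(key)
    return [p.pseudonymize(r) for r in records], p


if __name__ == "__main__":
    rows, p = pseudonymize_all(SAMPLE_USERS, secrets.token_bytes(32))
    for row in rows:
        print(row)
    print("re-identified:", p.reidentify(rows[0]["user_id"]))
    print("erased:", p.erase("alice@example.com"))
    print("after erasure:", p.reidentify(rows[0]["user_id"]))
```

The normalization step matters for analytics: the two spellings of Alice’s address produce the same pseudonym, so counts and de-duplication still work on the pseudonymized set, while a different key (e.g. a second processor with its own key) produces unrelated pseudonyms for the same person, which limits linkage across data sets.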
Moreover, there is a growing concern regarding the governance of the shared/submitted personal data. In many cases, users have no idea who is behind an online service, with whom the service is also sharing their data, in which countries the data is processed or what the scope of the processing is. Arguably, many users do not have complete control over the data that they are sharing with third parties.
At the same time, due to the use of several third-party software solutions (e.g. CDN or marketing-related software), we can say that on many occasions a controller is not able to know where their users’ data is hosted at any given time. As a result, the complexity of just some of the numerous requirements of the upcoming enforcement of the GDPR is rather high, and all of the interested parties must start working on those tasks very carefully. A good first step for controllers is to only choose and implement third-party services that are compliant with the upcoming regulation.
Web applications privacy risks and GDPR requirements
In this section we first focus on the web application side and its related privacy risks. When confronting so many web-related risks, we must examine which privacy risks web applications are exposed to and follow the organizational and technical measures that minimize the risk of unauthorized (or non-consented) disclosure of personal data to third parties.
The Top 10 Privacy Risks list of the Open Web Application Security Project (OWASP) was first published in 2014 and is still a very good reference. According to OWASP, the top 10 privacy risks in web applications are as follows:
- Web Application Vulnerabilities
- Operator-sided Data Leakage
- Insufficient Data Breach Response
- Insufficient Deletion of personal data
- Non-transparent Policies, Terms and Conditions
- Collection of data not required for the primary purpose
- Sharing of data with third party
- Outdated personal data
- Missing or Insufficient Session Expiration
- Insecure Data Transfer
Without claiming a legal background, below we try to map the top privacy risks published by OWASP to just a few examples of the upcoming GDPR requirements.
| OWASP Top 10 privacy risk | GDPR requirements (reference examples) |
| --- | --- |
| Web Application Vulnerabilities | For example, in Article 32 the regulation describes the security of processing, to minimize the risk of a potential data breach. |
| Operator-sided Data Leakage | Also in Article 32 the regulation describes the security of processing, to minimize the risk of a potential data breach. |
| Insufficient Data Breach Response | Articles 33 and 34 specify the data breach notification procedure and the 72-hour limit. |
| Insufficient Deletion of personal data | Article 17 analyses the right to erasure (right to be forgotten). Recital 65 also provides related information. |
| Non-transparent Policies, Terms and Conditions | Article 13 and the definition of consent in Article 4 (11) provide many of the new requirements. |
| Collection of data not required for the primary purpose | Recital 32 and Articles 5 (1) and 13 are a good starting point for reading. |
| Sharing of data with third party | Articles 21 and 22 analyze many of the upcoming requirements, while Articles 6 and 7 also provide complementary content. |
| Outdated personal data | Recital 63 and Article 15 contain some of the new requirements. |
| Missing or Insufficient Session Expiration | This item refers to the potential collection of personal data without the user’s consent and awareness. So, Article 7 is a good source to start with. |
| Insecure Data Transfer | Article 32 contains many of the upcoming requirements. |
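The ‘Missing or Insufficient Session Expiration’ row above is the one risk in the table that is almost entirely a coding decision, so here is an added example (written for this article, not OWASP’s or any framework’s code) of a server-side session store that enforces both an idle timeout and an absolute lifetime. The timeout values, the injectable clock and the user names are assumptions chosen for the demonstration; the point is that a session that has not been used for a while, or that is simply too old, stops identifying the user even if the browser still presents the cookie.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for the example; a real deployment tunes these per application.
IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600   # hard ceiling on session lifetime, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session registry with idle and absolute expiry.

    `clock` is injectable so the expiry logic can be exercised without sleeping.
    """

    def __init__(self, idle: float = IDLE_TIMEOUT, absolute: float = ABSOLUTE_TIMEOUT,
                 clock: Callable[[], float] = time.time):
        self.idle = idle
        self.absolute = absolute
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Start a session and return an unguessable identifier (256 bits of randomness)."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user behind `sid`, or None if the session is unknown or expired.

        Expired sessions are deleted on the server, so a stale cookie cannot be
        replayed later: expiry is enforced here, not only by the cookie's Max-Age.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle or now - s.created > self.absolute:
            del self._sessions[sid]
            return None
        s.last_seen = now  # activity refreshes the idle timer only, never the absolute one
        return s.user

    def logout(self, sid: str) -> bool:
        """Explicit invalidation; returns whether a session was actually removed."""
        return self._sessions.pop(sid, None) is not None

    def purge_expired(self) -> int:
        """Housekeeping sweep for sessions that expired without ever being presented again."""
        now = self.clock()
        dead = [sid for sid, s in self._sessions.items()
                if now - s.last_seen > self.idle or now - s.created > self.absolute]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore(idle=60, absolute=600)
    sid = store.create("alice")
    print("valid now:", store.validate(sid))
    print("logout removed it:", store.logout(sid))
    print("valid after logout:", store.validate(sid))
```

The absolute timeout is what keeps a long-lived, regularly refreshed session from becoming a permanent credential, and the housekeeping sweep keeps the personal data tied to abandoned sessions from lingering in the store.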
Reading the OWASP Top 10 Privacy Countermeasures alongside the above experimental mapping between the web application privacy risks documented by OWASP and the GDPR content illustrates the need for the majority of the upcoming requirements. At the same time, it is a common view among the majority of the parties trying to comply with the GDPR that this is by no means a simple or easy task. On the contrary, in most cases the GDPR also requires organizational and cultural changes as well as technical implementations in order to achieve compliance.
The (potential) impact of a privacy breach incident
So, what is the risk of the unnecessary and insecure sharing of personal data? After 25 May 2018 a privacy breach may lead to huge financial penalties. However, a data breach can also lead to many different risks to users’ private lives. Some examples of the impact that a data breach could have on users can be summarized as follows:
- Financial impact, e.g. through the use of the data for financial transactions.
- Reputational and/or social impact, e.g. through the use of data that connects a user with an activity not accepted by society for their profile (adult-only content, casinos, the disclosure of a person’s sexual life, etc.).
- Reputation attacks, e.g. by making public that a user suffers from a specific disease, leading to a silent rejection from a job opportunity.
- Identity theft, e.g. malicious users can use personal data in order to impersonate another user and disclose private information for various malicious purposes.
Given the above considerations and the privacy risks on the web, we can see that, due to the huge amount of personal data being transmitted and collected online, businesses must prioritize the protection of their users’ personal data and become GDPR compliant. While the upcoming regulation can be considered a great improvement towards the protection of data subjects, it is commonly accepted that it is a complicated task for companies (data controllers/processors), as it may require more effort than they actually realize.
In any case, online service providers must be highly responsible regarding the way they request, transfer, share or process users’ personal data. Many risks can arise from the inadequate and insecure protection of personal data. Thus, poor protection practices can lead to data breaches and, as a result, to the unauthorized and malicious use of personal data.
Legal disclaimer: This article contains general information about legal matters. The information is not advice, and should not be treated as such. You should not rely on the information on this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information on this website.
This article is part of the "GDPR overview: Decrypting the regulation in series".