Here’s the problem.
You’re a pub chain, with almost 1000 outlets up and down the UK and Ireland. Over the years you’ve collected masses of data about your curry-loving clientele, or at least those who have bought purchases online, connected to your Wi-Fi, or signed-up for your newsletter.
Why’s that a problem?
Well, that data is toxic if you can’t be confident you’re protecting it properly to keep it out of the hands of hackers.
JD Wetherspoon, better known as “Wetherspoons” to its regulars, seems to be taking matters into its own hands.
The company, which is presumably still nursing something of a hangover after discovering in late 2015 that it had suffered a data breach involving the personal details of some 656,723 customers, has decided to delete its email database.
As Wired reports, JD Wetherspoon sent an email last week to members of its customer database saying that it would no longer be sending out newsletters, and would be permanently deleting their records:
Dear Customer
I’m writing to inform you that we will no longer be sending our monthly customer newsletters by e-mail.
Many companies use e-mail to promote themselves, but we don’t want to take this approach – which many consider intrusive.
Our database of customers’ e-mail addresses, including yours, will be securely deleted.
In future, rather than e-mailing our newsletters, we will continue to release news stories on our website: jdwetherspoon.com
You can also keep up to date by following our Facebook and Twitter pages, using the links below.
Thank you for your custom – and we hope to see you soon in a Wetherspoon pub.
Why doesn’t JD Wetherspoon want to email you anymore?
Well, they might be truthful in saying that recipients find the emails intrusive, and perhaps it’s not proving to be an effective way of promoting their special offers anymore.
But sending email is really cheap, so I find it hard to believe that it would be prepared to switch off the taps like that for those reasons alone.
No, I suspect JD Wetherspoon might have other concerns.
Such as the fines that the Information Commissioner’s Office (ICO) has recently imposed on the likes of Honda and Flybe, after determining that those firms had not properly received users’ consent to be sent marketing emails.
Honda, for instance, was unable to cough up any evidence that its customers had ever given consent to receive emails. Ironically, the car firm was caught out after sending 289,790 emails which attempted to clarify whether customers wanted to receive marketing emails or not.
In the ICO’s view, the firms should already know (and be respecting) that all of the recipients in its email list had knowingly consented to receive emails from them.
So, maybe JD Wetherspoon is worried that it has a huge number of email addresses – which it sends newsletters to on a monthly basis – but has never asked (or simply lost) explicit permission.
In such a scenario, maybe it makes sense to wipe the email database.
And with much tougher data protection regulations coming into force in May 2018 in the form of GDPR, it may be a canny move to securely wipe such information sooner rather than later.
You can hear us discuss more about GDPR, and its impact on businesses around the world, in this recent “Smashing Security” podcast:
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Smashing Security, Episode 30: GDPR, the Good and the Bad with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security, Episode 30, and it is a special Splinter episode. Woo!
Hello, hello, and welcome to another episode of Smashing Security, Episode 30, and it is a special Splinter episode. Woo!
Yeah.
Hello, Carole, as always.
Hello.
Good to see you again.
It's been a while.
It has been a while. And we're joined by a special guest for this episode, Kevin Gorsline from TBG Security. They are a cybersecurity consultancy based in Boston, Massachusetts.
Hi, Kevin.
Hi, Kevin.
Hey, Graham. Hey, Carole.
Hi. How's it going?
Fabulous. Couldn't be better.
That's what we like to hear. Now, Carole has told me that we're having a special subject today, and I have— I've been given— can you hear this?
This is Graham's little sack, and it's his little Scrabble sack, because I've got some letters in here. Okay? So I'm going to pull out—
This is Graham's little sack, and it's his little Scrabble sack, because I've got some letters in here. Okay? So I'm going to pull out—
I'm glad you said Scrabble sack.
I'm going to pull out— How many letters should I pull out, Carole?
I don't know. Four.
Good choice. I'm going to read out the letters, alright?
R.
P.
I can't believe how lame you are.
G. Rocket-propelled grenade. D.
Is that what we're talking about today? RPGD.
Or GDPR. GDPR.
Hey, whoa, whoa, whoa. Whoa, whoa, whoa. Whoa. Stop it. I've heard about this GDPR thing. Something to do with Europe.
Yeah.
I'll be honest with you. Sounds a little bit dull. Do we really want to do this in a podcast?
We— It's very important. I think we have to do it. So I agree. This may not be the most fun podcast we've ever done. Don't say that.
Say that.
It's true. It's true. It may not. We'll do our best. But look, I went looking. I actually went looking for GDPR jokes online. And I've got to say, there are not very many out there.
You surprise me. There aren't many GDPR jokes online.
And they're not funny. So I think if anyone wants to corner the market—
Is there anything else GDPR related? Can you get merchandise? Can you get t-shirts, mugs?
Not yet.
Sea shanty websites? I mean, what is it?
It's a free tip for any enterprising individual out there listening to us right now.
Well, people better— now, if we feel bad about this, how does Kevin feel, right? He's our resident American right now.
He's not even— I mean, technically, Carole, you and I, as based in Britain, we're still at the moment part of Europe, right? And so—
He's not even— I mean, technically, Carole, you and I, as based in Britain, we're still at the moment part of Europe, right? And so—
We haven't explained what it is yet, but you can ask.
Oh, come on then, tell me. First of all, let's get through this. GDPR, what do the letters flipping well stand for?
Yeah, because we need to explain this. So GDPR stands for General Data Protection Regulation.
This is a new European data legislation, and it's all about giving more control to the EU subject, okay, or EU citizen, more control over their personally identifiable information that's stored online all over the web.
This is a new European data legislation, and it's all about giving more control to the EU subject, okay, or EU citizen, more control over their personally identifiable information that's stored online all over the web.
Because the concern is amongst European citizens, just as it should be for everyone really all around the world, is what are companies doing to protect my personal information and my personal data?
We are having to share so much of it with businesses online, we don't always have great visibility as to what they're planning to do with it or indeed how well they're taking care of it, right?
We are having to share so much of it with businesses online, we don't always have great visibility as to what they're planning to do with it or indeed how well they're taking care of it, right?
Oh no, totally.
I mean, there was a survey that three-quarters of people took part were like, "I don't trust companies with my personal information." So that's where we're starting from.
So back in 2012, this started taking shape, the whole concept behind this. This is really, really massive piece of legislation.
I mean, there was a survey that three-quarters of people took part were like, "I don't trust companies with my personal information." So that's where we're starting from.
So back in 2012, this started taking shape, the whole concept behind this. This is really, really massive piece of legislation.
Yeah.
Right, it really is a big overhaul of what was in place beforehand.
And it started all the way back in 2012 where they started scoping out the legal requirements of how personal data of EU residents should be handled by companies.
And it was only adopted in 2016. And because it's so huge, they gave a two-year post-adoption grace period before it fully comes into effect in May 2018. That's May next year.
And it started all the way back in 2012 where they started scoping out the legal requirements of how personal data of EU residents should be handled by companies.
And it was only adopted in 2016. And because it's so huge, they gave a two-year post-adoption grace period before it fully comes into effect in May 2018. That's May next year.
Now, what do you mean that GDPR is so huge? You mean it's physically huge or what do you mean?
So we'll provide a link in the show notes, but this is a piece of legislation that has 11 chapters and 99 different components, or what they're calling articles, that all go to tell companies how they have to handle and anonymise and process and store and transmit personal data of EU citizens and residents.
Okay, so this is basically like Lord of the Rings. This is quite a beast.
Well, let me tell you how big it is.
It's so big that companies who do not meet the requirements or stipulations and are found guilty can face fines of up to €20 million or 4% of the previous year's turnover, not profits, but turnover.
And they will choose whichever one is higher if you're found guilty.
It's so big that companies who do not meet the requirements or stipulations and are found guilty can face fines of up to €20 million or 4% of the previous year's turnover, not profits, but turnover.
And they will choose whichever one is higher if you're found guilty.
Oh, so there's not a cap of maximum €20 million, which frankly, wouldn't be a pinprick for some humongous internet companies, would it?
That's right, yeah.
But 4%, now everyone's going to feel the pinch at that, aren't they? They're not going to be pleased with that.
I mean, this could go into the billions for the big giants out there.
Ooh, ah.
Yeah.
But I imagine, I mean, maybe Kevin, you've got a view on this as well.
I would imagine that having to deal with this piece of legislation is probably better than having to deal with the different data protection legislation, the alternative, which could be — I mean, how many EU member states are there?
Something like 28 or something like that, right?
I would imagine that having to deal with this piece of legislation is probably better than having to deal with the different data protection legislation, the alternative, which could be — I mean, how many EU member states are there?
Something like 28 or something like that, right?
28.
Yeah, there's 28. So it's better than having to deal with each of those individually and making sure that you're handling all of those.
I think the challenge there is that, so you have to deal with GDPR, but the individual EU states still have privacy laws that you have to basically comply with as well, right?
Yeah, it's a bit—
So it's in addition to the existing regulations that are out there. So it's even more complicated when you start layering that on top.
And I mean, frankly, you don't want to make the choice that you're not going to provide services to people in the EU. I mean, that would be one option, wouldn't it?
Just forget about Europe, too much of a hassle, right? No internet company's likely to do that. And it's not just internet companies, of course, but—
Just forget about Europe, too much of a hassle, right? No internet company's likely to do that. And it's not just internet companies, of course, but—
Well, not internet companies, but smaller companies, right?
So companies maybe around the 500-employee mark, might be looking at how much return they get from providing services and products to EU citizens, right? And residents.
I keep saying citizens. It is any EU subject. So for the future of the podcast, if I can say it wrong. So not everyone in the world is affected by this legislation.
So maybe we need to define, okay, so how about we talk about how companies are affected and then what does this mean for the actually individuals? Right?
So companies maybe around the 500-employee mark, might be looking at how much return they get from providing services and products to EU citizens, right? And residents.
I keep saying citizens. It is any EU subject. So for the future of the podcast, if I can say it wrong. So not everyone in the world is affected by this legislation.
So maybe we need to define, okay, so how about we talk about how companies are affected and then what does this mean for the actually individuals? Right?
All right, okay.
Does that work? 'Cause it is complicated.
That sounds good.
So who are the affected companies, right? Now the whole thing, everything about GDPR is about identifiable personal data. So data that it's already anonymized, right?
Where the European subject cannot in any way be identified to the data and correlated to the data, this falls outside the scope of this legislation, okay?
Where the European subject cannot in any way be identified to the data and correlated to the data, this falls outside the scope of this legislation, okay?
Okay, so I don't, so if for instance I've been filling in forms on websites, I would never do this by the way, but if I were downloading white papers from a website and I regularly said that my name was Arnold Aardvark at aardvark.com.
Right.
I don't obviously have to worry about that because that's not going to identify me. I haven't been sharing anything that way.
It's not so much about the data you provide as a user, but how the company actually processes and handles that data so that it can't be easily correlated to the person, to the identity.
And if you think about that, so the company is not going to know that that's not you, Graham.
So the company has to make the assumption that every bit of data that gets entered on one of those forms is actually legitimate, that you're not using some anonymous name for yourself.
So the company has to make the assumption that every bit of data that gets entered on one of those forms is actually legitimate, that you're not using some anonymous name for yourself.
And of course, there are companies I deal with where I give my real details. I mean, understandably, because otherwise I can't do very much business with them.
And they are going to have to take proper care to ensure that identifiable information about me doesn't fall into the wrong hands and that they are properly protecting it so it can't easily fall into the hands of hackers.
And they are going to have to take proper care to ensure that identifiable information about me doesn't fall into the wrong hands and that they are properly protecting it so it can't easily fall into the hands of hackers.
Okay, so we know that we're talking about people that are processing identifiable personal data, okay?
Now, one big misnomer about this whole thing is people think, oh, that's an EU regulation. It doesn't affect my company. I don't have any office or establishment inside the EU.
Well, wait, wait, wait. That's not true. It impacts any firm that processes in a large scale or has a focused process on EU subjects.
And that they process personally identifiable information.
Now, one big misnomer about this whole thing is people think, oh, that's an EU regulation. It doesn't affect my company. I don't have any office or establishment inside the EU.
Well, wait, wait, wait. That's not true. It impacts any firm that processes in a large scale or has a focused process on EU subjects.
And that they process personally identifiable information.
Looking at it from a US perspective, Carole, you mentioned before that small companies may look at alternatives to this. But I mean, we have to look at— define a small company.
If it's 500 individuals in the company, they're going to be subject to it. If I'm 250 or less, I'm not subject to this legislation, right?
So I don't have to worry about it quite as much.
If it's 500 individuals in the company, they're going to be subject to it. If I'm 250 or less, I'm not subject to this legislation, right?
So I don't have to worry about it quite as much.
I think they're focused— from what my reading of this— and I mean, I should— I'm not a lawyer and I'm not a GDPR expert, right?
But from my reading of the legislation, they seem to be focused on firms that have 250 employees or more, or companies that manage personal identifiable data on a regular basis, right.
So if you're doing that and you're a smaller company, you need to pay attention to GDPR.
But from my reading of the legislation, they seem to be focused on firms that have 250 employees or more, or companies that manage personal identifiable data on a regular basis, right.
So if you're doing that and you're a smaller company, you need to pay attention to GDPR.
So those two caveats make it almost virtually anybody that's handling EU data, because if it's a small company, if I've got 5 employees, so at some point I'm probably handling that data on a daily basis, whether I'm backing it up, does that constitute handling that data?
Well, that's the thing, you know, this is the thing that you need to think about when you do an information audit, I think.
It's like, think of all the forms, the web forms that are filled in, the geolocation you might have with cookies.
You know, how GDPR is defining what personal information is, or personally identifiable information is, is perhaps broader than current legislation in your neighborhood.
It's like, think of all the forms, the web forms that are filled in, the geolocation you might have with cookies.
You know, how GDPR is defining what personal information is, or personally identifiable information is, is perhaps broader than current legislation in your neighborhood.
And frankly, if your company is, you know, slightly smaller than maybe and doesn't have to worry quite so much about these things, maybe you should be thinking about your future ambitions and the growth of your company.
And wouldn't it make sense to follow these sort of guidelines which GDPR is proposing because of the general health of your company?
Because you never want some bad— you know, these rules are being introduced in order to protect people your customers. You should be doing these kind of things anyway.
And it's much easier to build this in from early on in your company rather than waiting until you get big, whereupon it's a huge overhaul of your organization.
And wouldn't it make sense to follow these sort of guidelines which GDPR is proposing because of the general health of your company?
Because you never want some bad— you know, these rules are being introduced in order to protect people your customers. You should be doing these kind of things anyway.
And it's much easier to build this in from early on in your company rather than waiting until you get big, whereupon it's a huge overhaul of your organization.
But you know what? It's still, it's going to be a really big pain in the butt, right?
For, I feel for companies that have to do this because some companies have been running systems for 20, 30 years, have been processing data in a specific way, and they have to kind of do a huge overhaul.
And not all, I mean, let's just think about what GDPR means. I don't think we've actually defined, there's a few mega, you know, big things that it does, right?
For, I feel for companies that have to do this because some companies have been running systems for 20, 30 years, have been processing data in a specific way, and they have to kind of do a huge overhaul.
And not all, I mean, let's just think about what GDPR means. I don't think we've actually defined, there's a few mega, you know, big things that it does, right?
Go on, you tell us.
OK, so it needs to get clear consent, OK, clear and explicit consent from the user to process personally identifiable information, OK?
Obviously, if someone is not of consent-giving age, so a child, they need to get parent consent from that. EU residents have a lot more control over data in this case.
So for example, a EU resident can request that their data be sent to them in a common format, that it can be sent to a third party if they want to transfer their data from one enterprise to another, or that all their personal data be erased.
They can make that request anytime and you're not allowed to kind of dilly-dally on getting that done. You've got to move quite quickly.
And you have to bake in obviously data protection capabilities into the system, right? So this means things encryption and what this word that they use everywhere, pseudonymization.
It's a very difficult word to say. Pseudonymization is probably the easiest way to say it. And if you do have a breach, right, you have 72 hours to report it, right?
Obviously, if someone is not of consent-giving age, so a child, they need to get parent consent from that. EU residents have a lot more control over data in this case.
So for example, a EU resident can request that their data be sent to them in a common format, that it can be sent to a third party if they want to transfer their data from one enterprise to another, or that all their personal data be erased.
They can make that request anytime and you're not allowed to kind of dilly-dally on getting that done. You've got to move quite quickly.
And you have to bake in obviously data protection capabilities into the system, right? So this means things encryption and what this word that they use everywhere, pseudonymization.
It's a very difficult word to say. Pseudonymization is probably the easiest way to say it. And if you do have a breach, right, you have 72 hours to report it, right?
So pseudonymization.
Pseudonymization.
It is hard, isn't it? Say that 3 times fast. So what that is, is where rather than using your name there, so it can't be identified.
You have separate databases effectively. So you have, here is my identity and here is the personally identifiable information and the never the twain shall meet.
So think ID numbers, you know, but it's very separate so that if, for example, you did get breached and they managed to crack the encryption, they wouldn't be able to easily tie it all together.
So think ID numbers, you know, but it's very separate so that if, for example, you did get breached and they managed to crack the encryption, they wouldn't be able to easily tie it all together.
Oh, okay.
And that's interesting, 'cause of course we've seen some breaches in the past where companies have sent CDs through the post of their customer database, including all kinds of information, personally identifiable information, which wasn't actually necessary for the person who was receiving the CD to process.
They only wanted some of the columns. So that's interesting, isn't it, that they would be planning to do that? It sounds it makes sense.
And that's interesting, 'cause of course we've seen some breaches in the past where companies have sent CDs through the post of their customer database, including all kinds of information, personally identifiable information, which wasn't actually necessary for the person who was receiving the CD to process.
They only wanted some of the columns. So that's interesting, isn't it, that they would be planning to do that? It sounds it makes sense.
Yeah, there's a real push here about process as little information as necessary for the job that you have specified, you know, and you've gotten consent from the user about.
So you have to tell the user why you want to use their data.
And this makes things complicated because lots of companies obviously collect data and then sell it on for the third party.
So you have to tell the user why you want to use their data.
And this makes things complicated because lots of companies obviously collect data and then sell it on for the third party.
But think about the millions of web forms out there right now where we collect data. And so, we're going to have to put some kind of disclaimer on those, right?
Yes.
We're going to have to put some kind of acceptance criteria linked back to a big fat policy that says, here's all the things we're going to do with your data if we're going to do anything at all with it.
But hang on, no one's going to read those, are they?
Exactly.
This is my big beef with this whole thing. So they have to update their privacy policies.
You're going to see a big change in privacy policy come May 18th on them begging to be able to use your personally identifiable data in a very explicit way, hopefully.
If they want to comply with the rules. And you have to explicitly say yes or no, and it can't be a pre-ticked box. You have to click yes.
But as you've just mentioned, how often is that situation happening when people download apps today, right?
And when they're buying services, they're like, you know, have you agreed to the agreement? Yes, I have. Carry on.
And I think, you know, if we move on to what this means for end users or for EU citizens and subjects here, it's kind of like they're, you know, they have a job to maybe not click yes if they don't want to be personally identified with this information.
They'd all be more careful with it. They'd actually — businesses would have to change the way in which they collect information, right?
You're going to see a big change in privacy policy come May 18th on them begging to be able to use your personally identifiable data in a very explicit way, hopefully.
If they want to comply with the rules. And you have to explicitly say yes or no, and it can't be a pre-ticked box. You have to click yes.
But as you've just mentioned, how often is that situation happening when people download apps today, right?
And when they're buying services, they're like, you know, have you agreed to the agreement? Yes, I have. Carry on.
And I think, you know, if we move on to what this means for end users or for EU citizens and subjects here, it's kind of like they're, you know, they have a job to maybe not click yes if they don't want to be personally identified with this information.
They'd all be more careful with it. They'd actually — businesses would have to change the way in which they collect information, right?
Yeah, but the thing is, when you want that service, when you want access to that site, when you want to buy that particular product or whatever it is, that actually is the more pressing thing on your mind right then than your data privacy, isn't it?
I mean, that's a cold — I mean, I don't read — dare I say it? I don't read all the legalese. I don't read all the terms and conditions.
I just think, yes, yes, yes, I need to buy this thing. I need it delivered, you know, next Tuesday.
And the other thing is, I mean, sometimes I make those sort of decisions based upon the site and the company and how established it is.
However, it may not actually be the company which is processing my data. They may have farmed that out to third parties, right, who are doing the actual processing.
And those companies are going to have to be on board with GDPR as well, aren't they? I think there's this difference between, is it the controller and the processor of the data?
I mean, that's a cold — I mean, I don't read — dare I say it? I don't read all the legalese. I don't read all the terms and conditions.
I just think, yes, yes, yes, I need to buy this thing. I need it delivered, you know, next Tuesday.
And the other thing is, I mean, sometimes I make those sort of decisions based upon the site and the company and how established it is.
However, it may not actually be the company which is processing my data. They may have farmed that out to third parties, right, who are doing the actual processing.
And those companies are going to have to be on board with GDPR as well, aren't they? I think there's this difference between, is it the controller and the processor of the data?
Exactly, yeah. So yeah, it seems right now that one of the big changes in this is that they're going to give a lot more responsibility.
And by that, I'm reading liability to the controller, right?
So the controller has to stipulate the, you know, the contract and the agreement that it makes with a third-party processor.
And they are responsible for making sure they cover all their bases, as I read it. So, there's a lot more responsibility for the controller here in managing the data.
And by that, I'm reading liability to the controller, right?
So the controller has to stipulate the, you know, the contract and the agreement that it makes with a third-party processor.
And they are responsible for making sure they cover all their bases, as I read it. So, there's a lot more responsibility for the controller here in managing the data.
Think about the cloud providers in this picture, right? So, the cloud providers, what's their culpability? How much responsibility do they bear in this model now going forward?
So, they're providing a managed service or in some cases a self-managed service so that the controller is actually managing their own service, but the cloud provider is providing the infrastructure.
In the case of a breach, who's going to wind up picking up the check for the $20 million? Is it both of them?
Do they both get hit for $20 million, or does one or the other get hit for the $20 million?
So, they're providing a managed service or in some cases a self-managed service so that the controller is actually managing their own service, but the cloud provider is providing the infrastructure.
In the case of a breach, who's going to wind up picking up the check for the $20 million? Is it both of them?
Do they both get hit for $20 million, or does one or the other get hit for the $20 million?
Yeah. And I wonder if people are going to play around in that potentially gray area until a victim is brought before the courts, and then they go, "Oh, wow.
Okay, now I understand how it works and what can happen."
Okay, now I understand how it works and what can happen."
Well, it's funny because we see from our clients, and we provide services to a couple of different cloud provider services, and the contracts that we're seeing come in from EU companies or companies that are handling EU resident data now are just a wide spectrum of legalese is coming into play now.
It's funny, from some that are just not very well defined and putting responsibility back on themselves rather than the processor.
And then there's others that want to shirk that responsibility and shuffle it all over to the processor.
So your response, even if you're not basically doing more than storing the data. So I mean, I think there's a lot of things that are going to come into play contractually.
It's funny, from some that are just not very well defined and putting responsibility back on themselves rather than the processor.
And then there's others that want to shirk that responsibility and shuffle it all over to the processor.
So your response, even if you're not basically doing more than storing the data. So I mean, I think there's a lot of things that are going to come into play contractually.
So here's what I think, right?
I think for citizens, for people who live in Europe, this is fantastic, you know, because there have been too many data breaches and it sounds like companies are going to have to buck their ideas up in terms of protecting data considerably.
You know, this is a real scare for companies and they— this is coming in in May 2018, right?
I think for citizens, for people who live in Europe, this is fantastic, you know, because there have been too many data breaches and it sounds like companies are going to have to buck their ideas up in terms of protecting data considerably.
You know, this is a real scare for companies and they— this is coming in in May 2018, right?
That's right.
Right. You've got to be ready for it.
Yeah. They'll even— individuals will even be able to sue for compensation from companies that they feel have not complied with GDPR in terms of their information.
How they process their information.
How they process their information.
So I think from their point of view, this is fantastic. And, you know, I'm all for it. I think it's terrific. Anything which gives people better privacy, fantastic.
However, if I put company shoes on, I have to say, wow, this is a big pain up the bottom, isn't it? Quite frankly.
However, if I put company shoes on, I have to say, wow, this is a big pain up the bottom, isn't it? Quite frankly.
And most companies have been dealing with this.
So I think if you work in a company, 500, 1,000 employees, you're gonna be, you're gonna have seen, you know, the senior stakeholders, the IT guy, the legal guys, all in a room huddled up every week, and this is probably what they're discussing because it's big.
So I think if you work in a company, 500, 1,000 employees, you're gonna be, you're gonna have seen, you know, the senior stakeholders, the IT guy, the legal guys, all in a room huddled up every week, and this is probably what they're discussing because it's big.
Who would want to be one of these firms which is processing data? Some of those firms must be quite small who are doing it for the very big firms.
Yeah, right? Yeah, it's a good point.
You know, and I'm sure the big firms are going to have in their contract, this is how it's going to work. And if we get in trouble, you are going to end up paying.
You know, it's a risky field to be working in.
You know, it's a risky field to be working in.
But maybe that's why the onus is more on the controller for exactly that reason. So there can't be that kind of offset of responsibility to a small firm. Smaller, less lucrative.
I think it's all going to come down to the contract between the two entities, between the controller and the processors, how much of their responsibility they can shift off to the processor.
Oh, yeah. Data protection lawyers right now are certainly going to come out at trumps on this one.
Well, insurance attorneys or insurance firms are going to come out of the woodwork for this too. Everybody's going to be writing a new policy for cyber insurance for GDPR.
Yeah, let's hope they process that data very carefully.
Well, who's gonna want to cover a €20 million loss though, right, from an insurance company? Because for years we've been collecting this data.
Honestly, I would bet that there's a huge percentage of these firms that have no idea where this data lives within their environment.
Honestly, I would bet that there's a huge percentage of these firms that have no idea where this data lives within their environment.
Exactly.
So going back and cleaning all that up or pseudonymizing that data is going to be almost an impossible task. So you're almost at encryption.
You know, I think that when you said that, people are holed up in the corner trying to figure out what's the policy and what's the protection around this, everybody's looking at wrapping the data and protecting it so that the breach doesn't occur.
Yay team for that.
But we should be looking at how we're gonna categorize this information and the documentation that's gonna go, that has to be acquired for us to support any of these cases that we're gonna make going forward after we get bagged for personal data escaping or data leakage in any environment, right?
You know, I think that when you said that, people are holed up in the corner trying to figure out what's the policy and what's the protection around this, everybody's looking at wrapping the data and protecting it so that the breach doesn't occur.
Yay team for that.
But we should be looking at how we're gonna categorize this information and the documentation that's gonna go, that has to be acquired for us to support any of these cases that we're gonna make going forward after we get bagged for personal data escaping or data leakage in any environment, right?
Because I see it there's three choices, you know, in front of companies right now. So one is they stop processing data from EU subjects. EU subjects, right?
So some will either stop processing data from EU subjects and dump the data they currently have, or they could separate out the EU subjects into two different databases and treat them differently according to the laws of the land.
Or three, they review and revamp exactly the whole systems. And you would do that because you think the world's going this way, right?
This is going to be bigger and bigger, and it's not just going to impact on EU citizens. We expect this to move to the US, UK, and US, etc. Australia.
So some will either stop processing data from EU subjects and dump the data they currently have, or they could separate out the EU subjects into two different databases and treat them differently according to the laws of the land.
Or three, they review and revamp exactly the whole systems. And you would do that because you think the world's going this way, right?
This is going to be bigger and bigger, and it's not just going to impact on EU citizens. We expect this to move to the US, UK, and US, etc. Australia.
I have another alternative.
Okay.
I'm thinking that maybe the United States could launch a small tactical nuclear missile at Brussels.
If they knocked out Europe, or at least the legislative part of it, maybe that would be the simplest thing to do. I mean, if this is really going to be a big pain.
If they knocked out Europe, or at least the legislative part of it, maybe that would be the simplest thing to do. I mean, if this is really going to be a big pain.
I'm pretty sure Donald Trump's lined up for that.
Let's not get political. We had a bad iTunes review the other day.
You're telling him not to be political? Right.
Oh yeah.
Yeah.
Kevin, tsk, tsk.
Bad on me.
Bad on you.
Exactly. Yeah. We would never say things like that. We'd never do that. No. Well, it seems like a— okay, so GDPR, you've sold me. It's a big deal.
It's a big fricking deal, as some people say. So where can people read more about this?
Because I mean, obviously we've only been able to skim the surface of this, but there must be places where people can go, where they can read more.
I imagine many companies are dealing with this.
It's a big fricking deal, as some people say. So where can people read more about this?
Because I mean, obviously we've only been able to skim the surface of this, but there must be places where people can go, where they can read more.
I imagine many companies are dealing with this.
Well, let me plug, I've been working with Kevin on a GDPR guide. So we can, we'll provide a link to that and other really useful resources inside the show notes.
There's a number of places because when you look at the actual legislation, and you scroll through the hundreds of pages that it takes, you know, in size 8 font, it can lose your will to live.
So there are a lot of places that have distilled the information in a more manageable way so people can introduce themselves. I suggest introduce yourself gently.
There's a number of places because when you look at the actual legislation, and you scroll through the hundreds of pages that it takes, you know, in size 8 font, it can lose your will to live.
So there are a lot of places that have distilled the information in a more manageable way so people can introduce themselves. I suggest introduce yourself gently.
Well, thank you. It's actually been quite interesting, you know.
When I drew out those letters from my little Scrabble sack of GDPR— yes, I know, it was a strange coincidence— I wondered, you know, is this an interesting subject actually.
It's obviously important. There's so much hacking going on. There's so many data breaches going on. Organizations have to do it.
And oh, just one other thing, of course, reaching, you know, fulfilling these requirements isn't necessarily the end of the road for companies, is it?
I mean, I guess you should really view this as a minimum that your company should be doing.
And maybe if you really want to stand out from the crowd in terms of protecting your users, maybe you should go even further.
When I drew out those letters from my little Scrabble sack of GDPR— yes, I know, it was a strange coincidence— I wondered, you know, is this an interesting subject actually.
It's obviously important. There's so much hacking going on. There's so many data breaches going on. Organizations have to do it.
And oh, just one other thing, of course, reaching, you know, fulfilling these requirements isn't necessarily the end of the road for companies, is it?
I mean, I guess you should really view this as a minimum that your company should be doing.
And maybe if you really want to stand out from the crowd in terms of protecting your users, maybe you should go even further.
I think if they can get to the finish line, you know, by May 2018, I think it's going to be quite an amazing feat because most companies are saying right now, we ain't ready.
We are not ready.
We are not ready.
Oh my word. Yeah, it's going to be a Herculean task to meet that date for a lot of guys.
If you haven't started already, yeah.
Yeah, if you haven't started, you're in doo-doo shape.
Yeah, get help. Get help. Get help quick. Expert help quick if you need it.
Perfect.
Okay, guys, it's been great. I think that just about wraps it up. Thank you for tuning in. Thank you, Kevin, as well for joining us on the podcast.
It's a real pleasure having you here.
It's a real pleasure having you here.
Thanks for having me.
If you like the show, tell your friends. We'll be back again next week.
Week.
And let us know what you think by leaving us a review on iTunes. Don't leave us a 1-star review. Don't leave us a 2-star review. Go on, leave us a 5-star review.
I'll tell you why, because if you do that, it actually helps more people find out about the podcast and it makes us feel loved and wanted, which is really important to me at least.
I don't know if it matters to Carole or not.
I'll tell you why, because if you do that, it actually helps more people find out about the podcast and it makes us feel loved and wanted, which is really important to me at least.
I don't know if it matters to Carole or not.
It matters.
Okay.
It matters.
Go to www.smashingsecurity.com and you'll find other ways to get in touch with us and listen to our other podcast as well. And until next time, toodle-oo, bye-bye. Bye.
Cheers.
Kevin is just so cool, isn't he? Isn't he cool? He's so laid back and cool.
You were, I think, the coolest cucumber we've had. Wow.
Maybe he just doesn't realize what a big freaking deal it is to be on the Smashing Security podcast.
It's good. Good.
I realized what a big deal it was.
It is huge.
This could be— this is a career maker for me. Absolutely. I've told all 3 of my friends. It's gonna be huge.
We vote to leave the EU, to avoid their draconian 'Regulation' monster and we are still obliged by their regulations.
Sorry people, in addition to this, the EU are secretly merging our Armed Forces with the EU. Brexit was an illusion and the globalists will have their freaking NWO.
We could of just amended the UK's Data Protection Act instead if really necessary.
You can't legislate stupidity out of existence. Attempts to do so engender a police state, wherein everything that is not required is forbidden. That's not a solution.
In my experience, many people act like morons with regard to the protection of their own personal information. They don't even question whether companies and other organizations (including "government" agencies) handle their data securely. And they provide information they should never provide.
For example, many websites require customers to provide their date of birth to "prove" they're old enough to purchase or use various products or services. That's idiotic. An identity can be stolen if the thief knows your date of birth. (It happened to me.)
Why not just ask users to confirm that they are at least (x) years of age? The answer to that yes/no question is much less harmful if it gets into the wrong hands. Yet, people hand over their date of birth routinely, without question. It's idiotic. If a company wants my business, they had better ask the right questions.
Now the state is getting into the act, punishing companies that don't get in line with coercive rules that do absolutely nothing to repair damage that already has been done, or prevent future damage by people or companies who are going to behave irresponsibly anyway…not because they're evil, but because they're naive or downright stupid.
The solution is proprietary, secure data management services to which companies and their customers can both subscribe, operating competitively in a free market, where success depends on competence, not on compliance with arbitrary coercive rules imposed by bureaucrats who have no stake in providing solutions that actually work in the real world. More legalized coercion won’t solve anything.
It is not a crime to approach somebody out of the blue and offer them a service or product, whether that is by email, letter, phone, social media, television ads, flyer handouts, branded trucks, Football short sponsors, Billboards, Blimps, flash dance troops, radio jingles, free stickers, … . What is GDPR supposed to be protecting us from – an overwhelmed email inbox??!!! I use Weatherspoons and I am happy to receive the newsletter.