Guida al GDPR per chi non ne vuol sapere: e se provate a leggerlo il GDPR vi cala la palpebra?


 

Domanda: Che vuol dire GDPR?

 

Se otteniamo questo tipo di risposte:

  • Grandiosa Donazione Per Riluttanti?
  • Geniale Dono Per Repubblicani?
  • Generosa Dotazione Per Remittenti?

Allora abbiamo un piccolo problemino.

 

GDPR significa

General Data Protection Regulation

 

Allora proviamo a capirci:

almeno cosa significhi l’acronimo (che non richiede acredine nella lettura) dovrebbe essere assodato.

Insomma, ma lo avete sfogliato?

Se davvero volete implementarlo sto benedetto GDPR dovreste almeno provare a leggerlo, ma, vi assicuro, è una lettura non proprio amena.

Mettiamola così, se riuscite a non addormentarvi dopo la prima pagina siete già a buon punto, ma dopo averlo letto senza abbandonarvi tra le braccia di Morfeo (no non è il nome di un immigrato), viene il compito difficile: capirlo.

E si perché oltre ad essere una lettura non proprio divertente occorre anche capire che cavolo significhi tutta quella roba scritta in un legalese europeo.

Vediamo se ancora una volta, nel mio piccolo, riesco a darti una mano.

Iniziamo dal titolo:

General Data Protection Regulation.

General

Indica che si tratta di qualcosa di comprensivo, non nel senso che vi capisce, ma nel senso che comprende un sacco di cose.

Data

Ben lungi dall’essere Data il “robot umanoide” che in Start Trek Next Generation fungeva da ufficiale scientifico al servizio del comandante Picard, qui per data si intende, semplicemente, “i dati”.

Protection

Qui il termine fa riferimento alla protezione in senso lato delle risorse citate al termine precedente.

Il che significa che, utilizzando quanto appreso fino ad ora, stiamo parlando di un qualcosa che parla in maniera comprensiva della protezione dei dati.

Regulation

L’ultimo termine è Regulation. Questo termine merita un attimo più di attenzione, dal momento che è un termine specifico.

Directive Vs. Regulation

Ovviamente da buoni cittadini europei avete ben chiara la differenza tra Directive e Regulation. Fa parte della base minima di conoscenza civica che ognuno di noi dovrebbe avere (sono buono, non vi chiedo la differenza tra legge quadro e decreto legislativo).

Siccome io sono malfidente per definizione, mi permetto di supporre che non tutti abbiano chiaro la differenza tra “Directive” e “Regulation” e quindi provo a spiegarla.

Chiedo già scusa a giudici ed avvocati, legulei assortiti e giuristi vari per il linguaggio non proprio tecnico, ma lo scopo che mi propongo è quello di far capire le cose, non scrivere in “gergo” diventa quindi un obbligo.

Regulation

Quando ci troviamo di fronte a questa roba ci troviamo di fronte a una “legge” Europea che diventa parte integrante delle leggi di tutti gli stati membri.

In presenza di una “Regulation” gli stati membri non sono chiamati a legiferare. Il testo così come è (eventualmente tradotto nella lingua del paese) diventa parte integrante del suo corpo giuridico. Questo significa che vincoli, multe, azioni e altre cose alla legge collegate indicate nel testo sono immediatamente attuate nel momento in cui la “Regulation” diventa “attiva”

Come a dire dal 25 Maggio 2018 ti potresti aspettare un controllo e se non in regola ti potresti vedere comminata una multa pari al 4% del tuo giro d’affari… io ci starei attento…

Directive

Se la Regulation è un atto legislativo che entra immediatamente nel corpo giuridico del paese “cosi come è”, una direttiva (come quella che era in vigore prima del GDPR, la “Directive 95/46/EC” del 1995) è invece uno strumento tramite cui la UE setta gli obiettivi che ogni stato deve implementare attraverso la introduzione di leggi locali che devono regolare la materia in oggetto della “Directive”

La principale differenza tra le due è che in caso di “Regulation” tutti i paesi membri dell’UE si trovano di fronte ad una legislazione omogenea in termini di obiettivi, adempimenti e struttura, mentre nel caso della “Directive” è dato al singolo stato la potestà legislativa per legiferare in merito agli obiettivi definiti. Va da se che, anche se alla fine l’obiettivo deve essere raggiunto in maniera il più possibile omogenea tra i vari membri, la reale modalità di raggiungimento può variare sensibilmente da stato a stato in caso di “Directive”.

Il fatto che una “Regulation” entri in vigore cosi come è stata emanata dagli organismi UE non significa, in realtà, che lo stato che la applica non deve legiferare in alcun modo…alcune attività accessorie possono essere richieste per adeguare il corpus legislativo alla “Regulation” in maniera che questa sia applicabile. Attenzione che questo potrebbe erroneamente portare a pensare che la “Regulation” non sia quindi in vigore, sbagliato… funziona anche se ne mancano i pezzi accessori, non si scappa questa parte il prossimo anno volenti o nolenti.

Fatto questo doveroso cappellino introduttivo siamo ora in grado di leggere il titolo.

GDPR significa:

 

Legge EU comprensiva e vincolante sulla protezione dei dati

Bene abbiamo passato il primo scoglio nella lettura del documento. Adesso manca tutto il resto, ma si sa chi ben comincia è a metà dell’opera.

GDPR un po di chiarimenti prima di leggere

Visto che siamo riusciti a leggere il titolo (bravi bravi) è meglio fissarci in testa un paio di cose prima di proseguire la lettura, giusto per essere in grado di interpretare quel misterioso testo.

  • se non lo sai sallo

la prima cosa che dobbiamo metterci in testa è che il testo non è scritto per novizi o principianti, sta a noi andare a recuperare e capire le referenze nel testo. una cosa importante è ricordarsi che il GDPR è l’evoluzione della direttiva sulla privacy del 95, e quindi dobbiamo aspettarci almeno una somiglianza nella nomenclatura ed alcune assunzioni del tipo…questo è evidente era già presente nella legislazione precedente.

  • non aspettarti il dettaglio tecnico

NOn troverete nel testo un dettaglio o un manuale di istruzioni modello Ikea. purtroppo la norma va interpretata, molti dei riferimenti fatti in merito alle implementazioni IT ad esempio parlano di misure “adeguate” senza il dettaglio che vorresti vedere. Temo che questo significhi che tu hai una certa responsabilità implementativa che richiede anche di fare scelte consapevoli ed informate. Intendiamoci la cosa è voluta per rendere la norma attuabile ad un mondo tecnologico in continua evoluzione. Ma non pensare per un momento che questa indeterminatezza ti autorizzi ad usare sistemi operativi obsoleti tipo Windows Millenium o robe del genere, fallo e poi prova a dimostrare che hai messo in piedi misure “ragionevoli” di protezione.

  • Anche se sei piccolo devi seguire le regole

Non importa quale che sia la tua dimensione, le regole vanno seguite da tutti. Ognuno avrà l’obbligo di implementare le misure adatte in maniera “ragionevole” e confacente alle proprie possibilità. tradotto questo significa che non puoi fare finta di niente e relegare, ad esempio, l’it ad un retropensiero… sempio: i backup li devi fare e devono funzionare e lo devi poter provare…preparati.

  • Vale ‘inversione dell’onere della prova: sei colpevole fino a che non provi la tua innocenza

Ebbene secondo il GDPR sei tu che devi dimostrare di essere allineato ai dettami di legge. Il non essere in grado di farlo è già di per sé una ammissione di colpa. Chi ti viene a controllare (il garante in Italia? vedremo) ti chiede di dimostrargli che hai fatto le cose bene, non è li che deve cercare il fatto che non lo hai fatto. Questo è esplicitamente detto nel testo e più volte rinforzato come quando si specifica chiaramente che il rischio residuo se troppo grande deve essere concordato con l’autorità di riferimento.

  • Il rischio di cui ti devi preoccupare è al di fuori della azienda, questo cambia i parametri della valutazione.

Quando nel testo si parla di rischio deve essere chiaro che il rischio è che si danneggi la libertà dell’individuo a cui i dati sono correlati. in altre parole non devi valutare solo quanto sia facile che ti buchino la rete o ti rubino i faldoni con i dati, ma anche che può accedere se quei dati vengono usati male nei confronti del soggetto a cui sono riferiti.

  • Le multe non sono una per tutto, sono multe su punti specifici. E rimane poi il danno arrecato a terzi

qui mi sembra che molti non abbiano chiaro il fatto che la struttura delle multe del GDPR non ti garantisce di prenderne solo una che copra tutte le inadempienze. Rischi di beccartene piu di una se sei una multinazionale o se sei beccato con le mani nella marmellata in più aree… ed in ogni caso le multe fanno riferimento alla non attuazione della normativa, ma non coprono i danni procurati alle persone a cui i dati sono riferiti, e le eventuali cause civili eo penali associate.

  • I soggetti non sono solo i tuoi clienti

Il GDPR fa riferimento ai cittadini e residenti in UE. in questa categoria rientrano non solo i tuoi clienti,ma i tuoi contatti di marketing, i tuoi fornitori ed anche i tuoi dipendenti.

 

beh che dite abbiamo fatto abbastanza premesse? se si buona lettura:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

ciaooooo

a

 

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Guida al GDPR per chi non ne vuol sapere: e se provate a leggerlo il GDPR vi cala la palpebra? was originally published on The Puchi Herald Magazine

GDPR and the technology market


Question: will the new privacy policies and laws impact the technology market?

This is an interesting question to ask ourselves; whether we are consumer of the technology market or technology vendors the impact of the new technologies (from cloud to IoT, from industry 4.0 to big data just to name the most acknowledged from a marketing point of view) privacy regulations can affect heavily our behaviours and the market.

so let try to understand what could be the implications of this new focus on privacy and data protection.

First of all we should try to understand what we are talking about.

Privacy, GDPR and the rest.

Privacy: the state of being alone, or the right to keep one’s personal matters and relationships secret:

In nowadays environments the presence of data related technology is pervasive: from business to  personal life technology play a big part of our life.  data related technology means we use technologies that is able to manipulate information: informations are collected, changed, communicated, shared all in form of data. Bit and bytes that describes our job, our business, our personal life.

Although in the past privacy was mainly a physical issue, and therefore legislation was focusing on those aspects, this increasing presence of data collection and sharing makes people realize that there is a new abstraction layer that involve privacy that is no more related to be alone or in a confined physical space, but in a undefined and without borders digital virtual space.

Email, Blogs, social networks, chat, E-commerce, electronic payment, smart phones all this and more shifted the same perception of privacy from a simple concept to something more hard to be defined.

Rulers and consumers started to deal with those issues in the last years whole enterprise and technical world has been remained almost frozen waiting for indications. the first indications that this would have been a wakeup call for enterprise has been the ending of the safe harbour agreement, privacy was not longer a secondary issue even for the economy.

The latest development can be easily identified in the new  European Union’s General Data Protection Regulation (GDPR), which comes into effect in May 2018, has far-reaching implications that extend far beyond the EU.

Businesses that fail to meet the new mandates aimed at protecting personal data face severe consequences. They can be fined up to $20 million, or 4 percent of global revenues — a cost that makes this regulation impossible to ignore.

But other areas of the world are moving toward a more cautious approach toward data privacy, not only Europe. While it is not yet clear how will be the new USA administration approach toward this subject, it is out of doubt that data privacy is becoming a major issue in the next years; how this will impact business is, although, not yet clear.

For sure is that GDPR will enforce companies to deal with a tremendous amount of data to be protected. Any data used to make inferences linked tenuously or otherwise to a living person is personal data under GDPR. Cookie IDs, IP addresses, any device identifier? All personal data. Even metadata with no obvious identifier is caught under the GDPR’s definition of personal data. Truth be told, such assertions are not entirely new. The difference under GDPR is that they will be enforced and the non compliance fined.

Today swathes of business practices unlocking data monetization rely upon data not being considered personal. So they apply weak consent, onward transfer and data reuse concepts. These models are going to change; either by choice, or by obligation.

Data Privacy , Data Protection and Cyber Security

One aspect that is not yet completely perceived and understood is the correlations between data privacy, data security and cyber security. The requirements that enforce the companies to respect data privacy legal requirements are intrinsically bound with the explicit request for data protection and, therefore, cyber security.

GDPR clearly define data should be fairly processed and protected: the implications are not only in terms of procedure to adopt inside the enterprises, but also technical in terms of data manipulation, retention, storage and security.

Recent security outbreaks as the one related to ransomware are an example of how basic cyber security threats can impact directly on this area, as well as common and well known cyber attack directed to data exfiltration.

This is a growing phenomenon and is affecting not only the classical online services (think of classic dating site attacks, as an example, to collect username and passwords) but, as an example, extensively the healthcare industry.

While in the past those outbreaks could have been just a relative minor issue, the new GDPR structure of fines could affect in a heavy way any company, regardless its sector, and some departments that in the past have never considered those issues as a business imperative, as marketing or Human Resource, will have to face a difficult transaction in terms of awareness, policies to be implemented and technology approach.

It is easy to forecast that this situation will shape in the next years the technology market in different areas.

Impact on the technology market

When we talk about the technology market we face different aspects, “technology” as a term can cover a wide range of things. We can talk about hardware vendors or software vendors. We can talk about service vendors (cloud, CRM or whatever you like more), IT enterprise or carrier HW providers, Security vendors, End user HW providers (as smart phone makers).

Recently the trend is to aggregate functions and offering, making those areas overlapping in the same company although not often integrated.

Since all the industry will have to face the new privacy requirements it is to be expected a increase on data privacy expertise requests hitting the market, and a growing demand for IT solutions that will help companies to manage the requirements. this could, as an example, give a small impulse to historically neglected areas as DLP solutions, data categorization solutions and so on.

Some little advance and effort will be probably put also on more traditional areas as backup.

An heavier impact will be seen in the growing online market with the need to protect not only privacy of users but also to save the economic transactions, content providers, social or gaming platforms will be heavily impacted too.

In a second run we will probably see a renewed interest for baseline security solutions, as the stakeholders will, sooner or later, realize that there is no compliance without data protection and there is not data protection without cyber security.

The request for expertise and consulting services will be mostly redirected outside to technology vendors (here considering HW\SW vendors as cisco, hp, huawei, SAP, Microsoft; service vendors as cloud providers – azure, AWS, google –  but also app stores, CRM online providers), consulting companies and technology integrators.

On the other end technology vendors will have to face a strange situations where they will be both requested to provide solutions compliant with the new rules, be the driver of the new requirements and implementations (public-private partnership basically means this)  and in need to implement solutions to protect themselves in different areas as:

Product and Services development

Here vendors will have to start developing products\services considering data protection a major issue. It is clear the impact on cloud or services, where data protection can be easily identified, but also the HW product side will have to face issues. Although it can seems trivial we can remember the problem related to GPS tracking in apple and, at some extension, android happened some years ago. privacy implication with products can be wider than expected, since we have to protect not only the data per se, but also the metadata (this is the wider range of GDPR and new privacy regulations).

Usually we tend not to consider, as an example, system logs as a problem in terms of privacy, but in effect they are if they contains data that can point to a physical person and being used to track somehow the person behaviour.

Firewall and router logs, as an example, could be used to determine what is someone doing online, and therefore can expose information that are subject to GDPR realm. minor features apparently but the truth that also metadata are object of GDPR.

Privacy By design and Privacy Enhanced Technology will be mandatory component of any product\service developement.

Marketing and Sales

Marketing(and or  sales)  has always been considered agnostic towards technology, but the ultimate scope of marketing is to get in touch with the market, this means customers and ultimately people. Marketing activities will get a huge impact towards GDPR requirements both in terms of operations, since is up on marketing to manage a large amount of data coming from outside the company, and communication.

Technology vendors, somehow, will be expected to lead and drive the request both in terms of consulting and example. The result of a breach or misinterpretation of GDPR guidances will impact severely the business from a brand point of view and undermine vendor credibility.

Internal protection

As any other company there will be a direct impact on business operations of any vendor dealing in the technology field. But this case the extension of the problem will not focus just on the standard cyber security procedures, since technology vendors enter, somehow, almost directly on customers IT or data processing infrastructure the request will be to implement an end to end protection system which include GDPR compliance and cyber security application. This will require technology vendors to operate on:

  1. supply chain
  2. production and vulnerability disclosure
  3. product and service delivery

all three area are still trying to develop standards and good practice although something is moving.

So what are the changes expected under the new regulation?

There are around a dozen headline changes which technology companies should be aware of.

Some of the key areas include:

  • Privacy by design and Privacy enhancing technology – privacy by design calls for the inclusion of data protection from the onset of the designing of systems. Companies must also only hold and process data which is absolutely necessary.

Privacy enhancing technology (PET) and Privacy by Design (PbD) are obligatory and mandated requirements under the GDPR. There remains no generally accepted definition of PET or PbD, but PbD is considered an evidencing step for software development processes to take account of privacy requirements. So the incorporation of what can broadly be defined as PET in such solutions represents PbD.

Two particular PET techniques that control downside and enable upside risk are differential privacy & homomorphic encryption.

  • Differential privacy counters re-identification risk and can be applied to anonymous data mining of frequent patterns. The approach obscures data specific to an individual by algorithmically injecting noise. More formally: for a given computational task T and a given value of ϵ there will be many differentially private algorithms for achieving T in a ϵ-differentially private manner. This enables computable optima’s of privacy and also data utility to be defined by modifying either the data (inputs to query algorithms) or by modifying the outputs (of the queries), or both.
  • Searchable/homomorphic encryption allows encrypted data to be analyzed through information releasing algorithms. Considered implausible only recently, advances in axiomatizing computable definitions of both privacy and utility have enabled companies such as IBM & Fujitsu to commercially pioneer the approach.
  • Data processors – those who process data on behalf of data controllers, including cloud-providers, data centres and processors. Liability will extend to these and businesses that collect and use personal data.
  • Data portability: Empowers customers to port their profiles and segmentation inferences from one service provider to another. This is a reflection by lawmakers that data is relevant to competition law, whilst not conceding an imbalance between a companies ability to benefit from data at expenses of us all as citizens.
  • Data protection officers – internal record keeping and a data protection officer (DPO) will be introduced as a requirement for large scale monitoring of data. Their position involves expert knowledge of data protection laws and practices, and they will be required to directly report to the highest level of management.
  • Consent – explicit permission to hold any personal data in electronic systems will become mandatory. It will no longer be possible to rely on implied consent with individuals having the option to opt-out.Customers consent to privacy policies that change. Being able to prove which contract was agreed to, in court or to a regulator, requires  registration time stamping and tamper resistant logs become de rigueur.As we move into an opt-in world of explicit consent and ubiquitous personal data, data transmissions beyond a website visit must be explicitly permissioned and controlled. In this world, default browser values de-link machine identifiers from search queries. In other words, in this new world, online advertising to EU citizens is in line for fundamental change.And given particular regulatory emphasis on profiling, explicit consent will require loyalty programs to differentiate consent between general and personalized marketing consents. Those consent flags must cascade through registration, reporting and analysis, targeting and profiling, contact center operations and all other processes that handle such data.
  • Breach notifications – the notification of a breach, where there is a risk that the rights and freedoms of individuals could become compromised, must be reported within 72 hours of the breach being identified. it is underestimate the relationship between breach notification and vulnerability disclosure. While for an end user those two aspect seems to be unrelated, there could be a higher impact on vendors for, at least, a couple of factors:
    • The breach notification could expose the vendor as the main source of the breach itself due to lack of vulnerability management and disclosure.
    • The victim could consider liability against the vendors which “vulnerabilities” caused the breach redirecting to them part of the costs.
  • Right to access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how is it being processed, where and for what purpose.
  • Right to be forgotten – data subjects will now have the right to be forgotten which entitles the data subject to have you ensure that information is deleted from every piece of IT equipment, portable device and from server back-ups and cloud facilities.A framework to comply with this obligation would include the following steps:
    • Spot identifiers which tie together datasets, e.g: machine identifiers link together our social media experiences;
    • Prescribe how re-identifiable data flows in and outside the organization;
    • Document a scalable process to overwrite identifiers in all datasets where re-identification can be established, upon the validated request of a user, and
    • Third party contracts and SLAs should be adjusted to ensure compliance with validated requests.
  • Data Bookkeeping: Field level data, linked to an identifier, flows across geographies and legal entities, processed by machines and people. Organizations will account for these flows with evergreen reporting. It stands to reason that these flows will be threat-modeled for integrity and confidentiality so controls can be readily evidenced upon request.

 

GDPR impact

Privacy regulations as GDPR and the growing awareness and concerns related to data privacy and security are related to the expanding presence in everydays life and business of smart mobile devices able to process data, the growing online market, consolidated trends as cloud services or newcomers as IoT.

Technology market face this transition in front line, and will see the impact of new regulations and customer reactions in several ways. This is both a chance and a problem; implementation of new mandatory requirements will impact all areas, from design and production to sales and delivery. But this will means also new area of business in the consulting area, in the technologies to support GDPR and privacy compliances in the market where data analysis technology, artificial intelligence and other high end technology areas could provide a competitive\price insensitive advance vs the consolidated technology market.

The key success factor is to embrace this change and drive it acquiring internally the needed competences, implementing the correct corrections and driving the needed improvement related to product and services provided.

Future trend will see a prevalence of  technologies related to “data” processing and services related to data vs products. The new Data paradigm is already visible nowadays as example in the Big Data market (take data lake implementation as an example). in terms of technology market this will means to focus on Data Science which will pose a new and somehow unpredictable relationship with privacy regulations.

GDPR Risks and “Data Science”

The term data science describes a process from data discovery, to providing access to data through technologies such as Apache Hadoop (open source software for large data sets) in the case of Big Data; and distilling the data through architectures such as Spark, in-memory and parallel processing. That data science creates value is understood. What isn’t are the risks it exposes investors to under the GDPR, of which there are principally three:

Risk 1: The Unknown Elephant in the Room – Unicity: a general misunderstanding in monetization strategies is that stripping away identifiers of a data model renders the data set anonymous. Such a belief is flawed. So-called anonymous data sets can often, without implausible effort, be re-identified. Unicity is a measure of how easy it is to re-identify data. It quantifies additional data needed to re-identify a user. The higher a data set’s unicity, the easier it is to re-identify. Transactional and geo-temporal data yield not only high monetization potential, they carry statistically unique patterns which give rise to high unicity.

Risk 2: Relevance & Quality: Income, preferences and family circumstances routinely change, and preference data on children is difficult to ethically justify processing. While this creates a problem for predictive analytics, that data and the inferences it engenders can be considered inaccurate at a given point in time, which creates a GDPR cause-of-action. Data quality needs to stay aligned to business objectives.

Risk 3: Expecting the Unexpected: When data science creates unexpected inferences about us, it tends to invalidate the consent that allowed data to be captured in the first place, which, again, is a big deal. Data collected today, particularly from mobile devices, is subject to a constant stream of future inferences that neither the customer nor the collector can reasonably comprehend. Consider a car-sharing app that can model propensity for one-night-stands from usage patterns. While that data may not result in propositions today, the market will consider upside risk/option value to have been created (the market still does not seem to believe in GDPR impact), but this incremental data coming into existence creates downside risk (such data is difficult to find a legal-basis for, given the vagaries of a given consented disclosure).

More generally, the problem of negative correlations is brought to the fore by algorithmic flaws, biased data and ill-considered marketing or risk practices, the enduring example being U.S. retailer Targets’ predictive campaigns to pregnant teenagers, spotted by parents. These are examples of a new form of systemic control failure, leading to potentially actionable GDPR claims.

 

Related articles

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

GDPR and the technology market was originally published on The Puchi Herald Magazine