Avoiding Your Worst GDPR Nightmare

You know those mornings when you are in no mood for lengthy discussions with the children? As usual, they’re all late for school and eating breakfast without any noticeable sense of urgency, shouting because a shoe went missing, or crying as you try to drag them away from the TV.

That’s when a work-related lightning bolt strikes.

Today it will be in the shape of a call from your CEO, no less, who informs you that the company is in the news - not because the share price is going through the roof but because personal data belonging to 2.7 million customers are now all over the internet. Your CEO didn’t exactly call you to ‘inform’ you, she wants to know from you “what exactly happened!”. And she wants to know right now because she’s about to go on national TV.

Now you better find that shoe very quickly, load the little rebels into the car, and drop them safely to school. Because it’s going to be a long day, and night. Possibly many of them.

Chaos and Crisis

Fast-forward 72 hours.

You have now notified the Supervisory Authority (SA). Just compiling the notification in those 72 hours involved the contribution of 23 people from 6 different departments (well, 24 if you count your mother-in-law who had to rush home and spend three days there, to help with the rebels). And yet the detail you were able to provide was partial, but luckily the GDPR provides an allowance in that sense, and you will be able to complete the notification as more information will surface in the next few days and weeks.

Three investigators from the Data Protection Authority are now in your premises. They are discussing with you and your key colleagues the level of risk for your data subjects. It’s quite straightforward and it doesn’t take long: The data that have been leaked are not only affecting a vast number of data subjects, but their nature will pose serious risk to every affected individual in many ways.

The investigators mime “quote & unquote” with their fingers: potential “financial loss” in the first place, since bank details were part of the exfiltrated data, but also data concerning "health.” Moreover, since the data of your employees was also affected, “trade union membership” and “performance-at-work” information was also disclosed.

For some reason, all these “quote & unquote” items ring a bell, and yes, you now remember being briefed two years ago about that Recital 75 of the GDPR by some external consultant, who told you: “Start your compliance journey from Recital 75, that’s where you will find all the data you should protect in a special way. They are the ones that pose the highest 'risk' - not to you as a company, but to the 'rights and freedoms' of your data subjects. And if something happens to that data, you and your company will have no excuse.”

No excuse. You really can’t think of one. But that warning did not particularly stick, did it? And now your subconscious is sending a reminder - charged with a hyper-dose of guilt and self-condemnation.

The bottom line is that you must notify your customers “without undue delay.” In plain terms, that means now. Today.

Now the investigators are trying to ascertain what exactly happened, how could the records of 2.7 million customers and employees leave the perimeter of the company and be made available on the internet. You wonder which powerful state-sponsored attack group has so much interest in the data of your customers, let alone your employees. Perhaps it was a competitor. Or even a head hunter who wanted to find out about the best employees to poach. After all, it’s a buoyant market these days. That’s it. That’s the only explanation. And the customer data was just collateral damage, exfiltrated by mistake in the process. Right?

It took another three days for your IT and cyber security teams to find the first clues from the vast amount of telemetry of the last several months. A lot of telemetry to search, most of it irrelevant to the case, some attempted minor attacks now and then, and finally here is an interesting sign. From the analysis of some employees’ endpoints, it appears as though some of them from Customer Service, as well as HR, had sent out some PDF files containing this data. This can be traced back to at least fifteen months earlier, and with some worrying continuity since. More research shows that in fact at least 130 employees (as well as contractors) had sent out data in PDF format. Now things get quite concerning in terms of the root cause of the leak.

Some of the employees have been called in, and kindly asked to explain. It’s a very simple explanation. They needed to have the data, initially collected in PDFs, converted into an Excel format, in order to perform some calculations, but there were no applications in-house and it would have been too cumbersome, and error-prone, to manually copy-paste between formats every time. So, they went to look for something that would help them.

No hackers involved then? No plot from rogue state-actors? No competitors trying to steal juicy secrets or head hunters trying to poach? Insiders instead. And not for malicious purposes either. Just a productivity need. Commendable though, almost moving, you think to yourself.

And so, some found apps to use in the cloud, without the IT department knowing about - another example of the "Shadow IT” phenomenon where employees go ahead and use unsanctioned applications.

You now recall reading that a study by Symantec showed how IT departments of Enterprise organisations had indicated that the number of apps in the cloud used in their organisation was, on average, 30-40; but when CASB tools were used, they revealed a number on average above 1000. And you had found this unbelievable at the time, surely impossible in your company.

Others used one of the innumerable websites that ask users to upload the file they want to convert, and then download the resulting file.

Wait, you think. “Upload the files?” This causes you a mix of shivers and palpitations. Your brain is now processing a Megabit of thoughts per millisecond, envisioning catastrophic compliance implications. Uploading all that personal data? By so many employees, over such a long period of time? And then: “upload” where exactly? And who is physically performing that conversion? Do we know them? Are they a Processor of ours in GDPR terms? Do we have a contract in place - and that’s when an investigator is going to ask:

“Were you and your IT people aware of all this particular personal data processing? All these employees downloading apps, “uploading” personal data, “downloading” converted files?”

“Sorry…? Did you say 'exploding'?"

“No, I said 'uploading' and 'downloading' files."

“Right…Yes...No! I mean no, we were not aware. How could we?”

“Therefore, such websites and apps in the cloud are not known to you, let alone to your IT?”

That hurts.

You, the DPO (or CIO, or CISO), and the IT Dept of the leader company in your marketplace are unaware of what apps or websites the employees use on a daily basis, and what processing they perform with them on personal data of customers and employees. The personal data - some of them “special categories” according to Article 9 and Recital 75 - that customers and the work force had entrusted your company with. And now that data is gone. And it’s dangerously public.

Just the Facts

The investigators start going through a list of, shall we say, “GDPR compliance challenges” originating from this regular, relentless Shadow IT and web-processing exuberance.

1. They are quite certain that you have insufficient control about the way personal data flow inside and outside the boundaries of the organization; likewise, in terms of the use of the personal data, by which departments, employees or contractors, and crucially who has the necessary authorisation to process them and in which way.
2. It is also clear to them that you have no full knowledge of which processes are executed by these Shadow apps or websites, over which personal data is processed. Therefore, these processes will be unlikely to have been recorded and documented, as required by Article 30.
3. And then it’s evident that you have no idea of who the Processor(s) of this data is (are), (i.e. the app providers or the website operators) and whether they fulfill their Processor obligations according to Articles 28 and 29 let alone the security provisions for the personal data they process. So after Article 30, now Articles 5(f), “Confidentiality, Integrity” and 32 (“Security of Processing”) also go out of the window, together with the Processor Data Breach Notification process (Article 33.2).

And as the list recited by the investigators goes into the depth of your compliance flaws, the shadow of the scenario acquires even darker nuances.

4. Now they are alluding to further potential infringements of Article 5, in the principles of Transparency, Purpose Limitation, Storage Limitation.
5. And then some sharp Medieval tool of torture stabs you deep: you are reminded of the obligations of “Data Protection by Design and by Default”, Article 25, remember that one?
6. Which is emphasized by the next even sharper one, back to Article 5: “Accountability”, the Giant. Just a small word in Article 5.2, but the Everest, or in European terms the Mont Blanc, the Mother of all the GDPR obligations.

You are now ready to knock down the King and concede defeat. But it’s not over yet.

Because in rapid succession, another storm of pounding is upon you:

7. Transparent information (Articles 12-14).
8. Data Subject Rights (Articles 15-21).
9. Cross-border Data Transfers provisions as explained in the whole GDPR Chapter V, Articles 44-50 (because in this case Shadow apps and websites could be operated and hosted by providers in Countries with unverified adequacy).
10. And then, in case of high-risk processing, like this seems to be, given the sensitive nature of the data, Risk Assessment, DPIA, Prior Consultation of the SA (Articles 35-36) all seem to have been underestimated if not completely ignored.

To recap, almost thirty articles of the GDPR (30% of the whole legislation) could have been infringed through this ‘innocent’ shadow IT and website activity by employees.

Final Tally

Now the investigators are persuaded that the company has insufficient control over the way personal data are processed.

You feel numb. You will have to report this assessment to the CEO. And to the Board.

They will ask you some of the same questions the investigators have just asked you. But probably without a full understanding of what they are asking, therefore a much more insidious conversation.

And how will you explain to them that the last thing the chief investigator mentioned to you is the possibility, not too remote at this point, that given your lack of control over the way personal data is processed in your organisation, the monetary fines are likely to be substantial, but…, and they emphasize “but” with a painful pause, fines might not be the worst that you will have to endure?

No, not the reputation in the market place or in the stock market either, or in the press, if that is not devastating enough.

No. What they are considering applying - they told you as they were leaving - is in Article 58. The “Powers” article, what Supervising Authorities can do. Article 58.2.(f): “to impose a temporary or definitive limitation including a ban on processing”. Imagine that: your market-leader company will be unable to process personal data for some time. That will impact virtually every activity, in every department, most likely in every country.

And this measure is not a ‘dissuasive punishment’ like fines are meant to be, rather a way to guarantee that the personal data is not processed by a Controller that is unable to demonstrate the necessary ability to ensure safe processing, and ultimately the “rights and freedoms” of the data subjects. Fines are meant to be dissuasive, but a ban on processing has some powerful dissuasive element too, you realise.

Therefore, until all the appropriate measures, both “technological and organisational” of course, are reviewed and deployed, your organisation will not be able to process personal data. It could take weeks if not months.

And on that bombshell, they left your office.

You are now staring into the abyss. You cannot believe this. But your CEO will. And his reports too. And your investors. And your partners, agents, re-sellers, suppliers, employees, customers, shareholders, big and small. Meanwhile, your competitors will celebrate and prosper for some time.

Do you feel faint?

“Mum! Dad! I can’t find my shoe!”

You wake-up. Turns out, you, are the one who is late for the school run. You are so happy, but realize now is the time to take action.

You grab your mobile phone and send an email, naturally full of typos, to the CIO, the CISO, the CFO, the VP of Sales, and the Heads of HR, Legal, Privacy, Compliance, Risk Management, and Marketing, and call an urgent meeting, in which you will address “a serious issue that has been neglected in the last two years of GDPR efforts”.

“Ok, where did you put your shoes yesterday, sweetheart?”

Final Thoughts

Any resemblance to real persons or actual events is purely coincidental. Still, it’s a realistic scenario, I think you will agree. A number of recommendations derive naturally from this scenario, which shows as an issue that seems to be just technology-related, can have severe compliance implications, and subsequent much wider consequences for the organisation:

• Organisations should verify their own Shadow IT situation, through technical controls such as CASB (Cloud Access Security Broker), able to scan the apps unknowingly utilised by employees;
• Data loss prevention technologies should be considered, in order to control the outbound flow of personal data. Encryption will also provide a way to limit access to data to those who are authorised and therefore have the key;
• The workforce should be made aware of the risk posed by the use of unsanctioned apps or websites, and trained to refrain from using them to process data, especially personal data;
• Productivity needs should be identified, procured and made available by the organisation in order to minimize employees’ need to access unsanctioned applications;
• Cloud customers should perform a thorough privacy and security evaluation on all apps before sanctioning them for use by employees;
• Sanity checks should be performed regularly on the cloud environment, in order to assess the level of unsanctioned apps active at any one time, so as to minimize the risk of compliance breaches, and to fulfill and document the related due diligence, which can be a mitigating factor in case of an investigation.