Privacy, security and the impact of GDPR in NZ

There have been plenty of privacy and security discussions about the potential reach and impact of GDPR in NZ. It may feel like privacy regulations in Europe are a distant concern to New Zealand companies, but the reality is that the security and privacy landscape is changing. Being left behind in the way that we treat critical business assets, like information, is no longer an option.
“Who made you the judge and jury? Ain't you never heard of privacy?” Beastie Boys

Privacy or security? What’s the difference?

There are currently few incentives for New Zealand companies to treat critical business information, including personal information, appropriately. CERT NZ has some alarming figures on the increasing financial costs of cyber attacks, though the stats hide a dirty secret that the true figure is probably a lot higher, because we are currently under no obligation to report data breaches.

Nearly all information can be monetised by hackers, and costs associated with data breaches, recovery, goodwill and legal expenses can be estimated – this is known as an Annualised Loss Expectancy (ALE). Every organisation we have calculated an ALE for has been shocked their exposure to cyber risk is so large. So the risks are real and the costs are high.

But let’s not confuse privacy with security. The two subjects are related but distinct, so let’s define them.

Privacy is the right of an individual to be aware, and in control, of information that uniquely describes them. More recently the concept of privacy has been reduced to information in the digital realm that people do not wish to be publicly available, and this is what we will focus on for now.

For example, this includes the right to ensure that:

  • information about us is only being collected with our consent
  • such information is correct, including the right to data portability
  • information is only being used for the purposes that it was originally collected for
  • reasonable measures are being taken to protect it (this is the direct overlap with security)
  • the information is not retained longer than is necessary

Security on the other hand is a set of controls that we wish to apply in order to protect something, which may be information that is the subject of someone’s privacy, but not exclusively. There are plenty of good security frameworks out there like ISO 27001 and PCI and they describe the organisational, procedural and technical measures required to define an information security management system or protect payment card information. You might use one of these frameworks to protect someone’s personal information, but they are far from complete in terms of meeting the concepts of privacy.

GDPR is here whether we are ready or not

GDPR is here whether we are ready or not

GDPR in the New Zealand context

What does GDPR have to do with all of this? GDPR is the new European legislation that enforces the principles of privacy described above. The premise is that if you offer products or services to European residents then there are strict ways that you are allowed to collect, process, share and store information about them. Furthermore, in the event of a data breach then there are short timelines to act to notify the victims of a breach. If the GDPR regulators find out that personal data about European residents was not being treated appropriately, then there are severe penalties that will be imposed.

A requirement of GDPR is that if you are dealing with European residents’ personal information as a consequence of offering goods, services or monitoring of their behaviour (including online behaviour) then you need permanent representation in the EU, if nothing else but to be the recipient of any fines. This seems a little onerous for most New Zealand companies but does raise an interesting business opportunity for virtual Data Protection Officers (vDPOs) and vicarious EU representation officers to handles any engagements with GDPR regulators. Employing a full-time DPO or opening a permanent office in the EU could be prohibitively expensive, so this model provides a cost-effective way of meeting compliance.

New Zealand was previously seen by the EU as having “adequate” privacy protection, largely invested in the Privacy Act 1993, which is now showing its age and without any real teeth to act as a serious deterrent for those flouting the rules. And while our adequacy will apparently transfer across into GDPR without expiration, the GDPR regulators can review and revoke this as part of a periodic review. Thankfully there are some sound recommendations made by the Privacy Commissioner regarding changes to this act, including civil penalties, that bring it more in line with other international legislation. But if our adequacy is not renewed, then it is possible that New Zealand could be labelled unsafe from a privacy perspective, a bit like travel safety advisories from the organisations like the UK Foreign Office.

The Australian Government has recently released its Notifiable Data Breaches (NDB) amendment to their Privacy Act 1998 which, as the name suggests, focuses more on the post-breach declaration. It also has a lower threshold for the size of entities bound by the law. It also has longer time frames in which to respond to a data breach and then only where failure to notify could cause “serious harm”.  This encourages good behaviour since most data breaches become public knowledge eventually. Coming clean early and conducting appropriate notification activities may drive organisations to take action to prevent a breach in the first place, that is, having good security by following a suitable framework. New Zealand would do well to have something similar to the Australian NDB amendment as a pragmatic middle ground between GDPR and where we are now.

Don’t delay the inevitable

A few years ago, I was the local Security Officer for a classified US Government system that was heavily administered by the Information Assurance Directorate of the NSA. The tagline of the security policy concerning security incidents was “Bad news doesn’t get better with time”. Even if you felt that reporting an incident was going to be awkward, just wait until the NSA investigators get hold of you!

An interesting example of this was the handling of the Vector outage app data breach where thousands of personal records were made publicly available due to poor mobile app design. While the design of the mobile app could have been better, Vector did a stand-up job of handling the fallout from the breach and conducted a GDPR-like notification exercise to affected individuals. They didn’t have to, but they did, though I sense they stopped short of doing anything further because they were not legally required to do so – such are the weak requirements of the current Privacy Act.

Vector outage

If you submitted an outage to Vector during the storms in April 2018 then all of the personal data (name, address, phone number, email address, physical location, nature of the fault etc) submitted was probably leaked.

By demonstrating at a national level that we are committed to similar principles to GDPR then the willingness of Europeans to do business with New Zealand companies can only improve.

But here’s the problem that has been frequently pointed out; New Zealand is not subject to European legislation so the regulatory fines would be hard to enforce. And in a highly litigious environment, like corporate USA, it would be interesting to see a GDPR fine being levelled at a US-based company. There are however precedents for this, such as the defunct Safe Harbour Act and more current EU-US Privacy Shield, which are agreements about data protection requirements for personal data, in support of trans-Atlantic commerce.

If a company isn’t bound by a similar agreement, is outside of the EU and doesn’t have EU representation then the EU’s approach will be through “mutual assistance”, “stakeholder engagement” and “promoting the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries”; diplomatic-speak for “we can’t do very much but we’ll figure it out as we go”.

The EU does have representation in New Zealand so any GDPR-related issues would likely be coordinated through their local office. They also provide some pragmatic advice to small companies where they state that many of the GDPR regulations, such as appointing a DPO or having an EU-based representative, may not apply if handling personal data is not a core part the business or if it is not done at scale.

While it could be tempting for New Zealand companies who deal with European residents’ data to ignore the regulations on the grounds that it is hard to enforce, few companies would want an international investigation or lawsuit hanging over them in an age of continuous disclosure. Fewer still would want to be branded as being reckless with personal information and I suspect this would attract attention from our own Privacy Commissioner.

Full GDPR penalties are unlikely to be used as a first measure and only likely to be enforced against large scale and repeat offenders; this likely only represents a small number of New Zealand organisations. Compliance with the current New Zealand Privacy Act 1993 will go a long way to being GDPR compliant but that said, there are plenty of examples where even this has not been well implemented.

Fines or no fines, to notify or not to notify, to comply or ignore, GDPR has created a potential minefield of privacy issues for New Zealand companies. Our advice to customers is that while the majority of them have only limited exposure to GDPR, it does raise the privacy bar significantly. The discussion about whether GDPR is enforceable here or not is largely irrelevant and a “GDPR-like” privacy landscape is the new norm, even if our local legislation has yet to catch up.

Image by Samuel Zeller on Unsplash

How much data do organisations hold on you? A feature of GDPR is data portability – the requirement that all of your personal data can be downloaded and viewed in a standard format.

Practical tips to assist with GDPR compliance

As a feature of good practice and ethical behaviour when handling personal data, we recommend our digital customers consider the following for their websites, even if they don’t feel they need to fully comply with GDPR:

  1. Your Privacy Policy must describe the collection, processing and storage of personal information should be concise and written in plain English – not legalese.
  2. People visiting your website are informed that cookies and potentially other personal information will be collected and provide a direct link to you Privacy Policy. This is sometimes known as a “cookie banner”.
  3. Consent is provided for any personal information to be collected. This is known as “Opt-in” and the default setting should be set to “none” or “blank”.
  4. All “Opt-ins” are unbundled from other terms and conditions and clearly separated as an act of consent about their personal information.
  5. All “Opt-ins” are as granular as possible and allow people to select which communications and services will be used as a consequence of their personal information being collected. Their data cannot be used for any other purposes (!!) so whatever is happening at the back-end must reflect the wishes of the individual.
  6. Third-parties that manage any collected information (such as marketing or eCommerce) are contracted to agree how personal information is to be handled.
  7. Ensuring any third parties are aware of the usage limitations of the personal information you transfer to them. The collector of the information remains liable for any costs associated with exploring where any personal information has gone in the event the individual wants their information corrected or deleted.
  8. All personal information has appropriate security controls applied to it. We recommend the CrowdStrike security platform as the best-in-class tool for detecting malicious activity on your network and preventing data breaches.

If you deal with personal information as a core part of your business or you handle large amounts of such information then you should also:

  1. Conduct a Data Protection Impact Assessment. This is very similar to the guidelines from the New Zealand Privacy Commissioner and is a form of risk assessment for personal data.
  2. Appoint a Data Protection Officer who is responsible for handling privacy issues and ensuring compliance with the necessary legislation.
  3. Ensure mechanisms are in place to ensure data portability of personal information. Individuals should be able to request all information that is held about them in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another organisation.
  4. Appoint a representative in the EU to coordinate privacy issues if you don’t already have a footprint in Europe.

Final thoughts on GDPR

It is possible that GDPR has handed a competitive advantage to countries that have a poor history of respecting the privacy of individuals and it is no coincidence that they are the same countries that will be the least likely to enforce any fines imposed by the EU. While we tangle ourselves up in compliance issues these countries are probably quietly confident that it's one thing they don't have to worry about.

And while we are being deluged with mostly unnecessary privacy policy updates and re-subscribing to various services and notifications, this provides a great attack surface to bundle new forms of cyber attacks, posing as GDPR compliance notifications. Stay safe out there!


Image credits:
Lead image: Max Pixel | Terracotta Warriors (Contemporary) - Yue Minjun - Paul Stevenson | Files pic by Samuel Zeller on Unsplash

Jeremy Jones.jpg

Jeremy Jones is Theta's Head of Cyber Security.