Pop quiz: Why is it good that regulations are principle-based, instead of rule based?
Because if in 2001 some regulator had said that ‘hashing personal data one-way with plain MD5 is compliant’, data protection would today be as dead as MD5 is: dead as a doorknob.
That’s why we have ‘assessments’. They mostly focus on a certain risk balance. Which is also why today we don’t store customer passwords in plaintext or as plain MD5 anymore, but at least use randomly salted SHA256 or higher. Right, everyone? Right. Admittedly, however, we are having quite a few assessments these days. LIA, TIA, PIA, DPIA… What’s what, and how are they relevant for our action plan today, in the post-Schrems II world? The good news is that LIAs have little to do with this, and PIAs should already have been done before the processing activities began. Here are a few actions and considerations for the short, mid, and long term:
What are you doing now?
- Take an inventory of all your processing activities that include data being transferred to (or accessed from) outside the European Economic Area (EEA). After all, Norway, Iceland and Liechtenstein are on board with the GDPR.
  - Note that the UK may no longer count in this list.
- Conduct a Transfer Impact Assessment (TIA) of the destination location for all of the above listed processing activities.
  - This is mostly a legal assessment, focusing on the laws relevant for the destination location. Often we see that external legal professionals are included here, as it is near impossible to have in-depth knowledge of what applies in other countries.
  - Look not only at core privacy / data protection legislation, but also at other potential impacts, such as provisions on how government entities may obtain access to data.
- If no obstacles are found, look into the DPIA (see below). If there are, I guess we still do a DPIA.
What else can we be doing?
- Keep an eye on the expedited revision of SCCs (standard contractual clauses). The current consultation round seems to close 10 December 2020. Soon after that, the revised versions will be ready for use. Consider implementing them in all your international transfers in replacement of the now invalid Privacy Shield, but also in replacement of existing SCCs in the old version.
- In fact, even though unnecessary for countries with an adequacy decision, it may be good to include similar requirements. Adequacy decisions don’t necessarily last forever, and if a service provider refuses the (otherwise reasonable) content of the new SCCs, that may trigger a concern anyway. What would, for example, be a reason not to accept, and would that reveal previously unearthed issues? Not required, but may be recommended.
- Conduct a (there it is!) data protection impact assessment (DPIA). This should mainly focus on the areas where the confidentiality of the personal data in question can insufficiently be guaranteed.
- Take into account all available and reasonable means to protect the data. At rest, in transit, and…
  - In use, where possible. Consider in-use encryption but focus specifically on key management. Not only ‘where’ the keys are matters (i.e. on EU soil according to EDPB guidance), but also ‘who manages the keys’. That should be you.
- Different use cases deserve different technical measures. What works on IaaS and PaaS may not function the same on SaaS, for example. Also, in-use protection may combat confidentiality issues, but for analytics and business intelligence purposes, synthetic data and especially differential privacy may become crucially relevant as well.
- With these results, do you feel there is sufficient assurance around the data control, confidentiality, and overall protection?
- Still, make sure you revisit the DPIA frequently, to keep in touch with emerging protection techniques as they become more available and affordable and, as such, become viable options in a DPIA result.
Anything on the long term?
- As you continue to revisit the DPIAs periodically, observe the development of privacy enhancing computation (PEC) techniques. These are featured as one of the Top Strategic Technology Trends 2021 (available to clients on gartner.com) by Gartner, and a few are accounted for on the Hype Cycle for Privacy, 2020 (equally accessible by clients). Secure multiparty computation (sMPC), confidential computing, and developments in the applicability of homomorphic encryption are among these PEC techniques.
- For the long term, strategic consideration should also be given to developments of the GAIA-X architecture. An interesting blog can be read here. But in this case we’re talking years, rather than something for your 2021 action list.