T-Mobile. TalkTalk. Multi-billion-dollar telecommunications companies that wish they had taken their data protection obligations more seriously.
I know from experience that many organisations view regulations such as the European Union's General Data Protection Regulation (GDPR) as burdensome red tape: a 'box-ticking' exercise that holds them back from doing business.
But, would you board a plane if you knew the pilot had just ticked off items on the checklist without paying an appropriate amount of attention? I doubt it. Likewise, I suspect most readers would not go into the operating theatre with a surgeon who pays lip service to procedure. I also suspect those that deride security and data protection as ‘box-ticking’ would be as pleased as the rest of us if their identity was stolen and bailiffs came knocking to recover a yacht they didn’t know they’d leased.
It is true that some implementations of GDPR (and equivalents in security and non-European jurisdictions) represent the output of a committee of pedants, drunk on power, with zero real world commercial experience. It does not have to be though – in fact, that really should not be the case.
The shareholders of T-Mobile and TalkTalk have found out the hard way the damage to their net worth that can be caused by a hacker; and many of their customers are about to find out what nefarious schemes criminals can perpetrate with their personal information as well.
It’s one thing when it is a bakery’s loyalty card list that’s stolen, but in telecommunications, we handle some very sensitive data. Call Data Records (CDRs) to us are often millions, or billions of rows of faceless data, but each line represents someone calling someone, or someone texting someone.
That could be a teenager calling an emotional support line or an abused wife calling a divorce lawyer. If the telco is also an internet service provider, it may also retain web browsing history. In both cases, it takes little imagination to understand the scale of harm that could be caused should such information fall into the wrong hands.
The media focuses on things like social security numbers and dates of birth. Those are critical, of course, because that is how identity fraud happens, but another tangible doomsday scenario would be the release of browsing or call history.
No-one should need to be convinced of the need for a data protection framework. Unfortunately, the moral hazard of exploiting the data (think Cambridge Analytica), and the risk of its theft, have led successive governments to impose ever more stringent legal obligations, sometimes with criminal penalties for their breach.
GDPR is a behemoth, but it is also a principles-based law that leaves a lot of flexibility to those who implement it. It is European Union law (the UK now keeps a near-identical version of its own), but its reach is not limited to organisations based there: it applies to anyone, wherever established, who offers goods or services to, or monitors the behaviour of, people in those territories. Other jurisdictions have their own rules, and which rules you must comply with depends on where you do business and, importantly, where your data subjects reside. We have taken GDPR as the exemplar here; it is likely, even probable, that compliance with GDPR will deliver a substantial amount of compliance with any other regime, but not necessarily complete compliance with another law.
You can spend a week playing buzz-word bingo reading all manner of GDPR sources on-line and get increasingly closer to having an existential crisis, or you can start by thinking about embedding the principles into your culture.
Lawfulness, Fairness and Transparency
When you collect personal data, be transparent about why you are collecting it and where it is going to be used. Ensure that the collection, processing, storage, and disclosure of personal data is done lawfully.
Purpose Limitation
You must have a specific and legitimate reason for handling the personal data, and only use it for that reason unless you have explicit consent from the person the data pertains to. There are some exceptions, but for the most part, you need a lawful purpose.
Data Minimisation
Collect and keep only the data that is necessary for the lawful purpose you have.
Accuracy
Pretty obvious… but it does mean you need a regular review that corrects or deletes data which is inaccurate. Data subjects have a legal right to have inaccurate records rectified, and you must act on such a request without undue delay and in any event within one month. This principle is an awful lot easier to honour when you abide by the minimisation and retention principles too.
Storage Limitation
Once your lawful purpose has been fulfilled, the data should be destroyed unless there are other lawful grounds for retaining it.
Integrity and Confidentiality
Don't have an unprotected router accessible to the outside world (allegedly how T-Mobile was compromised), or admin credentials of username 'tim', password 'tim' (something that has been implicated in the TalkTalk attack).
In all seriousness, protect your data. This is basic cyber-security 101. Use long, unique passwords. Use two-factor authentication. Don't share passwords. Don't have your passwords written on a whiteboard. Encrypt data at rest and in transit. Almost all modern cloud-based software, even the kind a bakery might use, has these functions available.
Accountability
Have someone (appropriately senior, with sufficient bandwidth to perform the duties) own data protection issues. Know what data you have and where it is. Ensure that the other principles are complied with, and be able to prove you have done so.
Is that it? Yes, in terms of understanding the principles of GDPR and what you need to embed into your organisation's culture to comply. The actual implementation does, unfortunately, mean paperwork, audits and meetings to discuss things, but start with the above; it will make that mountain look a lot more like a hill than some of the resources out there would have you believe.
Remember though – if you’re just using this as a tick list, you are doing it wrong. Be an exemplar; don’t be a T-Mobile or TalkTalk (or LinkedIn or Equifax or Experian or LinkedIn (yep, they’re here twice) or MyFitnessPal). This list is quite illuminating and scary.
If you’re a telecommunications company though, there are two more things to discuss – the public interest disclosure and whether or not a CDR is personal data.
Is a CDR Personal Data?
It is simultaneously personal data within the meaning of GDPR and not personal data. It is Schrödinger's data.
In isolation, a single CDR does not identify anyone. However, if it can be married with another data set (or with information in the public domain) to identify the data subject, then it is personal data, even though the record on its own does not name that person. This follows from the definition in Article 4(1) of GDPR, and Recital 26 makes the point explicit: data that can be attributed to a person by the use of additional information is still information about an identifiable person, and you must take account of all the means reasonably likely to be used to make that attribution.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [Emphasis Added]
A CDR database does not contain personal data per se. But if you can Google the telephone numbers and get results (people who put their number in their LinkedIn profile, for example), or knit the records together with your own subscriber database, then it is personal data.
Therefore, the simple solution: treat CDRs (and web logs, for the same reason) as personal data.
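The linkage argument above is easy to see with a few rows in hand. The following is an added example, not code from the original post: the subscribers and calls are constructed (the numbers come from the UK range reserved for fiction, +44 7700 900xxx), and the secret key is invented. It shows the join that turns a "faceless" CDR into a record about a named person, and it goes a step beyond the text to show why the obvious fix, replacing the number with a plain hash, does not take the data out of scope: the space of phone numbers is small and public, so an unsalted hash is reversed by enumeration, and even a keyed pseudonym can still be reversed by whoever holds the key.

```python
"""Constructed CDR and subscriber data: a CDR row becomes personal data the
moment it can be joined to something that names the subscriber."""
import hashlib
import hmac

# Constructed sample data. Numbers are from the fictional UK range
# +44 7700 900000-900999; the names are invented.
SUBSCRIBERS = {
    "+447700900123": "Alice Example",
    "+447700900456": "Bob Sample",
}

CDRS = [
    {"a_number": "+447700900123", "b_number": "+447700900777",
     "start": "2021-08-01T09:15:00Z", "duration_s": 412},
    {"a_number": "+447700900456", "b_number": "+447700900123",
     "start": "2021-08-01T09:40:00Z", "duration_s": 35},
    {"a_number": "+447700900888", "b_number": "+447700900777",
     "start": "2021-08-01T10:02:00Z", "duration_s": 900},
]

# Every number that could appear in this (tiny) numbering range. Real
# numbering plans are larger, but still cheap to enumerate in full.
CANDIDATE_NUMBERS = [f"+447700900{i:03d}" for i in range(1000)]


def identify_parties(cdrs, subscribers):
    """Join each CDR to the subscriber table. Any row whose A- or B-number
    matches a known subscriber now relates to an identifiable natural person
    (Art. 4(1): identifiable 'indirectly ... by reference to an identifier')."""
    hits = []
    for row in cdrs:
        caller = subscribers.get(row["a_number"])
        callee = subscribers.get(row["b_number"])
        if caller or callee:
            hits.append((caller, callee, row["start"]))
    return hits


def hash_number(number):
    """Naive 'anonymisation': replace the number with an unsalted SHA-256."""
    return hashlib.sha256(number.encode()).hexdigest()


def reverse_hash(digest, candidates):
    """Unsalted hashes of a small, public identifier space are reversed by
    hashing every candidate and comparing. Returns the matching number."""
    for number in candidates:
        if hash_number(number) == digest:
            return number
    return None


def pseudonymise(number, key):
    """Keyed pseudonymisation with HMAC-SHA256. Without the key the
    enumeration attack fails, but the key holder can still re-identify, so
    under Recital 26 the token remains personal data in their hands."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def reverse_pseudonym(token, candidates, key):
    """Enumeration attack against a keyed pseudonym; succeeds only with the key."""
    for number in candidates:
        if hmac.compare_digest(pseudonymise(number, key), token):
            return number
    return None


def demo():
    print("Joined to subscriber table:", identify_parties(CDRS, SUBSCRIBERS))
    digest = hash_number("+447700900123")
    print("Unsalted hash reversed to:", reverse_hash(digest, CANDIDATE_NUMBERS))
    key = b"constructed-secret-key"  # invented for the example
    token = pseudonymise("+447700900123", key)
    print("HMAC reversed with wrong key:",
          reverse_pseudonym(token, CANDIDATE_NUMBERS, b"guess"))
    print("HMAC reversed by key holder:",
          reverse_pseudonym(token, CANDIDATE_NUMBERS, key))


if __name__ == "__main__":
    demo()
```

The practical consequence is the one the post reaches: whether the number is stored in clear, hashed, or tokenised, someone in the organisation (or anyone who obtains the subscriber table or the key) can put a name to the row, so the controls you apply to the CDR store should be the ones you apply to personal data.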
The Public Interest Defence
This is a very complex area of the law. Very broadly, GDPR allows (amongst other exemptions) certain of its rules to be set aside where the data is being used for purposes such as the prevention or detection of crime.
This does not mean that you can suddenly ignore local procedures for the release of information to law enforcement, but it does provide a degree of air cover in certain circumstances, such as a voluntary disclosure of CDRs in relation to a fraud.
These exemptions should only be used by way of a one-off and not relied upon routinely.
Exonia has advised on GDPR issues across Europe, with large and small companies alike. If you’d like to have a no-obligation chat about any of the issues raised here, please don’t hesitate to reach out.