Observations from the front line: Budgets, budgets

(Posted originally on LinkedIn, March 1 2017)

I have been traveling the past month or so, and delivering presentations on GDPR compliance as well as attending others’ presentations. I have been struck by how many organizations are still trying to get budget to deal with GDPR, when I was advising our clients last fall that they really needed to have budget established and concrete actions starting in early 2017.

What to make of this? I had thought – probably as most people in privacy had thought – that with the GDPR, all those resource challenges of the past were going to be eliminated, or at least reduced, as the threat of large fines and regulatory sanctions would help us make our business case. This was clearly optimistic.

Raising this in discussion with wiser heads than mine has not yielded an answer, though they agreed this was a common problem. It leads me to think that, despite the imminent arrival of May 2018, resource challenges still exist for a number of reasons:

  • Many organizations are busily hiring for DPO roles, but not all are providing the DPO with the resources and support to really meet the requirements of the position, and may not be getting privacy professionals with the right experience into the role. This will admittedly be a challenge for many EU organizations given the lack of sufficient numbers of qualified privacy professionals to fill roles in EU organizations (or even the regulators). It is currently a sellers’ market. But it suggests two reasons why resources are still inadequate – first, does an inexperienced DPO know what to ask for (staff, tools, technology)? And does the organization hiring such a person think that they are ‘done’ now that they’ve hired a DPO?
  • Organizations that do not have experience with building privacy programs are still approaching this as a ‘paper’ exercise. As James Leaton Gray said at the Future of Privacy Forum in November, when we shared the stage discussing accountability under the GDPR, privacy is not simply something that sits in the compliance or legal department. The GDPR requires accountability on the part of the whole organization. There is still, unfortunately, a tendency to regard privacy as just another compliance area, one that can be fixed with the right paperwork.
  • It may also be that some privacy professionals are still having difficulty getting the message across about what privacy means in the context of the GDPR: that the EU views privacy as a fundamental right, and that it is more than ‘just another compliance issue.’

What to do? I think addressing resource challenges for privacy professionals is a combination of education and governance. Privacy pros still need to attend to explaining why privacy is important, what it means in the EU versus elsewhere, and what it means for their organization to do well. It helps to draw from the experience of others, from benchmarks and statistics, because management needs this to understand that what we as privacy professionals are asking for is not that odd or unusual, and that we are not trying to build a privacy ‘empire’ within the company.

It also requires privacy professionals to engage in ‘tough love.’ This means making very clear that since we cannot write the cheque to fund an activity, the person who can owns accountability for failing to resource it. No regulator is going to be fooled by an organization saying that the CPO/DPO is to blame for a privacy failure if the resourcing lies in someone else’s hands. We cannot compel the writing of the cheque – but we can make clear to the responsible part of management that this is their decision, and thus their accountability.

Finally, while I hate ‘selling on the negative,’ there is ultimately one question for management that may need to be asked: are you prepared to accept the risk that your fine for non-compliance is significantly greater than the investment for doing the right thing?


Article 29 Working Party to Quebec: “Sorry, darlings, you’re inadequate…”

This is a tough message to get from the EU; the Article 29 Working Party has identified some areas for improvement in order to find adequacy for Quebec’s Privacy Act (opinion linked here). Particularly harsh, I imagine, getting this by way of a voice mail message since Quebec was celebrating Saint-Jean-Baptiste Day on Tuesday; if they got any forewarning of the result, it was left via voice mail. Harsh.

I have hope that this will prompt changes that the Quebec Commission d’Acces a L’Information (CAI) have been asking for to their legislation; perhaps thoughts like servers leaving Montreal in a caravan down the 401 to Toronto, or even that the ROC (rest of Canada) is considered by the EU – the EU! – as adequate while Quebec is not, may prompt some speedy action…

Seriously, this is a shot across the bow for the provinces, for Canada, and for the world. I had done a presentation last year at the IAPP Canadian Symposium, on the topic of whether our adequacy finding was at stake. The EU had been pressing forward with its draft Regulation, and I speculated over whether we would need to update PIPEDA to maintain our status, and whether in fact provincial ‘substantially similar’ findings would not save the provinces from being reviewed for adequacy, since the draft Regulation contemplated reviews of adequacy of national subdivisions. This issue over Quebec, however, goes back as far as the WADA controversy in which the Working Party issued an opinion over the adequacy of Quebec’s law in relation to drug testing of athletes.

Well, the Working Party didn’t wait for the draft Regulation; they’ve started, and while it is an advisory opinion, it sets out a list of four areas for improvement that can only be interpreted as setting a standard for adequacy:

  • clarifying the territorial application of the Quebec Privacy Act;
  • strengthening transparency by requiring identification of the data controller;
  • clarifying sensitive information; and most significantly,
  • putting in place data agreements for onward transfers.

The last one has relevance for all of Canada – this is an issue raised with the Federal Commissioner’s Office, over the fact that transfers can take place from the EU to Canada freely, but there are no controls over onward transfers – say, to the US. I think that this decision sets out expectations not only for Quebec, but for all of Canada, and is possibly also a message to the ‘league of the adequate’ nations as to what they will have to start doing to keep pace with changes in the EU.

Not Always Private – the other side

Last week I wrote about the customer being wrong about privacy. There is the other side of course; for Not Always Right, there is the sister site Not Always Working.

There are fewer stories I can draw from there – perhaps because I haven’t written in with mine. I will write them in the style of Not Always Working:

Bad to Worse to Worst

I received a call (at dinner) from an otherwise reputable TV and Internet provider, which shall remain unnamed. I don’t normally welcome telemarketing calls, but this time I did because they happened to be offering a particularly good deal that was going to save me money. And I happily provided my information to the nice lady on the phone, who informed me that someone would be calling to arrange to send me my set-top box. All was well with the world, until I later received a call from a third-party fulfillment firm with a Montreal area code (I’m in Toronto).

Fulfillment guy: Can you confirm your address?

Me: (I do)

Fulfillment guy: To ensure we’re sending this to the right person, could you give us your driver’s license?

Me: Um… no, I won’t give that information, it’s not necessary.

Fulfillment guy: Can you provide your social insurance number?

Me: Definitely not. Things are going from bad to worse, I think.

Fulfillment guy: We can’t deliver this without some identification for the driver to get from you. How about your health card number?

Me: You have got to be kidding.

I tell him I will pick it up from the company’s local store; this is of course even worse when you realize that he planned to write it on the packing slip for the courier to verify with me when it arrived. Yikes. Of course, the right thing to do would have been for the lady who first called me to have created an order number, and to have used this made-up number as the authentication.
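To show what the ‘made-up number’ approach looks like in practice, here is an added illustration (my own sketch, not anything the provider or fulfillment firm actually runs): the provider mints an unguessable order reference at the time of the sale, keeps only a hash of it, and whoever hands over the box verifies the customer against that reference alone. Nothing a thief could reuse – driver’s licence, SIN, health card – is ever collected, and a leaked packing slip carries only a digest. The order identifiers, the validity window and the sample order are constructed for the example.

```python
"""
Order-reference authentication for a delivery hand-off.

Added illustration, not code from the original post. The provider issues a
random reference when the order is taken, stores only its SHA-256 digest, and
the fulfillment side verifies the customer by that reference. The digest table
can be shared with the courier without revealing the references themselves.
Order IDs, the validity window and the sample flow are constructed assumptions.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional

# Assumed validity window for a reference (constructed figure).
REFERENCE_TTL_SECONDS = 14 * 24 * 3600


def _digest(reference: str) -> str:
    """Hash a reference; with 64 bits of entropy the digest cannot be brute-forced."""
    return hashlib.sha256(reference.encode()).hexdigest()


def issue_reference(orders: Dict[str, dict], order_id: str, now: Optional[float] = None) -> str:
    """Mint a fresh reference for an order and store only its digest.

    The plaintext reference is returned exactly once, to be read to the customer.
    """
    now = time.time() if now is None else now
    reference = secrets.token_hex(8).upper()  # 16 hex chars, 64 bits of entropy
    orders[order_id] = {"digest": _digest(reference), "issued": now, "used": False}
    return reference


def verify_reference(orders: Dict[str, dict], order_id: str, presented: str,
                     now: Optional[float] = None) -> bool:
    """Check a customer-presented reference: constant-time compare, TTL, single use."""
    now = time.time() if now is None else now
    record = orders.get(order_id)
    if record is None or record["used"]:
        return False
    if now - record["issued"] > REFERENCE_TTL_SECONDS:
        return False
    # Normalise what a person reads back over the phone before hashing.
    actual = _digest(presented.strip().upper())
    if not secrets.compare_digest(record["digest"], actual):
        return False
    record["used"] = True  # a reference works once, so a copied slip cannot be replayed
    return True


if __name__ == "__main__":
    # Constructed sample flow: sale, then hand-off, then an attempted replay.
    book: Dict[str, dict] = {}
    ref = issue_reference(book, "ORD-0001")
    print("Customer is told:", ref)
    print("Courier verifies:", verify_reference(book, "ORD-0001", ref))
    print("Second attempt:", verify_reference(book, "ORD-0001", ref))
```

The point of the design is data minimisation: the customer proves they are the person who placed the order by knowing something only that order produced, not by surrendering an identifier that is valuable to a fraudster and permanent to the customer.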

Going Postal at the Supermarket

This was at Christmas, and the local supermarket was very busy. I had stopped to get a few things, so it was tedious getting through the line, and the line was still long behind me. I had cash, and I thought when it was my turn I would at least get done quickly, until…

Clerk: “Can I have your postal code?”

Me: “No, sorry”.

Clerk: “But … I can’t ring you through without your postal code.”

Me: “That’s ridiculous. I am paying with cash.”

Clerk: “But I need your postal code.”

Me: “No, you don’t.”

Then, as everyone behind me of course waits wearily, the clerk attempts to figure out from someone else what she is to do with this recalcitrant customer. Finally a more senior clerk comes over and says:

“Just hit enter, you don’t need the postal code to ring him up!”

Of course, this is due to lack of adequate training – she had been told to get postal codes, and not that she could proceed with a sale without it, regardless of how payment was made. This also shows the danger of leaving fields in databases – someone always thinks they need to be filled in.

Not Always Private

One of my favourite web sites is Not Always Right. This is a user-contributed site with stories – many funny, some disturbing – about the trials and tribulations of working with customers – the premise being that despite the often-quoted saying, the customer is not always right. My father was a cobbler, and I often spent time behind the till in his shop; when I was in high school, and in university, I had summer jobs in retail. I have a few stories of my own.

However, the reason for mentioning this here is that occasionally, people demonstrate how terribly wrong they are about privacy.

The stories you can find will make you laugh, or shake your head. One is an overzealousness in providing information that becomes the retailer’s fault; another demonstrates the willingness to give up on principles for the sake of coupons. People go to some lengths refusing to provide information that would seem innocuous, like a ZIP code, only to offer up something even worse like banking information – and worse still, their social security number. Clearly some people are very unclear on the concept of privacy – offering up ZIP and SSN willingly, but then refusing to provide proof of age when it is actually required to buy alcohol. Or going all-out paranoid on a poor clerk trying to process a credit card transaction, merely for doing her job.

Why are people so horrible at protecting themselves? (One might also ask why they’re so horrible, generally, after reading a few of these stories – my advice is to read them in measured doses, so you don’t give up on humanity altogether). The stories illustrate that people think privacy is important – but that they’re clueless about what to do about it.

A very good book I would recommend is The Drunkard’s Walk: How Randomness Rules our Lives. I have often used this in my talks because in this fascinating exploration of the connection between statistics, gambling, history, baseball scores and wine tasting, the author concludes that people are really bad at understanding risk in a mathematical way – we’re just not wired that way. For proof that we don’t understand risk, you only need to go to a casino.

Because of this, we understand risk only from our personal experience; the conclusions we draw are different, for example, when we just think about identity theft as a topic versus when we experience it ourselves or close at hand through a friend or relative. This is why people on the streets of London and New York could be persuaded to give up their e-mail passwords for chocolate. (There are too many stories on this for me to link to; just Google “passwords for chocolate”).

What’s the moral? I think it’s a somewhat paternalistic one; privacy professionals have to be the ones to be the risk managers for the public, whether or not the risks are understood, and do our very best to educate what risks they really do run. At the same time, as you can see from the stories I’ve linked to, we need to also avoid being too alarmist as this seems to lead to unreasoning paranoia…and to rudeness to people in the service industry.

Nymity interview on Canadian response to the EU Draft Privacy Reg

Thanks to Nymity (again) for publishing an interview on the topic I covered at the IAPP Privacy Symposium in Toronto two weeks ago – the discussion from the audience during the session was great (and we were fortunate to have the Privacy Commissioner, Jennifer Stoddart, attend the session). I certainly got a lot out of that myself, and I think it has helped develop my thoughts on the topic.

Nymity Interview: http://www.nymity.com/~/media/Nymity/Files/Interviews/2013/2013-06-karbaliotis.aspx

OPC Discussion Paper a starting point for change to Canada’s #privacy framework

The Privacy Commissioner of Canada released her office’s Discussion Paper last week, announcing it at the IAPP Canadian Privacy Symposium. The timing could not have been better for me personally, as I was due to deliver a talk the next day at the IAPP entitled “Canada’s Response to the EU Privacy Regulation.” The Discussion Paper was of course (and properly) focused on the needs of Canadians, but offered this about the EU:

“It is an open question as to what effect the proposed Regulation, if passed in its present form, might have on Canada’s adequacy status, given the current state of PIPEDA.”

This of course led nicely into my presentation. Nymity has kindly done an interview of me on this and I will link to that when it is available; what I want to talk about is the substance of the proposed changes to PIPEDA.

There are four main areas identified in the Discussion Paper for update:

  • Mandatory breach notification;
  • Increased and effective enforcement powers in the Office of the Privacy Commissioner of Canada;
  • Tightening controls on lawful access; and,
  • Increasing organizational accountability for privacy

Needless to say, I agree with all these changes. How we do so is important:

  1. Coordination with the Provinces: We do not want or need the kind of patchwork that the US has to endure. It is not helpful to organizations to have different standards for breach, time limits and procedures varying from province to province or with the Federal government. In fact, the need for coordination goes beyond breach: we need to ensure we continue to have our laws founded on the same principles, and using the same ideas and tools. The collaborative nature of our commissioners has facilitated this (more on this below), but perhaps we need a ‘model law’ with an appropriate allocation of responsibilities between federal and provincial commissioners, and harmonization of breach requirements, accountability and risk management concepts. I pointed out in my talk how much of our reputation internationally is due to the good luck we have had with privacy commissioners, both federal and provincial. Another aspect of that good luck is the degree to which they work together. PIPEDA (and each of the provincial laws) should encompass shared investigations and responsibilities; we cannot leave the willingness to collaborate between levels to luck, as this is essential for a federal system of shared responsibility for an effective privacy framework. In fact, I think the ideal way to address the challenge of the EU Draft Regulation would be a joint federal-provincial review and update of our legislation – obviously not something the Federal Commissioner can propose in a Discussion Paper on updating PIPEDA, but something we in the privacy community should discuss.
  2. Breach Thresholds: While the Discussion Paper does not go into detail on this, I believe the prevailing view of privacy professionals is that Bill C-12’s provisions did not go far enough when it was introduced (in 2011), and certainly do not now. I think it is helpful to look at recent developments south of the border: HIPAA in the US was recently updated with the Omnibus Rule to establish a lower threshold for notification of HIPAA breaches, in large part due to the recognition that ‘substantial risk of harm’ was leading many organizations to conclude that notification was not required, perhaps in more circumstances than warranted.
    The Alberta model of ‘real risk of significant harm’ and C-12’s “material breach” of security are subject to the same criticisms. The Omnibus Rule’s new test relies on the presumption that a disclosure is a breach unless a four-point risk assessment determines that there is a low probability that protected health information has been compromised. While I like the Alberta model otherwise, I believe it would make sense to utilize the HIPAA Omnibus threshold, as well as the risk assessment piece; Alberta already has this concept embedded in its Mandatory Breach Reporting Tool.
  3. Notification: I also like the notion that not all ‘breaches’ are reported to individuals. While it may make sense to require mandatory reporting to a commissioner’s office to ensure that there is oversight, there are many ‘events’ which simply do not amount to a situation requiring that individuals be notified and made concerned. The typical event is where personal information is sent by e-mail to an incorrect party with which the sender has a relationship; the usual course is to have the e-mail deleted, both from the recipient’s mailbox and the company systems, and to obtain a confirmation that the data has not been disclosed or retained. This is not a situation requiring notifications; the recipient is often in a position of responsibility in the recipient company, and has notified the sender of the mis-sent e-mail, so it would be difficult to see how there could be a risk of mis-use. I highlight this scenario because it is very common and yet, under some state laws, can easily require notification to individuals. With oversight, I believe it is possible to resolve most of these issues without unduly alarming people. I don’t buy into breach exhaustion; I do believe that lack of understanding is a major reason why only 15-20% of credit monitoring offers are usually taken up by the individuals receiving them after a breach notification – even though it’s free. This is why, to some extent, we in the privacy community must act as risk managers for the public.
  4. Increased Enforcement Powers: I agree that these should be enhanced; the main concern that most in the privacy community have is over whether this would ‘chill’ the otherwise informal, open, ombudsman-like role the Commissioner’s office plays in resolving privacy issues between organizations and individuals. I once observed at an IAPP event in the US, where FTC Commissioners were holding a town hall, a lawyer refuse to identify himself when asked to by an FTC Commissioner during a question – I think we never want to reach that level of mistrust. I think that this could be addressed by ‘codifying’ some of the alternative dispute resolution mechanisms that the Office can employ – conciliation, mediation and arbitration – at the same time that enforcement powers are enhanced. This role could be further protected by ensuring that the ‘conciliation’ and ‘enforcement’ arms of the OPC have an ‘ethical’ wall between them, so that organizations feel comfortable in sharing information with the OPC.
  5. Accountability for Cross-Border Data Transfers: The Commissioner remarked during her speech at the general session at the IAPP Privacy Symposium that it was difficult to assert that we had effective control over flows of data out of Canada to the EU, given the limits of her enforcement powers. It is ultimately not only a matter of having fine-making powers; cross-border issues will also have to be addressed under the accountability provisions, so that organizations taking personal information out of Canada can ensure that there are adequate controls to carry Canadian privacy principles along with the data. “Adequacy” is met by use of the Model Clauses in the EU; but frankly, the use of agreements has become a very bureaucratic system requiring registrations, fees and much headache, due primarily to the logistical challenges of multi-nationals having to meet the formalities of the agreements. We can do better; we can require, through governance or through contract, accountability for the management of data in accordance with the commitments made to Canadians, and that this accountability ‘travel’ with the data. We leave it to the organization to determine how best to do so, knowing that they may be called upon to defend it.
  6. Lawful Access: I won’t pretend to the knowledge that others, particularly Michael Geist, have on this topic, but the Discussion Paper’s emphasis on disclosures of access requests was interesting to me for what is missing: accounting not from the recipients of such requests, but from the makers. Professor Geist has put forward quite a detailed set of ideas to deal with the last version of ‘lawful access’ under Bill C-30, but the most important one is that suggested by Ontario Privacy Commissioner Dr. Cavoukian, which is an independent body to review lawful access requests. I don’t know that a new body is needed – perhaps the accounting can go simply to the Federal Commissioner’s office – but oversight, again, will help to facilitate legitimate law enforcement needs while retaining accountability.

I am sure that there will be many thoughts expressed from many quarters; I think the Discussion Paper is an invitation to do just that, discuss, but more importantly, I think we need to create some urgency for change with the legislators, to move forward at last on updating the Canadian privacy framework.