GDPR went into effect – and the first information leak is already here

The final GDPR panic in May could be compared to the millennium: prejudices, fear and plenty of talk about catastrophes – and in the end, the world never ended and the charcoal tablets were left in the cabinet.

“Of course, everyone wants to comply with the requirements of GDPR. The most important thing to understand is that GDPR is a constant and complex process that requires companies to constantly evaluate themselves. There is much to consider and it relates to, for example, the technology used and to the organization itself and its members”, says Roberto Camilli from Bird & Bird. “Every time business is developed or new services are launched, companies must make sure that everything is in accordance with GDPR.”

The honeypots are sealed well – but customers using services must also protect themselves

The first information leaks of the GDPR era have already happened. On 28 June 2018, the news told us that malware had entered Ticketmaster’s information. According to the company, part of its customers' personal and payment information may have ended up in the hands of an unknown third party.

Camilli emphasizes that information leaks will continue to happen because hackers have not disappeared and cybercrime is a big business globally.

“Companies must prepare for information leaks and their consequences. If the company has prepared adequately, it will not necessarily be fined.”

Data centers can be considered honeypots that draw hackers.

“Companies offering data center services have very strict policies on information security, but the clients using data center services must also make sure that their processes and procedures are safe and in accordance with GDPR”, says Jack Bedell-Pearce, Managing Director at 4D Data centers.

A company using data center or cloud computing services is always responsible for the handling of the information that they collect

Companies are responsible for the personal information that they collect and handle. The responsibility cannot be outsourced to a third party.

“For example, companies are responsible for how the data is protected, how it is handled and how it is deleted. Data center and cloud computing service providers are considered data processors, and the clients using their services are also responsible for ensuring that the data processor fulfills its own duty in accordance with the GDPR requirements”, says Eero Lindqvist, Senior Development Manager at Telia.

Telia offers its clients data center and cloud computing services. Telia’s new data center in Helsinki, for example, has a very high security level.

“Security has been taken into account in everything, such as strict access control. The physical security of the building is protected, for example, by round-the-clock guarding and various structural solutions”, Lindqvist shares. “The data center also includes facilities that fulfill the requirements of the Government Information Security Management Group VAHTI.”

The extremely high security level is also guaranteed by certifications. In addition to the ISO 27001 certification, Telia has also applied for the ISO 22301 certification for the data center and it will be the first one of its kind in Finland. The ISO 27001 certificate guarantees that the data center’s processes and operations are adequately secure and the ISO 22301 certificate ensures that the continuity of the processes is managed.

“The data centers’ security policies are, however, useless in a situation where a client using the cloud computing service transfers their data into the cloud and leaves it unprotected, which means that all of their information is available to anyone. There are surprisingly many cases like this, and for hackers, it means that they do not even need to break into the company’s data systems; they can simply read the unprotected data from the cloud.”

The latest case was reported in the media on 27 June 2018, when Exactis was caught after leaking the information of 340 million people online. According to Wired, the leaked database was on a public server and it had no protection whatsoever.

“Companies must make sure that their processes and instructions are in order. Information leaks might be impossible to avoid completely, but there is no reason to be stupid about it. In these cases, sanctions can be monumental in many ways”, says Lindqvist.

This article is based on a panel discussion in the DataCloud Europe 2018 event. The discussion participants were Roberto Camilli from Bird & Bird, Jack Bedell-Pearce from 4D Data centres, Olivier Labbe from Cap Ingelec, and Alex Rabbetts from EUDCA. Furthermore, specialist Eero Lindqvist from Telia was interviewed for the article.