The American decision to bug Chancellor Merkel’s private mobile has several consequences. All of them will affect us – by which I mean business decision makers – sooner, and more thoroughly, than we’d like.
The obvious part is that our compliance costs are about to go up. We already knew that the European General Data Protection Regulation is coming, and that it will mean more work for us, and changes in the way we do business. It’s not final yet, and each country’s implementation will vary, but Germany’s outraged response to the Snowden revelations can only mean greater impetus behind Merkel’s vision of a digital “Fortress Europe”. It’s also likely to further harden the French attitude to corporate data processing – and, by extension, ‘foreign’ corporates in general.
Some things you need to think about:
Where’s your data? If it’s in the cloud, where’s it stored, and by whom? Merkel’s wrath might, conceivably, lead to revision – or, more radically, abrogation – of the US/EU Safe Harbour agreement. This will mean checking the data protection clauses in all of your supplier agreements – you know, the stuff in the one-inch-square box just above the “I accept” button you clicked when you signed up. Of course you’re sure that all your data’s in a compliant location at the moment. Aren’t you?
What controls do you have in place? We can expect greater focus on accuracy; on resilience; on disclosure – how quickly, and how well, can you respond to a subject access request right now? – and on removal. Can you purge all your backups of individual account data? Can you remove personal information not relevant to transaction history without your systems falling over? You’ll need to.
How secure are you? Personal data breaches are already costly and embarrassing. Combine a wider definition of personal data with stricter control requirements and fines of 2% of turnover and they start to look ruinous. Remember that most breaches are the result of internal error, not external malfeasance.
Remember I said “the obvious part” earlier? Here’s the less obvious part: the external security threat is also increasing. What’s this got to do with Snowden?
Firstly, more genies have been let out of more bottles. Various impossibilities are alleged to have become possibilities, like cracking RSA encryption, or monitoring GSM voice calls. If the NSA and CIA can do it today, so can the Chinese, and soon enough the teenage hacker in his bedroom. Thank Moore’s Law for that.
We also know that a number of large organisations have been co-operating willingly with US agencies in the disclosure of data. If they’re used to handing sensitive information over to authoritative-sounding acronyms, who’s to say all their staff will really check before they reveal information to a plausible-sounding caller? That information, of course, could be yours.
Finally – and I grant this is contentious – thanks to the NSA decision to sack 90% of their systems administrators, it looks like a lot of smart people with specific skills in these areas are about to be available in the labour market, and annoyed. I’m sure most of them will behave with scrupulous rectitude. But there are always a few bad apples.
So while your main risk remains poor processes and your own staff, and your main cost remains compliance with legislation, you’re going to have to deal with a wider range of external threats too. Ain’t life grand?