GDPR: should you be worried?
If, like me, you are old enough to remember the 1999 Millennium bug panic and the rush to update legacy systems before the end of the rational world as we knew it (Planes falling out of the sky, banks collapsing, etc.), then you will be familiar with the anxiety and feeling of impending doom that seems to surround the acronym GDPR and the date of 25th May 2018.
Notwithstanding the recent government announcement to make it appear as if tightening the legislation is their own idea instead of the EU’s, there are some real concerns and issues that face organisations now in preparing for the coming of the enforcement of what will be upon us pretty soon.
Contrary to some who believe GDPR is down to the organisation’s legal beagles, or the IT department, this is a root and branch level change in how we all perceive personal data, and is a learning curve required for all directors, employees, subcontractors, 3rd party data processors, et al. This change in perception precedes a change in behaviour. And as you will know, if you have or had children or cats, changing human behaviour is the trickiest thing to achieve. People are naturally suspicious of change. So, using the well-worn metaphor, it requires an effort in three arenas – People, Processes and Technology. People and Processes will take centre stage, aided by some clever technology solutions, but in a few years, your view of data will be radically different.
But how did GDPR come about?
The General Data Protection Regulation is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Modern technologies have changed the way we work with data, and GDPR is designed better to control the way we work with personal data today and are likely to work with it in the future. In addition, there is a much greater emphasis on compliance following a widely-held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to spread a far wider net to include small and medium businesses and the third-party contractors they use.
In December 2015 the European Commission, Parliament, and Council (of Ministers of Member State Governments) agreed the replacement of the Data Protection Directive with the General Data Protection Regulation to protect its EU citizens’ personal data, wherever in the world they resided. The Regulation will be transposed into national laws in every European Member State to have direct applicability on 25 May 2018, and the Data Protection Directive will be repealed.
How does a Regulation differ from a Directive? A Regulation is the identical law in every country of the EU, whereas a Directive requires each country to make its own interpretation of the law and pass it independently.
So you might ask, since we are leaving the EU, why do we need to worry? Well firstly, as at the 25th May 2018, we will still be part of the EU, so we must pass it into law, and enforce it; secondly, the UK government has declared that the UK will have as high a standard of regulation and enforcement after leaving the EU. So no luck there, I’m afraid.
You might also ask, well, surely this will only be for the biggest Organisations, to be hit with the €20m or 4% of global turnover fines for the worst breaches? Among the GDPR expert community we all feel that certainly early on there will be big fines for large and small companies to ensure compliance is attained by all, to make an example of some organisation so the others will follow.
Or you might hope in some rumours, that as with other Europe wide legislation, the activation date of 25th May will be pushed back a year. Well the Information commissioner’s Office (‘the ICO’) isn’t preparing for such an eventuality, and it would be rash for any organisation to bank on such an outcome.
So what exactly is GDPR?
GDPR at its essence, has 6 Data Protection Principles:
Lawfulness, Fairness and Transparency
Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject
Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality
Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss destruction or damage, using appropriate technical or organisational measures.
What this means for organisations
Complying with the regulation in its many 99 articles will require a massive programme of changes, but in view of the lack of time before it is law is enforced, we believe it can be segmented into actions to be taken in decreasing order of risk to organisations, what follows is our view of the greatest risk – a data breach.
Preventing a data breach
You may already understand the importance of implementing the right procedures to detect, report and investigate a data breach, but you may not know how to go about this effectively. These steps will help your organisation prevent a data breach:
- Find out where your personal information resides.
- Identify all the risks that could cause a breach of your personal data.
- Apply the most appropriate controls to mitigate those risks.
- Implement the necessary policies and procedures to support the controls.
- Conduct regular tests and audits to make sure the controls are working as intended.
- Review, report and update your plans regularly.
Some points to bear in mind
Personal data can be on server disks as databases, emails, or pdfs, on USB sticks, in the cloud, on laptop and pc hard drives, external disk drives, paper in filing cabinets, paper in storage, on backup tapes, and at your third party processors, if you have any, such as the outsourced payroll or HR departments, telesales and marketing companies, etc. Finding and listing them is usually a big task, so you should work up a project team. Also, with regard to Data Protection Principle point 3, Data Minimisation, you should find and delete all unnecessary data. A recent survey by Veritas found that 33% of all data stored is redundant, obsolete and trivial. So you could reduce the workload significantly by deleting the unneeded data.
You should note that the ICO considers even the loss of an unencrypted laptop as a breach requiring notification to them within 72 hours.
In future, security must be front and centre – securing your network and servers from external attack and doing penetration and other tests to check it really is secure, preventing unauthorised internal access, securing all USBs, mobile devices and staff owned devices that access corporate networks, etc. Document all the steps taken, and set up asset and risk registers to be able to show the ICO that you have taken the regulation seriously!
Once you have started the project to find and secure all the personal data in your organisational landscape, a procedure for handling a breach is a top priority. Similar to a disaster recovery plan, a data breach plan will need to be created. This needs to have a delegated staff team with contact details, actions to be taken, including who will decide if the breach requires notification of the ICO within those 72 hours following discovery of the breach, and so forth. All staff will need to be briefed on what is considered a breach and who to notify if they detect or even suspect a breach.
What else do I need to consider with GDPR?
We would suggest you consider appointing a Data Protection Officer if you haven’t already done so, with board level reporting, and use them as an over-arching resource for the actions needed, a programme manager for the multiple projects only hinted at here.
A big challenge will be the need to conduct these projects while continuing with business as usual, so resourcing for the projects that need to be completed will be a challenge. But with the alternative being a massive fine of €20m or greater, finding the budget for extra staff and expertise might be easier than you think.
START YOUR JOURNEY TO GDPR COMPLIANCE
Join us for our rountable events to learn more about our approach to assessing GDPR compliance and how we can help your organisation adopt Microsoft Cloud Security Technologies successfully, in time for GDPR enforcement next May.
About our author
Director | GDPR Specialists
Lawrie Siteman is a director of GDPR Specialists Ltd, a company of independently certified GDPR experts, with resources available to assist organisations prepare for the Regulation. GDPR Specialists offer packages of templates to simplify the processes and procedures needed to speed the route to compliance, will brief and train staff, deliver penetration testing, and be an outsourced Data Protection Officer. GDPR Specialists have also reviewed and can advise on suitability of many software tools available for a variety of databases and unstructured data, and consent management. Lawrie can be contacted through Content and Code or directly on 020 3896 3896.
The Office 365 productivity suite is made up of many applications that work together to enable a more productive workforce. As such, there are many opportunities to change how employees work - both as individuals and as teams. However, problems can often arise...read more
Digital Transformation in 2018 Masterclass Align your business objectives to Microsoft Technology Date: Thursday, 22nd February | Time: 9.30am – 1pm | Where: Fountain House, 130 Fenchurch Street, London, EC3M 5DJ As the modern workplace advances with new and...read more
I just wanted to share some lessons learned from a recent SharePoint migration project we have undertaken using both the Metalogix Essentials and Content Matrix tools. In this post I will share some potential pitfalls so that hopefully you can rectify these...read more