GDPR has been introduced to strengthen consumer rights and to bring international consistency to data protection laws and rights, in response to the increased use of technology and the digital transformation of how information is processed and stored.
GDPR came into effect in May 2016, with the Government giving businesses and organisations two years to comply before fines and penalties become enforceable from May 2018. If you are subject to the DPA, do business with the EU or hold data on EU citizens, it is likely that you will be subject to the new legislation. GDPR will apply even after Brexit in 2019.
The new GDPR rules are not enforced only against businesses; local government, hospitals, schools and charities will also need to comply. Any organisation that holds personal data on clients, staff, patients or pupils is in scope.
There will be firmer penalties and more demanding levels of compliance, including ‘The right to be forgotten’ (EU citizens can request that their data be deleted).
The UK has systematically under-reported breaches. Under the new regulations, data breaches will have to be reported within 72 hours of discovery, unless you can argue that the breach is unlikely to harm the individuals concerned because the data was encrypted or pseudonymized. Fines are 2% or 4% of global turnover, or 10 or 20 million Euros (whichever is greater).
Under the new GDPR rules many organisations will need to appoint a Data Protection Officer (DPO) for compliance: someone who is in direct contact with management but is not at board level or an administrator.
As a ‘Controller’ or ‘Processor’ of personal information you have a specific obligation to maintain records of your processing of personal information. GDPR applies to all personally identifiable information, including IP addresses, mobile device identifiers, HR records, biometric information (facial recognition, fingerprints, retinal scans etc.), customer lists and contact information, whether automated or manually filed. It also covers sensitive personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health data and data on sex life or sexual orientation.
GDPR requires that you show how you comply, e.g. by documenting the decisions taken about a processing activity.
Key Principles of GDPR
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (for example staff training, internal audits, HR policy reviews and encryption).
- Accountability: the ‘Controller’ shall be responsible for, and be able to demonstrate, compliance with these principles through the measures below:
  - Maintain relevant documentation on processing activities
  - Appoint a DPO (Data Protection Officer)
  - Implement measures regarding the DPA
  - Use data protection impact assessments (DPIA)
  - Adhere to codes of conduct and/or certification
As stated, fines for non-compliance can be 10 million Euros or 2% of global turnover, or up to 20 million Euros or 4% of global turnover, whichever is greater.
In addition to the fines, any person who has suffered material or non-material damage as a result of an infringement has the right to compensation from the ‘Controller’ or ‘Processor’ and can therefore claim damages. It is the ‘Controller’s’ responsibility to ensure that all contracts with ‘Processors’ comply with GDPR.
By May 2018 all organisations should have reassessed their data security, policies and procedures for compliance.
Article 5 sets out that personal data should be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specific, explicit and legitimate purposes – “purpose limitation”
- Adequate, relevant and limited to what is necessary – “data minimisation”
- Kept for no longer than necessary – “storage limitation”
- Kept securely – “integrity and confidentiality”
The key to data security is Confidentiality, Integrity and Availability (CIA).
Breach Notifications
A breach is more than just data loss: it covers destruction, loss, alteration or unauthorised disclosure. Data Controllers must notify the ICO within 72 hours of discovering a breach. They must also communicate the breach to the data subjects who may be affected.
It is recommended that data breach detection, investigation and internal reporting procedures be implemented.
Cyber security is not an IT issue; it is a board room issue. As an organisation you have a legal duty to protect your customers and staff. The ICO has suggested that directors who violate DPA laws should be personally liable to pay fines and compensation to those affected, and has indicated that it will take a tougher approach with regard to GDPR.
Key Message: It will apply to you. Prepare, budget, plan & do it now.
So what can you do to make sure that you comply with the new regulations?
Identify what data you hold, where it is stored and who has access to it (data mapping and scoping analysis). Assess the 4 V’s of your data – Volume, Variety, Velocity and Value – and how it is processed. Things you can do:
- Full vulnerability assessment testing
- Secure infrastructure to strengthen defences
- Encrypt sensitive data
- Review policies and procedures for data processing, storage and deletion (including recording consent given)
- Ensure there are procedures in place to detect, investigate and report on personal data breaches
- Data Protection Impact Assessment (DPIA) in high risk situations
The Ten Steps to Cyber Security
- Education and awareness – Staff training, policies & procedures
- Protect data at rest & in transit, including Home & Mobile working (Encryption)
- Secure configurations – security patches to be regularly updated
- Scan all media for Malware – implement removable media controls
- Monitor activities & Manage user privileges
- Incident response & disaster recovery plans – Incident Management
- Monitoring of all IT systems, networks, analyse logs
- Malware protection – Firewalls & Anti-Virus
- Network security for external & internal attacks
- Risk & Threat Management Co-ordination
GDPR encourages pseudonymization of personal data: the separation of data from direct identifiers, so that a record cannot be linked back to an identity without additional information that is held separately. This can be achieved with encryption together with key management, key rotation and key storage that provide a separation of duty.
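As an added illustration (not code from the original article), the following Python sketches that separation: a keyed token replaces the direct identifier, the keys and the link table are held by a separate custodian, and key rotation keeps older tokens verifiable. The KeyStore class, the field names and the sample record are assumptions made for this example.

```python
import hmac
import hashlib
import secrets


class KeyStore:
    """Versioned HMAC keys, held by a separate custodian (separation of duty).
    Constructed example: keys live only in memory here; in practice they sit in
    an HSM or secrets manager that the processing team cannot read."""

    def __init__(self):
        self.keys = {}
        self.current = None

    def rotate(self):
        """Add a new key version and make it current; old versions stay
        available so tokens issued under them remain verifiable."""
        kid = "k%d" % (len(self.keys) + 1)
        self.keys[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid


def pseudonymise(store, identifier):
    """Replace a direct identifier with a keyed token tagged by key version."""
    key = store.keys[store.current]
    mac = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return "%s:%s" % (store.current, mac)


def is_same_person(store, token, identifier):
    """Re-link a token to an identifier: only possible with the matching key."""
    kid, mac = token.split(":", 1)
    key = store.keys.get(kid)
    if key is None:
        return False  # key version destroyed or never held: no linkage possible
    expected = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def split_record(store, record, identifier_field):
    """Split a record into a pseudonymised part (kept with the processing team)
    and a link entry (kept with the key custodian)."""
    identifier = record[identifier_field]
    token = pseudonymise(store, identifier)
    data = {k: v for k, v in record.items() if k != identifier_field}
    data[identifier_field] = token
    return data, {token: identifier}
```

Deleting a key version (or the link entry) removes the ability to re-identify the records issued under it, which is how the separately held information supports deletion requests.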
With the increased use of technology to process data we need to implement technology to secure that data.