Don’t be caught out by new EU data protection rules that impose more stringent monitoring and reporting requirements on UK businesses
On 25th May 2018, new rules concerning the collection, storage and processing of personal information relating to individuals in the European Union (EU), regardless of nationality, come into force, and non-compliance could result in expensive fines for UK companies.
The EU general data protection regulation (GDPR) was designed as a replacement for the existing EU data protection regime, now updated to accommodate changes in the way that companies process, transmit and store electronic data.
Its remit extends to any organisation that handles personal data (whether names, addresses, photos, email addresses, bank details, social networking posts, medical information or IP addresses, for example), has a presence in EU countries or offers products and services to markets within those countries.
The key elements of the GDPR are bigger fines and a breach notification duty. Administrative fines can reach €20m or 4% of a company’s annual turnover, whichever is the greater; turnover is assessed at group level, so multinationals could face significant financial penalties. There is also a legal obligation to notify the relevant supervisory authority of any data breach within 72 hours of it occurring and, in some cases, to notify the affected data subjects without delay.
In certain circumstances, organisations may be required to appoint a dedicated data protection officer (DPO) to handle compliance through regular and systematic monitoring of data. Data subjects also gain additional rights, namely the right to have their personal data erased on request, or transferred from one electronic processing system (or supplier) to another in a common, easily portable format without obstruction.
In preparing to meet GDPR compliance, the first step should be to ascertain what personal data a company holds that will be affected by the GDPR. The ICO has published draft guidelines on what IT departments should do in preparation for compliance with the GDPR, though much of the advice centres on a strategic rather than a practical approach.
Key pieces of advice include documenting the personal data which falls under regulatory scrutiny, perhaps via an information audit, and checking current procedures to assess whether rules around the deletion and/or storage of that data, its format and electronic transfer policies meet requirements.
That review should cover data processing procedures and the legal basis for carrying them out. The methods used for seeking, obtaining and recording consent to store and process that data should also be reviewed, so that any necessary changes can be implemented in readiness.
With fines for data breaches set so high and strict rules on when and how to notify the relevant supervisory authority (likely the ICO) of any problem, attention should be paid to making sure the right technology and procedures to detect those breaches are in place alongside investigation and reporting tools able to quickly extract and present the relevant information.
Translating those guidelines into points of action:
Appoint a DPO: If needed, a data protection officer should be appointed, or at least somebody within the organisation who can take responsibility for GDPR compliance. Smaller companies may not want or need to appoint a DPO, but if appointed they must follow certain rules laid down in the GDPR.
The DPO can be existing IT managers or directors, chief information security officers (CISOs) or chief information officers (CIOs) – there is no bar against an individual having multiple roles. It may also be a good idea to send them on training courses to learn about the legal requirements/IT procedures too, though there is a large volume of information freely available that may negate that requirement.
Develop and articulate a clear, transparent policy to customers: this should set out how their data is being collected in a form that is easy for them to read and understand, not obscured by complex legalese. State what personal details are being collected and that they will be used only for an exact purpose within the boundaries of consent.
Enable an opt-in, rather than an opt-out, requirement for data sharing: the GDPR does not allow organisations to share information by default on the basis of assumed consent. Rather, the data subject has to specifically opt in to any data sharing scheme, and service or application usage policies must be adapted to meet this requirement.
Make sure new data breach reporting timelines can be met: the 72-hour deadline to report a breach is tight, and organisations must move fast to collate and transmit the necessary information to the relevant authority. Compliance reporting timelines should also be written as standard into incident response plans.
Implement adequate controls for tracking and managing data: some organisations will already have implemented e-discovery software or other systems that track and manage data as it is routed across their network, storage and server infrastructure. But the portability and right-to-erasure requirements enshrined in the GDPR put more pressure on those systems, which will have to quickly locate, transfer and erase all traces of that data on request.
Alongside tracking software, a further way to protect your data is to “pseudonymise” or anonymise it as part of an overall strategy to protect and secure your staff and customers. Encryption can be implemented in a variety of ways in a network to help protect against, and in some cases identify, a range of security attacks such as DDoS. For example, advanced optical networking equipment with built-in support for in-flight encryption provides a simple and cost-effective means of ensuring that all data leaving your premises is protected. Equally, if encryption software or services are already used in the network for customer data, there is no reason they can’t be used to protect business tools as well.
Prepare to conduct data protection impact assessments (DPIAs): watch out for the EU’s forthcoming list of the types of data processing it considers high risk, which will require a DPIA to be conducted (examples include anything that involves a high level of automation, large-scale video surveillance in public areas, the use of genetic or biometric data, or information pertaining to children). In preparation, DPIA methodologies should be adapted and applied to all relevant systems, and compliance requirements integrated into wider risk assessment plans. Organisations should consider how to mitigate those risks using methods such as data encryption and anonymisation.
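The two preceding points both recommend pseudonymisation as a mitigation. The following Python is an added example, not code from the article or from Axians, showing what keyed pseudonymisation looks like in practice and how it supports the access, portability and erasure rights described earlier: the direct identifier (the email address) is replaced by an HMAC-SHA256 token, the key is held apart from the data, and destroying the key (“crypto-shredding”) makes every token unlinkable to a person. All class and function names are hypothetical, and the customer records are constructed sample data.

```python
"""Keyed pseudonymisation of customer records (added example, hypothetical names)."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample "customer table": hypothetical data, not real people.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "order_total": 120.50},
    {"email": "bob@example.com", "postcode": "M1 1AE", "order_total": 42.00},
    {"email": "Alice@Example.com", "postcode": "SW1A 1AA", "order_total": 15.25},
]


class Pseudonymiser:
    """Derives stable, keyed tokens for direct identifiers.

    A plain SHA-256 of an email address is NOT pseudonymisation: anyone with a
    list of addresses can re-derive it. An HMAC with a secret key can only be
    computed by whoever holds the key, which in production would live in a
    KMS/HSM rather than beside the data.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)

    def token(self, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("key has been shredded; tokens can no longer be derived")
        # Normalise so that "Alice@Example.com " and "alice@example.com" map to one subject.
        normalised = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def shred_key(self) -> None:
        # Crypto-shredding: without the key, no existing token can be re-linked
        # to a person by anyone, including the controller itself.
        self._key = None


def pseudonymise_records(records, p: Pseudonymiser):
    """Replace the identifier with a token and minimise the remaining fields."""
    out = []
    for r in records:
        out.append({
            "subject_id": p.token(r["email"]),
            # Data minimisation: keep only the outward code, enough for regional reporting.
            "postcode_area": r["postcode"].split()[0],
            "order_total": r["order_total"],
        })
    return out


def lookup_subject(records, p: Pseudonymiser, email: str):
    """Subject access request: find every record belonging to one person."""
    sid = p.token(email)
    return [r for r in records if r["subject_id"] == sid]


def export_subject(records, p: Pseudonymiser, email: str) -> str:
    """Portability request: the subject's records in a common machine-readable format."""
    return json.dumps(lookup_subject(records, p, email), indent=2)


def erase_subject(records, p: Pseudonymiser, email: str):
    """Erasure request: drop every record that belongs to the subject."""
    sid = p.token(email)
    return [r for r in records if r["subject_id"] != sid]


if __name__ == "__main__":
    p = Pseudonymiser()
    store = pseudonymise_records(CUSTOMERS, p)
    print(export_subject(store, p, "alice@example.com"))
    store = erase_subject(store, p, "alice@example.com")
    print(len(store), "record(s) remain after erasure")
    p.shred_key()
```

The key, not the token table, is the sensitive asset: while it exists, access, portability and erasure requests can be serviced by deriving the subject's token; once it is shredded the whole table becomes unlinkable in one operation, which is a useful fallback when records are spread across backups that cannot be individually edited within the response deadline.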
Security measures need continued review, together with a strategic procedure to protect customers and the business itself from cyber-attacks. Reviewing alerts and logs to establish incidents and identify improvements is essential. Viewing and analysing that information is a sound foundation for security management and will help organisations measure the success of their security strategy.
Security management is not a process that will be completed overnight. It is an advanced process which maps out the challenges faced and the risks run by an organisation. Only then can a decision be reached on the risks and the security measures to put in place.
Through years of experience working across markets in the UK, Axians understand this mix of pressures. That’s why we naturally start securing the network by building an understanding of the customer’s objectives and challenges through our Security Assessment. We apply our specialist knowledge and expertise to ensure the network can help the business achieve its ambitions in both the short and long term. www.axians.co.uk