Acting on Data Protection
Posted by Charlie Mayes, Managing Director, DAV Management.
New legislation and expected changes to regulations such as the General Data Protection Regulation (GDPR) can be extremely daunting for both public and private sector organisations. One of the principal reasons for this is that many of these don’t always have the manpower and/or expertise to deal with some of this legislation, which can make the task in hand feel onerous.
However, there is good reason why we must ensure that we comply. You only have to look at last year’s global ransomware attack, WannaCry, to understand why it is so important to make sure that we have the right processes, policies and practices in place to not only comply with regulation but also protect our businesses and our customers. WannaCry infected hundreds of thousands of computers in more than 150 countries. This included at least 16 organisations affiliated with the NHS, wreaking havoc for hospitals and patients alike.
The attack was a timely reminder of the inherent vulnerabilities of the Internet and stark evidence that many of the technologies on which we have come to rely are not always as resilient as we would like to think. It is a perfect example that highlights why robust information security is so important. The most basic of practices like backing up data, updating software and repeating these activities routinely, might have prevented these organisations from falling victim.
Protecting such data has long been an obligation of all organisations and the Data Protection Act (together with its various antecedents) has provided the legislative core for protecting the associated rights of citizens in the UK for the last few decades. Yet, in the absence of an identifiable data breach, how easy or otherwise is it to test for widespread compliance? Particularly within the SME community, a group which some reports suggest is somewhat delinquent in this respect. However, with the advent of GDPR, the stakes are about to get higher and the pressure is on organisations to get their house in order.
Four years in the making, GDPR is the new EU legislation that will come into effect from May 2018. It builds on the previous EU directive, which has not changed since 1995 and had been deemed by many to be outdated. The UK, despite Brexit, is set to adopt the new legislation.
The good news is that with the introduction of GDPR most of the complexity around understanding the various local data protection regulations in Europe will be cleared up. Furthermore, GDPR is preparing for a new era now defined by cloud, mobile, social, big data and an increased exchange of data across national borders. In essence, GDPR affects all companies that process the personal data of EU-citizens. This also extends to companies that process data of EU citizens without having a physical presence in the EU.
Over the last few months there has been a proliferation of articles, covering GDPR. Most have echoed similar points about the need to prepare and what impact GDPR will have on organisations of all sizes. However, despite this and the fact that the GDPR is only some 3 months away, it would appear that many organisations are still not prepared or indeed preparing.
According to a survey of 700 companies of various sizes across seven European countries undertaken by analyst organisation IDC last year, almost 80% of IT decision-makers in these organisations had a poor understanding of the impact of GDPR or had not even heard of it. Of the 20% surveyed who said they were aware of GDPR, only 20% said that they already met the new requirements.
It feels like one of those scenarios where, for many organisations, the hardest part is getting started. Although GDPR builds on the existing Data Protection Act, it’s a sizable piece of legislation and I can understand why it may feel quite daunting, particularly for those organisations not blessed with subject matter experts or other resources that can step into these roles. But with closer regulatory oversight anticipated, especially on the SME community, it’s important to get going now.
Bear in mind that, for most organisations, there’s a good chance that many of the underlying processes will already be in place, at least in part and so the route to compliance may be shorter than anticipated. The key is to ensure that, as a business, you know what you need to do in order to prepare and that you give yourself adequate time and resources to ensure that you do this properly. Treat it as a project, with suitable terms of reference, clear accountability and appropriate governance. Within this framework, ensure your organisation becomes familiar with the changes that GDPR will require, carry out a thorough review of your relevant processes and undertake a focused risk assessment. The results will enable you to build and execute a plan that gets your organisation to where it needs to be, whilst managing any impact on business as usual operations.
Here are a few steps to help with your planning for GDPR:
- Raise awareness – make sure that decision makers understand the reasons for compliance and what the journey to compliance involves.
- Brief staff on the changes they can expect to the way they work, in particular, how they handle personal data.
- Perform a data audit and a risk assessment. It is impossible to implement an effective security policy unless you understand what you hold and the relative value of different types of data.
- Communicate clearly to data subjects – GDPR specifies that all data subjects should be made aware in clear language that their personal data is being collected, for what purpose, and how long it will be stored.
- Consider the purpose of data collection and think about how data is deleted.
- Understand data subject rights – data subjects have the right to request access to personal data related to them that an organisation may be storing or processing.
- Provide data subjects with the means to move their personal data away – this is a new and unexplored requirement. Organisations need to think about a common framework between others in order to comply with data portability.
- Make sure that you conduct a data protection impact assessment – especially in scenarios where data processing is likely to result in a high level risk to the data subject rights.
- The confidentiality, integrity and availability of data processing systems must be guaranteed and documented.
- Overall ensure you have effective policies and technology in place to limit your risk exposure.
It may feel as though there are priorities other than GDPR right now, but May will come round very quickly and the consequences for getting it wrong will be exponentially more severe. Transgressors will face fines of up to €20m or 4% of worldwide turnover, whichever is the larger, plus claims for compensation from individuals. That’s a pretty large incentive in itself, but as the UK’s Information Commissioner has recently commented: “The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.” Therefore, it is in the wider, best interests of businesses to ensure they get their act together when it comes to the new data protection legislation.