GDPR – how this time it’s all about the European Union enabling us to ‘take back control’
The countdown has begun to 25 May 2018, when the General Data Protection Regulation (GDPR) will apply across the EU (it formally entered into force in May 2016, with a two-year transition period).
What is it all about?
With a reported 76 percent of Europeans fearing that their data is unsafe in the hands of private companies, the primary objectives of the GDPR are to give citizens and residents more control over their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU. It supersedes the 28 current national data protection laws based on the 1995 Data Protection Directive (DPD).
GDPR was designed to protect individual EU citizens and their personal data held by third party organisations, to improve the management of data within organisations, and to standardise the term "personal data" across the 28 EU states. The definition of personal data has been widened so that it now expressly covers online identifiers such as your computer's IP address, as well as your genetic data.
Why is it important?
Preparation for GDPR is of the utmost importance, as it applies to every organisation that processes personal data, whether that data belongs to customers, employees or is received from third parties. It is unlikely that any organisation will remain unaffected: if you hold data on your employees in your HR department, your organisation falls within the scope of GDPR; if you share data with other organisations (including third parties and across borders), each party has an obligation to keep that data safe, verification may be required and contracts will need to be updated to reflect these accountabilities.
Infringements can attract fines of up to 4% of global annual turnover or 20 million Euros, whichever is higher. A personal data breach must also be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals.
What is a breach?
Under the current data protection regime a data breach is generally understood as an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual who is not authorised to do so. GDPR defines the term explicitly (Article 4(12)): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Note that this covers loss of availability and integrity, not only confidentiality. The recent WannaCry ransomware outbreak, which encrypted files on a large number of NHS systems and made patient data unavailable, would be deemed a data breach under the new GDPR definition. Data breaches may involve protected health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
What do we need to do to get ready?
Many organisations are aware of GDPR, but still have difficulty determining what to do next.
As with many elements of cyber security, organisational and human factors are just as important as any technical barriers put in place to prevent an attack. GDPR confirms this: Article 32 requires organisations to have a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures they rely on to ensure the security of processing, and to be able to demonstrate that they have done so.
Meeting the requirements will not be as simple as imposing new rules within an organisation; it will affect business operations down to core processes. Many organisations (public authorities, and organisations that carry out "regular and systematic monitoring of data subjects on a large scale" or large-scale processing of "special categories of personal data") will need to appoint a Data Protection Officer (DPO), and decide where this role sits within the organisation's structure and governance arrangements. According to a study by the International Association of Privacy Professionals (IAPP), this requirement means that in Europe alone 28,000 DPOs will have to be appointed in the next two years.
Expert resources will be key to driving these changes
It is expected that most private organisations will need to augment their existing compliance roles and responsibilities to fulfil GDPR roles.
For public authorities and larger organisations, GDPR specifies that DPOs will be responsible for activities including monitoring compliance, educating staff on security and GDPR awareness, and improving understanding of how to handle personal and sensitive data across the organisation.
Starting with a comprehensive data audit, the author recommends the development and enactment of scenario-based exercises, red teaming and advanced resilience testing based on both covert and overt scenarios, alongside the DPO's formal duties of advising on data protection impact assessments (DPIAs) and co-operating wherever necessary with the relevant supervisory authorities.
Clearly, to do the above effectively, organisations will need to ensure that assigned DPOs and any other relevant resources are trained and expert in cyber security. GDPR compliance requires appropriate technical and organisational security measures (Article 32), so the DPO will need to be up to speed with these and with broader organisational resilience. This will help to support the confidentiality, integrity and availability of personal data by disseminating cyber security best practice throughout your organisation.
This sounds hard, doesn’t Brexit get us out of this?
Regardless of the Article 50 process, the UK will be fully subject to GDPR from 25 May 2018, when it replaces the UK's Data Protection Act 1998, and the government has confirmed that the UK's decision to leave the EU will not change this.
Are there any silver linings?
Interim consultants with compliance and data security expertise will be in high demand to support businesses, large and small, who will be seeking to reduce exposure under this new regulation.
More widely, the new regulation strengthens the rules around consumer consent, giving us all the right to withdraw consent at any time, and withdrawing it must be as easy as giving it. Through "subject access requests" we already have the right to see what personal data organisations hold on us, and we can demand that such data be corrected or deleted. If you worry about embarrassing social media posts lingering online for years, the "right to be forgotten" (the right to erasure in Article 17) will soon let us ask for them to be removed, although the right is not absolute and can be refused where the data is still needed, for example to comply with a legal obligation.
As consumers, we will have more power; the EU is indeed helping us to get more control over our data.
About the Author:
Tayo is the CEO of Managed IT Services (MITS), who are InfoSec experts in IT security, GDPR/ISO due diligence, Cyber Essentials and PCI DSS solutions. MITS services range from providing security strategy to corporate organisations such as Telstra and large financial institutions, to providing a full IT service to SMEs.
With over 30 years of experience working in IT, from software development to IT strategy, Tayo is actively involved in working with start-ups and organisations who aim to accelerate their growth through innovative IT Solutions.