One IT issue stands head and shoulders above others in terms of importance in 2017 – the General Data Protection Regulation (GDPR). Its impact goes well beyond the IT team; it has wide-reaching implications at board level, and any organisation which does not begin serious preparations in 2017 will struggle to meet the May 2018 deadline and put itself at serious business risk.
Risk management expert Mark Child of Newable Consulting, who has worked extensively with the Information Commissioner’s Office on this and previous legislation, describes it as “the most seismic shift in data protection in the last 50 years”. What makes GDPR different is the high and potentially disastrous cost of getting it wrong.
Having spent most of my career working with clients in the financial sector, one of the questions always asked was: “What is the cost of mitigating this risk versus the cost of carrying it?” The stakeholders would evaluate potential impact against probability and after contemplating the cost of a solution would often decide to carry the risk.
The balance has tipped for GDPR because the penalties for a serious breach are substantial. First, there is a large and damaging fine for the organisation concerned – €20million or four per cent of annual worldwide turnover, whichever is the greater. If GDPR had been in force for the recent Tesco Bank breach, the fine would have been calculated on the turnover of the entire Tesco group (£48.4bn), so would have been £1.94bn.
In comparison, the maximum fine for a breach of the Payment Card Industry (PCI) Data Security Standard has been £500k. Secondly, there is a potential personal penalty for senior executives. The Culture, Media and Sport has suggested that a portion of CEO compensation should be linked to effective cyber security, and there should be a full range of sanctions for a serious breach, including custodial sentences.
The government has confirmed that Brexit will have no impact on GDPR implementation. It applies to every entity that collects, processes, accesses, shares, stores, hosts and/or transfers European personal data both inside and outside Europe – in other words, any organisation that does business with the EU or employs EU citizens.
Service providers or ‘data processors’, who were not previously subject to the more restrictive aspects of data protection legislation, will also now be affected. Organisations that use third parties will have to ensure that their data provider complies with the regulations as, if there is a breach, both data processor and data controller will be considered to have shared liability and will be fined.
Scoping the compliance challenge
The good news is that GDPR only applies to Personably Identifiable Information (PII). Organisations should beware of both scaremongers telling them that the regulations apply to all data and of GDPR following the ‘cloud washing’ trend i.e. vendors rebranding an old product or service by associating it with GDPR. Technology may help, but its role is to enforce policy and support process and people to ensure compliance with the regulation.
PII may comprise as little as two per cent of an organisation’s data, so the first step is to categorise data. Systems such as email, for example, may not hold PII and therefore do not need to become part of the compliance envelope. Once the organisation knows where PII is held, it can be segregated and appropriate controls and processes put in place. Businesses will have to invest time and effort in designing processes with data protection at their heart and in ensuring that they meet record-keeping obligations. They will also need to delete data if it is no longer used for the purpose for which it was collected – and they may hold it in multiple places. Those which have achieved ISO27001 will find that this will help, but are likely to need to overhaul their framework to ensure compliance.
Organisations will need to review their contracts with third parties, and include a right of audit in their contracts. Regular data protection training will be required and will have to be extended to contractors and other third parties, and every organisation should have a breach response plan which is tested annually. The people behind these processes need to be educated. There is also a new requirement that all public authorities and any organisations where the core activities of controller or processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data’ will have to employ a dedicated Data Protection Officer.
Organisations need to build a transparency framework that re-thinks how they engage with individuals, from contracting and permissions processes to providing clear and comprehensive information on how they handle PII. They can no longer have pre-ticked boxes or assume consent, but have to obtain unambiguous, positive consent from each individual. If existing data does not meet these criteria, they will have to seek consent. GDPR covers a wide range of PII, and can include URLs, biometrics and physical data, as well as pseudonymised data if it can be reversed back to its original form.
There are therefore significant advantages in having personal data encrypted. A clear process is required to handle Subject Access Requests i.e. a request from an individual for the information held on them. Individuals will have enhanced rights of access to their data and to demand cessation of use, termed a ‘right to be forgotten’. They will also be able to sue for compensation if they are impacted by acts of non-compliance.
When a breach of security or confidentiality occurs, organisations will have to notify the regulator within 72 hours of learning about the breach. In serious cases, they will also have to notify the people affected. This places increased responsibility on organisations to be able to identify when a breach has occurred. Regulators will have unprecedented powers to intervene in business and shape how organisations conduct their operations – and to impose the heavy penalties already discussed.
Preparing for GDPR
In order to be ready for the GDPR deadline, organisations need to begin preparing now. Surprisingly, we are still finding clients who have not heard about the new regulations. There is excellent technology available which can help, but the first step must be to examine data privacy compliance and to understand how not only how data is collected, stored, used and deleted, but what data is actually needed to manage the business and employment relationships. Becoming GDPR compliant will be a significant achievement, and potentially one of the screening criteria for tenders in the future.
The first organisations to become compliant should use it as an accolade, enabling them to show that personal data is safe in their hands.
Image source: Shutterstock/alexskopje
Mike Gallagher, solutions director, EACS