There is no escaping the subject of the EU’s Global Data Protection Regulation (GDPR) at the moment, from new services and solutions being offered to blogs, webinars and conference presentations all focusing on the 25th May 2018 deadline for compliance.
And yet, some organisations are still unsure how, or even if, GDPR will affect their business and what steps they need to focus on to meet its requirements. What will be considered “good enough” by Supervisory Authorities when the fateful date comes around? Is this all just an exercise in selling snake oil by the IT security industry (‘another Y2K’ as I’ve heard GDPR referred to on several occasions)? By virtue of the GDPR being a piece of legislation, there is no simple answer to questions like ‘what does good look like?’ and ‘how high will the fines really be – will they really get anywhere near the often quoted four per cent of worldwide annual turnover?’ One certainty is that organisations do not want to be among the first test cases to find out. This is why complacency must be avoided.
Many organisations considering GDPR compliance place their hopes in existing controls or past experience with legislation. Some hope they will be told it doesn’t apply to them. This is why it is paramount that all businesses understand the danger of complacencies over GDPR compliance.
Complacency 1: Understanding what constitutes personal data
If an organisation only processes their employees’ personal data, is that still in scope of GDPR? And what about user id’s that individuals use to authenticate to its IT systems and perform work activities? An employee’s personal data is as much in scope of GDPR as customer personal data. The legal basis for processing the data may be less challenging to clarify and document (to meet the regulation’s ‘Accountability’ principle), but the information must be appropriately secured and managed throughout the processing lifecycle i.e. from collection to removal.
The definition of what constitutes personal data expands alarmingly. The regulation definition is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly…” This can now include data such as an IP address if it is possible to trace its use back to an individual. Even basic contact information like customer names and email addresses will certainly be in scope of GDPR and need to be appropriately protected.
Complacency 2: Relying on existing standards and controls
Another potential area of complacency is the reliance on certification to the ISO 27001 security standard or the Payment Card Industry Data Security Standard (PCI DSS). Implementation of controls aligned to the ISO 27002 standard or certification to ISO 27001 and PCI DSS is a great start, but these controls only meet part of GDPR requirements. Concepts such as Data Protection by Design/Default and Data Protection Impact Assessments are not specified within the ISO 27000 standards and the ability to pass a certification audit at a specific point in time doesn’t necessarily equate to ongoing compliance.
Any controls implemented for these standards will need to be extended and perhaps hardened to include all types of personal data, particularly if data considered to be “special category” is processed. This includes data revealing racial or ethnic origin, political, religious or philosophical beliefs; health related data or sexual orientation as well as genetic and biometric data. Processing of special category personal data is prohibited.
Complacency 3: Leaving compliance to the IT or legal team
Ownership of GDPR responsibilities can be an area where complacency leads to problems. If an organisation’s GDPR compliance activities are being managed by a specific team or department such as legal or IT in isolation, there is a risk that only concerns relating to that group are considered and acted upon. Departments including legal, IT, HR, Marketing and other business functions must all be involved in a GDPR compliance programme with visible support from the executive level.
Complacency 4: Thinking the third party provider has taken responsibility
Outsourcing the processing of personal data to a third party is not an easy answer to achieve GDPR compliance either. Processors are indeed liable for protecting PII under the GDPR but the responsibility is still on the data controller to ensure processors implement the ‘technical and organisational measures’ to protect the information. This can be achieved through inclusion of security requirements in contractual agreements and security assessments of the third party’s implemented security controls both pre-service commencement and regularly as part of audit activities.
There is an argument that the GDPR has many of the same requirements as the preceding Data Protection Directive 95/46/EC and associated national laws such as the UK Data Protection Act 1998. If an organisation has not been found in violation of those laws why would it be considered non-compliant with the GDPR? The difference between the Directive and GDPR is that this regulation has teeth. With increased maximum fines for non-compliance and the likely desire from Supervisory Authorities to set an example, doing nothing is high risk.
Greater awareness of GDPR, and the increased rights of Data Subjects (including withdrawal of consent, deletion and portability), will require a change in the relationship between organisations and their customers and employees as well as between businesses.
As a minimum, organisations need to understand what personal data they are processing, or that third parties are processing on their behalf, and whether that specific data needs to be processed. Are business processes duplicating the collection, transfer or storage of personal data or is too much of the data processed unnecessarily? Reducing the scope of processes, people, locations and technology that need to be considered when implementing security controls can significantly reduce cost and complexity of a GDPR compliance programme.
The importance of risk insight
The word risk appears multiple times in the regulation, and the assessment of risks should underpin any GDPR compliance programme. Evidence that risk assessments have been performed and acted upon, even if mitigating activities are ongoing and not fully implemented, are likely to be looked upon more favourably in the event of a breach or complaint from a data subject, than a plea of ignorance or wrongly judged complacency.
Getting specialist advice on the legal basis for processing of personal data and challenges like cross-border transfers is essential, as is the need for IT security expertise around aspects such as;
- Implementing appropriate technical / organisational measures and measuring their effectiveness through healthchecks and maturity assessments
- Reviewing and testing incident response processes to meet the GDPR requirement of breach notification to a supervisory authority within 72 hours. If considered high risk, individuals affected must also be notified.
- Managing third part processors by assessing their implemented security controls and meet requirements specified in contractual agreements
- Perform Data Protection Impact Assessments (DPIA) processing data that is likely to be considered high risk and implementing identified mitigating security
- Applying the concept of Data Protection By Design or Default when developing, designing, selecting and using applications, services and products that process personal data
- Applying the concept of Data Protection By Design or Default when developing, designing, selecting and using applications, services and products that process personal data
Organisations can’t hide from GDPR compliance, so don’t be complacent. In fact, it could well be the new differentiator and benchmark to promote brand confidence.
Rob Bickmore, Principal Security Consultant, NTT Security
Image source: Shutterstock/Wright Studio
No comments:
Post a Comment