Can you ignore GDPR?
The truth about The General Data Protection Regulation and common misconceptions
We have heard many worrying comments made with regard to the biggest overhaul in data protection for the last 20 years.
These comments range from “we don’t think it’s a big deal” to “Brexit means that it won’t happen”.
Not only is this very dangerous language, it’s also plainly not true! The GDPR will affect UK organisations regardless of Brexit, and any organisation ignoring it will potentially face astronomical fines that could stop it from trading. It really is that simple!
The most significant change in data protection for twenty years
The General Data Protection Regulation (GDPR) imposes new rules on organisations that offer goods and services to people in the European Union (EU), or that collect and analyse data tied to EU residents, no matter where they are located. LAN2LAN believes the GDPR is an important step forward for clarifying and enabling individual privacy rights:
– Enhanced personal privacy rights
– Increased duty for protecting data
– Mandatory breach reporting
– Significant penalties for non-compliance
The last time we made a data protection law of significance was 1998. To put that in context, it was a time when Bill Clinton “did not have relations with that woman”, France had just won the Football World Cup, a very young Matt Damon and Ben Affleck won Oscars for ‘Good Will Hunting’, and Pokemon dominated the school playgrounds.
So what has been the driving force for this legislation? Well, it all started with this guy:
Mario Costeja Gonzalez took Google to court in Spain for his right to be forgotten. The outcome of the ruling is that an Internet search engine must consider requests from individuals to remove links to freely accessible web pages resulting from a search on their name.
This was the catalyst that started the journey towards the conclusion that the current law does not reflect the technological developments that can impact on consumer data privacy, such as social networks and cloud computing. The world is changing and we must protect against data breaches from a legislative posture, and with hacking being the new normal, protection is a must!
To use an analogy, companies take Health & Safety and Fire Safety as standard. The GDPR ensures companies treat information governance and data protection as standard too.
How does the GDPR become defined and applied?
There are EU Directives, which require EU Member States to legislate a set of principles, and there are EU Regulations, which mandate a law and are directly applicable. The GDPR is an EU Regulation that will be interpreted in UK courts. It applies to organisations selling goods into the EU. But regardless of that, the UK will not be leaving the EU for at least 18 months, and given that this regulation starts in May 2018, we will be regulated by it until Brexit takes place, at which point we will either continue with the regulation or spend time creating our own that accurately mimics the GDPR. So either way, it’s here to stay!
“The fact that controllers in third countries will have to comply with the same rules as EU companies under certain circumstances creates a more level playing field for competition purposes.”
– Bernhard Schörghuber, Vienna
It’s about Personal Data! But what is Personal Data?
Art.4(1) of The GDPR states that:
‘“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.’
Six Principles of GDPR. Personal Data must be:
– Processed LAWFULLY, FAIRLY and in a TRANSPARENT MANNER
– Collected for SPECIFIED, EXPLICIT and LEGITIMATE PURPOSES
– ADEQUATE, RELEVANT and LIMITED to what is necessary
– ACCURATE and REASONABLY KEPT UP TO DATE
– Kept for NO LONGER THAN IS NECESSARY
– Stored with protections against UNLAWFUL PROCESSING, LOSS or DESTRUCTION using APPROPRIATE TECHNOLOGICAL MEASURES
One Stop Shop
Organisations will be regulated by a single regulator in the place of their main establishment. The main establishment will be the main administrative location in the EU unless the main decisions about data processing are taken in a different Member State in which case that will be the main establishment.
In the UK, this is the ICO, the Information Commissioner’s Office, based in Cheshire, whose role is to uphold information rights. The current Information Commissioner is Elizabeth Denham. The ICO’s biggest fine to date is £400,000 for TalkTalk. Elizabeth oversaw this, and is notably tough with fines.
The GDPR significantly raises the stakes in terms of compliance, with maximum penalties of 4% annual global turnover or up to 20m Euros (whichever is higher).
Data Protection Officers
There is a requirement to appoint a data protection officer (DPO) where an organisation’s core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Member States will have discretion to enact national provisions imposing further requirements regarding the appointment of DPOs.
This is a step back from the original provisions around DPOs which were more stringent. Clearly though, accommodation has had to be made for jurisdictions like Germany which have had DPO requirements for some time.
72 Hour Breach Reporting
Breaches must be reported to the relevant regulator without undue delay and, where feasible, within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The breach reporting provisions have undoubtedly been watered down from the original proposals but they remain potentially onerous.
“The new rules on breach reporting will surely ensure a greater degree of focus on compliance with security obligations”
Data Protection Impact Assessments
Organisations will be required to carry out data protection impact assessments (DPIAs) if their proposed activities are likely to result in a high risk for the rights and freedoms of individuals, in particular, through the use of new technologies and in cases of people profiling. If the DPIA reveals a significant risk, organisations must consult with their regulator before beginning the processing.
The Right To Be Forgotten and Data Portability
The GDPR contains new rights around data portability, the right to be forgotten and to prevent profiling. It also continues the right to object to processing, to rectification and erasure.
Accountability and Privacy By Design
The GDPR now requires that businesses take, on a wholesale basis, a proactive, systematic and answerable attitude towards data protection compliance. Central to this approach are the concepts of ‘privacy by design’ and ‘privacy by default’, which oblige businesses to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.
What accountability measures will be appropriate to address privacy risk will depend on the nature, scope, context and purposes of the relevant data processing as well as the gravity of any impact upon the rights and freedoms of individuals.
How does LAN2LAN help you prepare for the regulation?
Using our unique and proven data discovery software, and practical techniques, we identify what personal data you have, in the content, and where it resides.
In-Scope: Any data that helps you identify a person
– Social media posts
– Physical, physiological, or genetic information
– Medical information
– Bank details
– IP Address
– Cultural identity
Inventory: Identifying where personal data is collected and stored
– Mobile endpoints
– Removable media
– Log files
– Tape storage
As a business you need to be able to answer ‘What’s in your structured and unstructured data?’ and ‘How much data do you have?’
The risk is in the content! Have you analysed it?
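To make the “in-scope” and “inventory” lists above concrete, here is a small illustration of what a content-level data crawl does. It is an added example written for this page, not LAN2LAN’s discovery software: it scans constructed sample sources (a web server log and a support ticket export) for a few in-scope identifier types (IP addresses, e-mail addresses and a UK-style sort code plus account number), validates IPv4 candidates so version strings are not mis-flagged, and records where each finding resides so an inventory can be built. The detector patterns and the sample text are constructed for the example and are deliberately narrow.

```python
"""Minimal personal-data discovery scan over unstructured text sources.

Added illustration only (not LAN2LAN's software): it flags identifiers that
are in scope under the GDPR definition of personal data and records the
source and line where each one resides, so that a data inventory can be built.
The sample sources and the detector patterns are constructed for this example.
"""
import re
from collections import defaultdict

# Detectors for a few identifier types. Illustrative only; a production
# scanner would carry a far wider, validated set (names, NI numbers, etc.).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # UK-style sort code followed by an 8-digit account number, e.g. 12-34-56 12345678
    "uk_bank": re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b"),
}


def _valid_ipv4(candidate):
    """Reject dotted quads with an octet above 255 (e.g. a build number 10.0.300.1)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def scan_text(source_name, text):
    """Return a list of (source, line_no, kind, value) findings for one source."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in DETECTORS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "ipv4" and not _valid_ipv4(value):
                    continue  # looks like an address but is not one
                findings.append((source_name, line_no, kind, value))
    return findings


def build_inventory(sources):
    """Map each source that holds personal data to the sorted identifier kinds found in it."""
    inventory = defaultdict(set)
    for name, text in sources.items():
        for _, _, kind, _ in scan_text(name, text):
            inventory[name].add(kind)
    return {name: sorted(kinds) for name, kinds in inventory.items()}


# Constructed sample sources: a web access log (an "inventory" location from the
# page), a support ticket export, and a release note that holds no personal data.
SAMPLE_SOURCES = {
    "web-access.log": (
        '192.0.2.44 - - [12/Oct/2017:10:01:13 +0100] "GET /account HTTP/1.1" 200 512\n'
        '198.51.100.7 - - [12/Oct/2017:10:01:15 +0100] "POST /login HTTP/1.1" 302 0\n'
        "build 10.0.300.1 deployed\n"
    ),
    "tickets-export.txt": (
        "Ticket 1042: customer jane.doe@example.com asks for a refund\n"
        "Refund to sort code 12-34-56 12345678 please\n"
    ),
    "release-notes.txt": "Version 2.3 fixes the reporting module.\n",
}

if __name__ == "__main__":
    for finding in scan_text("web-access.log", SAMPLE_SOURCES["web-access.log"]):
        print(finding)
    print(build_inventory(SAMPLE_SOURCES))
```

Run as-is, the scan reports the two client IP addresses in the access log with their line numbers, skips the build number on line 3, and the inventory shows that the ticket export holds e-mail and bank details while the release notes hold nothing in scope. Each finding carries its source and line so that the later questions on the page (who owns this data, is it encrypted, how long is it kept) can be asked per location rather than in the abstract.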
We then help you manage and govern how personal data is used and accessed within your organisation.
Is your data classified for ease of access if a FOI request comes in following the GDPR? Do you know who your data owners are? Do they know about the GDPR? Is your data encrypted? What about mobile endpoints?
We then protect your data by establishing security controls to prevent, detect, and respond to vulnerabilities and data breaches.
Do you have defensible measures in place protecting your personal data? If you get hit by a cyber attack tomorrow, what then? Are your staff trained? Many ‘breaches’ are from unaware staff!
And finally, we report so that you can keep the required documentation, manage data requests and breach notifications.
If the ICO come knocking tomorrow, do you have substantial reports to show them? Are you documenting your GDPR endeavours? Could you ask an intern at your company to manage a GDPR audit trail?
Where To Start? Our Recommended GDPR Step-By-Step Approach
Three pivotal questions you must have comprehensive answers to:
I. What are the new obligations under the GDPR which will apply to your organisation?
II. Do you know the gaps that exist between your existing state of compliance as against the standard required under the GDPR?
III. What changes should you make to achieve compliance with the GDPR, on what timetable, with what order of priority, and at what cost?
Step 1: GDPR Information Records Management Consultancy
Step 2: Unstructured Data Personal Information Content Analysis (Data Crawl)
Step 3: Automated Data Remediation, Structuring and Records Management
Step 4: GDPR Security, Ransomware, Data Encryption and Mobile Endpoint Data Consultancy
Ongoing: Security and Data Encryption Remediation Activities
It is critically important for your organisation to take notice of the GDPR regardless of opinions on Brexit and how the EU will operate with the UK after we leave. This regulation starts in May 2018, which gives you 7 months to prepare for the beginning. So please don’t ignore the warnings.
Start your journey towards GDPR compliance by downloading and completing our GDPR Audit Form here and contacting GDPR@lan2lan.com!
0870 787 4001