Throughout 2017 there has been an outstanding number of major data breaches. The most recent example is the leak of 13.4 million files, known as the Paradise Papers, which exposed some of the world’s biggest businesses and global figures, such as the Queen of England, Apple and Nike, for tax abuse/avoidance. Other cyber scandals with heavy press coverage this year include TalkTalk’s data breach of 21,000 customers and the NHS data breach of the records of 21 million patients. Cases like these show that cyber crime is on the rise and will continue to be a huge problem unless procedures and policies are put in place to prevent it.
Along with cyber crime, there is the revelation that the government harvests our information for surveillance purposes, and that companies such as Facebook, Amazon and Google hold the personal details we’ve given up in return for a service. In recent news, Quartz magazine discovered that Android phones tell Google a user’s whereabouts even if location services are turned off. There is always a chance that personal data is being passed on to third parties without our authority, and this could eventually end up in the wrong hands.
So, what can be done to eliminate the threat of a cyber attack and to ensure that we feel safe when disclosing personal details online?
A new set of laws is to be put into place that will affect any systems that hold and process our data, any monitoring and reporting on compliance with those measures, and the detection of data breaches and security incidents. These new data protection laws are known as the General Data Protection Regulation (GDPR), which the EU parliament has been preparing for the past four years.
What is Personal Data?
According to the Information Commissioner's Office (ICO), the body responsible for enforcing the GDPR in the UK, personal data refers to any information related to a natural person that can be used to directly or indirectly identify them, such as a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
What is the GDPR?
As of May 2018, the GDPR will replace the current European Data Protection Directive, which was implemented back in 1988, before technology played such a large role in our daily lives. The new GDPR is designed for the modern economy and fully embraces the advent of the cloud and distributed computing.
The aim and purpose of the new regulation is to guarantee that a ‘data subject’ is always fully protected, by ensuring that adequate data protection is built into the procedure for collecting personal data.
The GDPR also defines the data subject rights as the following:
Breach notification: Notifying the data subject of a breach within 72 hours.
Informed consent: The right to be clearly informed why the data is needed and how it will be used.
Right to access: The right to access, free of charge, all data collected, and to obtain confirmation of how it is being processed.
Right to be forgotten: The right to request erasure of one’s data.
Correction: The right to have inaccurate data corrected.
Data portability: The right to retrieve and reuse personal data, for one’s own purposes, across different services.
Privacy by design: The inclusion of data protection from the outset of designing systems.
Who will be affected by the GDPR?
GDPR applies to all companies processing and holding the personal data of EU data subjects, regardless of the company’s location.
So it not only applies to organisations located within the EU, but will also apply to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, data subjects in the European Union.
The GDPR will have an internal impact on all companies, whether IT service-based or not, because all companies have employees, who are people whose personal data is stored. In this sense, the GDPR will affect sales and finance interactions with clients, and employee information stored by Finance or HR.
Externally, the GDPR will affect how you store client data, e.g. sites with users, sites with newsletters, sites with form submissions, and preference centres (especially!).
Regardless of Brexit, all United Kingdom companies that hold and process a person’s data will have to follow the rules of the GDPR. As Article 50 has not yet been triggered, the United Kingdom will still be a part of Europe in 2018.
See the ICO for reference and more information.
How will the GDPR affect IT services?
The details of the new GDPR effectively mean that almost every website will need to make sure it is compliant in one form or another. As such, GDPR compliance obligations will fall very heavily on the IT services business sector.
IT services providers will also have to protect their own data, which they process as a data controller, as well as creating a safe environment for controllers’ data when acting as a data processor.
The ‘controller’ is the company that owns the data and makes the decisions about what happens to it. The ‘processor’ is contracted by the controller to move, augment, update or even just hold the data.
See the network and computing security company Fortinet for reference and more information.
How you can prepare for the GDPR
According to a survey conducted by Imperva, a leading provider of security solutions, under half (43%) of IT security professionals are preparing for the arrival of the GDPR, despite an overwhelming majority of them being aware of it.
If you’re a company that provides IT services, you’ll need to assess the impact the GDPR will have on your company and your role, and begin thinking about changing your practices to stay in step with the new data protection regulation.
There are a few things you’ll need to be aware of, as the new regulation contains many changes that weren’t in the original legislation, such as the following:
More rules/wider definition
The definition of personal data has been expanded under the GDPR to reflect the types of data organisations now collect about people, e.g. online identifiers and data on economic, cultural or mental health matters.
Data subject consent
Data subjects can no longer give their consent by a simple pre-ticked box or opt-out; it must be an active, affirmative action.
You must keep a record of how and when an individual gave consent, and that individual can withdraw consent whenever they please.
Individuals also have the right to demand that their data is deleted if it's no longer necessary to the purpose for which it was collected.
An individual’s data needs to be stored in a commonly used format, such as a CSV file, so that it’s easy to move to another organisation if the person requests this. You’ll have no longer than a month to do so.
Much larger fines are being put into place. The previous maximum fine under the data legislation was £500,000. TalkTalk held the record for the highest fine for a data breach, reaching £400,000.
Under the GDPR, organisations can be fined up to 4% of annual global turnover for a breach, or a maximum of 20 million euros. Under the GDPR, TalkTalk’s fine would actually have come to a total of £59 million.
It will be your responsibility to inform your data protection authority, within 72 hours of your organisation becoming aware of it, of any data breach that puts people's rights and freedoms at risk. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide revenue, or a maximum of €10 million.
Wondering when to act? There is no better time than right now. The sooner you start preparing your organisation for the GDPR, the easier it will be to avoid any severe repercussions. Slowly making small changes to your policy and approach towards handling data will make all the difference.
Start off with Information Security Compliance 27001 (ISO27001). This is as close as you can get to being compliant with the GDPR. Discuss it with your clients and suppliers to ensure they’re aware of and prepared for the GDPR, and also ensure that your third-party hosting services are ISO27001 certified.
To make things easier, the ICO provides a data security checklist that you can refer to for guidance on taking the correct steps to avoid a breach and to avoid being fined.
Life beyond the GDPR looks to be more data-centric, which can only be a benefit. Organisations will take privacy seriously, resulting in more trustworthy services and customers/clients who feel secure and protected. Organisations can use this change as a market opportunity, offering help with data analysis, process workflow, security, legal and other areas.
"The new law equals bigger fines for getting it wrong but it's important to recognise the business benefits of getting data protection right...There is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals - and gain a competitive edge… But if your organisation can't demonstrate that good data protection is a cornerstone of your business policy and practices when the new law comes in next year, you're leaving your organisation open to enforcement action that can damage both public reputation and bank balance." - ICO spokesperson (reference).