With the General Data Protection Regulation (GDPR) entered into force on the 24th of May 2016 and will be applied to all EU Member States on the 25th of May 2018, this has given organisations only one year to prepare for compliance, and now only a matter of weeks left to prepare. Only one in five businesses are GDPR ready. Here we have some information on how to prepare your business for GDPR, and more specifically information on how to prepare your company’s technology to be GDPR compliant.
“GDPR states that businesses must handle personal data securely, transparently, and in a lawful manner throughout the entire data processing lifecycle.”
A common misconception of the GDPR is that it only applies to organisations established in the European Union, this is incorrect, the regulation not only applies to all these organisations but also any non-EU established organisations that handle or process data of individuals in the EU. Whether this data is used to offer them goods and services, or monitor their behaviour within the EU, this data must be handled in line with the new regulations.
The GDPR is a replacement for the old data protection laws, the purpose of it is to protect people’s personal data at all stages of data processing. It is there to iron out the creases of the old data protection laws and to create a thorough, strong and unified set of rules for data privacy and security. The old data protection procedures were confusing and could cause problems for businesses trading across borders, the new regulation intends to unify the data protection laws for these businesses, including information in the new regulation on how to correctly handle EU individuals’ data from outside of the EU.
The main difference between the old and new regulation is the entity held liable. The new GDPR names two roles that are responsible, data controllers and data processors. Under the old regulation, the EU Data Protection Directive, only data controllers could be held liable. Also, under the new regulation data processors have strict data protection requirements and obligations to follow. This is to ensure the protection of the privacy rights of the data subjects, a data subject is an “identifiable natural person” or any person that a business collects information on in connection to the business and its operations.
The difference between a data controller and data processor is, a data controller determines why the company are in possession of the data in the first place, if the business handles data for its own purposes and needs then they are a data controller. They must be able to justify the purpose of the data, the conditions in which it can be used, and the procedure put in place for how the data is handled. A data controller is any business that manages the personal data of their employees and customers. A data processor is different to this, they work on behalf of the controller and process the personal data for them. An example of a data processor is a cloud provider also Software-as-a-Service companies such as a CRM system. A company can be both a data processor and data controller depending on the type of data they are handling and how they plan to use the data. A software company based in the cloud can be both a controller and processor of data, this is because they act as a data controller when handling the data of their own employees, but they also act as a data processor when handling the data that their client’s process with their software. There are no set retention periods for data under the GDPR, however, the data controller must be able to justify that they have a purpose for the data, how they are going to use it and the handling procedure. If they do not have this information, then the data must be deleted as it is being kept unlawfully.
In article 5 of the regulation the 6 most important principles regarding the management of personal data are summarised:
- Processing – Personal data shall be processed lawfully, fairly and transparently.
- Purpose – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes.
- Relevance – Personal data shall be adequate, relevant and limited to what is necessary for the purposes of collection.
- Accuracy – Personal data shall be accurate and kept up-to-date; inaccurate data must be erased or rectified without delay.
- Retention – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary.
- Security – Personal data shall be processed in a manner that ensures appropriate security, using appropriate technical or organizational measure.
Within the regulation there are different classifications of personal data, personal data regarding GDPR is any information that can directly or indirectly identify a data subject, this information can be in any format. The new regulation separates data into two categories, personal data and special categories of personal data. The inclusion of genetic and biometric data is new as these were not mentioned in the old regulation.
The fines under the new regulation are much higher than those under the current EU Data Protection Directive, and while this is causing people to panic about GDPR it may not be as much of a cause for concern as it looks. Last year (2016/2017) there were 17,300 breach cases and only 16 of them resulted in fines for the organisations concerned. Clearly, a breach does not necessarily mean a fine, if the company can show the process they have in place for handling the date and the process they have for handling a breach.
However, the fines are considerably larger under the new regulation, a good example of this is the mobile phone company Talk Talk, who suffered a data breach in October 2015. The company admitted to a security failure in which some personal details of customers had not been encrypted, and the company admitted they had not taken the basic steps they could have to protect customer information. The information stolen included bank account details, birth dates and addresses. Due to the company not having even basic protection in place for the personal information of their customers the breach resulted in a fine for the company. The fine was £400,000 which for a large company like Talk Talk is not an unduly damaging fine, however, under the new GDPR, this fine would have been £73,000,000 almost 20 times the amount they paid. This shows why everyone is understandably worried about the new fines, due to the number being a lot more damaging to the business, however as stated before if your company’s data handling process is justifiable along with the process for handling a breach the likelihood is a breach will not result in a fine.
A fine is not the only thing a company has to worry about when suffering a data breach, another thing to consider is company share price. Publicly-listed companies that had a data breach saw on average an immediate 5% drop in share price, showing a drop in the reputation of the company and resulting in a decrease in revenue. Response time is essential to the damage a breach can have on a company, share price of a company generally recovered within 7 days with a strong security response, but with a weak response, it hadn’t recovered after 90 days. Lastly, the company’s customers could drop because of the tarnished reputation of the company, a 2-5% loss of customers could be expected after a breach (average £2.08m to £3.07m loss).
One aspect to consider when looking at how you can prepare for GDPR is your company’s technology stack, and that the compliance with GDPR should be driven by a global business process. Within the regulation document, it specifies that security should be “by design, and by default”, meaning that it should be included in the business process from the beginning and not just integrated when a breach occurs. There are three things you can do to prepare your technology for GDPR;
- Prepare for compliance audit – To prepare for a compliance audit, IT teams should ensure they can effectively monitor their entire IT infrastructure including endpoint devices like PCs and printers. They should also schedule regular assessments to keep every endpoint device, including the entire printer fleet, in compliance with the policy.
- Carry out a complete audit – IT teams must identify every device that can access their company and customer data and assess the level of security it has built in.
- Embrace security by design – IT teams must put the right IT policies in place so that compliance requirements are not an afterthought but an intrinsic way that new devices and services are introduced into the network. Ensure you can monitor every device and feed anomalies or incident information into your network-wide vulnerability assessment and monitoring tools.
When researching GDPR it is common to come across sales pitches stating that by deploying encryption, you will become GDPR compliant. Some even state that through encryption alone you will be 70% compliant. While encryption is mentioned in the regulation, it is not offered as a solution, and the regulation gives no instruction on the type of encryption to use or where you should be using it. Encryption is not the one solution needed to become GDPR compliant, GDPR is far-reaching but complying with it is not just a technical challenge. It needs to be addressed as a business.
One way to help your technology to become more secure is to move your data over to a Cloud environment. There are steps you can take when moving into a Cloud or Hybrid Cloud environment to support your businesses GDPR compliance. One option is a secure digital workspace, which is a flexible and an integrated way to deliver and manage the apps, desktops, data and devices your users need in a contextual and secure fashion. A unified, contextual and secure digital workspace enables you to do all of this and realise the full benefits of hybrid- and multi-cloud environments while simplifying management and overcoming security challenges. A complete secure digital workspace must be:
GDPR is not the end of the world, embrace the change if you have basic processes in place already you are on the way of being GDPR compliant anyway! It is just best practice to ensure you to protect your business data and your customers!