The security of data is becoming a huge area of concern for businesses, and with good reason. In the early days of computers in businesses, storage space was the challenge. Then backing up the data in case of a crash became important. Then securing the network in case of an attack or some malicious intent became the concern. None of those concerns have gone away, but now we also need to ensure the privacy of that data or risk being taken to court!
There has been a lot of discussion (and some would say confusion) about data protection laws and the obligations of businesses and data controllers, but very little real action from a legal point of view. Because of this, most businesses haven’t put any significant measures in place to protect the data they hold from a privacy point of view; most likely the priority has been to protect data in order to protect the business. However, we now have to provide for protecting the data in order to protect the subjects of that data – and it’s going to be law.
The latest update to our data protection legislation comes into force on the 25th of May 2018, having been adopted in April 2016. This is a regulation, not a directive. It applies to any company trading within and with the EU, and from May 2018 the new law will apply, no questions asked. Make no mistake, the General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. (See: http://www.eugdpr.org/)
We are all more or less aware that we have obligations when it comes to securing any third-party data. But these new changes make our obligations clearer and attach real consequences to them. Business owners need to take the time to inform themselves and to put in place the measures required to ensure compliance.
As usual, the act is onerous and requires a lot of reading and interpretation. However, here are some of the main points:
- Understand what a “Data Controller” is and what a “Data Processor” is – If you, as an individual or an organisation, collect, store or process any data about living people on any media, then you are a data controller.
If, on the other hand, you hold the personal data, but some other organisation decides and is responsible for what happens to the data, then that other organisation is the “data controller” and your organisation is a “data processor”. An example of this might be using a third party to process your payroll. You are the data controller, but the service provider you are using for payroll is the data processor.
- Appoint a DPO – Data Protection Officer. If you are a data controller and therefore have a policy in relation to data security, you should have a DPO: someone who takes responsibility for ensuring data compliance. You can be both the data controller and the data protection officer. However, before you engage in heated discussions about who takes the responsibility – DPOs are not personally responsible in cases of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure, and to be able to demonstrate, that the processing is performed in accordance with its provisions (Article 24(1)).
- Increased Penalties – There are very few prosecutions under the data protection act to examine for precedent. This is expected to change from May 2018. Companies that breach data protection law can face fines calculated with reference to their annual turnover. Companies can be fined up to €20,000,000 or 4% of annual global turnover, whichever is higher. Needless to say, that’s the high end, but you get the point!
- Data subjects’ right to privacy – the data controller needs to be able to demonstrate that privacy concerns are a key part of decision making in the business. It’s not just a question of awareness or acknowledgement; it needs to be demonstrable. Documented consideration of the privacy of the data subjects needs to be part of every business decision and project going forward.
- Consent – The data controller cannot use a data subject’s information for any purpose other than the original reason the subject shared their data. For any additional use, the data controller needs to seek the permission of the subject in a clear, concise and unambiguous manner. The data controller will need to be able to show this to an inspector.
The minimum age of consent to data processing will be at the discretion of the state where the data subject resides. If you or your organisation is dealing with minors this gets tricky, as you need to demonstrate that requests for information were acknowledged and agreed to by legal guardians, and expressed in a language appropriate to the data subject if addressed directly.
- Requests for deletion or alteration – A data controller has an obligation to have in place a process that ensures the clear and compliant cooperation of the organisation in the event of a data subject requesting that his/her information be removed and/or altered/corrected. This also needs to be done in a timely fashion.
- Data breach – If there is a data breach, you have 72 hours to inform your local Data Protection Agency (DPA). Depending on the data that was breached, you then have to inform the data subjects of the breach without delay. That is open to interpretation for sure, but I suppose the circumstances will differ from case to case.
So, those are the big points. What do you do now?
- Get informed on the definition of a data controller and a data processor. You might be both in your organisation.
- Decide who will be your DPO – Data protection officer – and work with that person to ensure compliance.
- Do an audit of your data:
  - Why are you holding it?
  - How did you obtain it?
  - Why was it originally gathered?
  - How long will you retain it?
  - How secure is it, both in terms of encryption and accessibility?
  - Do you ever share it with third parties, and on what basis might you do so?
- The GDPR is clear that controllers must be able to demonstrate that consent was given by the data subject to record personal data. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.
- Identify the sensitive data and how attractive your organisation might be to a criminal.
- Whether you are using third-party IT support or in-house staff, bring your IT people in on the project.
- Educate your staff on two fronts. Firstly, they need to understand your Data Protection Policies and where they are coming from. Secondly, they need to understand how their behaviour can put data at risk. Get some training on cyber-security.
- Only allow access to the valuable data to the key users who really need it.
- Investigate organising penetration tests on your site.
- With your appointed DPO, have an incident response plan in place, just like a fire drill, for when a breach occurs. Remember you need to be able to demonstrate that you have the right procedures in place to detect, report and investigate a personal data breach.
- Enhance what IT systems you can to further secure your site. Don’t forget about mobile devices and access to cloud data.
- The GDPR introduces mandatory DPIAs for organisations involved in high-risk processing. A DPIA is a Data Protection Impact Assessment: a considered assessment of the potential impact that a project or initiative might have on the privacy of individuals. Again, this must be demonstrable. The rule of thumb here is to adopt privacy by design as the default approach. Only gather the minimum amount of data, and be sure you know who will gather it. Is there any other party involved? Will the data be held centrally or locally? Again, know where and why the data is gathered.
The purpose of the GDPR, ultimately, is to protect the rights of private citizens. All of us are data subjects somewhere. Anyone with an insurance policy, a bank account, a credit card or a business account is a data subject. Our increased dependence on e-commerce and social media makes us all vulnerable. So, while it seems like another hassle from a business point of view, it protects us all.
Depending on your industry – your particular sector might have specific requirements in relation to data protection and the obligations of your data controller – be informed and stay up to speed. Some sectors are working very closely with the Data Protection Commissioner and examining their particular industry’s obligations in relation to GDPR. If you are unsure about where you stand or what applies to you, then remember, at the end of the day this is a legal issue, so get legal advice.
From an IT point of view, this boils down to two main actions to consider:
- Encrypt your data – if you can show that the data is unreadable to anyone without the appropriate security credentials, and you maintain a good password policy in your organisation, then you are largely protected from a breach point of view in relation to GDPR.
- Develop a data protection policy – This is the complicated bit, and depending on your industry, you might take legal advice with regard to it. Once a policy is developed, you need to be able to show that you are adhering to it. It’s not enough to have one; it must be actioned.
At BITS we understand all of the IT aspects of the GDPR, and we can work with you or your organisation to carry out an audit of your current data handling procedures and policies and to close any gaps there might be. We work with organisations to produce a Data Protection Policy. Contact us today for more information.