Here’s a thought: if you would like to have a little fun with the GDPR when you’re next asked in a store for your email address “for your receipt”, enquire in turn whether they are now GDPR compliant and what exactly their terms of consent are. We promise blank looks all round…
Fun and the General Data Protection Regulation seldom go hand in hand. Data security and GDPR compliance are a serious subject, and ensuring the integrity and confidentiality of your data is at the core of the GDPR. We wouldn’t advise any company to assume that its current IT security provision necessarily meets the demands of the GDPR.
Confidentiality, integrity and the GDPR
The GDPR lays down specific requirements on all organisations to take all practicable steps to ensure that personal data that they hold and process is secure, accurate and appropriate, and it further introduces obligations on all data controllers and processors with regards to the steps that must be taken should there be a data breach.
This was the guts of the DPA and remains so under the GDPR; however, these requirements are now more explicit, and the penalties for failing to take timely action are potentially far more onerous. Having pointed out in a previous article that the GDPR is not just about huge fines, we are not going to reverse our position; the obligations placed on companies are nevertheless real.
Underlying this is an assumption that personal data has value, and that its loss or corruption represents the loss of that value, or worse, a demonstrable negative impact to the individuals whose data has been compromised and to the company itself.
In some respects approaching this issue is no different to how any responsible company would approach its IT security in general, but there are some specific requirements under the regulations which may require that you fully evaluate your current security provisions and decide whether or not they will meet your obligations.
Will existing security suffice?
Simple security, keeping the bad guys out, will not be sufficient. Are you fully logging and reviewing activity at all points of ingress and egress? There isn’t a firewall out there that isn’t capable of producing prodigious logs of all activity, and reviewing these on a regular basis is not a task that we would necessarily wish on anyone. Regardless, it has to be done if serious attacks, failed attacks or mere probes are to be recognised and dealt with. Should a data breach occur, such logs and records of the actions taken will form an important part of your obligation to report data breaches under the GDPR. You cannot wait until the worst has happened.
Confidentiality requires not only security but an ongoing process to identify whether data held by an organisation is still fit for purpose and accurate. Do you have processes in place to ensure that the validity of your data is periodically checked, reviewed and if necessary updated? Will you need to review and renew your consent as part of this process? If you do, can your current systems cope with this requirement? Are they a help or hindrance?
Are your systems sufficiently robust to ensure that data cannot be accessed or manipulated from without or within? It is a sad truth that many data breaches are not the result of some external actor but rather a deliberate or accidental occurrence from within. Are your staff aware of the GDPR and how it might affect them and the work they do?
Privacy Impact Assessments and Data Protection Officers (PIA & DPOs)
These were part of the data landscape before the GDPR and will continue to be so for years to come. The simplest explanation of a PIA is that it is a process undertaken by an organisation to identify and address the privacy issues and risks associated with any new process or policy. It could in theory be applied to existing processes; however, those may be better dealt with by a thorough audit. The ultimate responsibility for this lies with the organisation, but careful and thoughtful placement of those responsible for security, integrity and confidentiality within the company structure can pay dividends.
It cannot be stressed enough the extent to which maintaining data integrity and confidentiality is a management function as much as it is a systems function. Companies and organisations that fail to understand this and act upon it will have issues at some point. The correct placing of Data Protection Officers within the company structure can make or break their integrity and confidentiality aims. We have personal experience of the ‘old boys network’ overriding network security and the results were traumatic for the organisations and relationships concerned.
The GDPR formalises the concept of security by design and encourages the use of Data Protection Impact Assessments (DPIA) as part of this. DPIAs are mandated in certain high-risk situations to wit:
- where a new technology is being deployed;
- where a profiling operation is likely to significantly affect individuals;
- where there is processing on a large scale of the special categories of data.
In these cases there is no freedom to ignore the requirements of the regulations. If you are unsure whether or not this applies to part or all of your business process, talk to us – we’ll be able to advise you where to properly concentrate your resources to achieve the best outcomes.
We apologise if this is starting to read like a doomsday scenario; it really isn’t, but it is a reflection of the world in which we all live these days.
The General Data Protection Regulation is a weighty piece of pan-European regulation and it will be translated into law in all member states. It exists to better address the rapidly changing world of data that we all inhabit, and it aims to ensure that all organisations follow best practice. No company can ignore it, although many will find that its impact upon their lives is minimal. Others, however, will face significant challenges in meeting its ongoing requirements; regardless of the size and complexity of your business, we are ideally placed to offer advice, assistance and guidance in negotiating this brave new world.