GDPR: 3 ways to remain compliant

With just six months to go until the General Data Protection Regulation (GDPR) takes force, payroll departments, and every other function that handles personal data, need to know what is coming or risk paying for it later. From 25 May 2018 a new regulatory regime, the GDPR, applies across the European Union (EU). Complying with its requirements is a challenge, but it is also an opportunity to evaluate every aspect of your security posture and to close any existing security gaps. The GDPR is the most significant piece of data protection law in recent years, and it matters to businesses around the world that work with personal data: once it is enforced from May 2018, it will affect any business dealing with people in the EU.
You may have heard that 25 May 2018 is going to be a significant date. As well as being a few short weeks before the FIFA World Cup begins in Russia, it is also the date on which the GDPR (General Data Protection Regulation) becomes enforceable.
GDPR is going to be a huge catalyst for businesses within the UK, which will have to make some fundamental changes to the way they operate and the way they manage risk.
Whilst May 2018 might seem some time away yet, the time to start preparing for GDPR is now. So, we have put together a list of five things to be aware of: specifically, how the regulation is going to affect you, and how you can put yourself on the front foot in preparing for it.
1) What is it, and how did we get here?
GDPR will introduce new laws that impact companies around the globe. It applies to companies established in the EU, and to companies anywhere in the world that offer goods or services to people in the EU or monitor their behaviour (art. 3).
In a nutshell, GDPR gives new rights to individuals in the EU (data subjects) over their personal data, such as the right to withdraw consent and easier access to their own data (there are many more). Understanding the context is key, because this is about recognising the significant responsibility that companies take on when they are given personal data. Now they must meet a strict set of criteria, and be able to demonstrate that they are doing all they can to protect it.
There were two drivers for this. The first was about giving control of personal data back to the individual. No longer will companies be able to gather whatever information they want without a lawful basis and a stated purpose.
Secondly, each member state currently has its own legislation implementing the 1995 Data Protection Directive, and those laws differ. GDPR is a regulation rather than a directive, so it applies directly and uniformly across the EU and is easier to enforce consistently.
The penalties for non-compliance are fairly scary: fines can go up to 4% of your annual worldwide turnover for the preceding financial year or 20 million euros, whichever is higher.
Crucially, as a business, you don’t opt in, and you don’t opt out; you have to comply. And the sooner you start preparing for it, the better.
2) If GDPR protects the data of people in the EU, what about the question of Brexit? Do British companies still have to comply?
At the moment, we do not know exactly when the UK will leave the EU, or what its future relationship with the EU is going to be. However, GDPR governs any processing of personal data belonging to people in the EU, including storing and transferring it, not just collecting it. So any organisation which holds, processes or transfers that data will still have to comply with GDPR, wherever it is based.
Most British companies are dealing with the personal data of people in the EU in some shape or form. If you think you do not, take a look at what is meant by personal data: it includes not only bank account details, email addresses and sensitive personal information, but also online identifiers such as IP addresses and cookie IDs. When you think about how many companies work with IP addresses, that really expands the scope of who this legislation affects.
It is also very likely that the UK will imminently replace the Data Protection Act 1998 with something extremely similar to GDPR. The main thing to understand here is that by taking steps to protect your data, you will have a much greater chance of protecting your business against cyber threats. It is a huge forward step in how the world sees data protection.
3) How do I start planning to meet the criteria?
The way to start is with a gap analysis. Work out what you need to do to become compliant, as there are some very specific requirements. Compare that with the processes and structures you currently have, and then work out where the gaps are.
From there, you can build a roadmap. Crucially, ensure you raise awareness within your business of what is expected of your employees at every point in the journey. The later you leave it, the more it is going to turn into a panic situation. So start on that road now; there are experts who can help you if you are not sure where to begin.
4) Can I become compliant with a particular piece of technology?
GDPR is about security processes and managing risk more than anything else. Technology plays a part, but just like Ant cannot work without Dec, the technology cannot work unless it is accepted into the organisation and everything works together.
Traditionally, we have thought of cyber security as a technology problem with a technology answer. However, the bad guys have got cleverer. They are sophisticated, well-funded, and targeted.
Take a look at our recently released Annual Cybersecurity Report to find out what sort of escalated activities cyber criminals are now up to. The game has changed, and protecting against data breaches is something which all businesses must have high on their agenda.
GDPR also specifies that in certain cases (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data; art. 37) organisations have to appoint a data protection officer, a role distinct from a risk officer and from most other IT functions that currently exist.
Data protection officers have a specific mandate, and the regulation protects their independence: they must not receive instructions about how to carry out their tasks, must not be dismissed or penalised for doing them, must be free of conflicts of interest (so the role should not be combined with, say, head of IT), and must report directly to the highest level of management (art. 38). In practice that means the DPO answers to the regulation, not to whoever runs the systems they are scrutinising.
Again, it’s about ensuring that companies recognise how much responsibility they carry when they collect and transfer other people’s data.
5) How will GDPR affect how I deal with a data breach?
Currently, in most sectors, if an organisation suffers a breach it does not have to tell anybody. Ethically and morally, some companies feel obliged to, particularly if the breach directly affects their customers.
GDPR will force you to. Breaches that are likely to pose a risk to individuals must be notified to the supervisory authority within 72 hours of becoming aware of them (art. 33), and where the risk is high the affected individuals must be told without undue delay (art. 34). Failing to do so attracts fines.
If organisations are not set up with the right processes or technology, they can’t always tell how bad the breach is. So, when they have to reveal it and then get asked questions like, “What’s been taken?”, “What are you going to do about it?” and “Can you assure me this won’t happen again?”, their answers aren’t going to be that convincing.
Secondly, the average time to detect a breach in a business is between 100 and 200 days, which is an extraordinarily long time. At Cisco, we bring that down to 9 hours across the globe, which is significant. This, coupled with our Stealthwatch technology, which helps quarantine breaches, will help businesses identify what has happened and how best to stem the damage, both now and in the future.
This is about making an attitudinal shift. Organisations must be aware of the current threat landscape, and be prepared for an attempt on their data. This is very process orientated – it’s about recognising a breach, and then dealing with it. Which is what GDPR is trying to encourage.
Obelisk Support consultant Alisha McKerron Heese provides some advice on how data processors can comply with the upcoming GDPR legislation.
We are fast reaching the countdown phase for the General Data Protection Regulation (GDPR) which comes into effect in just over six months on 25th May 2018.
Preparing for GDPR is a complex process which requires far more than merely updating your processing agreements and fulfilling your contractual obligations. While the regulation stipulates that certain provisions be inserted in processing agreements (art. 28(3)), it does not stop there. For the first time, statutory data protection requirements (which previously applied only to data controllers) will place direct obligations on you as a processor as well. This enables data subjects to enforce their rights directly against you. Non-compliance is also more severely punished, through significantly heavier fines. To be precise, under the current law the maximum monetary penalty the Information Commissioner can impose is £500,000. Under GDPR, however, that fine can be anything up to 4% of an organisation's annual worldwide turnover, or €20,000,000, whichever is higher.
So, what are these new requirements and what steps should you take to ensure that you will be compliant from 25 May 2018?
Your processing agreements must be GDPR compliant. This means that the contract with your client must contain the processor obligations set out in art. 28(3), and that you have agreed to them.
You must have determined whether you are required to maintain written records of the categories of processing activities you carry out (art. 30). This requirement originates from the accountability principle (art. 5), a recurring theme throughout GDPR which puts the onus on you to be responsible for, and to demonstrate, compliance. Information which must be captured includes details of any other processors, your client's details and those of any Data Protection Officers (DPOs), the categories of processing, details of transfers to third countries, and a description of your general technical and organisational security measures (art. 30(2)). These records must be provided to the supervisory authority on request.
If you employ fewer than 250 people, you are excluded from this requirement provided that the processing is not likely to result in a risk to the rights and freedoms of individuals, is only occasional, and does not include special category data or data relating to criminal convictions and offences.
Note: special category data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed to identify a person, data concerning health, or data concerning a natural person's sex life or sexual orientation (art. 9(1)).
You must have appropriate security measures, referred to as appropriate technical and organisational measures (art. 32). If you are wondering what "appropriate technical and organisational measures" means, you are not the first. No definition is provided by the regulation, which puts the onus on you to decide. You must weigh a variety of factors: the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to individuals (including the sensitivity of the data and the likely harm from a breach).
This requires you to have a comprehensive understanding of your systems and of the type of data you process. Measures will vary, but art. 32(1) lists examples: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. Regular testing will enable you to detect weaknesses and pick up problems quickly, which is particularly important in the event of a breach.
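Pseudonymisation is the first measure art. 32(1)(a) names, and it is easy to get wrong: a plain hash of an email address or IP is not a pseudonym, because anyone with a candidate list can hash the candidates and match them. The block below is an added example, not code from the article or from Obelisk Support. It pseudonymises the direct identifiers in a constructed set of records with a keyed HMAC, keeps the key as the "additional information" that art. 4(5) says must be held separately, and shows that the same individual stays linkable across records for analytics while a party without the key cannot reverse the pseudonyms. The record layout, field names and the `generate_key`/`pseudonymise` helpers are assumptions made for the example.

```python
"""Keyed pseudonymisation of direct identifiers (GDPR art. 4(5), art. 32(1)(a)).

Added example, not from the original article. Demonstrates why an unkeyed
hash is not an adequate pseudonym and how a keyed HMAC, with the key stored
separately from the pseudonymised data, fixes that while keeping linkability.
"""
import hashlib
import hmac
import secrets

# Constructed sample records for the example; not real people or addresses.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "plan": "pro", "spend": 120},
    {"email": "bob@example.com", "ip": "198.51.100.22", "plan": "free", "spend": 0},
    {"email": "alice@example.com", "ip": "203.0.113.7", "plan": "pro", "spend": 80},
]
# Fields treated as direct identifiers (an assumption for this example).
DIRECT_IDENTIFIERS = ("email", "ip")


def generate_key():
    """The 'additional information' of art. 4(5): keep it in a separate
    store (e.g. a KMS/HSM), never alongside the pseudonymised dataset."""
    return secrets.token_bytes(32)


def naive_pseudonym(value):
    """Unkeyed SHA-256. Looks opaque but is reversible by guessing inputs."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(field, value, key):
    """HMAC-SHA256 over 'field:value'. The field prefix domain-separates
    email and IP pseudonyms so equal strings in different fields do not collide."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key, fields=DIRECT_IDENTIFIERS):
    """Return copies of records with direct identifiers replaced by keyed
    pseudonyms; all other fields are left untouched."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                copy[field] = keyed_pseudonym(field, copy[field], key)
        out.append(copy)
    return out


def reverse_by_guessing(pseudonym, candidates, pseudonym_fn):
    """Dictionary attack: return the candidate that produced the pseudonym,
    or None. pseudonym_fn is whatever the attacker believes was used."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), pseudonym):
            return candidate
    return None


def spend_per_pseudonym(records):
    """Analytics still works on pseudonymised data: aggregate by pseudonym."""
    totals = {}
    for rec in records:
        totals[rec["email"]] = totals.get(rec["email"], 0) + rec["spend"]
    return totals


if __name__ == "__main__":
    key = generate_key()
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]

    # 1. Unkeyed hash: an attacker with a candidate list recovers the identity.
    print("naive reversed:", reverse_by_guessing(
        naive_pseudonym("alice@example.com"), guesses, naive_pseudonym))

    # 2. Keyed pseudonyms: linkable for the data holder, opaque to others.
    ps = pseudonymise(SAMPLE_RECORDS, key)
    print("alice linkable across records:", ps[0]["email"] == ps[2]["email"])
    print("spend per pseudonym:", spend_per_pseudonym(ps))
    print("reversed without key:", reverse_by_guessing(
        ps[0]["email"], guesses,
        lambda v: keyed_pseudonym("email", v, generate_key())))
    print("reversed with key:", reverse_by_guessing(
        ps[0]["email"], guesses, lambda v: keyed_pseudonym("email", v, key)))
```

Two design points matter in practice. The key is what turns this from anonymisation theatre into pseudonymisation the regulation recognises, so its custody (separate store, access logging, rotation plan) is part of your art. 32 evidence. And pseudonymised data is still personal data under GDPR, because the key holder can re-identify it; the benefit is that a leak of the dataset alone no longer exposes identities.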
You must be able to detect personal data breaches and notify the controller without undue delay after becoming aware of one (art. 33(2)); the controller then has 72 hours from becoming aware to notify the supervisory authority (art. 33(1)). It may be in your interests to clarify in your processing agreement (if you have not already done so) what counts as undue delay, as the regulation does not define it.
You must have a DPO if required, although you may appoint one even if not required (art. 37). A DPO is required if you are a public authority, if your core activities require regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of large-scale processing of special categories of personal data. A DPO's primary role is to independently advise you on compliance with the GDPR, and they are the contact point for data subjects and for the supervisory authority.
You must have prior specific or general written authorisation from your client if you enlist another processor or replace a sub-processor (art. 28(2)). You must flow down the same contractual obligations you have with your client into a contract with any sub-processor, and you remain fully liable to your client for the performance of any sub-processor (art. 28(4)).
You must ensure that you have appropriate safeguards for any transfer of personal data to a third country in the absence of an adequacy decision (for example standard contractual clauses or binding corporate rules, arts. 44 to 46), and that data subjects have enforceable rights and effective remedies in that country. Transfers must still take place only on your client's documented instructions (art. 28(3)(a)), but the obligation to ensure appropriate safeguards falls on you directly as a processor (art. 44), not only on the controller.
Making your processing agreement GDPR compliant is just the start. The steps outlined above are by no means an exhaustive list, but they should help you on your journey to becoming GDPR compliant. Not long to go before the clock stops ticking!