As you will already be aware from the many blogs and online posts, GDPR comes into force in the UK on the 25th of May 2018. Organisations already complying with the current Data Protection Act 1998, which is based on Directive 95/46/EC, will already meet some of the requirements, so rather than focusing on existing requirements this article looks at the changes and additional activities required to meet the expectations of GDPR.
GDPR applies to Data Controllers and Processors that process, store or handle personal identifiable information relating to living individuals.
Those familiar with the existing Data Protection Act 1998 know that a Data Controller is usually the organisation collecting the personal data. For example when you provide details to your bank, your bank becomes a Data Controller.
Unlike existing legislation, GDPR now applies to Processors too, so for example if the bank outsources data processing to a third party that third party is required to comply with the requirements of GDPR. This does not however mean the Data Controller is no longer accountable. A Data Controller will still need to demonstrate that it performed due diligence when selecting a Processor, implemented suitable contracts and performs pro-active monitoring of the Processors performance and compliance with GDPR requirements.
Data Processors such as IT outsourcing organisations, data processing organisations, outsourced contact centres, and cloud providers need to ensure that they take steps to protect data and process and store it in a suitable manner. In the absence (at the time of writing) of a specific GDPR action checklist, organisations could consult the principles in ISO/IEC 29100 – Information technology – Security techniques – Privacy framework in order to lay down the fundamental processes and a management system which will allow not only compliance but also the tools and techniques to demonstrate that commitment to data privacy.
Personally Identifiable Information (PII)
There are many arguments about what constitutes PII, but in simple terms it refers to information which can identify a living individual. Clearly name, address, telephone number etc. apply here. The new GDPR requirements go on to add other considerations; for example, an IP address used to track activity can now be considered PII. Many organisations use pseudonyms to protect PII, which is still acceptable; however, pseudonyms may themselves be classed as PII depending on how easy it is to relate them to a real person. Any pseudonymisation process therefore needs to be thoroughly thought through, designed and protected accordingly.
Further, there is a separate category of data known as Sensitive PII which covers things such as religion, sexuality, political views etc. Equally, biometric data will fall into this category and therefore needs much closer protection from a security perspective.
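As an added illustration (not part of the original article) of why a pseudonym may still be PII: an unkeyed hash of an e-mail address can be related back to a person by anyone who can recompute it over a list of known customers, whereas a keyed HMAC pseudonym can only be recomputed by whoever holds the secret key, so protecting and separating that key is what makes the pseudonym defensible. The e-mail addresses and key below are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample customer list, standing in for a real customer table.
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Secret pseudonymisation key. In production this lives in a KMS/HSM,
# separated from the pseudonymised dataset and covered by access control.
KEY = secrets.token_bytes(32)


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: deterministic and recomputable by anyone, so the
    output is trivially relatable to the input if the input is guessable."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: still consistent for record linkage
    within the dataset, but cannot be recomputed without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def relink(pseudonym: str, candidates: Iterable[str],
           fn: Callable[[str], str]) -> Optional[str]:
    """Privacy-impact check: can this pseudonym be related to a known
    identity purely by recomputation with the function `fn`?
    Returns the matched identity, or None if no candidate recomputes to it."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    weak = naive_pseudonym("Alice@Example.com")
    strong = keyed_pseudonym("Alice@Example.com", KEY)
    print("unkeyed pseudonym relinks to:", relink(weak, CANDIDATES, naive_pseudonym))
    print("keyed pseudonym relinks without key:",
          relink(strong, CANDIDATES, naive_pseudonym))
    print("keyed pseudonym relinks with key:",
          relink(strong, CANDIDATES, lambda c: keyed_pseudonym(c, KEY)))
```

The practical conclusion is that the dataset and the key must be governed separately: whoever can obtain both can re-identify, so the key's access controls decide whether the pseudonymised data counts as PII in a given hands.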
When collecting PII the organisation collecting the data must have consent to do so, and this explicit consent must be demonstrable i.e. evidence of the consent must be available. The Information Commissioner’s Office (ICO) has clearly stated that “Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent.” This means that a key part of the GDPR compliance process will involve reviewing and possibly re-designing the consent processes.
Children’s Personal Data
Services aimed at Children come in for particular attention, requiring privacy notices aimed at children to be written in a clear way understandable to a child. Furthermore services aimed at children must include a mechanism to obtain the consent of parents/guardians.
The Right to Data Portability
This new right allows individuals to obtain and reuse their own personal data across different services, for example moving data from one IT environment to another. Clearly this means that organisations will need to closely examine their data architecture, storage processes and the procedures for allowing the removal and transfer of data. In the banking sector, midata is a tool that allows customers access to their transactional account data, which they can upload to price comparison sites.
Governance and Accountability
Perhaps one of the biggest developments in GDPR is the introduction of specific requirements to ensure that clear governance processes are implemented within organisations, with clear roles, responsibilities and accountabilities established.
Establishing management systems based on ISO/IEC 27001 and ISO/IEC 29100 is a great place to start as such a management system will ensure that the following elements are in place:
- Executive management support for a pro-active risk based approach to Data Protection;
- An appointed Data Protection Officer who will oversee the management of Data Protection;
- A multi-disciplinary committee focused on making policy decisions, reviewing the output of risk assessments and privacy impact assessments;
- A clear process for identifying and addressing privacy and data security risks;
- Procedures for managing the rights of data subjects (such as access, erasure, rectification, process restrictions, and portability);
- A process for identifying and handling data security breaches in an effective manner;
- Processes for regularly reviewing compliance such as internal audits and management review.
If these elements are implemented effectively this will provide real foundations for success when aiming to comply with GDPR and moreover effectively handle and manage PII.
Incident and Breach Management
Another major change means that organisations suffering breaches which involve PII will need to report this to an official authority (the Information Commissioner's Office for the UK) within 72 hours of becoming aware of the breach. The ICO will allow graduated reporting, as sometimes full information relating to the breach may not be available after 72 hours, but this is not an acceptable excuse not to report.
Clearly investigating incidents and reporting them to the ICO is one thing, identifying that incidents have occurred in the first place is quite another. Quite often organisations state that they have never had an incident or breach but sometimes this is because they do not have the processes, tools, people and technologies to detect breaches. Most attacks today (with the exception of Denial of Service and Website defacement) are designed to “go under the radar” and an organisation needs to be equipped to detect such breaches.
Establishing detection processes such as utilising SIEM solutions and engaging the Security Operations Centre (SOC) can provide excellent support along with user reporting processes, increased staff awareness and review processes such as internal audits and management reviews.
Failing to report incidents to the ICO because they were not detected could potentially result in a much more high profile event in the future.
Understanding how to establish effective processes to identify, respond to, investigate and manage incidents and breaches is therefore fundamental. For clear guidance, ISO/IEC 27035 gives a detailed view of all of the steps involved in effective incident and breach management.