Is your organisation ready for GDPR?

As you will already be aware from the many blogs and online posts, GDPR applies in the UK from the 25th of May 2018. Organisations already complying with the current Data Protection Act 1998, which is based on Directive 95/46/EC, will already meet some of the requirements, so rather than restating existing obligations this article looks at the changes and the additional activities required to meet the expectations of GDPR.

Application

GDPR applies to Data Controllers and Data Processors that process, store or handle personal data, that is, information relating to an identified or identifiable living individual.

Those familiar with the existing Data Protection Act 1998 know that a Data Controller is usually the organisation collecting the personal data. For example when you provide details to your bank, your bank becomes a Data Controller.

Unlike existing legislation, GDPR places direct obligations on Processors too, so for example if the bank outsources data processing to a third party, that third party is itself required to comply with the requirements of GDPR. This does not, however, mean the Data Controller is no longer accountable. A Data Controller will still need to demonstrate that it performed due diligence when selecting a Processor, put suitable contracts in place (GDPR prescribes the terms such a contract must contain) and proactively monitors the Processor's performance and compliance with GDPR requirements.

Data Processors such as IT outsourcing organisations, data processing organisations, outsourced contact centres and cloud providers need to ensure that they take steps to protect data and process and store it in a suitable manner. In the absence (at the time of writing) of a specific GDPR action checklist, organisations could consult the principles in ISO/IEC 29100 (Information technology – Security techniques – Privacy framework) in order to lay down the fundamental processes and a management system which will allow not only compliance but also the tools and techniques to demonstrate that commitment to data privacy.

Personal Data and Personally Identifiable Information (PII)

There are many arguments about what constitutes PII, but in simple terms it refers to information which can identify a living individual. Clearly name, address, telephone number etc. apply here. GDPR goes further and adds other considerations: online identifiers such as an IP address or a cookie used to track activity are explicitly within the definition of personal data. Many organisations use pseudonyms to protect PII, and this remains acceptable (GDPR actively encourages pseudonymisation), but pseudonymised data is still personal data wherever the pseudonym can be related back to a real person, for example by whoever holds the key or the lookup table used to generate it. Any pseudonymisation process therefore needs to be thoroughly thought through, designed and protected accordingly, and the additional information needed to reverse it kept separately under strict access control.
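
The following worked example is added to this article and is not part of the original text or any organisation's production code; the customer e-mail addresses and the dataset names are constructed for illustration. It shows why the choice of pseudonymisation technique matters: a plain hash of an identifier can be reversed by anyone who can guess candidate identifiers (a dictionary attack), whereas a keyed HMAC cannot be reversed without the secret key, which is the "additional information" that must be held separately. It also shows deriving a different key per dataset so that the same person's records in two datasets cannot be linked by comparing pseudonyms.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifiers for the example (not real customers).
CUSTOMERS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
]


def pseudonymise_unkeyed(identifier: str) -> str:
    """Weak pseudonym: a plain SHA-256 of the identifier.

    Anyone who can enumerate plausible identifiers (customer lists, e-mail
    address patterns) can recompute the hash and link it back to a person,
    so the output is still personal data and offers little protection.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise_keyed(identifier: str, key: bytes) -> str:
    """Stronger pseudonym: HMAC-SHA256 of the identifier under a secret key.

    Without the key an attacker cannot recompute pseudonyms for guessed
    identifiers. The key is the 'additional information' that GDPR expects
    to be stored separately (for example in a KMS or HSM) and access controlled.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def dataset_key(master_key: bytes, dataset_id: str) -> bytes:
    """Derive a per-dataset key so pseudonyms are not linkable across datasets.

    Two datasets (e.g. 'marketing' and 'billing') get unrelated keys derived
    from one master key, so the same person has different pseudonyms in each.
    """
    return hmac.new(master_key, dataset_id.encode("utf-8"), hashlib.sha256).digest()


def reidentify(pseudonym: str, candidates, pseudonymise):
    """Dictionary attack: recompute the pseudonym for each candidate identifier
    and return the candidate that matches, or None if none does."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate), pseudonym):
            return candidate
    return None


def demo():
    """Compare unkeyed and keyed pseudonyms against a dictionary attack.

    Returns (weak_hit, strong_hit_without_key, strong_hit_with_key).
    """
    key = secrets.token_bytes(32)          # controller's secret, kept separately
    attacker_guess = secrets.token_bytes(32)  # attacker does not know `key`
    target = "bob@example.com"

    weak = pseudonymise_unkeyed(target)
    strong = pseudonymise_keyed(target, key)

    weak_hit = reidentify(weak, CUSTOMERS, pseudonymise_unkeyed)
    strong_hit_without_key = reidentify(
        strong, CUSTOMERS, lambda c: pseudonymise_keyed(c, attacker_guess))
    strong_hit_with_key = reidentify(
        strong, CUSTOMERS, lambda c: pseudonymise_keyed(c, key))
    return weak_hit, strong_hit_without_key, strong_hit_with_key


def cross_dataset_linkable(master_key: bytes, identifier: str) -> bool:
    """True if the same identifier yields the same pseudonym in two datasets
    (i.e. the records could be joined by an attacker holding both datasets)."""
    marketing = pseudonymise_keyed(identifier, dataset_key(master_key, "marketing"))
    billing = pseudonymise_keyed(identifier, dataset_key(master_key, "billing"))
    return marketing == billing


if __name__ == "__main__":
    print(demo())
    print(cross_dataset_linkable(secrets.token_bytes(32), "alice@example.com"))
```

The practical consequence for a GDPR programme is that the pseudonymisation key, not the pseudonymised dataset, is what decides whether a third party (an analytics supplier, a test environment) can re-identify people, so the key's storage, access control and rotation belong in the privacy impact assessment.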

Further, there is a separate category of data, known in GDPR as special categories of personal data (often called Sensitive PII), which covers things such as racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health, sex life and sexual orientation. Genetic data and biometric data used to uniquely identify a person also fall into this category, and such data needs much closer protection from a security perspective and can only be processed under specific, narrower conditions.

Consent

When collecting PII the organisation collecting the data must have a lawful basis for doing so. Consent is one such basis (others include performance of a contract and legal obligation), and where consent is relied upon it must be demonstrable, i.e. evidence of the consent must be available. The Information Commissioner's Office (ICO) has clearly stated that "Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent." Consent must also be as easy to withdraw as it was to give. This means that a key part of the GDPR compliance process will involve reviewing and possibly re-designing the consent processes.

Children’s Personal Data

Services aimed at children come in for particular attention, requiring privacy notices aimed at children to be written in a clear way understandable to a child. Furthermore, online services offered directly to children that rely on consent must include a mechanism to obtain, and make reasonable efforts to verify, the consent of parents or guardians for children below the age of digital consent (16 under GDPR, which member states may lower to no less than 13).

The Right to Data Portability

This new right allows individuals to obtain and reuse their own personal data across different services, for example moving data from one IT environment to another. It applies to data the individual has provided to the organisation and that is processed by automated means on the basis of consent or a contract, and the data must be supplied in a structured, commonly used and machine-readable format. Clearly this means that organisations will need to closely examine their data architecture, storage processes and the procedures for allowing the extraction and transfer of data. In the banking sector, midata is a tool that allows customers to access their transactional account data, which they can then upload to price comparison sites.

Governance and Accountability

Perhaps one of the biggest developments in GDPR is the introduction of specific requirements for clear governance processes within organisations, with clear roles, responsibilities and accountabilities established and documented so that compliance can be demonstrated on request.

Establishing management systems based on ISO/IEC 27001 and ISO/IEC 29100 is a great place to start as such a management system will ensure that the following elements are in place:

  1. Executive management support for a pro-active risk based approach to Data Protection;
  2. An appointed Data Protection Officer who oversees data protection and reports to senior management (mandatory under GDPR for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data);
  3. A multi-disciplinary committee focused on making policy decisions and reviewing the output of risk assessments and privacy impact assessments (Data Protection Impact Assessments, which GDPR makes mandatory for high-risk processing);
  4. A clear process for identifying and addressing privacy and data security risks;
  5. Procedures for managing the rights of data subjects (such as access, erasure, rectification, process restrictions, and portability);
  6. A process for identifying and handling data security breaches in an effective manner;
  7. Processes for regularly reviewing compliance such as internal audits and management review.

If these elements are implemented effectively this will provide real foundations for success when aiming to comply with GDPR and moreover effectively handle and manage PII.

Incident and Breach Management

Another major change means that organisations suffering a breach involving personal data will need to report it to the supervisory authority (the Information Commissioner's Office for the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the risk to individuals is high, the affected individuals must be informed as well. GDPR allows the information to be provided in phases, as full details of a breach may not be available within 72 hours, but this is not an acceptable excuse for not reporting. Organisations must also keep an internal record of all personal data breaches, including those not reported.

Clearly, investigating incidents and reporting them to the ICO is one thing; identifying that incidents have occurred in the first place is quite another. Organisations often state that they have never had an incident or breach, but sometimes this is because they do not have the processes, tools, people and technologies to detect one. Most attacks today (with the exception of Denial of Service and website defacement) are designed to "go under the radar", and an organisation needs to be equipped to detect such breaches.

Establishing detection capabilities such as SIEM solutions and a Security Operations Centre (SOC) provides the technical foundation, and user reporting processes, increased staff awareness, and review processes such as internal audits and management reviews complement it, since many breaches are first noticed by staff or customers rather than by tooling.

Failing to report a breach to the ICO because it was never detected does not remove the obligation, and a breach that surfaces later, for example through a customer complaint or a data leak, is likely to become a far more high-profile event.

Understanding how to establish effective processes to identify, respond to, investigate and manage incidents and breaches is therefore fundamental. For clear guidance the ISO/IEC 27035 gives a detailed view of all of the steps involved in effective incident and breach management.

Smart Cities and a Sustainable Future

One of these latest “hot terms” is Smart Cities but what exactly is a Smart City and how can a Smart City deliver a sustainable future?

Firstly, it is worth saying that sustainability can mean many things but in general the aim is to ensure that going forward into the future people can lead a healthy, prosperous life without damaging the environment and compromising resources and opportunities for future generations. The United Nations (UN) Sustainable Development Goals give a good view into the wide spectrum of issues that sustainability can cover.

The following numbers from the UN give some ideas of the challenges ahead:
  • 50% of today's world population lives in urban areas (3.5 Billion), and by 2030, 60% of the population is projected to be urban;
  • Because the total population is also growing, 60% in 2030 represents far more people than the same share would today;
  • By 2050, 75% of the world’s population will live in cities;
  • 1 in 8 currently live in one of the world’s 28 “Mega Cities”;
  • By 2050 it is predicted that 64% of the developing world and 86% of the developed world will be “urbanized”;
  • 95% of Urban Growth by 2050 is expected to take place in developing countries;
  • Cities account for more than 70% of global CO2 emissions;
  • 75% of urban settlements are at risk from climate change impacts.

The challenges associated with these numbers include a greater demand for resources like water and energy, increased demand on services such as healthcare and education and an increasing pollution and impact on biodiversity. Equally increased demand on housing can lead to rises in crime and social problems. From an energy perspective, it is worth considering that cities take up 2% of Earth’s land surface but account for 80% energy use and 75% carbon emissions (UN 2014).

The idea of a Smart City is of one that tackles these real problems head-on in creative ways, not just by using technology but through new approaches, ideas and citizen engagement. A holistic approach is essential when dealing with complex problems. A definition that captures the dynamics of Smart City development is the one adopted by New Urban Informatics, a specialist in Smart City development: "An urban ecosystem that uses information and data to anticipate problems and better utilize resources across multiple disciplines." The application of data and analytics across the domains of an urban setting led to the term "Smart Cities".

The simplest way to grasp the concept of sustainability in the context of a city is to overview two examples:

1. Stockholm Carbon Reduction Strategy – Congestion Charging

Whilst the concept of congestion charging is politically controversial, Stockholm demonstrated how such an approach can lead to improvements in air quality and a drop in airborne pollutants. The project was designed to reduce congestion and emissions and to improve health and well-being. One of the major points about this plan was that it was established via political consensus. Ensuring citizen support and engagement for any smart city initiative is imperative for success: there are many cases where solutions implemented top-down by government have been treated with suspicion or simply not used because of a lack of awareness and buy-in.

The solution included the implementation of Automatic Number Plate Recognition (ANPR) technology to track vehicles travelling in and out of the designated central zone. Policies were adjusted to charge users based on vehicle type, with exemptions for "green cars", which also stimulated the market for electric and hybrid vehicles. Since the implementation of the scheme, Stockholm has experienced a 10-14% drop in airborne pollutants and an 8.5% reduction in nitrogen oxides (NOx). Note that an ANPR system is itself a large-scale collector of personal data (vehicle movements tied to registered keepers), so such a scheme needs the same privacy-by-design treatment as any other data-driven service.

2. London Heygate Estate Redevelopment (Elephant Park)

The Heygate Estate in London was a well-known residential area due for redevelopment. In this case, the major project to regenerate the housing estate had sustainability at its heart, with clear sustainable construction principles. The project ensured that all construction used energy-efficient materials, that solar energy was used for power generation, and that efficient LED lighting was installed. It also incorporated green spaces with 283 new trees and communal "grow gardens" to encourage community building and provide access to fresh local food.

The project was recognised by C40 Cities as a Climate Positive development, with the aim of reaching that status by 2020, i.e. the redevelopment is intended to avoid or offset more emissions than it produces.

Potential Opportunities

The two examples above give a view of a smart city approach to sustainability but there are many others driven either by city authorities or governments, or citizens themselves. Ideas include:

  • Smarter public transportation and mass transit solutions;
  • Provision of alternative vehicle technology to reduce or eliminate emissions;
  • Use of sensor technology to measure real-world emissions, allowing policy actions to be taken on factual data. Some proposals extend this with blockchain technology to record such measurements tamper-evidently and to reward positive behaviour, e.g. SolarCoin;
  • Improved urban planning and public policy ideas to move living and workspace closer together, while reducing movements as well as improving green spaces to provide more carbon sinks. The development of urban agriculture such as vertical farming reducing the need for intensive farming and high food miles;
  • Improved water management means more supply of potable water, less energy spent on production, less pollution and fewer damaging climate impacts. Additionally, better quality water means less disease (a significant proportion of all human disease is connected to water);
  • Improving reuse policies (and by extension recycling) results in less landfill and consequently a reduction in methane and other greenhouse gas emissions. Equally, this leads to more reclaiming of basic raw materials (glass, metals), resulting in less energy being spent on extraction and mining.

So, a Smart City is not simply a technology; it is an approach, aided by technology, to tackling some of the major issues in cities, towns and municipalities. Adopted in the right way it can increase efficiency, citizen engagement and quality of life, and can help us tackle major challenges such as climate change and air pollution head-on.