THE FINAL COUNTDOWN: WHAT NEXT AS ONE YEAR TO GO UNTIL GDPR COMES INTO FULL EFFECT
The final countdown has now begun for the European General Data Protection Regulation (GDPR), a huge and complex piece of legislation designed to update EU law in this area for the digital age.
Although there are some exemptions for the smallest firms, all those UK organisations currently governed by the Data Protection Act (DPA) will be expected to comply with the GDPR, in order to ensure the regulation’s two primary aims: to facilitate the free transfer of data between EU states; and to uphold EU citizens’ right to privacy.
However, withsome recent stats estimatingthat as many as 84% of small business owners are unaware of the new regulation, there’s much to be done in the final 12 months before the 25 May 2018 compliance deadline.
The new regulation is broader in scope than the current DPA, and crucially is likely to apply even after Brexit, so there’s no hiding from this.
The GDPR expands the list of those who need to comply beyond data controllers to also include the data processors which usually work on behalf of the controller. As for the size of the organisation, Article 30 explains that “each controller … [and] processor … shall maintain a record of processing activities under its responsibility”. That is, except for those who employ fewer than 250 people, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data … or personal data relating to criminal convictions and offences”.
In short, this means that small organisations which occasionally process data and don’t do so as part of their “core” activity may not be required to keep strict records on information processing. Think a small car parts maker whose core business is manufacturing exhaust pipes, rather than a small marketing agency whose day-to-day work primarily involves emailing EU citizens with new offers.
However, as the ICO recommends, if you comply with the DPA, then the GDPR will apply to you. It’s also just good practice to get up to speed, whatever size of organisation you are.
The GDPR applies to all personal data. This means “any information relating to an identified or identifiable natural person”. This is a much broader definition than in the previous regulatory regime. In fact, it’s so broad that organisations should look to minimise their exposure to possible data theft and compliance by deleting any customer data they don’t need, and anonymising or pseudonymising what’s left.
There are three key new responsibilities UK firms will need to familiarise themselves with:
- Appoint a Data Protection Officer (DPO) to handle the GDPR compliance process on an ongoing basis. This is likely not to apply to those with fewer than 250 employees unless the organisation’s core work involves: the systematic monitoring of data subjects on a large scale; the monitoring of special categories of data; or the monitoring of data relating to convictions and offences
- Consent now has to be given for the use of any personal customer data via an opt-in. This will apply to any data previously collected, so new opt-in requests will need to be sent to customers
- Mandatory breach notification to the ICO within 72-hours of becoming aware of the breach. This is the big one for many as it will force greater scrutiny of the organisation’s security posture and new tools to improve transparency, so that firms know when they’ve been hacked
The bottom line is that if you fail to meet your responsibilities, potentially major fines will be levied: in the most serious cases, up to 4% of global annual turnover or €20m, whichever is larger. There will certainly be a crossover phase while regulators monitor the compliance status of organisations; but don’t think that as an SME-owner you won’t be scrutinised. In fact, the stakes might be higher for smaller organisations, as a major fine could effectively put you out of business.
The first step should involve putting together a team to handle compliance; in larger organisations this will be overseen by the DPO. Their first job will be a major data classification and mapping exercise, to find what data your organisation handles, how much of it comes under the scope of the GDPR, and where it’s stored and shared. Evaluate the technologies, processes, and oversight mechanisms currently in place and consider whether they need updating.
The GDPR is short on details when it comes to prescriptive security technologies, so consider best practice standards. If implemented correctly, they should be enough to satisfy regulators you’ve done enough to mitigate the risk of a breach. There are a number of things to consider here, including employee security education; regular patching; pen testing; endpoint, network, gateway and server security; and tighter access controls.
Many breaches come about because of password-based authentication, making it easy for attackers to crack or hack privileged accounts to access your most sensitive data. Risk-based multi-factor authentication (MFA) is therefore a must. It will evaluate each transaction and ask the user for more info if a log-in attempt looks risky. Combine this with a “least privilege” approach to minimise staff access to systems, and you’ll be on the way to effective GDPR co