
Jon Fielding: GDPR: It’s time to find the chinks in your armour

Friday December 1st, 2017

The path to compliance with GDPR looks different for every organisation; it’s a tweak to an existing security policy for some, and a vast project for others. For many UK organisations, the journey is far from over: research from Apricorn has found a significant gap in understanding of what is required to comply. While 24% were not even aware of the GDPR and its implications, 17% were aware, but had no plan for ensuring compliance.

Until the GDPR comes into force, the EU will continue to rely on the 1995 Data Protection Directive, which suffers from varying levels of enforcement across the EU. GDPR will ensure all countries comply with the same comprehensive controls so that the personal data of European citizens has a consistent level of security and protection across each country processing their data.

There are many lingering misconceptions and complexities around GDPR. These include two common myths: that there will be a ‘grace period’ after the May 2018 deadline and that organisations will only be penalised in the event of a data breach. Neither of these is correct.

Steve Wood, Head of International Strategy & Intelligence at the Information Commissioner’s Office (ICO), has stated that: “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.” The ICO plans to focus on risk, and while it will be happy to work with organisations in areas that seem unclear, there will be no grace period. The challenges UK businesses face with the GDPR are just around the corner. It would be prudent to be prepared now and address areas we know will be required so that the foundations are in place once the regulation comes into force.

The regulation is not about when a breach happens and how an organisation responds; it is about being proactive about security. Organisations can be fined under the new rules if they are unable to demonstrate that good data protection is a foundation of their business policy and practices. A report conducted by YouGov found that 71% of organisations haven’t realised they will be heavily fined if they fail to follow the guidelines. The onus of GDPR on businesses is significant. Non-compliance can come at a huge cost, with fines of up to €20 million or 4% of a company’s annual global revenue, whichever is the greater.

Laying down the rules
Under the new rules, EU citizens will have much more control over their personal data. The request for their consent must be explicit, and the reason for collection of their data and how it will be used and stored must be clear. They also have the right to demand their data in a portable format, and the right to request that all their data is deleted from the system. Businesses must have systems and processes in place to comply with citizens’ rights and many will need to appoint a dedicated data protection officer. Employees will also need educating about their responsibilities as they are often unaware of their role in protecting sensitive information, and unwittingly put confidential data at risk. Employees require adequate training, and necessary policies should be created and enforced, particularly when the data is taken beyond the network perimeter. The Apricorn survey found that 29% of organisations have suffered a data breach or loss as a direct result of mobile working, and 44% expect mobile workers to expose the business to data breaches.

Keeping track of data
The aforementioned survey by Apricorn found that 38% of surveyed respondents believe they have no control over where company data goes and where it is stored. GDPR requires that organisations should be able to trace all personal data, and understand where it resides and how it’s used.

Organisations will need to document exactly how data is processed, stored, retrieved and deleted through its lifecycle to pinpoint where data may be unprotected and/or at risk. As part of the new GDPR requirements, they must demonstrate that they are limiting who is authorised to access certain information, and why. They also need to consider how data is protected outside of their central systems, both on the move and at rest. If data is being transferred outside of the network or between systems, they need to research, identify and mandate a corporate-standard encrypted mobile storage device, and ensure its use is enforced across the organisation through policies – such as locking down USB ports so they can accept only approved devices. These processes will then enable organisations to identify shortcomings in their technologies and policies. USB devices can offer a convenient way to transfer data between computers, and PIN pad authenticated, hardware encrypted USB devices can provide the necessary encryption capability embedded within the device, so data can be decrypted without the need for the user to install additional software.
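One concrete way to enforce the “approved devices only” policy mentioned above on a Windows endpoint is the Device Installation Restrictions policy, which can be set through Group Policy or, as here, directly in its registry keys. The script below is an added example and is not code from the article or from Apricorn; the hardware IDs it allow-lists are placeholders (a real deployment would use the vendor and product IDs of the corporate-standard encrypted drive, as shown under Hardware Ids in Device Manager), and it assumes an elevated PowerShell session on the machine being configured.

```powershell
# Added example (not from the article): allow-list approved USB storage devices on a
# Windows endpoint via the Device Installation Restrictions policy registry keys.
# Hardware IDs below are constructed placeholders; replace with the approved model's IDs.
# Run elevated; in a domain, deploy the same settings with Group Policy instead.

$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$allowList    = Join-Path $restrictions 'AllowDeviceIDs'

# Approved device hardware IDs (placeholders, assumed for this example).
$approvedIds = @(
    'USB\VID_0000&PID_0000',   # placeholder: approved hardware-encrypted drive, model A
    'USB\VID_0000&PID_0001'    # placeholder: approved hardware-encrypted drive, model B
)

New-Item -Path $restrictions -Force | Out-Null
New-Item -Path $allowList    -Force | Out-Null

# "Prevent installation of devices not described by other policy settings":
# any newly connected device that no allow policy matches is refused.
New-ItemProperty -Path $restrictions -Name 'DenyUnspecified' -PropertyType DWord -Value 1 -Force | Out-Null

# "Allow installation of devices that match any of these device IDs": enable the policy ...
New-ItemProperty -Path $restrictions -Name 'AllowDeviceIDs' -PropertyType DWord -Value 1 -Force | Out-Null

# ... and populate its list. The policy expects string values named 1, 2, 3, ... each holding one ID.
$i = 1
foreach ($id in $approvedIds) {
    New-ItemProperty -Path $allowList -Name "$i" -PropertyType String -Value $id -Force | Out-Null
    $i++
}

# Verification: print the enforced policy so an auditor can confirm what is in place.
Get-ItemProperty -Path $restrictions | Select-Object DenyUnspecified, AllowDeviceIDs
Get-ItemProperty -Path $allowList | Select-Object -Property * -ExcludeProperty PS*
```

Two caveats worth knowing before rolling this out: the deny rule applies to every device class, not just storage, so keyboards, mice and docking stations that are not already installed will also be refused unless their IDs or device setup classes are allowed alongside the drives; and the restriction is applied at installation time, so devices installed before the policy took effect keep working until they are removed. Pilot the setting on a small group of machines and keep the exported policy alongside the data-flow documentation described above, since it is exactly the kind of evidence of enforced controls that the regulation asks organisations to be able to show.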

Employee education
Having the right tools and policies in place is a significant part of GDPR compliance, but ultimately it is the users that pose the biggest threat. If employees do not recognise and understand the legislation and its consequences, the likelihood is that failings will ensue. Educating staff about the rules and their responsibilities is crucial. Employees should be aware of, and trained to understand, the necessary policies and regulations, and these must be enforced to avoid putting company data at risk.

Data encryption
The GDPR Article 32 states that data encryption is a means to protect personal data and that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data”.

Additionally, Article 34 notes that if a breached organisation “has implemented appropriate technical and organisational protection measures such as encryption”, it can avoid the regulation’s breach notification requirement to contact each individual affected and the resultant administrative costs.

In some instances, regulations will mandate encryption in clear, unmistakable terms; those that don’t adhere to these terms will be in violation of the law. Other times, regulations remain vague about requiring encryption. GDPR, for example, may require that sensitive and/or personal data be protected without explicitly stipulating that it be protected via encryption, a less than ideal situation. If there are questions about implementing encryption that are not black and white, following industry best practices will help keep organisations protected.

By following these steps organisations will be in good stead for compliance with the impending legislation. GDPR is essentially about keeping organisations – and the data they house – secure, and in a better position to deal with a security breach should it occur. Having the necessary systems and processes in place will ensure compliance and help to avoid the repercussions of a data breach.
