A new regulation relating to data that can be used to identify an individual comes into force in May next year. All customer organisations need to be aware of the rules or risk huge penalties. In this special feature, we look at the essentials of GDPR and help our clients and friends address the challenges.
General Data Protection Regulation (GDPR) is coming and it can’t be avoided or ignored. After 25 May 2018 organisations that don’t know what personal data they hold, or don’t do enough to protect it, face potential fines of up to 4% of their turnover, or €20 million.
Many businesses have very little understanding about what GDPR is, what it means and what is required. After May 25th, 2018 businesses will need to show that they know what information they’ve got and are protecting data sufficiently.
Denial of Service Week
Under GDPR, the regulator as well as individual citizens will be entitled to ask organisations what information is being held – and every business or organisation will be expected to respond swiftly and appropriately. One major concern, especially for large organisations, public-sector departments and county councils is that come 25 May 2018, there will be thousands of requests being made by members of the public. In security circles, this is being referred to as “Denial of Service Week” because it is believed that some organisations will be totally swamped by requests, to which they will have to respond within a set period.’
While this may throw up major challenges especially during that first week and possibly stretching into several weeks, it is up to every business and organisation to be prepared for GDPR and take action to ensure they meet its requirements.
Organisations with 250 employees or more must appoint a Data Protection Officer (DPO) who is responsible for ensuring that personal data is collected and secured responsibly. Businesses with 250 staff will also need to adhere to GDPR if any of the data they hold or process could lead to the rights and freedoms of individuals being put at risk. This basically means if the data could be used to identify them, such as a PPS number, a person’s bank account details and home address. This is information that’s stored in any payroll system.
As businesses start the discovery process locating and correctly cataloguing the client and customer data they have on file, it also affords them the opportunity to gain a better insight into their own business and their customers. GDPR also presents opportunity for the vendors of business analytics and data mapping solutions.
Once discovered, data needs to be classified and secured once again creating opportunity for vendors who provide encryption and secure cloud storage solutions. It is however your responsibility to ensure that whatever solution you use has good all-round security backed up by your own appropriate digital security policy.
No matter what solution you use, be it advanced encryption tools or a simple spreadsheet, it is by researching and following best practices that will ensure your are GDPR compliant. A lot of the leaks you hear about are down to best practice not being followed anyway. With the additional threats of ransomware and other malware phishing menaces now very apparent, it is by applying best practices across your business or organisation that will likely save you from any future threats. In fact, in a piece we published on our blog, earlier this year we highlighted that “Common bad practices are your biggest threat”. In other words, not following best practices.
What is GDPR
The General Data Protection Regulation (Regulation EU 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the EU. Published on 27 April 2016, it will come into effect on 25 May 2018 and immediately replace the UK Data Protection Act 1998.
GDPR dictates how businesses, governments and public sector collects, uses and shares data on EU residents. It means that all companies that have data on EU residents must build data protection into their infrastructure or risk severe penalties.
The requirements of GDPR summarised
- All organisations need to be able to discover, classify, secure and report on all EU citizen Personal Identifiable Information (PII)
- Regulators can request an Information Governance report detailing what PII is stored, why it is stored, what it is used for, how it is stored, how it is processed, who it is shared with and how it is classified
- PII data must not be leaked or assessable to unauthorised parties – any breach will also result in a fine
- Failure to provide the report or any leakage of data may result in substantial fines (€20 million or 4% of global revenues, whichever is greater) from the regulator.
Questions and Answers
What constitutes 'data'?
Under the GDPR it is not just passwords, pin numbers or dates of birth that companies and other organisations will be legally obliged to protect and treat ethically. Anything that could be construed as 'personal data', must be protected. This also includes PPS numbers, IP addresses, email addresses, as well as any and all details on physical characteristics such as age, race, physical attributes, or gender.
Why is the GDPR needed?
There are two main reason why the current data protection regulations are being replaced with GDPR. Firstly, it is out of date and pre dates data rich platforms such as Facebook, Twitter, Snapchat etc.
Secondly, the penalties for beaches of the current regulations are simply too low. It is known that some companies include fines for illegal direct marketing campaigns as part of their budget. That will not be possible under the new legislation, with fines of up to 4% of turnover or €20 million, whichever is greater. Research has also shown that serious data breaches negatively affect consumer and investor confidence, and can hit share prices hard.
Who (or what) is a DPO?
Under the GDPR many companies will be required to appoint a Data Protection Officer (DPO) to oversee how consumer data is collected, stored and disposed of.
For small companies which do not collect much consumer data this may be someone who takes on the role overall responsibilities in the company.
For consumer-facing companies which collect a lot of consumer data, the role will likely have to be a dedicated position.
The role will not be a middle-management appointment either - under the GDPR, the DPO must report only to the CEO of the organisation. It is permissible to appoint a third-party consultant as your DPO.
Are we starting too late?
Most Irish companies are aware that the GDPR is coming, but simply aren’t prepared.
A recent survey conducted by the Irish Independent found that just 6pc of those questioned said their GDPR plans were at an advanced phase.
Where should our company start?
Reading articles like this or the many hundreds available online is a good starting point to get your head around GDPR. It is recommended you visit the website of the Data Protection Commissioner where you will find plenty of information including the very useful “GDPR and You”
You may need to have to look at an organisational overhaul, in how your company treats consumer data, which will need to be addressed on an ongoing basis.
Even small businesses should appoint someone either a qualified member of staff or outside consultant - to oversee the process, and to begin implementing some of the more straightforward practices, including amending consumer privacy statements.
You must finally begin the process of training staff to understand compliance with this legislation and ensure every member of staff than handles or has access to data is actively implementing it.
What you need to know
- GDPR relates to data on EU citizens and so organisations that hold data on EU citizens regardless of whether the company is based inside or outside of the EU, fall under the scope of GDPR.
- Data must only be used for the purpose agreed when the data was collected. It can include names, addresses, emails, telephone numbers as well as social media updates, pictures and IP addresses
- Organisations must ensure that they provide the ‘right to erasure’ on an individual demand (Article 17 of the GDPR).
- Data must be portable via open and popular file formats
- Processes and workflows will need to be reworked to build in ‘privacy by design’
- Organisations of all sizes will need to appoint Data Protection Officer(s) who will be answerable to the Data Protection Commissioner
- Notification of a Data Breach must be within 72 hours of the discovery of a breach and should be to:
- The Data Controller (if you are a Data Processor)
- The Data Protection Commissioner
- The Data’s subjects
- A Data Controller is a person who specifies the purposes for which personal data will be used and how data will be processed
- A Data Processor is a third-party person (not employed by the Data Controller) who organises, adapts, retrieves, discloses or shares the data on behalf of the Data Controller
- The notification must at a minimum describe the personal data breach, the scale of the issue, the data protection officer’s contact details, likely consequences of the breach and how this is being dealt with
- There is no certification or accreditation for GDPR which means that organisations are never going to achieve GDPR compliance. If an organisation does leak/lose any EU resident’s PII, the ICO will take into consideration the processes, workflows and security it has put in place to protect the EU resident’s PII when determining the size of the fine
You can view the EU’s guidelines and get more information on GDPR at www.eugdpr.org