Most organisations will now be aware that the EU’s General Data Protection Regulation (GDPR) is already law and will be enforced from 25 May 2018.
All businesses that currently process and store data regarding EU citizens should review the need to continue doing so. Where the activity is to be carried on, then the processes and applications involved should be checked for GDPR compliance.
Perhaps the most important thing to note is that GDPR is as much about process administration as it is about data security. The mass of organisations that process some personal data are still considering how to respond to the regulations.
The primary target of GDPR is undertakings: the processing of personal data relating to EU consumers as part of an economic activity. An undertaking may not be your organisation’s primary activity, but if it is one you consider worthwhile and want to keep, it must continue compliantly.
Brexit will make no difference
The UK aims to cease being an EU member on 29 March 2019. UK-based organisations will therefore face a 10-month period of compliance enforced by the EU itself. However, the terms of the General Data Protection Regulation will pass into UK law unless the government specifically repeals it.
GDPR enables data subjects to take back control of their data, so it would be hypocritical of Brexit advocates, who used the same slogan, to suggest UK citizens should have less control of their own data than their EU counterparts. Furthermore, the UK’s Information Commissioner’s Office took a lead in defining GDPR and, as it stands, supports its core principles.
Tool up for GDPR
With enforcement of GDPR looming, almost every IT supplier has something to say about it. This ranges from the highly relevant, such as data processors stating that their services and applications are compliant, to vague buy-me-too claims from suppliers with only peripheral relevance. The lists are long, so we have only included a few examples in this buyer’s guide, mainly suppliers that provided input. The first stop should be to consult the suppliers your organisation already works with.
Few organisations will be starting from scratch. Data protection laws have been in force in most EU countries for about 20 years. Many will have the basics in place. Many will also be complying with other regulations and standards which overlap with GDPR, for example the Payment Card Industry Data Security Standard (PCI DSS). For some, this will amount to what Quocirca terms a compliance-oriented architecture (COA). If this is the case, your organisation has a good starting point, and may not need many adjustments to comply with GDPR.
Standards organisations are also providing guidance. The ISO27000 forum provides a mapping of GDPR to the ISO27001 data protection standard. In the UK, the British Standards Institute (BSI) has a new edition of BS-10012, a framework for a personal information management system that is GDPR compliant.
Privacy by design and by default has a concept of minimisation at its core. This is that only the minimum amount of data is held to complete the task at hand. So, the first activity should be to identify all the undertakings an organisation has that involve the processing of personal data regarding EU citizens, and assess whether that data really needs collecting, storing and processing in the first place.
Where the processing of personal data is deemed unnecessary, it can be stopped altogether – and historic data deleted. For example, market research data may include the names of individuals where their company name will suffice, or home IP addresses may be collected unnecessarily by an internet of things (IoT) application. Stop the collection of personal data and the applications and processes become out of scope for GDPR compliance.
If it is concluded that the data processing must continue, the risk may be such that a data protection impact assessment (DPIA) needs to be conducted.
There are consultancies that specialise in data security, protection and compliance. For example, the NCC Group and Coalfire both help with DPIAs and provide virtual chief information security officers that can act as data protection officers if your organisation requires one but lacks the in-house skills. Storage suppliers have also geared up. Veritas, for example, offers a GDPR Readiness Assessment.
Outsource data processing
Relevant data functions can be outsourced to data processors that will ensure GDPR administrative and data security compliance. For many organisations that have cobbled together in-house systems, now may be the time to bite the bullet and move processing to a third party.
The terms and conditions of agreements should be scrutinised to ensure that, should a data leak or administrative shortfall occur due to the processor’s negligence, the processor will be liable for the penalties imposed. There is a caveat, however: where your organisation requires access to the processor’s system and unauthorised access occurs through that route, the fault will probably lie with your organisation.
Many undertakings are all about maintaining a relationship with consumers via email, social media and smartphones. There are plenty of third-party processors that will take on the task of collecting, storing and processing your data.
Some third-party service providers that don’t sound like IT companies provide relevant services. For example, Just Eat brokers the relationships between restaurants and consumers primarily to collect payments. It can also handle ongoing communication with existing customers, providing information about new dishes, for example. The restaurants do not even need to access the personal data stored by Just Eat’s system, and are therefore out of scope for GDPR compliance – unless they have some other process that collects relevant data.
Online retail involves processing personal data. Again, the whole process can be outsourced. For example, Actinic, one of the suppliers covered in a previous buyer’s guide on e-retail, says its on-demand platform is now fully GDPR compliant for both data security and administration. It also provides a continuous audit trail, including who has access to the system, so in the event of unauthorised access, information is available to support an investigation. In the UK, Sage’s e-commerce platform is based on Actinic.
Direct marketing can also be outsourced to compliant data processors. For example, Marketo’s on-demand platform ensures the safe storage of personal data and enables the compliant administration of campaigns. Customers can use the platform directly or work with Marketo partners, such as UK-based Verticurl, Clevertouch and Bluprint, to run campaigns for them. Marketo provides a full audit trail of who has been accessing the system.
Controlling and auditing who has access to the applications that process personal data is essential. Administrators must be accountable for their actions, and one way cyber criminals gain illicit access to systems is via compromised access credentials. If all processing is outsourced to a single third party then its monitoring of access may be sufficient. However, if you use multiple systems, or run your own, it may be time to use a single sign-on system that enables one-stop provisioning and de-provisioning to multiple applications and maintains audit trails. Identity and access management systems were covered in a previous buyer’s guide.
If you have a single undertaking outsourced to a data processor, it should inform you about any data breaches it is responsible for. However, breaches that are due to vulnerabilities of an on-demand service supplier’s platform are rare compared with those of in-house systems. If you have monitored access management, unusual activity should be audited and detectable. If you choose to process data in-house, you will need to think about data loss prevention (DLP) systems, to detect and prevent potential breaches.
However, it must be accepted that however systems are run, a breach is always possible. So, for those that consider their undertakings to be high risk, it may be worth considering post-breach detection services from companies such as Recorded Future, Digital Shadows and the emerging UK-based supplier RepKnight.
Keeping it all in-house
Some organisations may conclude that the processing of personal data is so core to their business that they want to run the systems themselves. They are then tending to the first extreme described at the start of this article: plans for GDPR should be well underway and an architecture that ensures compliance should be in place.
This will involve technologies such as encryption, tokenisation and DLP. The broad-scope security providers such as Symantec, Trend Micro, McAfee and Forcepoint all provide guidance as to how their product portfolios can support many of the requirements that in-house GDPR compliance requires.
Enforcement of GDPR is little over a year away. However your organisation intends to address the requirements in the interests of your business and its customers, the time to act is now.
Bob Tarzey is an analyst and director at Quocirca.