Ahead of the compliance deadline for the EU General Data Protection Regulation (GDPR) and the new Data Protection Act, which implements the regulation in UK law, security experts have shared their top tips on what organisations should be focusing on at the start of a new data protection era.
For organisations that feel they are “behind” in their GDPR implementations, Martin Jartelius, chief security officer at security firm Outpost24, said they should ensure that they have:
- Enumerated all sub-processors.
- Performed data privacy impact assessments.
- Equipped websites and any other means of communications where data processing occurs to gather consent in a compliant way and to log this process.
- Informed users clearly about how to execute their right of erasure.
- Informed staff not to email or instant-message personal data, and not to adopt new platforms without legal approval, as doing so would amount to sub-processing without consent.
Next, Jartelius said organisations should plan how they will deal with any communication that might come in from individuals or inspectors.
“Understand that if something happens, transparency and clear communications to affected users is key to avoiding fines as well as staying on the right side of the law – transparency will be key to avoiding disaster. Once those are in place, you can work to catch up and get back on track with the rest of your implementation,” he said.
Tomáš Mičo, senior data protection and licensing lawyer at Eset, said the GDPR was about to change the way organisations think about personal data processing, as well as the protection of data subjects’ rights, and that organisations should perform checks in five key areas:
- Principles: Comprehensive analysis and subsequent validation are required for the principles stipulated by the GDPR, which are the most important part of compliance. “Lawfulness, together with fairness and transparency, purpose and storage limitation, data minimisation, accuracy and integrity with confidentiality must be present in every stage of data processing,” said Mičo.
- Accountability: After embedding principles into data processing activities, it is important to check the organisation’s ability to demonstrate that they are working as intended. “Data controllers have to be able to provide solid evidence to support the claim of compliance in an investigation by data protection authorities,” said Mičo.
- Data processor arrangements: All existing contracts with data processors need to be revised and amended to ensure they meet the requirements of the GDPR.
- Data subjects’ rights: The controller should prepare for and test the worst-case scenario for data subject requests, to be sure that appropriate answers can be given within the period the GDPR requires (one month for access requests).
- Data protection officer: In the case of data controllers with a legal obligation to appoint a DPO, the selection process should have been already finished, or at least started.
Gavin Millard, technical director at Tenable, said it is important to remember good security is not measured by the number of zeros on a purchase order, but by how well technology is operationalised in the environment. “A well-configured £10,000 security technology can be far more effective than a poorly deployed £100,000 one,” he said.
Adrian Bisaz, European vice-president at CyberProof, said one of the top items on organisations’ checklists should be the “right to be forgotten” as it is one of the more difficult requirements for companies to implement in time. “Alternatives such as change of code or change of application are tactical solutions which don’t scale. An innovative approach is needed to help companies accelerate their ability to adhere to this requirement effectively,” he said.
Terry Ray, chief technology officer at Imperva, said there were two common mistakes companies continued to make with regards to data regulation. The first is failure to ensure they know where all of the regulation-relevant data is stored in their environment and that they know when that data is viewed or modified.
“This seems easy until a customer realises that most auditors will not accept a simple list of locations where private data is supposed to be. Instead, knowledgeable auditors expect a company to demonstrate that relevant data only exists in the locations where it’s supposed to be, and not where it isn’t.
“More importantly, the company needs to demonstrate that private data does not exist elsewhere within the organisation and that it is not shared without knowledge outside the organisation. This changes the process for many organisations from making a simple inventory of known locations where private data is supposed to reside, to a fully proactive review of all data storage systems looking for private data that doesn’t belong, or fell outside of private reporting procedures which may have left such locations off of a data privacy list.
“Post-breach, answering a data governance body with ‘I didn’t know that department had copied private data to another server’ is not an appropriate defence,” he said.
Second, organisations tend to fail to audit access to private data, which is often related to the first failure of not knowing where personal data is stored. “Assuming, however, that an organisation does have an effective data classification process and knows where all of its data is, it needs to ensure it is auditing access to it,” said Ray.
“Most auditors are looking for proof that a company knows the basics: Who viewed the data? How did they access it? When did it happen? Where did they come from and where was the data located? Most importantly, and yet often missed, is what was accessed, how much was accessed and should it have been accessed? These last three questions have been asked by post-breach investigators for years, and have now made their way to regulatory audits, because of the failure of companies to effectively answer them during a data loss situation,” he said.
Companies should fully expect to have secondary, deeper questions asked around the location of private data and whether private data is being accessed appropriately, warned Ray. “These both require a level of diligence that many companies, even today with such a short time to go, still cannot answer. Time will tell whether GDPR softens [auditors’] language to pass more failing companies or whether they make examples of some companies to get others into compliance,” he said.
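The two checks Ray describes, a sweep for personal data sitting in locations that were never registered and a review of access records against who is allowed to read what and how much, can be scripted against a data inventory. The following is an added example written for this page, not code from the article or from Imperva; the inventory, table names, principals, patterns and audit records are all constructed and hypothetical, and a real deployment would read the inventory from a data catalogue and the records from the database's own audit log rather than from in-line literals.

```python
"""Added example (not from the article): personal-data discovery and access review.

Two checks an auditor would ask for:
  1. discover_unregistered(): does personal data exist in a store that is
     NOT in the inventory? (data "where it isn't supposed to be")
  2. review_access(): for each access record, answer who / how / when /
     from where / what / how much, and whether it should have happened.
All data below is constructed for illustration; names are hypothetical.
"""
import re

# Constructed inventory: where personal data is supposed to live, which
# principals may read it, and how many rows one access may legitimately touch.
REGISTERED = {
    "crm.customers": {"allowed": {"svc_crm", "alice"}, "row_limit": 500},
    "hr.employees": {"allowed": {"svc_hr"}, "row_limit": 100},
}

# Constructed sample rows pulled from every table in scope, registered or not.
SAMPLE_ROWS = {
    "crm.customers": [{"id": 1, "email": "j.doe@example.com"}],
    # A copy an analytics team made and never reported: this is the gap.
    "analytics.customer_copy": [{"cust_email": "j.doe@example.com", "spend": 120}],
    "app.config": [{"key": "timeout", "value": "30"}],
}

# Constructed audit records in the shape a database audit log would give.
AUDIT_LOG = [
    {"user": "alice", "via": "app", "ts": "2018-05-20T09:01:00Z",
     "src": "10.0.1.5", "table": "crm.customers", "rows": 12},
    {"user": "bob", "via": "psql", "ts": "2018-05-20T22:15:00Z",
     "src": "10.0.9.77", "table": "crm.customers", "rows": 48000},
    {"user": "svc_hr", "via": "app", "ts": "2018-05-21T08:00:00Z",
     "src": "10.0.2.9", "table": "hr.employees", "rows": 3},
    {"user": "carol", "via": "psql", "ts": "2018-05-21T23:40:00Z",
     "src": "10.0.9.78", "table": "analytics.customer_copy", "rows": 48000},
]

# Simple value-level detectors; a real sweep would use a broader classifier.
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
UK_PHONE_RE = re.compile(r"^\+44\d{10}$|^0\d{10}$")


def looks_personal(value):
    """True if a single cell value matches one of the personal-data patterns."""
    return isinstance(value, str) and bool(EMAIL_RE.match(value) or UK_PHONE_RE.match(value))


def discover_unregistered(samples, registered):
    """Return {table: [columns]} for tables holding personal data that are
    absent from the inventory. Registered tables are skipped: they are
    expected to hold personal data."""
    hits = {}
    for table, rows in samples.items():
        if table in registered:
            continue
        cols = sorted({c for row in rows for c, v in row.items() if looks_personal(v)})
        if cols:
            hits[table] = cols
    return hits


def review_access(log, registered):
    """Flag records that should not have happened and keep the who/how/when/
    where/what/how-much answers an auditor asks for alongside each reason."""
    findings = []
    for rec in log:
        reasons = []
        policy = registered.get(rec["table"])
        if policy is None:
            reasons.append("unregistered_location")      # access to data nobody inventoried
        else:
            if rec["user"] not in policy["allowed"]:
                reasons.append("unauthorised_principal")  # "should it have been accessed?"
            if rec["rows"] > policy["row_limit"]:
                reasons.append("bulk_access")             # "how much was accessed?"
        if reasons:
            findings.append({"who": rec["user"], "how": rec["via"], "when": rec["ts"],
                             "from": rec["src"], "what": rec["table"],
                             "how_much": rec["rows"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for table, cols in discover_unregistered(SAMPLE_ROWS, REGISTERED).items():
        print(f"unregistered personal data: {table} columns={cols}")
    for f in review_access(AUDIT_LOG, REGISTERED):
        print(f"{f['when']} {f['who']} via {f['how']} from {f['from']} read "
              f"{f['how_much']} rows of {f['what']}: {', '.join(f['reasons'])}")
```

Run as-is, the sweep reports the unreported `analytics.customer_copy` table, and the access review flags bob's out-of-hours bulk read of `crm.customers` (not an allowed principal, and far over the row limit) and carol's read of the unregistered copy; alice's small in-app read and the HR service account's update are not flagged. The inventory is the weak point: if a table is missing from it, the access review can only say "unregistered", which is exactly why the discovery sweep has to run first.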
Consumers still lack awareness of GDPR
While organisations are scrambling to ensure they are in a good position when the compliance deadline is reached, almost half (44%) of UK consumers still have not heard of GDPR, a survey has revealed.
Despite high-profile campaigns by the European Union, a third (31%) of people said they did not know what the changes would mean for them, and only one in five (18%) felt they completely understood the implications of the changes, according to the survey by virtual private network comparison service Top10VPN.com.
When asked about specifics, only 10% of the 2,000 respondents could accurately identify a handful of details about GDPR, such as whether consent requires an active action or whether they could change their mind.
Three in 10 Brits (28%) are under the impression that companies have to delete all personal information they hold before the rules are implemented.
However, more than two-thirds (67%) do understand that giving consent under the rulings has to be an “active action” by the data subject, but one in 10 believe that giving consent to a company once means that you cannot change your mind at a later date.
Less than half (47%) know that those controlling the data have a month to respond to data access requests from EU citizens.
“Commentary and advice surrounding the incoming data protection laws has risen to a cacophony in recent weeks, so it’s hardly surprising that not everyone has a full idea of what these changes mean for them,” said Simon Migliano, head of research at Top10VPN.com.
“While memorising every detail of the new GDPR rules is somewhat impractical, there are a few key elements that might be useful for Brits to know.
“For example, giving consent to a company once to have your data processed by them doesn’t mean that you can’t change your mind about this later and then withdraw consent. EU citizens also have the right to request their data at ‘reasonable intervals’, and those controlling the data have a month to comply.
“While this has been hailed as an EU law, it’s worth noting that even companies outside the EU that hold data on European Union citizens have to comply.
“GDPR should see companies keeping a tighter rein on the personal information they hold, so this should, theoretically, improve security awareness and protection levels for EU citizens. In a year that has seen the UK shaken by allegations of seemingly unsolicited use of private information, GDPR marks a step towards greater personal control of their data – that can only be a good thing,” he said.