Tick, tock motherf... erm, we mean, don't panic over GDPR
Eight months sound like enough? No?
Welcome back from the summer. Feeling refreshed? Good, now let’s talk General Data Protection Regulation from the European Union, due to swing into effect on May 25, 2018. You now have eight months to get your data infrastructure, tech policies and related procedures ship-shape. Not feeling so refreshed now, are you?
Plenty of people are, according to surveys from different tech firms and consultants, still not ready for next year’s deadline – despite the might of a €20m fine hanging over their organisation in the event of a data fail. Time to get moving, right?
Please, take all the sharp objects from my desk drawer.
A meal is being made of GDPR, and it’s absolutely no surprise. It’s new, having been adopted as recently as April 2017. As far as UK adoption of the law is concerned, it has the deadline that I just mentioned, and an immovable deadline always makes people sit up and take note. And it has this whopping big fine that people seem incapable of shutting up about.
Oh, and now – just to complicate matters further – the UK government is banging on about what it’s going to do in its new data protection bill.
Although we have yet to see the first draft of this bill, it’s unlikely to say anything particularly surprising – simply because the UK’s data protection laws are already pretty good. Yes, GDPR brings a few new points but one could argue that all it really does is cater for the fact that the world has moved on in the 20 or so years since the last set of laws were defined.
Did anyone listen to the Queen’s Speech in June 2017? “A new law will,” said Her Majesty, “ensure that the United Kingdom retains its world-class regime protecting personal data.” Doesn’t scream “radical shake-up”, does it? A promised Statement of Intent was published on August 7, and largely speaking it just said exactly what the GDPR document says – no pre-ticked opt-in boxes, the right to be forgotten, notifying the Information Commissioner within 72 hours, £17m fines (oh, hang on – that’s €20m).
To be fair it also included a few interesting things – a specific offence of re-identifying people from seemingly anonymised data, for instance, plus protection for whistleblowers and an offence relating to defacing data to thwart legitimate access requests.
The first draft of the new Bill, out today, will be an interesting read, as there’s the occasional inconsistency between the government’s statement of intent and the GDPR text. For instance, the government says they’ll demand that: “Businesses must notify the ICO within 72 hours of a data breach taking place” (my italics); GDPR says notification must happen: “not later than 72 hours after having become aware of it”. Let’s hope the drafting of the bill is tighter.
All this said, though, what we’re going to end up with is some new data protection law – partly EU-designed, and partly UK add-ons – with which we have to conform by the end of May 2018. What does this actually mean to the individuals in our organisations, though, and what does the organisation need to do in order not to be bitten?
Since May will be with us before we know it, people are starting to ask: where do we start? Well, let’s look at the three places to start.
Know what PII we hold
Before we can do anything, we need to examine ourselves and see what Personally Identifiable Information (PII) we hold. That’s important – GDPR only cares about PII, not any other sensitive data, so the scope of your vulnerability to prosecution under the new regulations maps precisely to the range of PII you hold and what you do with it. For many companies – pretty well any organisation that’s more than a tiny outfit – the act of figuring out precisely what PII we hold is quite a feat. It’s common to get a third party in to help with this, because a fresh pair of eyes working to a well-designed methodology may well spot something that a self-examination would overlook.
Consider its legitimacy
Once we’ve found all the PII we hold, we need to decide whether it’s legitimate for us to do so. There are two sides to this: most pertinent here is whether or not it’ll be legitimate for us to hold that data after next May, but you should actually be asking yourself whether it’s valid to have the data under the current data protection regime too. I bet there are plenty of companies out there that have wads of PII that’s found its way into the organisation unlawfully, or which was once being processed perfectly validly but whose presence the passage of time has made unlawful.
Don’t get hung up just on the point of “consent”: lawful processing of data may well require the consent of the person whose data it is, but similarly we’re allowed to process without explicit consent under some pretty sensible circumstances. For example, we don’t need specific consent where using the data is necessary “for the performance of a contract to which the data subject is party” – so if you’re selling people stuff and billing them for it, for example, it’s fine for you to have their data.
The processing is important
The essential point here is that we need to list all the ways in which we’re processing the data – or to put it another way, how we’re using it. And this is the hard bit, because we’ll forget some obvious ones unless we’re extremely careful.
Top of my list here is software testing and development. Companies all over the world are using real data on development and test platforms, and in our brave new GDPR world that’s hard – probably impossible – to justify. Pseudonymisation and anonymisation are the buzzwords of the moment, and they’re buzzwords we need to work with if we’re to comply.
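An added example (not from the article) of the pseudonymisation step just described: a keyed HMAC swaps each identifying field in a constructed customer export for a stable token, so the test copy keeps its joins while the key, held outside the test platform, is the only route back to a real person. The record layout and field names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed sample of a production export (hypothetical people and values).
PROD_RECORDS = [
    {"customer_id": 1001, "email": "alice@example.com", "postcode": "SW1A 1AA", "order_total": 42.50},
    {"customer_id": 1002, "email": "bob@example.org", "postcode": "M1 1AE", "order_total": 19.99},
    {"customer_id": 1001, "email": "alice@example.com", "postcode": "SW1A 1AA", "order_total": 7.25},
]

# Fields that identify a person and must not reach the test platform in clear.
IDENTIFYING_FIELDS = ("customer_id", "email", "postcode")


def pseudonymise(value, key):
    """Keyed HMAC-SHA256 token: the same input always yields the same token
    (joins still work), but without the key a holder of the test copy cannot
    reverse it or confirm guesses by recomputing hashes."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def make_test_copy(records, key):
    """Return a copy of the export with every identifying field tokenised."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFYING_FIELDS:
            new[field] = pseudonymise(rec[field], key)
        out.append(new)
    return out


def verify_copy(original, copy):
    """Release check: no raw identifier survives, and referential integrity
    holds (same real customer -> same token, different -> different)."""
    for field in IDENTIFYING_FIELDS:
        raw = {str(r[field]) for r in original}
        if any(str(c[field]) in raw for c in copy):
            return False
    mapping = {}
    for r, c in zip(original, copy):
        if mapping.setdefault(r["customer_id"], c["customer_id"]) != c["customer_id"]:
            return False
    return len(set(mapping.values())) == len(mapping)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this outside the test environment
    copy = make_test_copy(PROD_RECORDS, key)
    print("safe to release:", verify_copy(PROD_RECORDS, copy))
```

Because the key can still link tokens back to real people, this is pseudonymisation under GDPR rather than anonymisation, which is exactly why the key must never sit alongside the test data.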
So, we’ll list every single thing we’re using PII for, and we have until May 2018 to either stop doing that task or fiddle with the data so the people in it are unidentifiable. Most critically, though, the stuff we find where we think: “Y’know, we’re probably going to need specific consent for this” we need to come up with a regime now so we can work on getting that consent prior to the law requiring it.
Control it and record it
Now we know what data we have and what we’re using it for, the last of the three critical tasks facing us is to be able to defend ourselves in the event of a data breach. Boring though the €20m figure might be, it’s still a tangibly immense amount of money … and anyway, even if we’re slapped with a much smaller fine it’s still likely to hurt: after all, the legislation talks of penalties being “effective” and “proportionate” but also “dissuasive”.
The fact is, though, that if we suffer a data breach through our own stupidity by failing to have proper defences in place we deserve to get walloped with a big fine. If on the other hand, an attacker creeps in using some wacky, esoteric, previously unknown attack that somehow gets past what would reasonably be regarded as a well-maintained and regularly reviewed protection regime, the penalty will be much lower.
What we need, then, is an effective set of controls that make a good effort to keep intruders out: small businesses should start by looking at the key points of Cyber Essentials, while larger ones might look for something more rigorous such as ISO 27001 for implementing such controls.
And when we have the controls in place, we need to evidence – log – their use. We need to review them regularly, act on any oddities we find, and record those actions while we’re at it. During normal operation, such a simple approach will let you spot areas for improvement, and if you find evidence of a breach … well, it’s better for you to see it first than for it to appear in the Press or on Facebook. And when you report it you can be up-front with the authorities and the data subjects, you can show them that you took reasonable care, and the information gives you a head start with analysing the root cause.
There’s your starting point
You can take GDPR as far as you like; there’s always more you can do to implement information security, after all. But if you’re starting to feel nervy about the impending deadline (which as I write this is 264 days away, and counting – though this works out as fewer than 190 working days … no pressure, then) your first ports of call are these three. Find your data. Deal with its legitimacy. And put the controls and monitoring in place.