Hold tight for the biggest change to Europe’s data protection laws in almost a generation. After several years in the making, the General Data Protection Regulation (GDPR) is almost upon us, and it will apply to UK organisations regardless of Brexit: it takes effect on 25 May 2018, while the UK is still a member state. Whether you like it or not, you’ll need to understand where the existing regime changes and what you must do to satisfy regulators. This is not about ticking boxes on the way to a one-off compliance certificate. The GDPR is far more ambitious than that: it is designed to transform organisations’ data protection culture as well as their practice. That means new rights for individuals and strict new obligations for firms.
The question is: with 25 May fast approaching, is it too late to get started? Recent KPMG figures suggested that 54% of global firms don’t expect to be ready for compliance D-Day. The good news is that, with accountability, transparency and pragmatism as your watchwords, there is plenty an SME can do today to start its compliance journey and stay on the right side of the regulator and, perhaps more importantly, its customers.
Unlike a voluntary standard such as ISO 27001, which an organisation chooses to conform to, the GDPR is a legal requirement. Business owners therefore need to embrace the principles behind the regulation, and none more so than accountability. The UK regulator, the Information Commissioner’s Office (ICO), was closely involved in shaping this law, and information commissioner Elizabeth Denham has spoken at length on the subject. She says the GDPR puts a new onus on companies “to understand the risks that they create for others, and to mitigate those risks.”
“It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of data protection that pervades an entire organisation,” she adds.
The truth is that the GDPR is a journey, not a destination. Staying compliant requires ongoing attention, which means accountability sits firmly at the table of senior executives. That may sound like a lot of work, but it is also an opportunity to improve your security and build closer bonds of trust with your customers. Security is only part of it: obtaining transparent consent, using information only for the purposes for which it was provided, and weighing the risks to data subjects are all improvements in their own right. And if the GDPR is a journey, then even if you have started relatively late, the ICO is likely to be more forgiving as long as you can show you are moving in the right direction. Indeed, Denham says she won’t be making early examples of organisations for minor infringements.
“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick,” she says.
Where to start
So, with that in mind, where do you start? The first thing to note is the breadth of “personal data” covered by the law: “any information relating to an identified or identifiable natural person.” That includes physical addresses, email addresses, IP addresses and other online identifiers, age, gender, location, health information, search queries, cookies and much more, for your employees as well as your customers. This makes data minimisation another key guiding principle as you work through GDPR compliance: don’t collect or store what you don’t need. You will also need to think more carefully about your lawful basis for processing each category of data. If that basis is “consent”, there are strict new rules: consent must be freely given, specific, informed and unambiguous, requested in plain English, and as easy to withdraw as it was to give.
The principles of GDPR compliance are in essence the same for SMEs as for large multinationals. But don’t panic: the ICO knows that smaller firms have fewer resources and will apply its regulatory approach accordingly. However, if you handle particularly sensitive data or process data in what the ICO describes as “potentially intrusive ways”, getting data protection right becomes all the more important.
The first thing to do is sit down with all relevant stakeholders across the business, agree on a driving vision and set objectives for getting there. The GDPR covers virtually all parts of your business so you’ll need representatives from legal, HR, finance, marketing, IT, and more to set the strategic tone.
Next, you need to understand where you are now and what needs to change. That means a comprehensive data audit detailing what personal data you process, why, where it is stored, how long you keep it, and how and with whom it is shared. You’ll then need to map this to your current data protection controls to judge whether they need updating. Security risk assessments are essential here: they give you an honest picture of your current posture rather than the one on paper.
A pragmatic approach
Once you know where you currently stand, getting to the promised land requires a systematic, pragmatic approach, borrowing from industry best practices wherever possible.
Article 32 of the GDPR, which covers the “security of processing”, can seem disconcertingly vague, but it plays an important role because it binds processors as well as controllers, which is how it reaches into the supply chain. Its core requirement is that the “controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. In practice that means you must “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”, be able to restore availability and access to personal data in a timely manner after an incident, and have a process for regularly testing, assessing and evaluating the effectiveness of those measures.
Only two technologies are actually named: encryption and pseudonymisation (replacing direct identifiers with tokens so that the data can no longer be attributed to a person without additional information that is kept separately). Beyond that, the regulation tells you to take account of the “state of the art”, which in effect means following industry best practice. Existing frameworks such as ISO 27001 or the NIST Cybersecurity Framework can help you get there. The GDPR also requires data protection to be built into systems “by design and by default”, so you’ll need to revisit existing systems and make sure any new technologies, services and processes are designed with these principles in mind. Start with the basics: strong access controls with multi-factor authentication and least-privilege access, vulnerability management, regular security testing and reporting, and security monitoring, then build from there.
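Pseudonymisation is the one named technique that teams most often get wrong, typically by hashing the email address with plain SHA-256 and calling the result pseudonymous. The following is an added example, not code from the article or its author, showing the difference between that and a keyed token. It assumes HMAC-SHA256 with a 32-byte key that the controller stores apart from the pseudonymised dataset, and the records are constructed sample data, not real people.

```python
"""Pseudonymisation with a keyed hash (HMAC-SHA256).

Added example, not code from the original article or its author.
Assumptions: the pseudonymisation key is generated and held by the
controller separately from the pseudonymised dataset, and the records
below are constructed sample data, not real people.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records: direct identifiers plus the attribute data
# the business actually needs for analytics.
RECORDS: List[Dict] = [
    {"email": "Alice@example.com", "ip": "203.0.113.7", "purchase": 42.50},
    {"email": "bob@example.org", "ip": "198.51.100.23", "purchase": 9.99},
    {"email": "alice@example.com", "ip": "203.0.113.7", "purchase": 17.00},
]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256, what many teams reach for first. Deterministic, so
    the same email gives the same token, but anyone holding the dataset can
    recompute it for a guessed input (see dictionary_attack)."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token: HMAC-SHA256 over the normalised identifier. Records for
    one person stay linkable (same key, same token), but without `key` the
    token cannot be recomputed from a guess, so on its own it reveals nothing."""
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 32 bytes")
    msg = value.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict], key: bytes) -> List[Dict]:
    """Replace every direct identifier with a token and keep the attribute
    data. This output is what analysts, processors and backups receive."""
    return [
        {
            "subject": pseudonym(r["email"], key),
            "ip_token": pseudonym(r["ip"], key),
            "purchase": r["purchase"],
        }
        for r in records
    ]


def reidentification_table(records: List[Dict], key: bytes) -> Dict[str, str]:
    """The 'additional information' that GDPR Art. 4(5) requires be kept
    separately: only the key holder can map a token back to a person."""
    return {pseudonym(r["email"], key): r["email"].strip().lower() for r in records}


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """Offline guessing against a token using only public knowledge. Succeeds
    for plain_hash output, fails for HMAC output because the key is missing."""
    for c in candidates:
        if hmac.compare_digest(plain_hash(c), token):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, store apart from the data
    tokens = pseudonymise(RECORDS, key)
    print("same person, same token:", tokens[0]["subject"] == tokens[2]["subject"])
    guesses = ["alice@example.com", "bob@example.org", "carol@example.net"]
    print("plain hash recovered:", dictionary_attack(plain_hash("alice@example.com"), guesses))
    print("HMAC token recovered:", dictionary_attack(tokens[0]["subject"], guesses))
```

Two caveats a practitioner should keep in mind. First, the keyed token only counts as pseudonymisation while the key genuinely lives somewhere the dataset’s recipients cannot reach; a key checked into the same repository or configuration as the data is no better than the plain hash. Second, pseudonymised data is still personal data under the GDPR because the controller can re-identify it, so the tokenised records remain in scope for the rest of the regulation, including breach notification.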
Supply chain risk
The GDPR also expands the liability for breaches from data controllers to also include processors. The aim once again is to drive greater accountability by forcing firms to ensure that all parts of their supply chain are GDPR compliant — meaning no one can pass the buck down the chain. That means you’ll need to revisit any contracts with suppliers and partners, including cloud service providers, understand what in-scope data they might process, and audit them for compliance.
When drawing up new contracts, you’ll need to ensure the processor has a minimum set of GDPR-compliant security controls in place that you are happy with, and the ongoing responsibilities on both sides need to be written into the contract. Exercise caution, for example, when relying on a supplier’s ISO 27001 certificate: it is a risk-based standard, and the processor’s risk appetite may be different from yours as controller, so ask what is actually in scope of the certificate.
You’ll also need assurances that they won’t engage sub-processors without your prior authorisation. Pay particular attention to providers located outside the EU, as there are strict rules on transferring personal data abroad.
Towards better incident response
Under the GDPR, organisations must notify the regulator of a personal data breach within 72 hours of becoming aware of it, where feasible, and must inform the affected individuals without undue delay if the breach is likely to result in a high risk to them. That puts a new onus on firms to improve incident response, quite apart from the fact that the sooner you discover a breach, the less damage your attackers are likely to have done. With widely cited industry estimates putting attackers’ average dwell time at around six months before discovery, there is an urgent need for firms to improve their detection and response capabilities.
NTT Security figures reveal that just 32% of global organisations had a formal incident response plan in 2017. Although this is up from 23% in 2016, it confirms the significant gap many still have in their compliance readiness. Effective incident response will not only satisfy the regulator but can minimise the fallout from a breach if the worst does happen. On the flip side, notification to the regulator is not required if the breach is unlikely to result in a risk to individuals’ rights and freedoms, but you must still record every breach internally, together with the reasoning behind the decision not to notify.
While the headline-grabbing maximum fines of €20 million or 4% of global annual turnover, whichever is higher, are unlikely to materialise immediately after Friday 25 May 2018, that doesn’t mean SMEs can ignore the new regulation. For those still unsure where to start, help is at hand. The ICO publishes a useful toolkit on its website, and has been keen to point out that the GDPR is an evolution of the current data protection regime rather than a major departure. Good luck: your GDPR journey starts here.
About the Author
Mark Taylor is a Managing Consultant at NTT Security. He is responsible for a team of consultants providing advice, guidance and operational support to NTT Security’s customer base. Mark has over 40 years’ experience in the IT sector, specialising in security since 2003. Prior to joining NTT Security, Mark worked at a number of organisations including Ultma Risk Management, Oracle and PWC where he was responsible for compliance worldwide.
*The views expressed in this article are those of the author and do not necessarily represent those of Fleximize.