Whether you were aware or not, the UK Data Protection Act has been protecting your digital identity and personal data since 1998. However, as of April 2016, this piece of legislation has been given a two-year expiration date due to the emergence of its larger and scarier European cousin: the GDPR (General Data Protection Regulation).
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Brexit will not effect the GDPR coming into force in the UK!
GDPR will apply to all business' in the UK & Europe from 25 May 2018 who work with individuals personal identifiable information (PII)... This can be anything from a name and email address to credit card details and employee information. As with the Data Protection Act the core aim is to protect individuals identity and ensure measures are in place with regards to data protection and dealing with individuals rights.
Click on the sections to expand.
New individuals rights under GDPR will affect the way you manage your data.
Their rights are as follows:
But how exactly may this affect you, let's take one right to start with:
"The Right to Erasure" or the right to be forgotten.
If, for example, a customer asks for all their personal information to be removed from your systems you will need to be able to remove that data from your entire network including all databases, e-mails, computers and backup sources. Many business' have old databases out of their production environment that could contain this data so a full audit of all your data is vital. Due to the size and complexity of organisations it is not an easy feat... eDiscovery software allows ingestion and indexing of data to allow your data to be searched, collated and classified so that you can put in process's to manage your data.
The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations.
To be compliant customers should look at Privileged access management, patch management, network edge security as well as endpoint protection and
data loss prevention.
What is a personal data breach?
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
A hospital could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls.
What breaches do I need to notify the relevant supervisory authority about?
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.
When do individuals have to be notified?
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.
A ‘high risk’ means the threshold for notifying individuals is higher than for notifying of the relevant supervisory authority.
If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
What should I do to prepare for breach reporting?
You should make sure that your staff understands what constitutes a data breach and that this is more than a loss of personal data.
You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.
In light of the tight timescales for reporting a breach - it is important to have robust breach detection, investigation and internal reporting procedures in place.
Business' should look at a multi-layer defence, audit and compliance strategy to cover all aspects of GDPR. Some of the key elements are listed below and companies can also follow security guidelines such as the CyberEssentials scheme or ISO 27001 compliance to aid their GDPR provisions
Click on the sections to expand.
Many Data Breaches are caused by internal staff (accidental or deliberate). This may be emailing confidential information, devices being lost or stolen or social engineering of employees to give perpetrators access to otherwise private information.
DLP should play a key factor for any IT department in controlling the data. If suitable methods are not in place to reduce this risk then the ICO could penalise your company.
IT-B advise on and supply a variety of products which help control the flow of data. MDM products help protect BYOD and mobile devices from data loss.
Securing your Perimeter is vital to any business, Firewalls should protect against outside attacks and NextGen Firewalls can also protect your employees and business against threats.
Web application firewalls help prevent attacks against public facing applications. SQL injection of databases is the number #1 cause of data breaches to company assets.
Web and e-mail gateways can monitor and block data's exit from your infrastructure or enforce encryption to ensure it is kept in the correct hands.
Part of the GDPR regulations references how you store important information and also where and when data is transmitted to external users and companies. Backup strategies should be granular to enable the auditing and indexing of backed up data allowing you to quickly find any information.
Archiving of e-mails is important so that deleted data can be recovered and placed in legal hold so that exit routes for data can be discovered.
eDiscovery is the process of indexing, identifying and categorising your data so that you can identify where the data resides.
Powerful indexing software scans and builds a search engine for your data so that you can locate important information and its location.
A key area of growth for IT departments is the auditing of change and the compliance of strategies to mitigate loss.
Solutions such as File Integrity Monitoring can show what has changed and who made the changes. Auditing of web traffic and emails is crucial to show what your users are doing.
Internal Staff can be one of the biggest causes of breached information.
Social Engineering is the process of obtaining privileged information from your staff without them realising. This could be in the form of phishing emails to get users to reveal their user credencials enabling the perpetrator to gain access to your files. Awareness training is one method of informing your staff how to spot malicious emails and websites and what they can do to protect themselves.
We work with some of the worlds leading vendors of GDPR Technology compliance solutions and have built a portfolio of products to assist our customers at every stage of their GDPR journey.
How we help:
Through our in-house, trained staff, our customers have access to advice and consultancy to guide them through the complex passage of the GDPR.
Source: Information Commissioners Office 2017