Written by Rafael Bloom, Director of Business Development, Arkivum
Compliance Requirements, Technical Solutions
If your email inbox or social media feed is anything like mine, you have been receiving several GDPR-related links a day for a number of months. Given how much research shows that UK businesses are underprepared for GDPR, this is unsurprising. Time is running out, so rather than re-iterate the principles of GDPR, I would like to give you three steps to translate GDPR requirements into practical actions.
Some Good News
GDPR makes it explicit that there is an obligation for organisations to put appropriate technical measures in place. The good news is that there is no need to reinvent the wheel. Rather, it is a case of recognising which technologies and technical measures are already out there, adapting and applying them to GDPR. There is a good chance that you are using some of them already.
The requirements of GDPR are similar to those that already exist under the DPA, albeit much more demanding and prescriptive. Many regulated or consumer-facing sectors, e.g. B2C businesses, healthcare or financial services, have already developed tools, systems and processes that can be applied under GDPR.
One difference is that under GDPR an organisation should be able to demonstrate to its supervisory authority (the national competent authority, or NCA; in the UK, the ICO) exactly how its technical measures mitigate particular risks, i.e. that there is governance in place for personal data. These measures have to be part of an organisation’s day-to-day processing of personal data, not a one-off exercise.
Some Not-so-good News
The UK’s ICO and other NCAs have not published their precise formula for fine levels, and may not do so before May 2018, if ever. But in all likelihood, fines for leaking the personal details of customers or staff into the public domain because of an external attack will be greater than those for not meeting some of the other requirements, such as the right to data portability.
The monetary and reputational consequences of non-compliance will be proportional to the scale and seriousness of a data breach, balanced against some mitigating factors. Fines will be reduced if you have appropriate governance systems in place, actively monitor data privacy, and can react quickly and effectively to breaches or cyber attacks.
Three Practical Steps
Firstly, ‘know what you have and what you’re doing with it’, especially for systems holding live data: build inventories and personal data registers, document data flows, and capture the specific consents given for the particular purposes for which the data is held or processed. Unlike the DPA, which focused on the data controller, responsibilities under GDPR also apply to data processors. Data controllers must know how their data processors will handle personal data, and pass through to them any contractual obligations, consents and deletion requests.
We can design technical GDPR measures by modelling specific GDPR scenarios. For example, immediately after GDPR comes into effect on 25th May 2018, subject access requests may no longer be charged for, so many organisations will receive a slew of requests for subject data access and deletion of personal data.
How would your organisation currently process a massive spike in subject access requests? This needs to be evaluated in much the same way as any other typical customer journey in terms of personnel, systems, audit trail and procedure management. Is there a need for more training? How long does it really take for a subject access request to be processed? Are the necessary tools in place for defensible deletion?
Secondly, minimise the GDPR risks that come from those live systems: minimise the personal data that is stored there and address any security vulnerabilities. Bring the personal data under proper management, encrypt it at rest, introduce two-factor authentication for the systems that hold it, and pseudonymise it wherever the live purpose does not need the direct identifiers.
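Pseudonymisation is the one measure in that list that is easy to get subtly wrong. Replacing an email address with its plain SHA-256 hash looks like pseudonymisation, but anyone holding the dataset can recover the address from a list of candidate emails. The added example below (my own illustration, not Arkivum code; the customer records and the key are constructed) pseudonymises the direct identifiers with an HMAC under a secret key, keeps the re-identification table separate from the pseudonymised data as Article 4(5) requires, and shows the dictionary attack succeeding against the unkeyed hash and failing against the keyed token.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; these people do not exist.
LIVE_RECORDS = [
    {"customer_id": 1001, "email": "alice@example.com", "postcode": "SW1A 1AA", "orders": 3},
    {"customer_id": 1002, "email": "bob@example.com", "postcode": "EH1 1YZ", "orders": 1},
    {"customer_id": 1003, "email": "alice@example.com", "postcode": "SW1A 1AA", "orders": 7},
]

# Fields that directly identify a person and must not reach the analytics copy.
DIRECT_IDENTIFIERS = ("email", "postcode")


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 of the value: NOT adequate pseudonymisation on its own."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is held outside the analytics dataset."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace direct identifiers with keyed tokens.

    Returns (pseudonymised_records, reidentification_table). The table maps
    token -> original value and must be stored separately from, and better
    protected than, the pseudonymised data; the same value always maps to the
    same token, so per-person analysis still works without the key.
    """
    out, table = [], {}
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            tok = keyed_token(rec[field], key)
            table[tok] = rec[field]
            new[field] = tok
        out.append(new)
    return out, table


def dictionary_attack(token: str, candidates, hasher):
    """Hash each candidate with `hasher`; return the first match or None."""
    for candidate in candidates:
        if hmac.compare_digest(hasher(candidate), token):
            return candidate
    return None


def demo():
    key = secrets.token_bytes(32)  # constructed; in practice from a KMS or HSM
    pseudo, table = pseudonymise(LIVE_RECORDS, key)
    # Same email, same token: the analytics copy can still join records per person.
    assert pseudo[0]["email"] == pseudo[2]["email"]
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    # Unkeyed hash: an attacker with the dataset and a guess list recovers the email.
    broken = dictionary_attack(unkeyed_token("alice@example.com"), guesses, unkeyed_token)
    # Keyed token: without the key the attacker can only hash guesses unkeyed, which fails.
    safe = dictionary_attack(pseudo[0]["email"], guesses, unkeyed_token)
    # Lawful re-identification (e.g. answering a subject access request) uses the
    # separately held table, not a reversal of the token.
    recovered = table[pseudo[1]["email"]]
    return broken, safe, recovered


if __name__ == "__main__":
    print(demo())
```

The point to take from this is where the key lives: if the HMAC key is stored next to the pseudonymised data, the measure collapses back to an unkeyed hash for anyone who compromises that store, so keep the key and the re-identification table under separate access control from the analytics copy.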
Another major risk area is the way businesses use cloud applications – many simply are not GDPR ready, thereby placing unknown risks on your organisation. Further, if these cloud applications are run by third parties, then those third parties are processors, and you have new responsibilities under GDPR: a written contract governing how they use the data, and a lawful basis for the processing, which where you rely on consent must be specific, informed and actively given by the data subject.
If you don’t know what data you have, where it is located, and which applications use it and how, then what chance do you stand of protecting this data, or of supporting subject rights? A proliferation of applications running on various servers or in the cloud means the number of external attack vectors will have multiplied.
Thirdly, put in place proper governance and privacy by design. Do this as far as possible using technical measures and systems that are already well-developed and proven in other sectors with similar requirements. This allows you to reduce the likelihood or impact of breaches, reduce the chances of data loss, and address requirements for data sovereignty.
Privacy by Design
Using document or record management systems means it is possible to achieve “Privacy by Design”, to have full audit trails, to detect and fix problems early, and be confident that everything is in place to demonstrate accountability. If you can move sensitive data into a compliance archive or ‘compliance repository’, then at least you have a consolidated version of record in a safe place.
The benefits are numerous:
- Data is protected, helping to provide Disaster Recovery / Business Continuity
- You can analyse the data to check that you have all necessary consents or are not retaining data for longer than you should, or using it for reasons not consented to
- A definitive reference copy of the data exists, making it easier to spot unauthorised changes in the live systems
- Retention management can be applied in one place, and if you know you need to delete something then you will know which live systems to update
- It is easier to meet subject access requests because you have data in one place
- You can demonstrate that you have systems that explicitly support GDPR processes
- You can use analytics to profile risks and check whether people are following company policies
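Several of those benefits come from being able to run one check across a consolidated register rather than hunting through each live system. The added example below (my own illustration, not a product feature; the retention policy and the records are constructed) reviews a small compliance register against a per-purpose policy: it flags records held under a consent basis with no consent or a withdrawn consent, records held beyond their retention period, and records whose purpose the policy does not cover, and then turns the findings into a per-system deletion worklist, which is exactly the "you will know which live systems to update" point above.

```python
from datetime import date

# Constructed retention policy: purpose -> lawful basis, retention period and
# the live systems that hold data for that purpose.
RETENTION_POLICY = {
    "marketing": {"basis": "consent", "retain_days": 730, "systems": ["crm", "mailer"]},
    "order_fulfilment": {"basis": "contract", "retain_days": 2190, "systems": ["erp", "crm"]},
}

# Constructed register entries; subject identifiers are placeholders.
REGISTER = [
    {"subject": "S1", "purpose": "marketing", "collected": date(2017, 1, 10),
     "consent": {"given": date(2017, 1, 10), "withdrawn": None}},
    {"subject": "S2", "purpose": "marketing", "collected": date(2015, 3, 1),
     "consent": {"given": date(2015, 3, 1), "withdrawn": None}},
    {"subject": "S3", "purpose": "marketing", "collected": date(2018, 1, 15),
     "consent": None},
    {"subject": "S4", "purpose": "marketing", "collected": date(2018, 2, 1),
     "consent": {"given": date(2018, 2, 1), "withdrawn": date(2018, 4, 3)}},
    {"subject": "S5", "purpose": "order_fulfilment", "collected": date(2017, 11, 2),
     "consent": None},
    {"subject": "S6", "purpose": "profiling", "collected": date(2018, 2, 1),
     "consent": None},
]


def review(register, policy, today):
    """Return one finding per register entry.

    Each finding is (subject, purpose, action, systems) where action is
    'retain', 'delete:no_consent', 'delete:consent_withdrawn',
    'delete:retention_expired' or 'unknown_purpose'.
    """
    findings = []
    for entry in register:
        rule = policy.get(entry["purpose"])
        if rule is None:
            # Data held for a purpose nobody documented: it cannot be lawful as-is.
            findings.append((entry["subject"], entry["purpose"], "unknown_purpose", []))
            continue
        systems = list(rule["systems"])
        consent = entry.get("consent")
        if rule["basis"] == "consent" and consent is None:
            action = "delete:no_consent"
        elif rule["basis"] == "consent" and consent.get("withdrawn") is not None:
            action = "delete:consent_withdrawn"
        elif (today - entry["collected"]).days > rule["retain_days"]:
            action = "delete:retention_expired"
        else:
            action = "retain"
        findings.append((entry["subject"], entry["purpose"], action, systems))
    return findings


def deletion_worklist(findings):
    """Group deletion findings by live system: system -> set of subjects to remove."""
    worklist = {}
    for subject, _purpose, action, systems in findings:
        if not action.startswith("delete:"):
            continue
        for system in systems:
            worklist.setdefault(system, set()).add(subject)
    return worklist


if __name__ == "__main__":
    results = review(REGISTER, RETENTION_POLICY, date(2018, 5, 25))
    for finding in results:
        print(finding)
    print(deletion_worklist(results))
```

Run against 25 May 2018 the register above yields one record to keep, three to delete for different reasons, one retained under a contract basis with no consent needed, and one held for an undocumented purpose that needs a human decision rather than an automatic delete; the worklist then tells you that `crm` and `mailer` each need three subjects removed.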
GDPR should not boil down to a shopping list
Just like information security, GDPR compliance is not something you can achieve by bolting on some software. Rather, there needs to be a holistic, scenario-based risk assessment, an enterprise-wide approach to minimising data privacy risks, and the introduction of privacy by design wherever possible.