Doom mongers predicting impending disaster have heralded the new data protection laws which come into force on May 25th 2018 in the UK – the General Data Protection Regulation (GDPR) is not just a UK based law, it is global and will affect any company which offers services to, or processes data belonging to, an EU resident – full details at https://www.4itsec.com/gdpr/
The new law gives individuals much greater protection for their personal data, with stronger rights over how that data is handled, stored and processed by all businesses. Businesses, on the other hand, will have to change their internal processes and procedures if they wish to hold and process personal data and remain inside the law in the future.
A very quick and very basic guide for businesses to some of the main points in the GDPR –
• Establish what “personally identifiable data” you actually have: where it came from, why you have it, where it is held, who has access to it, who you share it with, whether it is protected and whether you still need it
• If you have personal data stored you are the CONTROLLER and responsible for that data; if you pass the data to a third party (e.g. a marketing company) they are the PROCESSOR and you are both liable under the GDPR
• Create internal processes / procedures that will cover “subject access requests (SARs)” – a user has the right to access the data you hold, the right to have data errors corrected, the right to have their data erased (completely), the right to object to direct marketing, the right to stop data profiling and automated processing, along with the right to move their data to another business. They may also ask why you are processing their data, how long you will keep it, and who else has been given it. All must be dealt with within 30 days, and all responses and actions must be recorded so as to be “auditable and accountable”
• A major part of the GDPR is around “consent”; points to follow when collecting personally identifiable information (website sign up forms etc) –
- Consent must be freely given, specific to the task, informed and unambiguous; no longer an open-ended, blanket format, pre-ticked box
- Must be concise, transparent, intelligible, and in clear and plain language
- Inform the individual that consent may be withdrawn, inform them of their data subject rights and of their right to complain to the DPA (the Information Commissioner’s Office)
- You must be able to demonstrate that consent was obtained lawfully (auditability and accountability)
• Where you process “high risk” privacy details (e.g. medical data) you must conduct “data protection impact assessments (DPIAs)” which will specify how this type of data needs to be stored
• Data protection by design brings specific requirements on data security (depending on the perceived risks) such as “data pseudonymisation”, encryption of data, fully tested backup and restore procedures and strict data access controls, thus ensuring ongoing data confidentiality, integrity and availability
• The law requires that companies show data protection governance to demonstrate that they take data protection seriously; one route is to employ a Data Protection Officer (DPO) to advise the business of its obligations, monitor company compliance, train staff and be available for enquiries from individuals about their data. Some organisations, such as schools, public authorities and large scale processors of “sensitive data”, must do this by law.
• Create a process so that, if you suffer a loss of personal data, you notify the ICO within 72 hours. You also need to notify each individual whose data has been compromised/lost; effectively you publicly shame your company
Key terms used in the GDPR –
Data Subject: A person who can be identified directly or indirectly by means of an identifier. Example – an identifier can be a national identifier, credit card number, user name or website cookie
Personal Data (PII): Any information, including sensitive information, relating to a Data Subject. Example – address, date of birth, name, nationality
Controller: A natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purpose for which personal data is processed. Example – a controller can be an organisation or a CIO
Processor: A natural or legal person, agency or any body which processes Personal Data on behalf of the Controller. Can also be an automated entity such as a server, website or cloud service provider. Example – a developer, tester, analyst
Data Protection Officer: An individual within the Controller with extensive knowledge of the data privacy laws and standards. The DPO advises the controller or processor of their obligations under the GDPR and monitors its implementation, and acts as a liaison between the controller and the supervisory authority. Example – the DPO could be the CSO or an SA
Recipient: A natural or legal person, agency or any body to whom the Personal Data is disclosed. Unlike a Processor, the Recipient can only see or read the data. Example – tax consultant, insurance agent, or agency
Enterprise: Any natural or legal person engaged in an economic activity; essentially includes all organisations, whether in the public or private sector and whether in or outside the EU
Third Party: Any natural or legal person, agency or any body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorised to process the data. Example – partners
Supervisory Authority: An independent public authority established by a Member State. Example – a court or auditing agency (the ICO in the UK)