Welcome to the European Union General Data Protection Regulation Guide
With less than one year left for organisations to become compliant with the new law, which applies from 25 May 2018, IT security should be front of mind for businesses of all sizes.
Whether it’s cybercrime or human error, high profile security breaches are seldom out of the news and of course there are many from smaller organisations that go unreported. The disruption to business, even closure in some instances, and the loss of reputation that these can cause through malware, ransomware or poor business practice and procedure requires IT security to have a renewed focus at board level.
GDPR, with its increased penalties for non-compliance, only adds to the need for organisations to look at how they collect, store, use and share the personal data of individuals in the EU, and to prioritise their investment in IT security. It also presents an opportunity for resellers to help their customers, many of whom still seem to be unaware of the GDPR, become compliant: by making sure they know the regulations, how those apply to their business, and how deploying the right technology and security solutions can provide the right level of prevention and detection against security breaches.
GDPR: A ticking time-bomb for organisations
We are now halfway through the transitional period for the adoption of the General Data Protection Regulation (GDPR), which applies from May 2018.
Since its announcement, there has been a torrent of information (advice, reports, warnings, research and forecasts) on the subject from the EU, government, lawyers, IT companies, media, GDPR experts and the like. Perhaps that is not surprising, given the wide-ranging scope of the regulation and the possibility of huge financial repercussions for non-compliance. The maximum penalty is €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is the higher, putting data protection on a similar scale to the fines imposed on companies for corruption or bribery and substantially more than the previous maximum £500,000 penalty in the UK. National Data Protection Authorities (NDPAs, the "supervisory authorities" in the language of the Regulation; the ICO in the UK) will have increased powers to impose fines, carry out audits, require a business to provide information and, if necessary, gain access to its premises.
For some businesses, the challenge associated with better data protection and their method of data processing, including the use of subcontractors and Cloud Service Providers (CSP) will require a fundamental change to their security operations and the technology deployed.
Whilst the central purpose of GDPR may be clear (the protection of the personal data of individuals in the EU held by organisations that have a reason to process, store and share it), some parts remain ambiguous, open to interpretation and in some cases are being clarified along the way. What is certain is that the rules apply to the UK, irrespective of Brexit: this has already been confirmed by government ministers, and in any case a great many UK organisations provide services or operate across borders. What triggers the applicability of GDPR is whether the data a business handles is about, or could identify, individuals who are in the EU, not whether the company itself is in the EU. GDPR therefore applies to companies processing the personal data of individuals in the EU even if they are not established within the EU, where the processing relates to offering goods or services to those individuals (whether or not payment is required) or to monitoring their behaviour as far as it takes place in the EU. Companies in that position with no establishment in the EU will, with limited exceptions, also have to appoint a representative in the EU. In short, no matter where an organisation is based or where it manages, stores or processes data relating to EU individuals, it must still abide by the rules.
GDPR also applies to controllers and processors; the definitions of these are broadly the same as in the existing Data Protection Act.
Controller - means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Processor - in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
However, under the current legislation only the data controller is directly liable for a data breach. Under GDPR, processors have direct statutory obligations of their own (for example on security and on reporting breaches to the controller) and can be fined and sued alongside the controller. Moreover, liability does not end with the first processor: if a processor subcontracts some or all of its obligations to another processor, it remains fully liable to the controller for that sub-processor's performance. Contractors, including CSPs, will need to establish whether the data they process includes personal data in order to understand and mitigate their exposure.
Unfortunately, GDPR compliance isn't a straightforward checklist exercise or a technology issue alone. Its impact is organisation-wide (business process, legal, governance, people and training). Many aspects of GDPR concern the process and operational side of data protection, some of which can be enabled, or at least made more cost-effective, by technology. Whilst there is no magic-wand solution, security vendors and resellers can play an important role in helping companies prepare for GDPR compliance.
GDPR: Key points
It should be noted that the GDPR regulations are comprehensive and complex with over 200 pages of documentation. There are numerous sources of information, some are referenced at the end of this handbook. Below are just some of the key points.
- Global application
GDPR applies to any organisation, wherever it is established, that processes the personal data of individuals in the European Union in the circumstances described above.
- Personal Data
GDPR widens the definition of personal data to include information such as an online identifier, e.g. an IP address. In broad terms, GDPR will apply to any information that can be used, directly or indirectly, to identify an individual. Personal data includes the obvious categories (name, identification number, etc.) but also location data and physical and physiological information. It expressly includes characteristics such as genetic, mental, economic, cultural or social identity, and there is particular sensitivity about what it refers to as special categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation. Profiling and personal preferences, which reveal a person's conduct and behaviour, are also within scope; for example, the fact that an identifiable individual liked a particular tweet or Facebook post would constitute personal data. In reality, hardly any data about people will fall outside GDPR. For some companies, classifying the data already in their possession may be an initial challenge, in terms of separating personal data from the other information that is held.
- Obtaining valid consent
New rules have been introduced relating to the collection of data. Consent must be given by a clear affirmative action, explicit consent is required for special categories of data, and consent requests must use simple language and be clear about how the information will be used; organisations must be able to prove that consent was given. Silence, pre-ticked boxes or inactivity no longer constitute consent, and it must be as easy to withdraw consent as it is to give it. Consent will generally not be treated as freely given where a service is made conditional on consent to processing that is not necessary for that service. Consumers have often complained that opting out or unsubscribing has been difficult and hard to verify; this changes with GDPR. Existing consents may also no longer be valid: previously companies could rely on implied consent for the use of data, but a consent obtained before May 2018 can only be relied on under GDPR if it was obtained in a way that already meets the GDPR standard; otherwise it must be refreshed, even for data already collected (consent is, of course, only one of the lawful bases for processing). Identity Methods, a provider of Identity Management and Data Security solutions in the UK, reported that 67% of people were concerned about not having complete control over the information they provide online. Hardly surprising, therefore, that 93% of respondents to their public survey were in favour of heavy fines for companies not adhering to regulations on personal data.
There is also a requirement for personal data to be accurate and kept up to date, which applies to every organisation and means that companies must hold good records relating to personal data and be able to review its history and accuracy. Separately, controllers and processors must keep records of their processing activities. Organisations with fewer than 250 employees are exempt from that record-keeping requirement unless the processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data, but it would seem to be best practice to keep such records in any case.
- The Right to be Forgotten
GDPR requires organisations not to hold personal data for longer than is necessary for the purpose for which it was collected, not to use it for a new purpose incompatible with that original purpose, and, most importantly, to erase an individual's data on request where one of the grounds in the Regulation applies (for example, the data is no longer needed or consent has been withdrawn) and no exemption, such as a legal obligation to retain the data, applies. As a result, organisations will need to ensure they have the process and technology in place to handle such requests. This includes ensuring that data is erased not only on their own systems but also by any processors acting for them, and that other controllers to whom the data has been disclosed are informed of the request.
- Extended liability:
Previously, only data controllers were held responsible for data processing activities; this has been extended so that processors, and any sub-processors they use, carry direct obligations and liability of their own.
- Privacy by design, Privacy by default:
GDPR requires that privacy is included in systems and processes by design. According to the EU, privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into account from the inception of any new technology. An organisation needs to be able to show that they have adequate security in place and that compliance is monitored. In practice this means that an IT department must take privacy into account during the whole life cycle of the system or process development. Privacy by default means that strict privacy settings automatically apply once a customer acquires a new product or service with no manual change to the privacy settings required on the part of the user. Personal information must by default only be kept for the amount of time necessary to provide the product or service. In addition, only information on an individual should be disclosed that is necessary to provide that service. The regulation also stipulates that personal information should not by default be accessible to an indefinite number of individuals.
- Appointment of a DPO:
GDPR requires the mandatory appointment of a Data Protection Officer (DPO) in all public authorities and in any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions. The GDPR does away with the criterion of the number of employees in a company and focuses instead on what an organisation does with the data.
The GDPR also allows the data protection officer function to be performed by an employee of the controller or processor or by a third-party service provider, creating opportunities for consulting and legal firms to offer outside DPO services. There are numerous articles on the exact role of a DPO.
- Privacy Impact Assessments (PIAs):
GDPR requires data controllers to conduct PIAs (termed Data Protection Impact Assessments, or DPIAs, in the Regulation) to assess the privacy risks to individuals in the collection, use and disclosure of their personal data. Specifically, data controllers must conduct a DPIA where the processing is likely to result in a high risk to the rights and freedoms of individuals, so that those risks are identified and minimised. The assessment must happen before the processing starts. When risks are identified, the GDPR expects the organisation to formulate measures to address them; those measures may take the form of technical controls such as encryption, pseudonymisation or anonymisation of data. Companies processing personal data are also obliged to keep records of the data they hold and of the processing conducted on it.
The record-keeping requirement varies with the size of the company (see the exemption noted above), but it is certainly best practice to keep records, particularly as doing so may help reduce any breach fines imposed. For example, maintaining a record of a data transfer to a third country would be a sensible action.
- Data Breach Notification
GDPR harmonises the various data breach notification laws in Europe and is aimed at ensuring organisations constantly monitor for breaches of personal data. Businesses will need to ensure they have the technologies and processes in place to detect and respond to a data breach.
GDPR requires all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. This covers personal data breaches: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Breaches are assessed on a case-by-case basis. A notifiable breach has to be reported to the relevant supervisory authority (NDPA) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it; if notification is later than that, the reasons for the delay must be given. A breach that is unlikely to result in a risk to individuals need not be notified, but every breach must still be documented internally. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period, so it allows companies to provide information in phases. Where the breach is likely to result in a high risk to individuals, they must also be informed without undue delay. Failing to notify a breach when required to do so can result in a fine of up to €10 million or 2% of global annual turnover, whichever is the higher. Either fine could be crippling to an organisation, in particular to an SME.
So, what sort of information must a breach notification contain? At least the following:
- The nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned
- The name and contact details of the data protection officer (if the organisation has one) or other contact point where more information can be obtained
- A description of the likely consequences of the personal data breach
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, the measures taken to mitigate its possible adverse effects
For many organisations, this may require training of personnel to ensure data breaches are properly understood and recognised, and changes to internal data security policies. In light of the tight timescale for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place, together with a data breach plan that assigns specific roles and responsibilities to individuals within the company.
- Transfer of data:
GDPR imposes restrictions on the transfer of personal data outside the European Union to third countries (countries outside the EU) in order to ensure that the level of protection afforded to individuals by the GDPR is not undermined. Such transfers have increased rapidly with the rise of social media and the adoption of cloud services. Under the current EU Data Protection Directive, as under GDPR, transfers may be made freely only to third countries that the European Commission has found to provide an adequate level of data protection; importantly, the US as a whole is not one of those countries, so transfers there depend on other safeguards.
Transfers to any other third country are permitted only where the organisation receiving the personal data has provided appropriate safeguards (for example, standard contractual clauses approved by the Commission or binding corporate rules), and individuals' rights must remain enforceable, with effective legal remedies available to them, following the transfer.
Separately, GDPR gives data subjects a right to data portability: they may request that the personal data they have provided to an organisation, where it is processed by automated means on the basis of consent or a contract, be supplied to them or transmitted to another controller in a structured, commonly used and machine-readable format. Requests must be answered without undue delay and in any event within one month, extendable by a further two months where requests are complex or numerous, provided the individual is told of the extension within the first month. In most cases this should be relatively straightforward if the data is held in a structured form. Increasingly, however, data is held in unstructured formats, and where there are multiple competing standards, as with video, this may be more challenging.
Are companies ready for GDPR?
Although companies have been given around two years in which to comply, it appears that many organisations are struggling to meet the requirements. A number of surveys seem to indicate that companies are behind with their preparations. SonicWall polled 821 IT professionals across the globe last year: 80% revealed that they knew little about GDPR and, within that group, 97% didn't even have a plan in place. This was supported by a 2016 survey from Symantec of 900 businesses in the UK, France and Germany, which reported that 96% didn't fully understand GDPR. Indeed, 23% said their organisation would not be fully compliant and, of this group, 20% felt that it would be impossible for their business to be fully compliant. According to SonicWall, companies felt more able to comply with the impending rules on email security but much less so when it came to document access: under GDPR, companies will have to create procedures that limit who can access shared files hosted on platforms like Dropbox or SharePoint. The UK picture doesn't look particularly rosy based on a new survey from Identity Methods. They reported that less than 15% of UK organisations are ready for GDPR, with 38% still not aware of the new rules and fewer still (14%) having planned their compliance. A 2016 Baker McKenzie report suggested that 45% of businesses either do not have the tools to ensure their organisation complies with the main requirements under the GDPR, or could only obtain such tools at significant cost.
Companies need to understand that GDPR isn't a set of guidelines for best practice, it's a new set of laws. Certainly the laws shouldn't be a surprise for marketers, who will appreciate that the use of customer data has been a hot topic for years, compounded by the advent of social media, cloud computing and IoT. It's surprising therefore that, according to the Chartered Institute of Marketing (CIM), only 5% of marketers fully understand what the GDPR means for their business and 50% say they don't really understand it at all, or [literally] don't know. Taking ownership, whether it's marketing, IT or finance, needs to happen at board level if businesses want to meet the challenge.
The channel and GDPR?
Re-sellers will undoubtedly have customers that are at risk of non-compliance with the new regulations. Clearly, the channel can play a huge role in advising and guiding them through the key points of GDPR and where investment is needed. Re-sellers can be the trusted advisers who help organisations adhere to the security disciplines needed for GDPR, so they can protect customers' personal information and avoid the data breaches, heavy fines and loss of reputation that may result from non-compliance. Many data breaches stem from a poor understanding of the data landscape and a lack of appropriate data security controls. Understanding the risk is key, and having a plan to mitigate the consequences of a breach is even more critical. Put simply, organisations need to know what type of data they possess, where it resides, what's protecting it and what they need to do in the event of a breach.
GDPR isn't prescriptive in terms of what technology to deploy, although it does require security appropriate to the risk. Article 32 only lists, as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to data in a timely manner after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of security measures. Naturally there are a number of security vendors that offer solutions that can be deployed to help organisations meet GDPR compliance, a number of which are set out in this handbook.
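As an added illustration of the first of those measures, the block below pseudonymises the direct identifiers in a set of customer records with a keyed hash. This is example code written for this edit; it is not from the original handbook and not a SonicWall product. The field names, the sample records and the purpose labels ("analytics", "marketing") are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for the illustration; not real customer data.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"customer_id": "C-1001", "email": "alice@example.com", "postcode": "SW1A 1AA", "spend_gbp": 120},
    {"customer_id": "C-1002", "email": "bob@example.com",   "postcode": "M1 1AE",   "spend_gbp": 45},
    {"customer_id": "C-1001", "email": "Alice@Example.com", "postcode": "SW1A 1AA", "spend_gbp": 80},
]

# Fields that directly identify a person; these are replaced by tokens.
# (Assumed field names for this example.)
DIRECT_IDENTIFIERS = ("customer_id", "email")


def new_pseudonymisation_key() -> bytes:
    """The 'additional information' of Article 4(5): keep it apart from the data."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes, purpose: str) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC-SHA256 rather than a bare hash: an attacker who obtains the
    dataset but not the key cannot confirm a guessed e-mail address by
    hashing it themselves. The purpose label is bound into the message
    so tokens issued for one purpose cannot be joined to tokens issued
    for another. Input is normalised (trimmed, lower-cased) so that
    'Alice@Example.com' and 'alice@example.com' stay linkable.
    """
    msg = purpose.encode("utf-8") + b"\x00" + value.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes, purpose: str, fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with direct identifiers replaced by tokens.

    Other attributes are left untouched. Quasi-identifiers such as the
    postcode are also left in place here and may still single someone
    out; a real deployment would generalise those as a separate step.
    """
    out = []
    for rec in records:
        new = dict(rec)  # copy, so the caller's records are not modified
        for field in fields:
            if field in new and new[field] is not None:
                new[field] = pseudonym(str(new[field]), key, purpose)
        out.append(new)
    return out


def reidentify(token: str, candidates: Iterable[str], key: bytes, purpose: str) -> Optional[str]:
    """What the key holder can still do: match a token back to a known value.

    This is why pseudonymised data remains personal data under GDPR
    (Recital 26): whoever holds the key and a list of candidate values
    can reverse the mapping. Without the right key the search fails.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonym(candidate, key, purpose), token):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    analytics = pseudonymise_records(SAMPLE_RECORDS, key, "analytics")
    marketing = pseudonymise_records(SAMPLE_RECORDS, key, "marketing")
    for row in analytics:
        print(row)
    # Same customer gives the same token within a purpose, but not across purposes.
    print(analytics[0]["email"] == analytics[2]["email"])  # True
    print(analytics[0]["email"] == marketing[0]["email"])  # False
    print(reidentify(analytics[1]["email"], ["alice@example.com", "bob@example.com"], key, "analytics"))
```

The keyed hash keeps the dataset useful (the same customer gets the same token within one purpose, so records can still be counted and joined) while someone holding only the dataset cannot test guesses without the key. The reidentify function shows that the key holder still can, which is why the key must be stored separately from the data and access to it controlled, and why pseudonymised data still falls under the Regulation. Anonymisation, by contrast, would remove any such route back to the individual.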
How can SonicWall help?
To be GDPR-compliant and maintain it, you will need to carry out regular audits and deploy network security solutions that will enable you to:
- Protect the perimeter & deploy next-generation firewalls to reduce the network's exposure to cyber threats, mitigate the risk of data leaks that could lead to a data breach resulting in stiff penalties assessed under GDPR, and deliver the forensic insight required to prove compliance and execute appropriate remediation following a breach. The SonicWall next-generation firewalls protect against emerging threats and feature deep packet inspection; real-time decryption and inspection of SSL sessions; adaptive, multi-engine sandboxing; and full control and visualisation of applications
- Facilitate secure mobile access & foster the secure flow of covered data while enabling employees to access the corporate applications and data they need in the way they prefer, and with the devices they choose. Enhance data security (while removing access obstructions) by combining identity components, device variables and temporal factors (time, location etc.) to deliver an adaptive, risk-based approach that ensures the right access all the time, every time, while concurrently improving data protection and GDPR compliance
- Ensure email security & to fulfil GDPR requirements, achieve full control and visibility over email activity to mitigate the threat of phishing and other email-based attacks on protected information, while enabling the secure and compliant exchange of sensitive and confidential data