The General Data Protection Regulation (GDPR) is the European Union’s new legislation to protect the personal data of its citizens.
Organisations were given a two-year lead-in period to become compliant, which ends on 25th May 2018. The regulation was approved by the EU Parliament on 14 April 2016. After the enforcement date, organisations found to be non-compliant may face heavy fines.
The GDPR supersedes the UK Data Protection Act 1998. The legislation is significant and wide-reaching in scope: it expands the rights of individuals to control how their personal information is collected and processed, and it places a range of new obligations on organisations to make them more accountable for data protection.
The new regulation demands that organisations demonstrate compliance with the data protection principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability, and the provision of individuals’ rights, as well as building a workplace culture of data privacy and security.
Whether this legislation is repealed after Brexit or replaced by a UK equivalent, it must nevertheless be acted upon before the compliance date of 25th May 2018. Even if it were repealed for UK citizens, compliance would still be necessary when handling data belonging to EU citizens.
As IBM’s web site puts it: GDPR “seeks to create a harmonised data protection law framework across the EU and aims to give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data.”
TermSet (www.termset.com) have produced software, called ScanR, which can check files on a network and report on the level of compliance with the principles.
The following screen example shows ScanR output, where the GDPR score gives, as a percentage, how much of each file contains GDPR-sensitive data that must therefore comply with the rules. The higher the score, the more alert the organisation must be to the need to check for compliance.
If this software is too expensive (small companies £2,999, medium companies £7,999, large companies £14,999), then a manual search must be made for any data that may fall under the GDPR, to determine whether changes to the handling of that data are required.
Scanning Files for Compliance
All databases, proprietary customer systems, SharePoint data, standard CRMs, and so on, need to comply with the security recommendations of the GDPR.
Using TermSet’s ScanR, a comprehensive ‘dashboard’ is shown giving information that helps in isolating GDPR data:
Whatever method is used in planning for GDPR compliance, organisations need to be able to answer the following questions confidently:
- Are you aware of all the locations where your data is stored?
- Are you currently using data encryption for your files, especially when emailing or copying files to other people or to other locations?
- Do you have procedures in place when employees print, copy, or move GDPR data?
- Are you currently protected against Ransomware?
- Has your business trained employees on cyber-attacks and cyber-threats?
- Do you currently have mobile device management (e.g. how is data managed when employees with laptops are using them outside of the office)?
- Do you have solutions in place for Data Loss Prevention?
- Do you currently have a Disaster Recovery solution in place?
- Do you have intelligent reporting tools in place (see notes later on ‘Qlik’)?
- Does your business currently have any workflow automation solutions in place?
- Is your data categorised and appropriately secured based on content?
- Do you use cloud-based file sharing applications, e.g. OneDrive or Dropbox?
- Do you have solutions in place to allow email encryption as appropriate?
The GDPR covers the scope of the former Data Protection Act; however, note these additional areas that are covered:
- Economic information.
- Cultural details.
- Mental health information.
- ‘Pseudonymised’ data (for example, social media usernames or other online personas), provided the individual can be easily identified from it.
Generally, if a person can be identified from the information about them stored in retrieval systems (name, telephone number, address, IP address, etc.), then it can be classed as GDPR-sensitive data.
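The manual search mentioned earlier, and the per-file score that ScanR reports, both come down to locating identifiers of the kind listed above inside files. The following Python script is an added illustration and is not ScanR's or TermSet's code: it scans a set of constructed sample files for three identifier types (e-mail addresses, UK-style telephone numbers and IPv4 addresses) and scores each file by the percentage of lines containing at least one identifier. Names and postal addresses are omitted because matching them reliably needs dictionaries or NLP rather than simple patterns; hits are candidates for human review, not a legal determination.

```python
import re
from dataclasses import dataclass, field

# Simple patterns for identifier types named on the page (telephone number,
# IP address) plus e-mail addresses. They are deliberately loose: a hit is a
# candidate for review, not proof that the line holds personal data.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK-style numbers such as 020 7946 0123 or +44 7700 900123
    "phone": re.compile(
        r"(?<!\d)(?:\+44\s?\d{2,4}|0\d{2,4})[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\d)"
    ),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}

# Constructed sample files (hypothetical paths and contents).
SAMPLE_FILES = {
    "customers.csv": (
        "name,email,phone\n"
        "Alice Example,alice@example.com,020 7946 0123\n"
        "Bob Example,bob@example.org,07700 900123\n"
    ),
    "server.log": (
        "2024-05-01 10:15:02 login ok from 10.0.0.5\n"
        "2024-05-01 10:16:40 health check\n"
    ),
    "notes.txt": "Meeting agenda\nBudget review\n",
}


@dataclass
class ScanResult:
    path: str
    total_lines: int
    flagged_lines: int
    hits: dict = field(default_factory=dict)

    @property
    def score(self) -> float:
        """Percentage of lines carrying at least one identifier (0.0 for empty files)."""
        if self.total_lines == 0:
            return 0.0
        return round(100.0 * self.flagged_lines / self.total_lines, 1)


def scan_text(path: str, text: str) -> ScanResult:
    """Count identifier hits per category and the number of lines with any hit."""
    hits = {name: 0 for name in PATTERNS}
    flagged = 0
    lines = text.splitlines()
    for line in lines:
        line_hit = False
        for name, pattern in PATTERNS.items():
            found = pattern.findall(line)
            if found:
                hits[name] += len(found)
                line_hit = True
        if line_hit:
            flagged += 1
    return ScanResult(path, len(lines), flagged, hits)


def scan_files(files: dict) -> list:
    """Scan every file and return results with the highest-scoring file first."""
    results = [scan_text(path, text) for path, text in files.items()]
    return sorted(results, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    for result in scan_files(SAMPLE_FILES):
        print(f"{result.path:15} score={result.score:5.1f}% hits={result.hits}")
```

Sorting by score puts the files most in need of review at the top, which is the prioritisation the page describes; a real deployment would walk a directory tree and handle document formats (PDF, Office files) rather than plain text.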
“The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.” (GDPR Principles, Information Commissioner’s Office)
Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by the GDPR; however, if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data as defined in Article 9 or personal data relating to criminal convictions and offences referred to in Article 10, then such companies could still be liable to prosecution.
Article 9 states that “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” There follows a long list of exceptions to this rule, including the explicit consent of the person, “reasons of substantial public interest,” and “professional secrecy under Union or Member State law.”
Article 10 states: “Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
Also, note the following general points in particular:
- Fines of £17.5m or 4% of global turnover, whichever is higher, can be imposed.
- Organisations are required to notify a data breach within 72 hours.
- Organisations must understand key principles such as a person’s right to be forgotten/removed and the handling of any information requests.
- Access Request response time has decreased from 40 days to 30 days. Therefore, action needs to be taken promptly on receipt of such requests.
- Organisations need to establish a clear legal basis for holding and processing personal data.
Methodology for Compliance Assurance
A P Systems provides full services in connection with the GDPR to support its customers in their compliance endeavours.
Here is a summary of the services provided:
- File encryption can be imposed for any data that is GDPR flagged, and reduces the risk of a Data Breach.
- Anti-virus must be in place.
- A Firewall (software or hardware) can be installed to reduce the risk of a Data Breach.
- Any device that is using this data, such as a workstation or laptop, must also use full encryption and have an active anti-virus system.
- Procedures for the handling of data off-site, for example on laptops, need to be checked and enforced.
- A reporting tool such as Qlik (which can be tested for free: https://www.qlik.com) can be installed on request for data access monitoring. This tool is described as a “data visualisation and discovery tool.”