In June of 2016, the UK voted to leave the EU. Even though Britain is on its way out, UK companies will still have to comply with EU data protection and cyber security laws for the foreseeable future.
One of the largest regulatory challenges for CIOs, CISO’s and management of companies that processes data of EU residents is compliance with the GDPR (General Data Protection Regulation) by May 2018.
The GDPR is one of the most substantial and ambitious regulation ever enforced. At over 200 pages, the regulation covers many areas of data privacy including rights of erasure, data breach notification, data portability, children and parental consent and accountability.
Even once the UK officially leaves the EU, this regulation will still be relevant to UK organisations (and any International organisations) if they:
- Sell, market or promote their products or services to EU residents or citizens
- Maintain offices or employees in the EU
- Process, store or receive data of EU individuals
- Partner with EU companies
The spirit of the legislation is that organisations must be accountable for all their processing activities. Organisations must be prepared to provide documented evidence of their processing procedures from system design, data collection, data storage, data security and then eventual deletion.
Compliance is mandatory and the penalties are immense.
- A fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
- A fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher
The GDPR provides scope for the UK to introduce their own requirements in certain instances and also leaves room for the Commission to make delegated acts. The recommendations to comply include:
- Key stakeholders need to be aware of the GDPR regulation. Management needs to become familiar with the regulation and prepare for compliance.
- Map personal data – Any personal data held within the organisation must be mapped. This mapping should include logged details of type of information, where it was sourced and how it is used.
- Individual rights of the personal data needs to be formalised into procedures. The GDPR outlines a number of individual rights and these include right of erasure, access rights and right to prevent marketing.
- Access of data – procedures need to be implemented to allow individuals to view what personal data is held on them. It is not possible to charge individuals to view such information and the information must be supplied within 30 days.
- Implement procedures to monitor how you are obtaining consent. According to the regulation, consent must be freely given. Parental consent is required when handling data of children under the age of 13. The organisation must be able to show an audit trail exists.
- A system must be in place to identify, handle, report and investigate data breaches. All organisation are responsible to report data breaches where the individuals’ data has been compromised.
- New systems implemented into organisations must comply with “privacy by design”. The idea is to build in privacy from the outset that comply with the GDPR regulation.
Under the GDPR, the responsibilities and duties of data controllers and processors are separated. The controller in an organisation determines the purposes and manner in how personal data is processed. The processors process the data on behalf of the data controller.
From a cybersecurity perspective, compared to the current Data Protection Directive 95/46/ec, the new regulation enforces stricter requirements on data processors and controllers with regard to their data security.
Article 30 of the regulation states “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
The section then lists four items of security “appropriate to the risk”
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The biggest overhaul to the current directives is the obligation to report data breaches. As there is currently no general requirement for data breach notification in the UK, most companies elect not to go public to avoid tarnishing their reputation.
Under the GDPR, data breaches and how they are handled must be taken into consideration. In the case of a data breach, the controller must notify the supervisory authority within 72 hours of such a data breach. The notification must include specific information about the breach, the likely consequence, the cause and the measures taken to address such a breach. If the controller identifies that the breach is “likely to result in a high risk to the rights and freedoms” of the individual, the controller must notify the individual immediately.
One of the most infamous data breaches of recent times was TalkTalk in 2015 where 157,000 customers’ details were stolen. According to reports at the time, management tried to cover up the true scale of the breach. Eventually TalkTalk were fined £400,000 by the ICO because of its “failure to implement the most basic cyber security measures that allowed hackers to penetrate TalkTalk’s systems with ease”
Under the new GDPR regulation, TalkTalk would have been obliged to immediately notify all of its affected customers and the fine would have been far more significant.
Cyber threats come from many directions. It is clear that the regulators are taking the protection of data seriously. Organisations must fall in line to ensure their systems are well protected with a serious focus on legacy systems as they are usually a weak link. From the TalkTalk example, the hackers got in through a legacy website that originated from Tiscali before TalkTalk had acquired it. The website pages had not been patched with security updates for over 3 years and the backend database was outdated and no longer supported by the supplier. The data housed in the database was not encrypted that further weakened their security.
The impact of the new GDPR regulation is widespread and must be taken seriously by UK companies. Not only must controls be tightened and processes be implemented but cybersecurity needs to take front and centre to prevent data breaches before they happen. Going forwards, cybersecurity will become a company board issue and not just a CIO responsibility.
About the Author
Evan Lever has spent the past 16 years protecting the data of the worlds’ biggest companies in Tel Aviv, the epicentre of global data security.
Tel Aviv is home to thousands of software start-ups and is one of the worlds leading locations for technology companies. Many of the world’s largest tech companies maintain serious R&D facilities in Israel including Apple, Intel, IBM, EMC, Microsoft, Google, Barclays, Facebook, Amazon and Ebay.
Evan was the CEO and co-founder of DataBank. The company provides data protection and cloud services to over 1,000 companies including many of the world’s largest banks, insurance companies and tech firms. Evan led the company to its acquisition in 2015 and took the opportunity to relocate to the UK.
Evan is now a partner in Escrow London which is one of the UK’s leading private software escrow provider protecting the source code of hundreds of companies in the UK, USA, UAE and Africa.
Outside of Escrow London, Evan is a mentor with Virgin Start-up and consults to companies on data security compliance.
Escrow London: firstname.lastname@example.org : +44 203 862 0380 www.escrowlondon.co.uk
Photo Credit: Photo source