Twenty years ago, the man on the street probably couldn’t care less about personal data. Sure, you had isolated cases of hacking and identity theft, and the usual allegations about government conspiracies to steal our innermost secrets. But privacy certainly wasn’t anywhere near the hot topic that it is today.
In the wake of the Edward Snowden revelations, the Rupert Murdoch scandal, and numerous other distasteful incidents involving the hacking of compromising photographs from celebrities’ mobile phones, personal data privacy is now one of the first items on any legislative and regulatory agenda. In this regard, the GDPR has been heralded as a sea change in data protection legislation. In this guide, we’ll evaluate whether this is the case.
First, an overview - there are broadly two kinds of data protection legislation. The first is straightforward – the type often referred to as “Thou shall not” legislation, whereby the statute simply makes it illegal in most circumstances to appropriate personal data against the subject’s will. The second is more reactive, taking effect only after the breach and requiring the person responsible for the breach to notify either the victim or the authorities (or both) that a breach has occurred. This type of legislation is associated more with the US, whereas the first type of legislation is normally associated with continental Europe. As we shall see, that divide is definitely narrowing. The GDPR straddles both categories of legislation, consistently with its aim of replacing the 28 different data protection regimes across the Member States with a single, comprehensive regime for securing personal data.
The GDPR, adopted on 27 April 2016 and effective from 25 May 2018, is based on the Data Protection Directive (which prompted the U.K. to pass the Data Protection Act). The core principles remain the same, albeit the GDPR is far more comprehensive. It comprises 11 chapters and 99 articles and new guidelines and practice notes are emerging all the time as the 25 May 2018 deadline looms.
The GDPR imports the same absolute obligation to keep data secure and to take appropriate technical and organizational measures to achieve that obligation.In determining liability under the GDPR, breaches will be evaluated with the benefit of hindsight, asking whether a breach could have been prevented.The GDPR aims to harmonize data protection laws between the EU Member States, especially in relation to the policing and penalization of personal data breaches. A second objective is to promote the free (but secure) flow of personal data between Member States.
What, then, are the key differences between the GDPR and the Data Protection Directive (DPD) and Data Protection Act (DPA) with which the U.K. has become so familiar?
The GDPR has introduced much tighter definitions around the scope of European data privacy regulations. There’s two new concepts you need to be aware of.
At the highest level of generality, the data protection regime introduced by the GDPR might be described as one of data protection by default. Data security obligations on corporations will no longer be limited to particular, well-defined situations. Under the GDPR, whenever you design a new application, offer a new service or hire a new vendor, you need to be constantly thinking about the privacy implications of that business decision and working on designing data protection into that new operation.
This need to integrate data protection impact assessment into your operational decisions is something that organizations can either embrace or resist. Resisting, however, is unlikely to end well – the GDPR gives regulators a very big stick in the form of crippling fines. Any forward-looking company would be well-advised to embrace the process. IT offices and chief security officers, take note – your organization is going to rely on you to maintain GDPR-compliance, so you’ll need to stay sharp.
Let’s look at some of the more specific implications the GDPR has for businesses. As you might expect, these are fairly wide-ranging and expensive. After all, Ovum has reported that 70% of businesses in the EU expect to increase spending on data protection and sovereignty once the GDPR comes into effect.
The responsible and forward-looking response to GDPR is clear. Have a plan. Think of your GDPR compliance strategy and data breach policy as a fire evacuation plan. Ideally, a breach will never happen and you’ll never need to put the strategy into action – but if and when the time comes, you and your organization had better know what to do. Here are four cornerstones of any successful GDPR strategy.
Start getting any documents and records containing personal data in order. This means client files, marketing surveys, bills, etc. Implement an intuitive and comprehensive filing system and make sure all your staff are familiar with it. This way, when a flood of personal data requests comes post-GDPR, your business won’t be overwhelmed. If your staff need added incentive, introduce regular reviews or even audits to keep them on their toes. They might curse you now, but when the data requests start pouring in, they’ll appreciate the extra training.
Make sure that new rights like data portability and the right to be forgotten are in your data collection and administrative plans going forward. You need to brief your C-level executives and probably also your board, especially if your data policies are behind the times and will require significant time and investment to bring them up to speed.
If you’re not the one responsible for data security, identify the person who is and make sure he/she understands the renewed importance of his position with the GDPR on the horizon. And if your organization doesn’t already have a designated Data Protection Officer, it’s time to find one. Review your vendor contracts. Keep in mind that if you’re going to meet the regulatory deadline of reporting a breach within 72 hours in cases requiring vendor cooperation, you’ll need them to provide the necessary data within 24-36 hours. If you have doubts about a vendor’s ability to cope (particularly where the vendor is a small-scale operation that is unlikely to have sophisticated data processing and data security systems), either look for a new vendor or seek new contracts that contain indemnities for you against GDPR breaches caused by the fault of the vendor.
A final word of advice is that your staff are going to be absolutely crucial in achieving GDPR compliance. You can implement all the safeguards you like and invest in the best data encryption and cybersecurity technology. You can hire an expensive consultant to review your filing processes and identify potential data breaches. But at the end of the day, your people are going to be responsible for running that technology, implementing that consultant’s recommendations and handling data requests, data breach reporting and data screening on a day to day basis. If that sounds like it might require a couple extra hands on deck, start hiring now, because yours won’t be the only business looking for data privacy professionals. In Europe alone, demand for data protection specialists is estimated to grow by at least 18,000. Globally, that number is going to be anywhere between 75,000 to 100,000. Time to start snapping up those data guys before their market forces take their wage demands through the roof.
One aspect of GDPR compliance that deserves more detailed analysis is the relationship between technology and privacy. IT has made it easier than ever to collect, analyse and store personal data. But ironically, IT also makes it harder then ever to comply with privacy regulations like the GDPR. IT pros therefore have to juggle core business concerns like functionality and profitability with the demands of the new privacy regulations.
First, because IT allows us to process huge amounts of data at any one time, it makes it significantly more difficult for organizations to track data storage and uses.
Second, as IT has become increasingly complex – particularly with the advent of new technology like cloud storage – the knowledge gap between IT-trained professionals and non-IT trained professionals has never been wider. And if, like virtually any company outside of the Silicon Valley, your business has far more IT laymen than IT-trained staff, this is a problem when your obligations to monitor and access virtual data get more stringent than ever.
Third, companies have increasingly segregated the tech side of the business from the management division. Think back to your last board meeting. When was the last time your Chief Information Officer gave you a laundry list of the latest efforts his department has made to secure client data? That’s right, never. He knows you aren’t interested. But when the GDPR comes along and your executives and managers need to review your business processes to evaluate GDPR risk, that places them in the dangerous position of being woefully uninformed.
Well, start by consulting your IT team. They’ll help you drill down to the IT processes that are responsible for the heavy lifting where client and employee data is concerned. In particular, look out for the following.
Putting together an IT system for maximum profitability is one thing. Putting together an IT system that achieves maximum profitability, while also maintaining high levels of security and accessibility, is another. So give your technical people a heads-up about your GDPR strategy. They’ll need the time to get things in place.
Now that you understand the basics of the GDPR, it is worth considering a brief example of how the GDPR should influence corporate thinking and planning. How, for instance, should the GDPR affect the way we think about the user experience?
It helps to start from the perspective of data subjects. When we use any service, be it a flight booking, credit card subscription or even a simple smartphone app purchase, we know (at least subconsciously) that data about us is being collected and reviewed. But as data subjects, we rarely know our rights, and we can rarely be bothered to find out.
That used to be a good thing for companies. Customers didn’t know their rights, which means that as businesses, we didn’t need to be prepared for requests by customers to exercise those rights. But the DPD, and now the GDPR, has changed all of that. Data subjects have been given new rights and the onus has been placed on data controllers to educate subjects about these changes as well as facilitate their exercise of those rights.
For example, you gain goodwill from your clients by being completely open about their rights in relation to personal data. It may make sense to then cash in on that goodwill by reminding them that it will take a reasonable time for your organization to respond to any request for the exercise of those rights. By issuing this reminder, you dramatically reduce the risk of GDPR-related complaints from customers (and the associated penalties), promote your company’s reputation as a responsible data controller and buy yourself time to institute the comprehensive organizational changes that will undoubtedly be required to adapt to Europe’s new regulatory landscape for data privacy.
As you can see, while GDPR may increase costs for companies in the short-term, it may represent an opportunity in the long-term. From a marketing perspective, it provides companies with a ready platform to present themselves as customer-centric, service-oriented and socially responsible organizations. From a profits perspective, it gives the companies a strong incentive to avoid loss-inducing security breaches and reputation-damaging privacy scandals. So don't wait till May 2018, the GDPR is here and it's here to stay!
Many organizations have already taken measures to get ready for GDPR by implementing tools to prevent data breaches. Examples of such tools are our industry-leading web content filter “WebTitan”, our anti-spam email solution “SpamTitan”, and our secure email archiving solution “ArcTitan”.
One of the major threats to the integrity of personal data comes from malware. Malware threats are not necessarily targeted - as are the email phishing threats described below - but can be opportunist and downloaded inadvertently when a user visits a compromised website. In the worst case scenarios, malware downloads can install spyware that monitors the keystrokes used to access databases, or install ransomware that encrypts an organization´s computer network until a ransom is paid.
WebTitan is a robust web content filtering solution that prevents users from inadvertently visiting compromised websites through a three-tied filtering process. Easy to implement and maintain, WebTitan is available with a choice of deployment options. WebTitan protects both fixed and wireless networks with minimal latency and universal scalability, and is sufficiently versatile that Data Protection Officers can implement and enforce different web access policies for different environments.
As Internet users have become more aware of the risks of compromised websites, spam email has become the number one delivery vehicle for malware. Phishing emails in particular pose a major threat, as these are often targeted at an individual by a scammer posing as a person of authority. Phishing emails can deliver a malicious payload by instructing their recipient to open an attachment or click on a link; or can carry an instruction to carry out an action that jeopardizes the integrity of personal data.
Again available with a choice of deployment options, SpamTitan mitigates the threat from phishing emails sent from compromised email accounts by blocking dangerous attachments and links to malicious websites. Additional protection against data breaches is provided by dual anti-virus engines to safeguard personal data stored on network systems.
Potentially a bigger threat to the integrity of personal data is insider disclosure. According to recent research, internal actors were responsible for 43% of data breaches in 2015. Although half the recorded data breaches attributable to the actions of internal actors were accidental, protecting personal data against threats of this nature can be difficult. Data Protection Officers have to be aware of accidental and malicious insider disclosure when compiling risk assessments and implement appropriate measures.
One of the most effective ways of preventing insider disclosure is with an ArcTitan secure email archiving solution. ArcTitan copies each email as it enters or leaves the mail server, and stores it in encrypted format in a secure data center - providing an immutable copy of the original document that is protected against both insider and outsider theft. Fast search and retrieval engines accommodate the GDPR requirements that individual personal data can be isolated and extracted when required, and deleted when its lawful purpose has been completed.
If you'd like to discuss the security implications of GDPR regulations or how they apply in your individual situation our team of Engineers will be happy to assist. Please email us at email@example.com or visit www.titanhq.com
Call us on USA +1 813 304 2544 or IRL +353 91 545555Contact Us