New EU Data Security Rules Explained

The General Data Protection Regulation (“GPDR”) came into force on 25 May 2018, the guide will serve as a helpful resource for those looking to get to gain further insight into GDPR demands.

Twenty years ago, the man on the street probably couldn’t care less about personal data. Sure, you had isolated cases of hacking and identity theft, and the usual allegations about government conspiracies to steal our innermost secrets. But privacy certainly wasn’t anywhere near the hot topic that it is today.

In the wake of the Edward Snowden revelations, the Rupert Murdoch scandal, and numerous other distasteful incidents involving the hacking of compromising photographs from celebrities’ mobile phones, personal data privacy is now one of the first items on any legislative and regulatory agenda. In this regard, the GDPR has been heralded as a sea change in data protection legislation. In this guide, we’ll evaluate whether this is the case.

First, an overview - there are broadly two kinds of data protection legislation. The first is straightforward – the type often referred to as “Thou shall not” legislation, whereby the statute simply makes it illegal in most circumstances to appropriate personal data against the subject’s will. The second is more reactive, taking effect only after the breach and requiring the person responsible for the breach to notify either the victim or the authorities (or both) that a breach has occurred. This type of legislation is associated more with the US, whereas the first type of legislation is normally associated with continental Europe. As we shall see, that divide is definitely narrowing. The GDPR straddles both categories of legislation, consistently with its aim of replacing the 28 different data protection regimes across the Member States with a single, comprehensive regime for securing personal data.

The GDPR – an overview

The GDPR, adopted on 27 April 2016 and effective since 25 May 2018, is based on the Data Protection Directive (which prompted the U.K. to pass the Data Protection Act). The core principles remain the same, albeit the GDPR is far more comprehensive. It comprises 11 chapters and 99 articles and new guidelines and practice notes are emerging all the time.

The GDPR imports the same absolute obligation to keep data secure and to take appropriate technical and organizational measures to achieve that obligation. In determining liability under the GDPR, breaches will be evaluated with the benefit of hindsight, asking whether a breach could have been prevented. The GDPR aims to harmonize data protection laws between the EU Member States, especially in relation to the policing and penalization of personal data breaches. A second objective is to promote the free (but secure) flow of personal data between Member States. 

What, then, are the key differences between the GDPR and the Data Protection Directive (DPD) and Data Protection Act (DPA) with which the U.K. has become so familiar?

Definitions :

The GDPR has introduced much tighter definitions around the scope of European data privacy regulations. There are two concepts you need to be aware of.

• “Controllers” – These are the primary subjects of GDPR obligations. Controllers are defined as the entities or subjects that collect personal data and make the decisions as to which and how personal data can be used.
• “Processors” – These are “secondary controllers”, if you will. Processors are essentially subcontractors which provide services to controllers that involve the processing and use of personal data collected by controllers. One common example would be external data storage companies (if a company is subscribing for cloud storage services, the cloud storage company would probably be caught). Processors are also subject to obligations under the GDPR, but these are fewer and less stringent than the regime for controllers.
• Direct Effect - Regulations do not require enabling legislation to be passed by national governments. They are directly effective, meaning that since the GDPR law was introduced, in 2018, it has the equal force of law as national legislation – whether or not the government in question agrees! In contrast, the DPD had little legal force in the U.K. until the DPA was passed.
• Express Consent – Whereas the DPD and DPA were fuzzy enough around the edges for companies to regularly rely on the concepts of implied, deemed and standing consent, the GDPR is absolutely clear on the topic. Data subjects must give express consent for their data to be processed. Putting together legal documentation that ensures data subjects give clear and unconditional consent to the use of their data will undoubtedly increase the legal costs and regulatory burden of GDPR-affected businesses in the short term.
• Personal Data Requests - Data subjects have an explicit right under the GDPR to request personal data held by a company and demand that such data be rectified or erased for any reason whatsoever. Under the DPA, organizations were permitted to charge a reasonable fee for data requests and a subject’s right to have his/her data erased or rectified was a matter of common law (rather than an absolute right). These fees are likely to be phased out with the GDPR, so organizationals will need to budget for responding to these personal data requests without much prospect of reimbursement.
• Reporting Breaches - The DPA required organizations to self-report data breaches only if the breach was also covered by the Privacy and Electronic Communications Regulations 2011. The scope of those regulations was limited to data security breaches at telecoms providers or ISPs. In contrast, the GDPR makes self-reporting of breaches mandatory so long as the data breach is likely to result in any risk to an individual’s rights and freedoms. This more open-ended and wide-ranging obligation gives organizations incentive to report any breach, however small.
• Penalties - Finally, breach of the GDPR carries far heavier penalties than breaches of the DPA. Breaches of the DPA carried fines of up to £500,000. Breaches of the GDPR carry fines with an upper limit of 4% of the offender’s global turnover or €20 million – whichever is higher. Bearing in mind that even large corporations often have a profit margin of 4% or less, GDPR fines can easily force a business into liquidation.

What GDPR means for businesses

At the highest level of generality, the data protection regime introduced by the GDPR might be described as one of data protection by default.  Data security obligations on corporations will no longer be limited to particular, well-defined situations. Under the GDPR, whenever you design a new application, offer a new service or hire a new vendor, you need to be constantly thinking about the privacy implications of that business decision and working on designing data protection into that new operation.

This need to integrate data protection impact assessment into your operational decisions is something that organizations can either embrace or resist.  Resisting, however, is unlikely to end well – the GDPR gives regulators a very big stick in the form of crippling fines. Any forward-looking company would be well-advised to embrace the process.  IT offices and chief security officers, take note – your organization is going to rely on you to maintain GDPR-compliance, so you’ll need to stay sharp.

Let’s look at some of the more specific implications the GDPR has for businesses. As you might expect, these are fairly wide-ranging and expensive. After all, Ovum has reported that 70% of businesses in the EU expect to increase spending on data protection and sovereignty once the GDPR comes into effect.

• GDPR applies to all vendors servicing EU organizations. Even if one of your suppliers is outside the EU, they have to comply with the GDPR so long as they are servicing organizations within the EU. Most significantly, if you outsource operations to U.S. organizations like Peoplesoft, you need to be very wary of how these organizations are handling Privacy Shield Safe Harbour Changes vis-à-vis their EU customers. Many are trying to contractually shift the burden of those changes onto their customers. You don’t want to be juggling GDPR obligations with these responsibilities, so resist such contractual changes as vigorously as possible.

• Breaches need to be self-reported within 72 hours. For large businesses, this means designating key personnel to take charge of data breach reporting. This might not seem too sensible to most – resources are arguably far better spent on trying to remedy the breach than putting together paperwork on it – but the European Commission, in its infinite wisdom, has decided otherwise. And 72 hours is an incredibly short amount of time, considering that the average malicious data breach can take anywhere between 200 and 300 days to detect, much less resolve. Large organizations should start looking into automated security screening intelligence, including network forensics software and security event reporting programs. This significantly reduces the burden on your (probably already overworked) IT team and cuts down reporting time.

• Improving accessibility of personal data becomes a huge priority. The GDPR introduces a new range of personal data rights, ranging from the right to data portability to the “right to be forgotten” (i.e. the right to have your personal data erased from business sytems). Prompt compliance with individual requests for erasure, rectification or data access means having personal data on hand 24/7. This means significant investment in data backup, migration and recovery, and perhaps new IT solutions like cloud-based storage as well.

• Businesses may need to divert manpower to dealing with information requests. The ICO estimates that under the DPA, more than ten million subject access requests have been made in the U.K as of mid-2016.  That works out to about one in six of the population having at some point made a subject access request, and that’s with the access fee that the DPD and DPA permit organizations to charge. With access requests becoming free-of-charge under the GPDR, the volume and frequency of access requests is definitely going to go up. Corporates currently spend between 140 and 250 hours dealing with information requests and executives would be well-advised to start thinking about streamlining the process for dealing with requests, so that unnecessary wastage of precious manpower hours can be avoided.

• Privacy policies will need to be substantially revised. As recently as five years ago, nobody read privacy policies. Privacy policies were the annoying walls of text you scrolled through at lightning speed when installing new software or signing up for a credit card. The GDPR has definitely boosted customer awareness about privacy obligations, so you can expect your privacy policy to be scrutinized. Furthermore, the GDPR has some very specific guidelines on the privacy provisions that need to be incorporated into contracts. This means shelling out some extra money on legal fees.

• Businesses need to do all of the above fast, because penalties for breach of the GDPR are heavier than they ever were under the DPA and DPD. There has always been a strong pecuniary incentive to comply with data protection legislation, especially after the Court of Appeal decision in Vidal Hall which made it substantially easier to sue for damages in data breach cases. But that incentive is substantially bolstered by the GDPR. In severe cases, fines can be as high as 4% of global annual turnover, which is going to hit large multinationals hard where it hurts most. While this figure is still lower than in certain European countries like the Netherlands, where the upper threshold for data breach fines is a stunning 10% of global annual turnover, the new penalties will take some getting used to for U.K.-based companies as well as non-European corporations.

• Data protection and privacy safeguards are going to be more important than ever for corporate reputation. European regulators have done a fantastic job of publicizing the more stringent requirements under the GDPR. Customers are going to be more aware than ever of their rights to personal data, and you can bet that companies whose procedures aren’t up to scratch will be caught out. Take Talk Talk for example. After the Talk Talk data breach scandal, in which the company's confident announcements that they had done everything necessary to protect its customers were proven wrong in court, the company announced a halving of its profits – and the GDPR isn't even in effect yet!

• The above may sound frightening, especially for companies who know for sure they haven’t got the proper controls and procedures in place. Companies may be crossing their fingers and hoping that Brexit will sweep away their obligations under the GDPR. That, unfortunately, would be wishful thinking.

• Since its status as a regulation means the GDPR needs no enabling or implementing national legislation to enter into force in the U.K., its status post-Brexit is as yet unknown. In contrast, the national legislation put in place to implement EU Directives – the Data Protection Act included – will likely be rolled back following the inevitable repeal of the European Communities Act.

• GDPR is applied in the UK despite brexit. So Brexiteers, don’t start rejoicing just yet. GDPR has extraterritorial effect, so long as an U.K. organization in question markets or sells its products and services to at least 5000 EU citizens, that organization will be expected to play by the EU's data privacy rules. To avoid U.K. companies getting slapped with huge fines.

Putting in place a GDPR compliance strategy

The responsible and forward-looking response to GDPR is clear. Having a GDPR strategy is key. Think of your GDPR compliance strategy and data breach policy as a fire evacuation plan. Ideally, a breach will never happen and you’ll never need to put the strategy into action – but if and when the time comes, you and your organization had better know what to do. Here are four cornerstones of any successful GDPR strategy.

Start getting any documents and records containing personal data in order. This means client files, marketing surveys, bills, etc. Implement an intuitive and comprehensive filing system and make sure all your staff are familiar with it. This way, when a flood of personal data requests comes post-GDPR, your business won’t be overwhelmed. If your staff need added incentive, introduce regular reviews or even audits to keep them on their toes. They might curse you now, but when the data requests start pouring in, they’ll appreciate the extra training.

Make sure that new rights like data portability and the right to be forgotten are in your data collection and administrative plans going forward. You need to brief your C-level executives and probably also your board, especially if your data policies are behind the times and will require significant time and investment to bring them up to speed.

Introduce a Data Protection Impact Assessment (DPIA) process.

If you’re not the one responsible for data security, identify the person who is and make sure he/she understands the renewed importance of his position with the GDPR on the horizon. And if your organization doesn’t already have a designated Data Protection Officer, it’s time to find one. Review your vendor contracts. Keep in mind that if you’re going to meet the regulatory deadline of reporting a breach within 72 hours in cases requiring vendor cooperation, you’ll need them to provide the necessary data within 24-36 hours. If you have doubts about a vendor’s ability to cope (particularly where the vendor is a small-scale operation that is unlikely to have sophisticated data processing and data security systems), either look for a new vendor or seek new contracts that contain indemnities for you against GDPR breaches caused by the fault of the vendor.

A final word of advice; your staff is absolutely crucial in achieving GDPR compliance. You can implement all the safeguards you like and invest in the best data encryption and cybersecurity technology. You can hire an expensive consultant to review your filing processes and identify potential data breaches. But at the end of the day, your people are going to be responsible for running that technology, implementing that consultant’s recommendations and handling data requests, data breach reporting and data screening on a day-to-day basis. If that sounds like it might require a couple of extra hands on deck, start hiring now, data privacy professionals are highly sought after. In Europe alone, demand for data protection specialists was estimated to grow by at least 18,000 in 2018. Globally, that number is going to be anywhere between 75,000 to 100,000 per year. Time to start snapping up those data guys before their market forces take their wage demands through the roof.

Technology and privacy

One aspect of GDPR compliance that deserves more detailed analysis is the relationship between technology and privacy. IT has made it easier than ever to collect, analyse and store personal data. But ironically, IT also makes it harder then ever to comply with privacy regulations like the GDPR. IT pros therefore have to juggle core business concerns like functionality and profitability with the demands of the new privacy regulations.

First, because IT allows us to process huge amounts of data at any one time, it makes it significantly more difficult for organizations to track data storage and uses.
Second, as IT has become increasingly complex – particularly with the advent of new technology like cloud storage – the knowledge gap between IT-trained professionals and non-IT trained professionals has never been wider. And if, like virtually any company outside of the Silicon Valley, your business has far more IT laymen than IT-trained staff, this is a problem when your obligations to monitor and access virtual data get more stringent than ever.
Third, companies have increasingly segregated the tech side of the business from the management division. Think back to your last board meeting. When was the last time your Chief Information Officer gave you a laundry list of the latest efforts his department has made to secure client data? That’s right, never. He knows you aren’t interested. But when the GDPR comes along and your executives and managers need to review your business processes to evaluate GDPR risk, that places them in the dangerous position of being woefully uninformed.

So how are we to evaluate our GDPR performance?

Well, start by consulting your IT team. They’ll help you drill down to the IT processes that are responsible for the heavy lifting where client and employee data is concerned. In particular, look out for the following.

• Residual data. When you delete digital information, it isn’t necessarily obliterated. Most, if not all of the time,  it leaves some trace behind, like a stain that never washes out. Take a Web server for instance. You’ve got the front-end of the Web server, that stores all of the data you read and access on a regular basis. Then you’ve got a cache player and a local cache, which is responsible for temporary files (think Internet cookies and Microsoft Office documents that haven’t been properly saved or backed up).
• Database logs are another huge culprit where residual data is concerned. You have your MySQL logs.  You have your binary logs on all servers.  When they transmit and replicate data between each other, the logs end up storing all the traffic that’s going to the database to all the servers, including the backup. Even if you’ve cleaned out the entire server (caches included) and the database, your logs are likely to contain pretty comprehensive copies of the deleted information. You can see, therefore, how a “right to be forgotten” request from a client to have her data deleted from your systems can take hours to respond to.
• Data aggregation. Most data storage systems index information on multiple bases – chronologically, alphabetically or substantively.  They naturally spread out data to optimize the functionality of the system, making it easier for you to find the exact data you’re looking for with a couple of click-through searches. Simply put, business IT systems rarely aggregate your data by default.  So when you get a data portability query or a data erasure request, it may be a real challenge for your IT team to locate the relevant data if you haven’t got some aggregation procedure in place.
• Electronic format. The organizations that are likely going to be hardest hit by the GDPR are those with hybrid physical/electronic methods of data storage. But even if your company has migrated to fully electronic storage, it might not be out of the woods yet. If data within a single category is stored in multiple formats, with varying levels of encryption and residual data, you may have trouble achieving GDPR compliance, particularly where data security is concerned.
• Encryption policy. IT pros know that encryption is a double-edged sword. On the one hand, if you want to keep personal data secure, encryption is a must. On the other hand, most enterprise security software is unable to comprehensively scan encrypted data for potential security threats such as malware or data exfiltration. So while encryption might help to keep hackers away from your front door, it might also act as a backdoor through which hackers can access your systems. Data protection consultants have therefore recommended investment in encrypted traffic management (ETM) technology which enables organizations to selectively decrypt encrypted traffic for security screening purposes, before re-encrypting the data for transport to its intended destination.

Putting together an IT system for maximum profitability is one thing. Putting together an IT system that achieves maximum profitability, while also maintaining high levels of security and accessibility, is another. So give your technical people a heads-up about your GDPR strategy. They’ll need the time to get things in place. 

A case study – GDPR and the design of user experiences.

Now that you understand the basics of the GDPR, it is worth considering a brief example of how the GDPR should influence corporate thinking and planning. How, for instance, should the GDPR affect the way we think about the user experience?

It helps to start from the perspective of data subjects. When we use any service, be it a flight booking, credit card subscription or even a simple smartphone app purchase, we know (at least subconsciously) that data about us is being collected and reviewed. But as data subjects, we rarely know our rights, and we can rarely be bothered to find out.

That used to be a good thing for companies. Customers didn’t know their rights, which means that as businesses, we didn’t need to be prepared for requests by customers to exercise those rights. But the DPD, and now the GDPR, has changed all of that. Data subjects have been given new rights and the onus has been placed on data controllers to educate subjects about these changes as well as facilitate their exercise of those rights.

So as an organization targeting GDPR compliance, you’re going to want to have maximum transparency with customers. You’ll need an up-to-date privacy policy, that contains GDPR-approved provisions informing customers of their rights to erasure, rectification and requests for information.  This may sound like a hassle, but it’s also a valuable opportunity to manage customer expectations and help ease the regulatory burden on your company.

For example, you gain goodwill from your clients by being completely open about their rights in relation to personal data. It may make sense to then cash in on that goodwill by reminding them that it will take a reasonable time for your organization to respond to any request for the exercise of those rights. By issuing this reminder, you dramatically reduce the risk of GDPR-related complaints from customers (and the associated penalties), promote your company’s reputation as a responsible data controller and buy yourself time to institute the comprehensive organizational changes that will undoubtedly be required to adapt to Europe’s new regulatory landscape for data privacy.

As you can see, while GDPR may increase costs for companies in the short-term, it may represent an opportunity in the long-term. From a marketing perspective, it provides companies with a ready platform to present themselves as customer-centric, service-oriented and socially responsible organizations. From a profits perspective, it gives the companies a strong incentive to avoid loss-inducing security breaches and reputation-damaging privacy scandals. GDPR is here and it's here to stay!

 

GDPR and Technology

Many organizations have already taken measures to get ready for GDPR by implementing tools to prevent data breaches. Examples of such tools are our industry-leading web content filter “WebTitan”, our anti-spam email solution “SpamTitan”, and our secure email archiving solution “ArcTitan”.

Web Content Filtering

One of the major threats to the integrity of personal data comes from malware. Malware threats are not necessarily targeted - as are the email phishing threats described below - but can be opportunist and downloaded inadvertently when a user visits a compromised website. In the worst case scenarios, malware downloads can install spyware that monitors the keystrokes used to access databases, or install ransomware that encrypts an organization´s computer network until a ransom is paid.

WebTitan is a robust web content filtering solution that prevents users from inadvertently visiting compromised websites through a three-tied filtering process. Easy to implement and maintain, WebTitan is available with a choice of deployment options. WebTitan protects both fixed and wireless networks with minimal latency and universal scalability, and is sufficiently versatile that Data Protection Officers can implement and enforce different web access policies for different environments.

 
Anti-Spam Email Solution

As Internet users have become more aware of the risks of compromised websites, spam email has become the number one delivery vehicle for malware. Phishing emails in particular pose a major threat, as these are often targeted at an individual by a scammer posing as a person of authority. Phishing emails can deliver a malicious payload by instructing their recipient to open an attachment or click on a link; or can carry an instruction to carry out an action that jeopardizes the integrity of personal data.

Again available with a choice of deployment options, SpamTitan mitigates the threat from phishing emails sent from compromised email accounts by blocking dangerous attachments and links to malicious websites. Additional protection against data breaches is provided by dual anti-virus engines to safeguard personal data stored on network systems.

Secure Email Archiving Solution

Potentially a bigger threat to the integrity of personal data is insider disclosure. According to recent research, internal actors were responsible for 43% of data breaches in 2015. Although half the recorded data breaches attributable to the actions of internal actors were accidental, protecting personal data against threats of this nature can be difficult. Data Protection Officers have to be aware of accidental and malicious insider disclosure when compiling risk assessments and implement appropriate measures.

One of the most effective ways of preventing insider disclosure is with an ArcTitan secure email archiving solution. ArcTitan copies each email as it enters or leaves the mail server, and stores it in encrypted format in a secure data center - providing an immutable copy of the original document that is protected against both insider and outsider theft. Fast search and retrieval engines accommodate the GDPR requirements that individual personal data can be isolated and extracted when required, and deleted when its lawful purpose has been completed.

An important tenet of GDPR is the ‘Right to be Forgotten’. A key feature of ArcTitan is the privileged and delete user feature which helps customers to comply with this.  The Audited delete process regulates the destruction of emails in a controlled manner. Talk to us about implementing ArcTitan email archiving today.

If you'd like to discuss the security implications of GDPR regulations or how they apply in your individual situation our team of Engineers will be happy to assist. Please email us at info@titanhq.com or visit www.titanhq.com