GDPR (General Data Protection Regulation): isn’t it just another EU regulation?
Well, actually, no: this is a seismic shift in enforcement, and in the penalties facing anyone who holds personal data belonging to someone else – and yes, I do mean anyone. I was at a seminar about this little piece of EU regulation, which we have been whispering about for a few years but never really talked about out loud.
This is going to be a major shift in security, and the penalties for non-compliance with this regulation are going to be large. More importantly, the regulations are in place now; they are just not being enforced yet. The UK is fully signed up and gearing up to implement this regulation, which will take over from the current Data Protection Act once it comes fully into force on 25th May 2018.
The regulatory body is currently recruiting a large number of staff, who will be paid from the fines generated, and it has already said that it is not going to target just the big showpiece companies: enforcement will be across the board, from individuals all the way to multinational conglomerates. No one is immune.
Additionally, this isn’t just an IT problem; it is a business issue that needs to be addressed. As Amanda Okill from Furley Page solicitors reminded us, the UK is fully behind this regulation irrespective of Brexit. Businesses must have processes and procedures in place to prove that they have taken adequate precautions to secure personal data and that their employees are regularly trained on their responsibilities.
She went on to explain that appropriate technical and organisational measures must be taken to guard against unauthorised or unlawful processing of personal data and to ensure that personal data is not lost or damaged.
James Robson from Cyber Crowd took us through a number of high-profile data protection infringements, pointing out that the maximum fine currently available under the Data Protection Act is £500,000. He then went on to explain that under the new legislation the fines are up to €20 million or 4% of global turnover.
The really scary bit is that, whereas the Data Protection Act gave you time to respond to an issue, GDPR expects you to know that there has been an issue: it gives you 72 hours to notify the authorities that you have had a breach and 1 month to notify everyone whose personal data was stored with you. This means that not only do you have to know it happened, you also need full visibility so that you can comply within these stricter timeframes.
Companies need to ensure that they have a data controller who is responsible for controlling the means and purpose of processing personal data, no matter where it is held. So, if you have outsourced your data management, whereas in the past you could to a large extent hand over the responsibility to the outsourcing company, this is no longer the case: you are responsible for any issues, no matter what happens.
The part that really resonated with me was when James, having reiterated that the governing body was employing more people, went on to say that this is now everyone’s responsibility. The implication is that if you own a mobile phone and lose it, the personal data belonging to any of your contacts could leave you liable under the new regulation. More importantly, you are now legally obliged to inform everyone in your contacts list of the loss of their personal data, and if they are not happy they can take you to the new body, which will investigate and, if necessary, fine you if you are found not to have taken adequate precautions to protect the other parties’ data.
That last paragraph was a bit heavy and long-winded; the bottom line is that if you lose any data, expect to be heavily fined. So, what can or should we be doing about this? Visibility is the start: knowing where you are and what your risk and exposure level is will help you to see what needs to be done.
As I said during my slot at the seminar, as soon as you connect to the Internet your organisation is at risk, and if someone wants to get in badly enough, they will. We hear all the time of governments being hacked, and they spend billions on security. The simple truth is that there is no such thing as secure; you can only put in sufficient safeguards to mitigate your risk.
Until now, risk has always been a subjective business assessment; GDPR changes this, putting the onus firmly onto the shoulders of anyone holding personal data. So, what do we need to do? The first step is to understand your external risks, and a penetration test is a good starting point. Always use an industry-leading scan engine: the one we use added over 1,000 new vulnerabilities to its assessment database in the last two weeks and currently scans for 34,069 different issues (this is updated daily).
Once you know your external vulnerabilities – and by the way, external penetration assessments should be run at least quarterly – and have assessed the risks and sorted out any issues, you then need to start looking internally via a vulnerability assessment. I am sure you are aware that over 90% of all issues originate from within the organisation.
So, as Amanda said in her session, make sure you have clear whistleblower policies and practices in place and, more importantly, that everyone knows and understands why security is important. The vulnerability assessment is not just an IT exercise; yes, there will be some technical requirements, but a large focus of the assessment will be on your business processes and procedures, as these are your “get out of a large fine” ticket. They may not stop you getting fined, but they will help reduce the amount considerably.
If you can prove that you have policies and procedures in place, that you have trained your staff and that, where possible, you have ensured adequate protection for personal data, the regulator will probably still fine you for the loss – they are financed by the fines they impose and there are going to be a lot of them to pay for – but the steps you have taken will be taken into consideration and will be reflected in the cost.
So before you think “this isn’t something I need to worry about”, think again: GDPR is here to stay, it is being funded by fines – and they will need to recoup the recruitment, training and wage costs from somewhere – and the onus is on you.
Make sure you and everyone in your organisation are prepared, as GDPR is a game changer and no one is safe.