Reference to the General Data Protection Regulation (GDPR) seems to be everywhere at the moment, to the extent that in some circles it is already being regarded as a buzzword. However, buzzwords – like clichés – usually exist for a reason, and the reason GDPR is such a large topic of conversation, marketing campaigns, and blog posts is that this new piece of legislation is going to bring about some pretty dramatic changes when it comes to data security and privacy.
What is GDPR?
Enforceable from 25 May 2018, GDPR is a new EU regulation which has been designed to update the existing Data Protection Directive. Enacted in 1995, the existing directive was established before the days of widespread internet use, which has fundamentally changed the way we create, use, share, and store information. Alongside the aim of updating data protection, GDPR is also aimed at unifying approaches to data privacy and security. Being a directive, the existing framework had, by its nature, the flexibility to be implemented by EU member states as they saw fit, resulting in quite different approaches to data protection across Europe. GDPR is a regulation and as such must be followed much more rigidly – and, indeed, not just by companies based in Europe. At the core of GDPR is the aim to simplify, unify and update the protection of personal data.
How Does GDPR Differ from Other Data Protection Laws?
Changes under GDPR are aimed at moving companies away from a tick-box compliance attitude to the security and privacy of personal information, and towards a company-wide approach to managing the lifecycle of personal data.
The top ten key points are:
- GDPR has a wider geographic scope. You do not have to be based in Europe for it to apply. Any company that does business with EU residents will be subject to GDPR. Even if you are offering a free service, such as a website that people in the EU access, you may be subject to GDPR if you collect IP addresses or track cookies.
- Data Protection Authorities (DPAs) will have the power to enforce much more severe penalties for breaches of personal data. There is a tiered approach to fines under GDPR. The maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data, is 4% of annual global turnover or €20 million (whichever is greater). For less serious infringements, such as failure to notify about a breach, a fine of up to 2% of global annual turnover would apply. This is a much greater scope for fines than we currently have in place; for example, in the UK, the maximum penalty for breaching the Data Protection Act is £500,000, and the largest fine so far imposed was £400,000, which was issued to TalkTalk in 2016 for security failings that allowed a cyber attacker to access customer data “with ease.”
- The definition of ‘personal data’ has widened and now explicitly includes online identifiers such as IP addresses and mobile device identity.
- Organisations will need to obtain explicit consent from individuals regarding the processing of their data, and companies will no longer be able to use long, illegible terms and conditions. Individuals will also have more rights regarding the processing of their data, for example relating to data erasure (often referred to as the ‘right to be forgotten’) and data portability, which is the right to transmit their data to another controller.
- Technical and organisational measures regarding the protection of personal data are to become mandatory, with the GDPR outlining examples of the measures expected. These relate to the hashing and encryption of personal data, the ability to ensure confidentiality, integrity, and availability, and processes to test the effectiveness of security measures.
- Data processing registries will become mandatory. This means that organisations will need to keep a written (electronic) record of personal data processing activities, capturing the lifecycle of the data and the name and contact details of the data controller.
- Data protection impact assessments will be required for technology or processes that are likely to be high risk to the individuals, for example data profiling.
- The reporting of personal data breaches will become mandatory. Under Article 33 of the GDPR, organisations must report breaches of personal data to the DPA within 72 hours of becoming aware of them. If a breach poses a high risk to individuals, for example relating to personal data that has not been encrypted, those individuals must be informed “without delay.”
- If your organisation monitors individuals on a large scale or processes special categories of data (particularly sensitive personal data), you will be required to have a Data Protection Officer (DPO). The DPO monitors organisational compliance with the regulation and must report directly to the highest management level of the organisation, must perform their tasks in an independent manner, and cannot be dismissed or penalised for performing their tasks.
- The legislation is focused on attaining data protection by design and by default. Privacy by design is a concept that has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for data protection to be built in from the outset of system design, rather than added on afterwards.
The legal and technical changes required to comply with GDPR are substantial and will require changes at an organisational level. Becoming compliant with GDPR is not something the legal and information security teams of organisations can achieve alone. According to (ISC)2’s GDPR Task Force, getting the business on board is proving a struggle. The task force has found that GDPR projects are falling at the first hurdle with a lack of budget and business-level support for GDPR implementation teams. It appears that it is not the expertise that is lacking but the financing, resources, and senior-level support.
With this challenge in mind, my next blog post will address what you can do to better communicate with senior leaders in your organisation and how to get the business on board. The advice will be specifically aimed at how to engage senior leadership in supporting the implementation of GDPR but, with a look at some communication principles and how to combat the negative side effects of fear and fatigue, there will be wider lessons on how to communicate more effectively when it comes to cyber security.