[BreachExchange] Getting your business ready for the GDPR

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 31 19:46:10 EDT 2017


https://www.itproportal.com/features/getting-your-business-ready-for-the-gdpr/

From 25 May 2018, the General Data Protection Regulation comes into effect.
Yes, it’s an EU-led regulation, but even with the UK leaving, the GDPR will
still have a substantial impact on the way British organisations manage
personal data.

The GDPR represents the biggest shakeup to data protection in over 20
years. But looking back at how radically the internet has transformed our
lives in that time, it’s no surprise that data privacy regulations are due
for an overhaul. But how exactly will the GDPR affect your business, and
how can you ensure your data protection makes the grade?

Why Brexit (probably) isn’t an issue

Brexit is happening, but it’s unlikely to make a difference to the
application of the GDPR in the UK. The UK will still be an EU member when
the GDPR comes in, and it will continue to apply in UK law unless the
government takes specific action to repeal it.

But the GDPR is very likely to stay on the books. The UK’s Information
Commissioner’s Office (ICO) has consistently promoted it as a positive
development, and repeated statements from UK officials support it as a
welcome enhancement of British data protection legislation.

Even if Brexit means a complete clean break with existing EU data
protection rules, any organisation collecting data from individuals within
the EU will have to abide by the GDPR. So, for the many UK firms that do
business across the EU, the GDPR is a vital concern irrespective of Brexit.

What does the GDPR actually mean?

The GDPR is intended to offer more protection to consumers when it comes to
their personal data. It does this by building on existing data protection
concepts and introducing new ones to create a more comprehensive set of
rules with regard to the collection, processing and storage of personal
data.

The definition of personal data will also be updated to include a broader
range of information, from genetic and biological details to a person’s
economic, social and cultural background.

Data controllers and data processors

The GDPR makes two important definitions regarding organisations that
collect, store and manage personal data: data controllers and data
processors. A data controller is a party that determines the purposes and
means of processing personal data, while a data processor carries out that
processing on the controller’s behalf.

For example, a company that wants to collect data (the data controller)
could outsource the processing of that data to an IT provider (the data
processor). Alternatively, an organisation could be both a controller and a
processor, but each role has different obligations under the GDPR.

Data protection by design? The right to be forgotten? Data portability?

‘Data protection by design’ means building in data protection at every
level of a product or service. The amount of data captured and the length
of time that data is stored should always be kept to a bare minimum. For
example, do you really need to collect someone’s full name and address when
just their company details will do?

The ‘right to be forgotten’ has been extended, allowing an individual to
ask an organisation to completely delete all the data they have on that
person. The data controller is responsible for ensuring all data is
deleted, even if this requires liaising with third parties. This could
involve requesting the removal of personal data from Google search results,
for example.

The concept of ‘data portability’ is intended to simplify data transfer
processes, for example when an individual requests their data from a
company, or when they want to swap energy providers. A key element of data
portability is that individuals should receive their data in a usable form:
a structured, commonly used and machine-readable format.

Tougher penalties for shoddy data protection

Nobody likes fines, and under the GDPR they’ll be even higher. Jumping from
the ICO’s theoretical maximum fine of £500,000, penalties will reach an
upper limit of €20 million or 4% of annual global turnover – whichever is
higher.

On top of fines, the increased pressure on businesses to maintain data
protection standards means that the PR fallout and reputational damage of a
data breach will be significantly magnified.

Stricter deadlines will also apply when reporting data breaches. Outside of
special circumstances, organisations must notify their national data
protection authority (the ICO in the UK) of a breach within 72 hours of
becoming aware of it.

GDPR compliance: what to do now

While some organisations won’t be affected by the GDPR at all, if you
collect, store or process any form of personal data, it’s safe to assume
that the GDPR matters. You need to look at your specific obligations in
terms of how much data and what kind of data you collect, what you do with
this data, whether you’re a data controller or a data processor, and what
data protection policies you already have in place.

In the best-case scenario, your existing policies will already be up to
GDPR standards. Even when you do need to make changes, if you comply with
existing rules, the implementation of new processes is likely to be fairly
straightforward.

Organisations should take steps to review existing data protection measures
and put new processes in place wherever necessary to comply with the GDPR.
Part of this may involve staff training to raise awareness of data
protection responsibilities throughout the organisation.

Asking the right questions

How will you react to requests from individuals for their data to be
deleted or provided in a particular format? What will your procedures be in
the event of a data breach? Some organisations will also need to appoint a
data protection officer: the GDPR requires one for public authorities, and
for organisations whose core activities involve large-scale regular and
systematic monitoring of individuals or large-scale processing of special
categories of personal data.

If you’re developing a new product or service that involves personal data,
you’ll need to consider data protection by design from the outset. Privacy
notices, such as the information available to users on a company website,
should also be reviewed to ensure they meet new GDPR standards.

Finally, an important point about consent: even if consent has already been
granted from an individual for their data to be processed, this may no
longer be enough after 25 May 2018. The GDPR raises the standard of what
constitutes consent, so if consent was obtained pre-GDPR, do you need to
ask for it again?

Be prepared!

The penalties for a data breach under the GDPR are a significant increase
from those faced by UK businesses today. Increased fines make the threat of
insolvency as a result of a GDPR penalty very real indeed. But by being
aware of your responsibilities, implementing stringent security measures,
and being crystal clear on the role of the data controllers and data
processors in your organisation, you will be in a strong position to calmly
navigate the GDPR waters without sinking.