[BreachExchange] How to prepare for the new privacy laws 'with teeth' - and avoid huge fines for breaking them

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 20 20:21:38 EDT 2017


https://fora.ie/readme/gdpr-for-smes-3503897-Jul2017/

Next year will see the biggest overhaul in privacy law in two decades, and
it’s going to be a game changer for many organisations.

For those who don’t know, the General Data Protection Regulation, or GDPR,
is a new piece of legislation that becomes applicable on 25 May 2018.

What’s interesting about the new law is the fact that it not only applies
to large companies like Facebook or LinkedIn, but the same principles will
apply to SMEs, non-for-profit organisations, schools and even community
groups like sports clubs. It will also apply to public sector organisations.

You would be hard pressed to find a law that applies as extensively as this
one because it’s next to impossible to do business today without collecting
some form of personal data.

Does the law apply to me?

Essentially, the only criteria that decides whether or not the GDPR applies
to your business or organisation is whether you collect personal data.

Personal data is defined very widely – it means any information that can
identify a living person.

In other words, if you, as an organisation, have employees or customers
whose personal contact details you store, then you will be collecting
personal data and this law will apply to you.

There are one or two derogations in the legislation. For example, the
requirement to keep records of processing activities applies only if you
have 250 employees or more, although some small organisations will still
need to do so due to other requirements.

Other than that, there are few differences in the application o

What’s different about GDPR?

Current data protection laws in Ireland date back to 1988, so it’s not as
if GDPR introduces an entire set of legal principles that never existed
before.

One of main differences with the GDPR and existing law is that it places
more onerous obligations on organisations to prove that they are compliant.

This concept of accountability runs throughout the new legislation, and the
burden of proof is on each organisation to demonstrate upon request how
they are compliant with the law.

The principle of transparency is at also the core of the GDPR, and
organisations will be required to be much more up-front in terms of
providing information to the individuals whose personal data they collect.

Organisations must disclose what personal data they collect, why they’re
collecting it, what they’re going to do with it and who’s going to access
it.

In addition, individuals will be given more rights and enhanced protection,
which means that they can go back to companies and makes certain requests.

For example, a person could ask your organisation to respond to a subject
access request whereby you will be required to disclose what personal data
you hold on that individual.

Or they could object to receiving direct marketing from your firm or ask to
‘be forgotten’. Companies have to be ready and primed to deal with these
requests when they receive them because they create an administrative
burden.

You’ll have 30 days to respond to them under the new law – or else risk
being fined by the Office of the Data Protection Commissioner.

Beware the ‘sleeping giant’

I think it’s fair to say that, up to now, breaches of data protection law
have not carried the sort of fines that, by themselves, would dissuade an
organisation from failing to comply. The GDPR has teeth and brings with it
severe penalties.

There are two tiers of fines under the new legislation. The top tier can be
more than
€20 million or 4% of an organisation’s global annual turnover, whichever is
greater.

It’s worth noting that if there is a breach of data protection law today,
the regulator has to prosecute through the courts, and the courts will
decide whether to levy a fine.

That all changes under the GDPR. The regulator will be able to decide
whether to fine as well as the level of fines.

If your company is being sued by an individual because of the impact your
infringement of data protection law has had on them, they will now have the
right to seek compensation for non-material damage.

That means they do not have to show a financial loss as a result of the
infringement – they can seek compensation for distress, hurt feelings,
reputational damage, and so on.

A group of the individuals could also come together under the umbrella of a
not-for-profit consumer group and take a quasi-class action against your
company.

So it’s not just fines you have to worry about – claims for compensation
from individuals could prove to be the ‘sleeping giant’ of the GDPR.

What should you do?

A lot of people think GDPR is merely to do with securing personal data in a
computer system.

While IT and data security is an important component of compliance, it is
not sufficient on its own to demonstrate compliance. The GDPR applies to
the entire life cycle of personal data from the moment you collect it until
your safe disposal of it.

Right now, becoming GDPR-ready should be a board- and senior
management-level issue. If this hasn’t yet been on your board’s agenda, it
should be on the very next one.

You can’t be compliant with this law if you don’t know the basics. You will
need to assess what personal data your organisation collects, where it
resides in the organisation and who is accessing it.

You need to review the type of data processing that you carry out – in
other words, what do you do with that information and what purposes are you
using it for?

You must have a legal bases for holding it. The various legal bases for
collecting and processing data are listed in the GDPR, and you must be able
to identify and document which lawful bases your processing falls under.

External privacy policies – such as your website’s privacy policy – must
provide sufficient information to individuals about data collection and use
so as to satisfy the transparency requirements of the GDPR. Chances are,
you’re going to have to refresh your policy.

With the likes of consent forms, you’re likely going to have to give more
information to individuals than you did before, so that they can be
considered to have given an informed consent.

Silence and pre-ticked boxes won’t work any more. There will have to be an
affirmative action by an individual.

You must also look at your internal privacy policies. What did you tell
staff when you collected their personal data? Have you been fully
transparent with your staff about what you do with that information?

It’s important for SMEs in particular to look at personal data shared
through outsourcing and supply chains.

Let’s say you outsource payroll to a third-party payroll provider. As part
of that arrangement, you will allow this third-party company to access your
employee personal data.

You’re required under GDPR to have a robust written contract in place
between you and the service provider which must include certain contractual
terms on data protection, which are prescribed by the GDPR.

You’ll need to audit your outsource contracts. This could be a big task for
a company if they happen to outsource many functions such as IT management
or use cloud-based services.

Once a third-party has access to any personal data, those contracts need to
be revisited and brought into line with the GDPR or else you could be fined.

Training

It’s critical that you invest in training your staff. Do they actually
understand what is meant by personal data and what a data breach is?

This could occur as simply as sending an email or a letter with personal
details to the wrong person. Do staff know about that and would they know
who to report that to internally?

You’ve got to build a culture of understanding and a culture of compliance
within an organisation and that starts with your workers, so invest in
their education on an ongoing basis – and keep a record of it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170720/60c48d2f/attachment.html>


More information about the BreachExchange mailing list