[BreachExchange] Keeping on the right side of new data rules

Thu Nov 16 19:07:38 EST 2017

https://www.voltimum.co.uk/articles/keeping-right-side-new-data-rules

The issue of personal data protection will become increasingly important
with the introduction of new rules on 25 May 2018. Known as the General
Data Protection Regulation (GDPR), the rules are set to have a major impact
on businesses in our industry, in two differing ways.

What all businesses need to know

Firstly, almost all businesses need to take note of the broader issue of
protecting the data of individuals when developing their company systems
and managing customer records.

At present, the Data Protection Act 1998 (DPA) places certain requirements
on businesses, but the GDPR will go significantly further than the DPA. The
GDPR will apply to the processing of any personal data within a company,
and significantly, it will give individuals more influence over the
information organisations hold on them, and how it is used.

Businesses will need to ensure that individuals can withdraw their data
sharing consent easily, and significantly, also have the right to have
their records deleted promptly. Individuals will also be entitled to ask
for a copy of all data being held in relation to them, and an explanation
of what it is used for.

Those businesses that hold the original data will also be accountable for
how any third parties use personal data and could face penalties due to
non-compliance by these other organisations.

Data protection within the built environment

Another key element for engineering services businesses is how data
protection will interplay with the built environment, such as integrated
technology and security systems installed within buildings.

As noted above, ‘personal data’ is covered by the DPA and the incoming
GDPR. Crucially, the ability to identify an individual depends partly on
data held about the individual, and partly on other information gathered by
the building infrastructure and sensors. This information held could well
qualify as ‘personal data’.

To give an example, physical access control if installed in a building will
transmit, receive, store, and even remotely monitor information. The data
produced from this alone may not identify the occupants.  However, if
access fobs are assigned or tagged to employees, or even if video
surveillance, biometrics or facial recognition is used, then that stored
information will become personal data, as individuals and their movements
would be identifiable.

Ensuring that intelligent installations can be protected against hacking
could, therefore, be very significant to contractors and installers. If a
system becomes compromised, then IT systems could be hacked and data
stolen, destroyed or manipulated, thereby putting constructors and
contractors at risk of being non-compliant with existing data protection
laws and regulations.

Many engineering services businesses are already well placed to help
clients with cybersecurity issues, ranging from device selection and
maintenance to systems integration. However, taking full advantage of this
opportunity will mean extending existing skillsets.

Non compliance

If an organisation experiences a data breach, the GDPR requires this to be
reported to stakeholders and the regulatory authorities within 72 hours of
the breach being discovered. Furthermore, the Information Commissioners
Office (ICO) can audit a business at any time from 25 May 2018, regardless
of whether a breach has occurred. Non-compliance with the regulations could
lead to significant fines of up to four per cent of total business revenue.

While there is some commercially-driven hype about what’s needed for even
small business to comply with GDPR, the new regulation will apply to the
bulk of small and large businesses in our sector, and there is no room for
complacency. The clock is ticking down to May 2018 and new, practically
useful personal data protection systems will need to be identified and set
up.

With this in mind, now is the time for all businesses to consider what GDPR
means for them, and to start creating what they need to ensure compliance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171116/b3a88d47/attachment.html>