[BreachExchange] The preparations you need to make ahead of GDPR

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 15 18:51:14 EST 2018


GDPR is only a few months away, and a lot of the coverage has focused on
the impact the regulation will have on the IT and finance departments in
businesses. Whilst it’s true that GDPR compliance should be driven largely
by finance and IT departments, there’s more to it than that.

One area where there’s little clarity is whether businesses are required to
hire more staff. The Data Protection Officer (DPO) role is set out in
Articles 37 to 39 of the regulation, but many argue it’s unclear whether the
role is mandatory for their business; Privacy International comments that
the bill is "unnecessarily complex".

Some businesses are required to appoint a DPO (Article 37): public
authorities, organizations whose core activities involve large-scale
processing of special categories of data (such as health or biometric data)
or of data relating to criminal convictions and offenses, and organizations
that "carry out large scale systematic monitoring" of people, like website
traffic tracking software companies. The Article 29 Data Protection Working
Party, the advisory body of EU data protection regulators set up under the
Data Protection Directive, advises businesses to document their analysis of
whether a DPO is required, and to assume they do need one unless they can
show otherwise.

Many businesses aren’t aware that the requirement of the DPO needn’t change
their headcount. Businesses can appoint the role of DPO to an existing
employee, providing they have the right skills and knowledge to take on its
responsibilities. It’s also possible to appoint the role of DPO to an
external consultant, and therefore ‘share’ the person with another business
-- effectively outsourcing the role. This could be particularly effective
for small-to-medium businesses that don’t have an employee who could
naturally take on the DPO role, or the budget to hire an additional person.

For some time, there has been confusion over whether small businesses --
designated as those with under 250 employees or 5000 records -- needed to
appoint a DPO at all. This originated from an early draft of the GDPR which
suggested ‘large scale’ data processing was based on the aforementioned
figures. Senior Technology Officer of the Information Commissioner’s Office
(ICO), Peter Brown, clarified this recently by stating: "I’ve heard plenty
of people talking about there being a DPO exemption for SMEs -- this is
absolutely not the case."

Whether a business chooses to appoint the DPO as a brand-new position or
assign this responsibility to an existing employee, there’s no doubt that
GDPR compliance can be costly to businesses. Revising existing policies and
processes, and indeed creating new ones, will be key to success under GDPR.
Businesses must assess how they process customer, prospect, supplier and
even employee data under the new regulation. GDPR requires a "lawful basis"
(Article 6) for any processing of personal data, not only for particular
categories, and imposes further conditions on special categories such as
health data and on criminal conviction data (Articles 9 and 10). Note that
the regulation’s term "personal data" is broader than the US notion of
Personally Identifiable Information (PII): any information relating to an
identifiable person is in scope. The aim is to reduce the unnecessary
collection of personal data and to protect individuals first and foremost.

For many businesses, the cost will be in employee time as staff in HR,
compliance and IT must undertake the work of revising and creating
processes. Some companies may need to outsource this work if they don’t
have the resources or the relevant teams. Colleagues in marketing won’t
necessarily play a role in this exercise -- although, as data handlers,
their input would be valuable -- but may need to revisit contracts with
external suppliers including email marketing platforms, lead generators and
so on. A key requirement here will be to manage what the GDPR refers to as
‘data processors’: Article 28 requires a written contract with each
processor setting out what it may do with the data, and if your suppliers
aren’t compliant, it’s possible that you’ll need to switch your services to
a compliant supplier.

HR departments will likely be the most affected following IT and finance,
as the GDPR gives both current and former employees more control over the
data a business holds on them. HR personnel are likely to see an increase
in subject access requests, where individuals can request access to the
personal data held on them; the response is normally due within one month
(Article 12), which requires the ability to get an accurate picture of all
of the data you hold on that individual, across every system and supplier,
in that time. The subject can also request that their data be deleted if
there’s no longer a reason to hold or process that personal data.

One area that will see significant investment is IT security. Businesses
must put in place measures to protect the personal data they hold; Article
32 asks for security "appropriate to the risk". This protection can come in
a number of forms including robust anti-virus products, and even
threat-specific solutions such as anti-ransomware tools. One security
measure the GDPR specifically mentions, alongside pseudonymisation, is
encryption of personal data. Encryption protects particularly well against
data on a lost or stolen device being read, and if a breached data set was
encrypted and the key was not also exposed, Article 34 can remove the
obligation to notify the affected individuals. It is less help against an
employee unknowingly emailing sensitive personal data outside of the
business: disk encryption is transparent to the logged-in user, so an
attachment leaves in the clear unless the file or message itself is
encrypted for a specific recipient. Encryption adds a vital extra layer of
security beyond password protection, which only controls access to a
running system and is bypassed once the disk is removed or the password is
guessed or stolen. Data can be encrypted at the file, whole-disk, email or
per-user level (for example a user’s profile or home directory) to ensure
the appropriate levels of protection are in place.

It’s recommended that businesses adopt a multi-layered approach to IT
security for the best level of protection. This should definitely include
some level of data encryption, as it’s specifically referenced in the GDPR,
reputable anti-virus software, network security and a robust firewall. An
email provider that offers security controls, such as the ability to block
sending certain files or information outside of the business, adds peace
of mind; whilst cyber-attacks are on the rise and hit the headlines daily,
accidental disclosure accounts for 44% of data leaks (Verizon). The global
WannaCry ransomware attack also brought attention to the importance of
supported, patched systems: the Windows vulnerability it spread through had
been patched two months before the outbreak, so patching is an easy and
cheap (free, if you have an in-house IT team) solution that, until
recently, had the tendency to be

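The outbound-mail control mentioned above (blocking certain information from
leaving the business) is the kind of check a data loss prevention filter
performs. The following is an added illustration written for this page, not
code from the article or from any email provider: it scans a message bound
for an address outside the company domain for Luhn-valid payment card numbers
and UK National Insurance numbers and blocks it if any are found. The company
domain, the simplified NI-number format check and the sample messages are all
assumptions constructed for the example; the block reasons mask the matched
values so that the DLP log does not itself become a store of personal data.

```python
import re

# Assumption: the sending organisation's own domain; mail to any other
# domain counts as leaving the business.
COMPANY_DOMAIN = "example.co.uk"

# 13-19 digit runs, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number, simplified format check: two letters
# (prefix may not contain D, F, I, Q, U or V), six digits, suffix A-D.
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that order numbers and phone numbers are not
    mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def external_recipients(recipients) -> list:
    """Recipients whose domain is not the company's own."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN]


def check_outbound(msg: dict):
    """Return (allowed, reasons). Internal mail is never blocked; mail to an
    external recipient is blocked if it carries a card number or NI number.
    Reasons only carry masked values, never the full identifier."""
    ext = external_recipients(msg["to"])
    if not ext:
        return True, []
    text = msg["subject"] + "\n" + msg["body"]
    reasons = []
    for pan in find_card_numbers(text):
        reasons.append(f"card number ending {pan[-4:]} to {', '.join(ext)}")
    for nino in NINO_RE.findall(text):
        reasons.append(f"NI number {nino[:2]}******{nino[-1]} to {', '.join(ext)}")
    return (not reasons), reasons


# Constructed sample messages (not real data): the card number is a
# well-known test number and the NI number is a made-up one of valid format.
SAMPLE_MESSAGES = [
    {"to": ["finance@example.co.uk"], "subject": "Refund",
     "body": "Please refund card 4111 1111 1111 1111 for order 1234567890123."},
    {"to": ["supplier@example.com"], "subject": "Refund",
     "body": "Please refund card 4111 1111 1111 1111 for order 1234567890123."},
    {"to": ["payroll@outsourced-hr.example.net"], "subject": "New starter",
     "body": "NI number AB123456C, start date 1 March."},
    {"to": ["supplier@example.com"], "subject": "Order",
     "body": "Chasing order 1234567890123, due last week."},
]


def run_samples() -> list:
    """Evaluate every sample message; returns the list of allowed flags."""
    return [check_outbound(m)[0] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, allowed in zip(SAMPLE_MESSAGES, run_samples()):
        print("ALLOW" if allowed else "BLOCK", m["to"], check_outbound(m)[1])
```

The order number in the samples is a thirteen-digit run that fails the Luhn
check, so only the genuine card number and the NI number trigger a block, and
the same card number sent to an internal address is allowed through. A real
deployment would also inspect attachments and would feed the masked reasons
to the incident log rather than printing them.
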
There’s no doubt that GDPR compliance will come at a financial cost to
businesses, whether that’s appointing a new DPO, changing to compliant
suppliers, or building up the defensive walls through cyber security
additions. But businesses should see GDPR as an opportunity to improve
their processes and security; the latter in particular is often at the
bottom of the business agenda as it’s considered -- particularly by small
businesses -- as unnecessary. But with the widespread nature of
cyber-attacks on businesses of all sizes, there’s never been a better time
to improve security.