Preparing for GDPR
The General Data Protection Regulation (GDPR) applies from 25th May 2018. In the UK it replaces the Data Protection Act 1998, which is now almost 20 years old, and a great deal has changed since those rules were written. As an EU regulation it applies directly in every member state, replacing 28 different national data protection laws with a single set of rules.
At the time of writing this article (November 2017) there was very little guidance and support on how a small or medium sized company (fewer than 250 employees) could effectively meet the new regulation. I suspect many of the people who really understand GDPR are employed by larger organisations that can afford the cost of employing an expert.
For many years, I have worked as a strategic and IT facilitator helping companies to understand how technology can facilitate business growth and in some cases going on to help them implement it.
As there is so little time and so little guidance out there, I have put this article together to highlight the actions that I believe, from what guidance there is, need to be put in place in order to achieve compliance.
- Cyber crime is growing rapidly; its cost is currently estimated at $450 billion and it is the second most reported crime.
- Digital Marketing is changing – Customers (of all types) want to be in control.
- Larger organisations require you to be more secure and will assess you for compliance before they do business with you.
- A cultural shift is needed so that staff are aware of the risks (financial, reputational, operational and regulatory) and how to mitigate them.
What are the Risks?
The headline risk is that for non-compliance you could receive a maximum fine of up to €20 million or 4% of annual global turnover, whichever is higher. For a small or medium sized business, a fine on that scale following a material data breach could mean insolvency. In addition there is considerable damage to your reputation if your customers find out that you have lost their personal data, and where a breach is likely to result in a high risk to the individuals affected, GDPR requires you to tell them directly.
Who is the Regulator and What Guidance is Available?
The Information Commissioner's Office (ICO) is the UK regulator and has published a 12-step guide, "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now", summarising what you need to do to prepare.
In summary, the things the Information Commissioner advises you need to do are:
- Raise Awareness within the senior management and assign a champion to implement GDPR
- Carry out an Information Audit
- Review Company Policies
- Create an Action Plan
- Have procedures for handling individuals' rights, including subject access requests (which under GDPR must normally be answered within one month)
- Check that you are processing personal data lawfully
- Review how you obtain consent for collecting and storing personal data
- Verify whether you are holding information on children and what additional controls (such as parental consent) are required
- You will need to report notifiable data breaches to the ICO within 72 hours of becoming aware of them – make sure you have procedures in place
- Data Protection by Design – review what you need to do to keep data secure, and when a Data Protection Impact Assessment (DPIA) is required
- Assign responsibility for data protection compliance in your organisation
- International businesses operating in more than one EU state will need to determine which is their lead data protection supervisory authority.
What does this mean in Practice?
This next section looks at the practical actions that a small or medium sized business can take in order to comply with the new regulation. Some of it should already be in place if you are complying with the existing Data Protection Act.
Board Level Responsibility and Risk Management
- Identify a senior person responsible for ensuring GDPR is implemented appropriately.
- Assign responsibility for data protection internally, or recruit a Data Protection Officer if the law requires you to have one.
- Ensure a privacy and security management plan is in place.
- Measure and manage performance against the security plan.
- Ensure business continuity plans are in place and tested.
- Register with the Information Commissioner's Office.
People Based Security
- Conduct basic personnel security checks on staff who will handle personal data.
- Passwords are sufficiently long and not easily guessed. Note that current NCSC guidance no longer recommends forcing regular (e.g. quarterly) password changes, as expiry pushes users towards weaker, predictable passwords; require a change when compromise is known or suspected instead.
- Guidance is in place to help users choose non-guessable passwords (favour length over complexity rules, never re-use a password across systems, and consider a password manager).
- A policy is in place to force a password change as soon as a password is known or suspected to have been compromised.
- When somebody leaves the business, their access to all systems is removed promptly and any shared or key passwords they knew are changed.
- Old and unused user accounts are removed.
- Ensure users have only the level of access they need for their role, and remove Administrator access where it is not appropriate.
- Accounts with Administrator access are not used for browsing the web or reading email.
- Keep a record of who has Administrator access and review the list regularly.
- Review whether two-factor authentication is viable for Administrator and other high-value accounts (for example remote access and email).
- Provide awareness training on data protection and security to all staff.
Systems & Premises Based Security
- Ensure you have the right technology in place.
- Ensure all systems are installed correctly, are working correctly and are kept up to date with security patches.
- Ensure all systems are correctly licensed (unlicensed or unsupported software does not receive security updates).
- When a system or piece of equipment is installed, the default user name and password are changed.
- Ensure systems lock out a user (or throttle login attempts) after a set number of failed logins.
- Any ports opened to allow access into the system from outside are documented, and closed when no longer needed.
- Internal services are blocked from accessing the internet unless they need to do so in order to function.
- On new equipment, all unnecessary applications are removed.
- On new equipment, only the required user accounts are set up, and these are documented.
- Disable AutoRun and AutoPlay on all machines.
- A centrally managed malware protection system, so that you can see which machines are protected and up to date.
- An approved list of applications that may be installed.
- Administrators only log in with elevated rights when they need to.
- Appropriate premises security is in place and tested.
- Review all business processes to ensure GDPR is being complied with.
- Off-shoring – policies and procedures are in place so that any transfer of personal data outside the EEA remains compliant.
- Marketing – a GDPR-compliant database (individuals are correctly identified and their opt-in consent is recorded, including when it was given and what they consented to).
- Data minimisation principles are applied when collecting personal data, so that only the minimum amount of information needed is collected.
- Review how personal data is processed, stored and retained, and for how long.
- Supplier management – are your suppliers and sub-contractors aware of their responsibilities if they handle any of your data, and is there a written contract covering that processing, as GDPR requires?
- Reporting mechanisms in the event of a breach, including internal escalation so that the 72-hour notification deadline is not missed.
- Ability to handle requests from data subjects, including subject access requests and the right to erasure ("right to be forgotten").
- Regular audits to ensure continuing compliance.
Action Plan & Practical Steps
What is clear is that you need to prepare for the new regulation whatever your view on its enforceability, as it comes down to protecting your business from the financial and reputational risk of cyber crime and inappropriate marketing. If you work with larger organisations then you will have no choice but to comply, because your customers will demand it.
Doing nothing is not an option. Here are my thoughts on how you could put in place appropriate measures if you are running a small or medium sized business.
- Nominate a board member to be responsible for GDPR implementation
- Put together an Action Plan including timeline and responsibilities.
- Information audit – find out what personal data you currently hold, where it came from, who you share it with, and how it is processed, stored, archived and protected and who has access to it. The audit needs to record in which country the data is held.
- Review with HR the company’s policies and procedures relating to personal data and its management.
- Review what personal data is held in your HR systems. Is it secure? What can be minimised?
- Carry out a full security review of your IT infrastructure, policies and procedures. Use vulnerability scanning tools to test your external-facing systems and websites, and consider a penetration test. Consider certification to the Government's Cyber Essentials scheme, which should bring you up to a good baseline standard. Review user access: most companies allow too much. What can be restricted?
- Review how you collect personal information, including email addresses in your marketing systems. Has consent been correctly obtained and recorded? The regulation requires you to tell people if their data will be used for profiling or online tracking. (This is where an advert follows you round Google and Facebook.)
- Ensure personal data is kept to a minimum. For example, if you are processing credit card payments, can you use a third-party payment platform so that card numbers never pass through or are stored on your own systems? What can be deleted? Can you avoid collecting or transmitting personal data that you do not need at all?
- If you are using cloud based services, where is your data hosted? If it is outside the EEA, is there an approved transfer mechanism in place?
- Prepare a template for reporting a data breach to the ICO, so that you can meet the 72-hour deadline. GDPR requires the report to contain at least the following, and the template should prompt for each:
- What happened and how the data was lost or exposed.
- What data was involved, the categories and approximate number of people affected, and the approximate number of records.
- Which systems and accounts were involved.
- The name and contact details of your Data Protection Officer or other contact point.
- A description of the likely consequences for the individuals affected.
- The measures taken or planned to contain the breach and mitigate its effects.
- Create a process for finding all of an individual's personal data across your systems when they ask for a copy of it or for it to be deleted, and for responding within the one-month deadline.
- If you pass personal data to suppliers, or they process personal data on your behalf, you remain responsible for it and share liability with them, so carry out due diligence on the affected suppliers and make sure a written contract covers the processing.
- Communication is important in all of this. Depending on how many people are involved consider a monthly project meeting and an internal email to all staff to keep everybody informed.
The Next Steps
You have a number of options open to you. If your organisation is large enough, it should be cost-effective to hire a Data Protection Officer who reports to the board, so that they can be seen to be impartial and independent.
For smaller organisations, you can hire a cyber security company to work on the technical aspects and an HR company for the policies and procedures. If you neither understand nor want to understand the detail, then you can work with Peter Dickinson, KUB, who works as a fractional IT director/interim IT project manager to establish and coordinate the project, work with your internal team and, where appropriate, bring in the appropriate external resources to implement the required changes.
Since this article was written, a Manchester-based company has launched an online system that tells you what you need to do, helps you keep track of what you have done and provides templates for all aspects of the documentation.
To get GDPR Tracker at a discounted rate of £99 per year (normally £299/year), please go to: https://app.gdprtracker.co.uk/register/18ZMTG