02 January 2018
After being ratified by the EU in 2016, the General Data Protection Regulation (GDPR) will go live on 25 May 2018. Among the new rules, organisations will need to implement “privacy by design” and actively demonstrate that the way they collect, use, transfer and store EU customer and client data complies with the new regulation. Any transgressors risk hefty fines. For instance, the Information Commissioner’s Office (ICO) says failing to notify a breach when required to do so could cost companies up to €10 million or two per cent of their global turnover.
By the way, if you were hoping that Brexit would scupper the UK’s GDPR implementation, sorry: speaking to a select committee in October 2016, DCMS secretary Karen Bradley said: “We will be members of the EU in 2018, and therefore it would be expected and quite normal for us to opt into the GDPR, and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
So what do organisations need to do in order to comply? And what should they have done by now?
The ICO offers plenty of advice here, including a 12 steps to GDPR checklist. It says many of the new regulation’s main concepts and principles are much the same as those in the UK’s current Data Protection Act (DPA). If organisations are adhering to this, then most of their approach to GDPR compliance will remain valid and can be the starting point to build from.
But the commissioner’s office goes on to point out that the GDPR introduces some new elements and significant enhancements, so organisations will have to do some things for the first time and some things differently. It states: “The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations.”
The GDPR is a subject that has had the industry experts queuing up to share their knowledge (we were inundated with comments and unfortunately lack the space here to include everybody’s contributions).
For instance, Linus Chang, CEO and founder of cloud security specialist Scram Software, says: “Companies should have already taken an inventory of what data they collect, and identified and classified this data. They should have tracked the lifecycle of each piece of data, from the time it’s collected to the time it gets destroyed, forgotten or anonymised.
“It’s important to also make note of not only primary copies of data but also secondary copies (backups and archives) and all the obscure places it can end up (such as logs, photocopier memory and cloud-to-cloud replication).”
Luke Brown, EMEA VP of data encryption specialist WinMagic, agrees that by now companies should have already assessed what, where and how EU resident personal data is stored, processed and transferred, both inside and outside of the organisation. “This should cover every department, and they should understand that personal data includes ‘any information relating to an identified or identifiable natural person’.”
Brown says in reality this means names, passwords, ID numbers, location data, online identifiers and any data relating to physical, physiological, genetic, mental, economic, cultural or social identity. He continues by saying that by now businesses should also have evaluated all consent forms and processes to ensure that consent is both ‘voluntary’ and ‘explicit’ with regard to the scope and consequences of data processing. “They must obtain or empower ‘a statement or a clear affirmative action’, and ensure that consent can be withdrawn as easily as it is given. Withdrawal of consent is an area where many companies can fail.”
Citing a survey of 500 IT decision-makers in the UK, France, Germany and the US that WinMagic conducted earlier this year, Brown says UK firms are struggling to get ready for the new rules in key areas such as the management of personally identifiable information and data breaches. “For example, only 40 per cent of companies check on every occasion whether a customer has given permission for records to move between data processors, and only 21 per cent claim to have processes that allow them to remove data without delay from live systems and backups as required under articles 16 and 17 of GDPR.”
Another area where many could struggle is if they suffer a data breach and then have to collect the relevant intelligence by a deadline set by the regulation. “One significant change that the GDPR introduces is that of notification,” says Ian Goslin, MD, Airbus CyberSecurity UK. “It dictates that as soon as an organisation becomes aware that an incident has occurred and that personal information has been affected, the data controller must notify the relevant supervisory authority (which in the UK is the ICO) without ‘undue delay’ and within 72 hours. The challenge for many in complying with this requirement is the amount of information that must be supplied, and being able to collate this within the specified timeframe.”
WinMagic’s survey corroborates this. It revealed that only 27 per cent of UK firms are “completely confident” that they could precisely identify the data that had been exposed in a breach. Furthermore, only 37 per cent said they were completely confident of being able to report breaches within 72 hours of discovery to the authorities.
There have so far been several references to the “data controller”. Adam Brown, manager of security solutions at software firm Synopsys, explains that companies should acknowledge their role as either a ‘data controller’ or a ‘data processor’ (or more usually both). “Controllers own the GDPR responsibilities while processors must maintain technical controls to secure data. Processors must maintain technical and organisational measures to ensure that data processing is GDPR compliant.”
When it comes to implementing those measures, organisations need to take into account the risk presented to individuals if the security of that data was breached. Here, the GDPR says you should consider implementing the “pseudonymisation” and encryption of personal data as appropriate. Jes Breslaw, EMEA director of strategy at data platform provider Delphix, says: “While the law stops short of telling businesses they must implement pseudonymisation, the express reference to it in the security provisions of the GDPR is highly significant, as regulators will take its implementation into consideration when considering compliance.”
Breslaw explains that pseudonymisation uses data masking tools to replace fields with dummy alternatives. “The data itself is not changed but its pseudonymised format ensures that if information is lost or stolen, it won’t leave a business exposed to GDPR sanctions as masked data contains no identifiable personal information.”
He continues by saying it’s important to note that encryption alone does not satisfy GDPR requirements. “Encryption is certainly valuable for data that is in transit. However, in order to make encrypted data useful, it must be decrypted. This exposes the sensitive data once again so that anyone can access it. Businesses should therefore seriously consider pseudonymisation in their GDPR compliance preparations.”
Synopsys’ Brown is likely to agree here. He says while the GDPR requires the implementation of processes, policy and activities where technology solutions can help, there is no “magic fairy crypto dust” here. In fact, he believes encryption will only solve a very small part of high risk data requirements, and that a privacy dashboard would more likely be the way to go.
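The pseudonymisation Breslaw describes, as an added illustration that is not code from the article or from any of the vendors quoted: direct identifiers in a record are replaced with keyed tokens, the working copy carries no name, email or customer ID, and the token-to-original table is produced separately so it can be held under tighter access control than the masked copy. The record, field list and key are constructed for the demonstration. Note that under GDPR Article 4(5) the masked copy is still personal data for as long as that table and key exist, which is why keeping them apart from the working copy matters.

```python
import copy
import hashlib
import hmac
from typing import Dict, Tuple

# Fields treated as direct identifiers in this constructed record.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")

# Constructed sample record for the demonstration; not real data.
SAMPLE_RECORD = {
    "customer_id": "C-000123",
    "name": "Example Person",
    "email": "example.person@example.com",
    "postcode_area": "SW1",
    "plan": "premium",
    "monthly_spend_gbp": 42,
}


def pseudonym(value: str, key: bytes) -> str:
    """Derive a stable, keyed token for one identifier value.

    HMAC-SHA256 is used instead of a plain hash so that someone holding
    only the masked copy cannot confirm a guessed name or email address
    by recomputing its token: the key is needed for that.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256)
    return "psn_" + mac.hexdigest()[:16]


def pseudonymise(record: Dict, key: bytes) -> Tuple[Dict, Dict[str, str]]:
    """Replace direct identifiers with tokens.

    Returns the masked working copy and, separately, the token -> original
    lookup table. Only the table (with the key) allows re-identification,
    so it is stored apart from the working copy under tighter access
    control; the working copy is what analytics and test systems receive.
    """
    working = copy.deepcopy(record)
    lookup: Dict[str, str] = {}
    for field in DIRECT_IDENTIFIERS:
        if field in working:
            token = pseudonym(str(working[field]), key)
            lookup[token] = working[field]
            working[field] = token
    return working, lookup


def reidentify(masked: Dict, lookup: Dict[str, str]) -> Dict:
    """Restore original values for the key holder; a controlled operation."""
    restored = copy.deepcopy(masked)
    for field in DIRECT_IDENTIFIERS:
        if field in restored and restored[field] in lookup:
            restored[field] = lookup[restored[field]]
    return restored


def leaks_identifier(masked: Dict, original: Dict) -> bool:
    """True if any original direct-identifier value survives in the masked copy."""
    originals = {original[f] for f in DIRECT_IDENTIFIERS if f in original}
    return any(v in originals for v in masked.values())


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-keep-separately"
    masked, table = pseudonymise(SAMPLE_RECORD, demo_key)
    print("working copy:", masked)
    print("leaks identifiers:", leaks_identifier(masked, SAMPLE_RECORD))
    print("round trip ok:", reidentify(masked, table) == SAMPLE_RECORD)
```

Because the token is a keyed function of the value, the same email address yields the same token in every dataset masked under that key, so records can still be joined for analysis without the value itself travelling; a different key gives different tokens, which is what separates one environment's masked copies from another's.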
More time needed?
Since 2016, organisations have had two years to ensure that all their compliance procedures are in place by May 2018. Given all the apparent complexity surrounding the new rules, has this been enough time to prepare?
“A lot of organisations are only starting to think about this now,” says Damian Kinney, head of security, BT Security. “If they had started two years ago, they would have been in a much better place regarding their journey towards compliance. Some are literally waiting to see what happens. In the case of major corporations with complex data, achieving compliance within the space of two years is a massive challenge.”
WinMagic’s Brown says in theory two years should have been sufficient, but in reality firms may have focused on what they believe are more pressing projects and IT deadlines. Plus, he points out that the regulation is not just about IT: “Preparation requires a review of how personal data is used and managed across the organisation, not just how it is stored and protected.”
Josh Mayfield, product marketing director at firewall management software provider FireMon, supports this view when he says management should embrace GDPR compliance as a strategic initiative and enlist the support and participation of all key stakeholders in the organisation, not just IT. He adds that education is “essential” for all departments to understand what the GDPR is and how it will impact the way the company conducts business.
For cloud security specialist Netskope, there are four key stages to help achieve compliance. In line with pretty much everyone we spoke to, Andy Aplin, the company’s sales engineering manager, says organisations should begin by first conducting a full audit in order to understand the types of data present, where it resides, where and how it travels, and how it’s protected. This will present a clearer picture of data and enable organisations to then move to the second stage of rationalisation. This provides the opportunity to put data protection agreements in place with all cloud services in use. Aplin says the organisation can then proceed to the next phase.
“The third stage is the enforcement of agreements and decisions made by organisations over their data. This connects the planning elements of data protection regulations and the IT departments who have a duty to ensure compliance is taken seriously in their organisations.
“The final stage is the monitoring and reporting of policy enforced by organisations in order to maintain consistent compliance over time.”
But even with suitable preparation and planning in place, Aplin believes two years could still be considered a short time for most organisations when you consider the deluge of data they must discover, understand, categorise and secure.
Others are not so sure. “The GDPR builds on existing standards adding aspects of privacy relating to the rights of EU subjects,” says Synopsys’ Brown. “For example, companies that already ran Privacy Impact Assessments or those that have already created data inventories should already be in pretty good shape. So two years should be plenty for all but the most disorganised.”
Brian Chappell, senior director for enterprise and solution architecture at identity and risk management firm BeyondTrust, points out that the GDPR was no secret before it was accepted into EU law and firms have therefore had longer than two years to work towards compliance.
He adds: “GDPR is all about protecting that personal information that organisations collect from individuals. Does anyone think that shouldn’t be something that’s done anyway (outside the criminal fraternity, of course)? Best security practice should be how we treat that personal data; it’s how most of us expect other organisations to treat our data and yes, we should be doing that anyway. In an ideal world, GDPR would be a formality.”
Rajesh Patel, B2B sales manager UK and Ireland for storage hardware maker Buffalo EU, adds his voice to the argument when he says any organisation that is already adhering to the DPA should be able to comply with the GDPR. And while compliance may seem complicated, Patel says there are IT solutions that can help, such as storage technology that can save and backup data in a secure way.
In a recent white paper, Buffalo says if companies plan to store data in-house, they will be regarded as both the data controller and data processor. To ensure compliance, the vendor says the following features should be incorporated into in-house storage devices: all files and/or folders that contain personal data should be password protected; data at rest or on the move should always be encrypted; devices that store personal data should have physical protection such as locks or keys; all devices should have anti-virus software and firewall protection; backups should be automated and carried out on a daily basis.
The vendor also highlights several other additional measures that it considers to be equally important. These include an in-house storage device that provides RAID redundancy, protects against hard drive failures, and avoids system downtime and data loss. Furthermore, Buffalo says centralised storage should be preferred over local storage on PCs, laptops or external/portable hard drives. As well as being more prone to theft and unauthorised access, it says local devices are “extremely difficult” to control in terms of who has access to them and the data they contain.
Here, Scram Software’s Chang says client-side encryption will provide protection against many forms of data breach when unauthorised people gain access to storage devices or accounts (such as cloud storage). He adds backup and disaster recovery solutions protect against hardware failures, theft and natural disasters, while data loss prevention (DLP) systems can protect against data exfiltration.
However, Oliver Pinson-Roxburgh, EMEA director with security, cloud and compliance company Alert Logic, may not agree with this latter point. Firstly, he says organisations will need to sift through and deal with the data sprawl by initially removing what they don’t need. For what’s left, they need to identify the legal right to collect. “Then ensure you know where your data is. It is not a trivial problem, and many that I have spoken to are still looking for, or investing in, tools to help find this out.”
Here, Pinson-Roxburgh says carrying out the initial detection of where the data sources are has, for many years, been driven by DLP solutions. But he believes these are not easy to get working well without being presented by false positives. “Getting the right tools is one challenge, the next is making them work correctly without adding to workloads and swamping teams. For notifications, it’s about getting the right data to ensure you can detect a breach. However, it’s more important to get the right people with the skills to detect the threat and reduce the wasted investigation of events that are not real threats.”
Like Alert Logic, IT solutions distributor DataSolutions talks about data sprawl. Francis O’Haire, the company’s director of technology and strategy, says the amount of data that organisations store is growing exponentially and can exist in many locations: data centres, branch offices, mobile devices, across multiple cloud providers, etc. Furthermore, in any of these locations, personal data could be spread across files, databases, emails and backups, and is also likely to be duplicated. He recommends systems such as Commvault’s data protection and information management solution which can help simplify compliance by initially discovering personal information within the sprawl, and then allowing controls to be put in place to maintain and prove compliance.
Delphix reckons DataOps is another approach that could help here. Breslaw says this focuses on aligning people, process and technology to enable the rapid, automated and secure management of data. Its goal is to eliminate ‘data friction’ – the functional gap between the huge volumes and copies of information that we generate and our ability to use it securely and effectively.
“DataOps can create a comprehensive library of data sources that enables users to pinpoint the exact location of sensitive data across the entire IT estate, whether on-premise or in the cloud,” says Breslaw. “What’s more, with the right tools, organisations can identify which data values are subject to GDPR, and adapt these to the business’ unique definitions of what is considered personal, confidential information.”
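The discovery step that O’Haire, Pinson-Roxburgh and Breslaw all describe, as an added example that is not code from the article or from Commvault, Delphix or Alert Logic: a small scanner walks a constructed set of files (a CRM export, its backup, an HR file, an application log and an unrelated readme), records every location in which each email address or UK National Insurance number appears, and flags values that turn up in more than one place. To address Pinson-Roxburgh’s false-positive point, NI-number-shaped strings are checked against HMRC’s published allocation rules (prefix letters that are never issued) before they enter the inventory. File contents and the matched values are constructed; the regular expressions and prefix rules are simplified relative to what a production DLP tool would apply.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample estate: path -> file contents. None of this is real data.
SAMPLE_FILES = {
    "crm/export_2017.csv": (
        "id,name,email\n"
        "1,Example Person,example.person@example.com\n"
    ),
    # Backup copy of the same export: the data is duplicated, as the article notes.
    "backups/crm_export_2017.csv.bak": (
        "id,name,email\n"
        "1,Example Person,example.person@example.com\n"
    ),
    "hr/starters.csv": "name,nino\nExample Person,AB123456C\n",
    # QQ123456C is the placeholder HMRC itself uses; it can never be a real number.
    "hr/payroll_notes.txt": "Placeholder NI number QQ123456C used in the template.\n",
    # Personal data in an obscure place: an application log.
    "logs/app.log": "2017-12-01T09:14:02Z login ok user=example.person@example.com ip=198.51.100.7\n",
    "docs/readme.txt": "Build with make; report issues in the team channel.\n",
}

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# UK National Insurance number shape: two letters, six digits, suffix A-D.
NINO_RE = re.compile(r"\b([A-Z]{2})(\d{6})([A-D])\b")

# Allocation rules published by HMRC: these letters/prefixes are never issued.
NINO_BAD_FIRST = set("DFIQUV")
NINO_BAD_SECOND = set("DFIQUVO")
NINO_BAD_PREFIX = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def valid_nino_prefix(prefix: str) -> bool:
    """Reject NI-number-shaped strings HMRC would never issue (cuts false positives)."""
    return (
        prefix[0] not in NINO_BAD_FIRST
        and prefix[1] not in NINO_BAD_SECOND
        and prefix not in NINO_BAD_PREFIX
    )


def scan_estate(
    files: Dict[str, str],
) -> Tuple[Dict[str, Dict[str, List[str]]], List[Tuple[str, str]]]:
    """Build an inventory {category: {value: [paths]}} plus the list of rejected hits."""
    found: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    rejected: List[Tuple[str, str]] = []
    for path, text in files.items():
        for m in EMAIL_RE.finditer(text):
            found["email"][m.group(0)].add(path)
        for m in NINO_RE.finditer(text):
            if valid_nino_prefix(m.group(1)):
                found["nino"][m.group(0)].add(path)
            else:
                rejected.append((path, m.group(0)))
    inventory = {
        cat: {value: sorted(paths) for value, paths in vals.items()}
        for cat, vals in found.items()
    }
    return inventory, rejected


def duplicated_values(inventory: Dict[str, Dict[str, List[str]]]) -> Dict[str, Dict[str, List[str]]]:
    """Values present in more than one location, e.g. live export plus backup plus log."""
    return {
        cat: {value: paths for value, paths in vals.items() if len(paths) > 1}
        for cat, vals in inventory.items()
    }


if __name__ == "__main__":
    inventory, rejected = scan_estate(SAMPLE_FILES)
    for category, values in inventory.items():
        for value, paths in values.items():
            print(f"{category}: {value} -> {paths}")
    print("rejected as false positives:", rejected)
    print("duplicated:", duplicated_values(inventory))
```

The output is the starting point for the inventory the ICO’s second step asks for: each value with every location it lives in, including the backup and the log line that a search of the CRM alone would miss. The rejected list is kept rather than silently dropped so that the validity rule itself can be reviewed.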
O’Haire says while traditional security products such as anti-virus and firewalls can help protect personal data from loss or theft, ensuring that all sensitive data never leaves the data centre in the first place makes the job much easier. He adds that using virtualisation can also help when keeping the data safely in the data centre where all access can be audited and controlled. “Should data need to be held or processed offline on mobile devices, [virtualisation] can also ensure it is protected in an encrypted and secure container.”
WinMagic’s Brown points out that it is important to realise adherence is as much about process as technology: “Take encryption as an example. Critically, personally identifiable information must be encrypted in all locations and only sent where permitted, as defined by the legislation and rights of the individual. Solutions can manage encryption across on-premise servers, devices and cloud service providers, but they will only encrypt what they are told to.”
Several commentators cite the need for automation here. For example, Airbus’ Goslin says: “Regardless of numbers or level of efficiency, security teams simply can’t have eyes on everything all of the time. Whether it’s monitoring the perimeter or a lack of cyber security resources that impedes performance, automation is necessary.”
He goes on to say technology should be utilised to monitor networks for signs of anomalous behaviour and sound an alert, and then echoes Pinson-Roxburgh’s earlier point when he says: “However, this will need to be combined with humans who then investigate false positives or if there is an attack in progress. To be truly effective, this activity needs involvement from all business lines, including top management.”
That then introduces the crucial human factor into the equation. “Technology can support GDPR compliance but it will not guarantee it,” says BT’s Kinney. “This is about changing behaviours; it’s about understanding the data you have, why you have it, who it’s shared with, and how it’s protected. Certainly there are products out there to support GDPR. But they need to be introduced with care and with a clear objective regarding the outcome and benefit of their use.”
Beyond May 2018
Of course, no one is going to wake up on 26 May next year and breathe a sigh of relief after two years of compliance work and think ‘job done’. Corporate teams will continue to have plenty to do in order to ensure their organisations remain compliant going forward. For example, everyone agrees that the world’s data mountains can only get bigger which means documenting it all will be a never-ending task.
WinMagic’s Brown says: “Data sprawl and complex IT environments are one of the biggest challenges when it comes to staying GDPR compliant. It’s a growing problem and the risks are greater than ever. Every time a device is added to the network, a cloud service used, a new virtual machine created, or data extracted for analysis, data creeps and spreads to new locations. Within that data could be personally identifiable information which, over time, you can easily lose visibility and control of.”
At the end of the day though, none of this should send organisations scrambling to the panic room. As the ICO states, some of the misinformation and “outright scaremongering” out there seems to be commercially driven. It fails to take into account that the GDPR is an “evolution” in data protection, not a “revolution”, and is building on foundations that have already been in place for the last 20 years.
Of course, the ICO acknowledges that any regulation has some sort of impact on an organisation’s resources and says that is unavoidable with any new legislation. But it warns that thinking about compliance in terms of a “burden” indicates the wrong mindset to preparing for the GDPR.
Few are likely to disagree here as many commentators believe the new rules are a step in the right direction. “Implementing GDPR compliance will force IT to examine the lifecycle of data and the security risks, and implement tighter measures,” says Scram Software’s Chang. “This is better for citizens, customers and for the companies themselves. As the old adage goes, prevention is better than cure.”
Delphix’s Breslaw adds to this by saying data protection is no longer a ‘nice to have’ but a question of principles. Indeed, he goes further and says the protection of data should be seen as a human right: “Companies are custodians of a customer’s data – they don’t own it, the customer does, and it needs to be cared for appropriately. It is therefore in the interest of all businesses to be seen as taking data protection and data security seriously.”
And finally, as BeyondTrust’s Chappell concludes, you should make sure that you don’t concentrate on the technical solution and lose sight of the process changes that are required: “GDPR, like any good security practice, has people, process and technology inseparably intertwined. Lack of focus on any of them will leave you exposed.”
12 steps to GDPR
The Information Commissioner’s Office (ICO) has issued detailed guidance about the regulation and how to prepare for it, including the following 12 steps that organisations need to take now.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Lawfully processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent
Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
8. Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data protection by design and impact assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11. Data protection officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a data protection officer.
12. International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.