EU GDPR: An action guide for IT

Organisations have until 25th May 2018 to ensure compliance with the new EU General Data Protection Regulation (EU GDPR). As outlined in the first of this two part series, there is a lot of information for businesses to digest, but now is also time to take action.
Data protection is not a responsibility for the IT department alone, as it needs to be taken seriously at the highest level and should be a coordinated task for several departments including legal, compliance, finance, marketing, and HR together with IT.

However, it’s no surprise that IT needs to be a major contributor to a successful outcome, with many responsibilities needing to be implemented by the IT team. For instance, encrypting personalised data and, as outlined in article 30, ensuring ‘the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data.’

Collecting, processing and deleting data

When the law comes into force, it will cover all data gathered from then onwards, but also any data that is currently held. The first step, therefore, is to look at all data that is currently on individuals: where it is stored; the procedures for data transfers; the outsourcing of data handling; the use of cloud services; the security policies; training of employees handling the data; and the technologies deployed to secure the data, track its movement and report on the data held.

Organisations should be able to identify all places where personal data is stored, which may require asking every employee that touches personal data, as well as looking for all CRM, support and marketing systems – including cloud services. In large distributed organisations, it is not a surprise to find multiple systems in use by different departments, some sync together and others may stand alone. The organisation should know and be able to track all systems.

Before collecting any new information, organisations must inform the user about the purpose of the data collection, and collect it only for that purpose. This is a cultural challenge as much as a technical one, and it is especially important that marketing departments, which are likely to be gathering data to identify new prospects, understand the new rules. Processes need to be reviewed urgently as users must receive clear information and make a clear affirmative action to opt-in – no automatic opt-in or pre-ticked boxes, no burying consent within long terms and conditions or other documents. Data subjects also have the right to withdraw their consent at any time in the future, meaning data controllers must also provide an option to allow data subjects to withdraw their consent.

The regulation states that data should only be kept for the period it is needed and should be deleted afterwards – with users able to demand that their data is deleted at any time. The data controller needs to have a procedure for data removal that ensures that data is completely removed from all systems. This may sound easy in theory, however, data can easily be shared between systems and the data controller needs to be sure that the data is removed from all systems simultaneously and that automatic syncing doesn’t bring the data back.

Action on data loss

No matter what technology and procedures the data controller has in place, some data may get lost. Organisations need to have a comprehensive plan of action when a data loss incident occurs, a major part of which is communication to the outside world, including when and how to inform authorities, data subjects and (possibly) the wider public. IT needs to be able to stop any data beach in progress and communicate effectively to the rest of the organisation the details about the incident and likely impact – including details on when the data breach occurred, the amount of data potentially lost and the mechanism used to exfiltrate the data. IT therefore needs technology that can identify data breaches via whatever means: hackers, infected machines, lost credentials, sharing of information on unsafe cloud services, etc.

Once a breach has been identified, the data controller usually has 72 hours to notify the supervisory authority, unless 'the data breach is unlikely to result in risk'. Obviously, this is a short timescale, so a process needs to be in place that can investigate the breadth of the data loss quickly to satisfy the regulation.

Encryption – get out of jail free?

IT urgently needs to investigate how encryption/tokenisation can be utilised to reduce the risk of data loss as it will be one of the most effective ways of achieving and demonstrating EU GDPR compliance. Technologies that encrypt the data before it is transferred to a data processor or cloud service (especially if the encryption keys are kept separately from the data), can reduce the risk of data loss at a stroke, as decrypting data can take hundreds of years for the most secure encryption techniques. The regulation recognises this, stating that if lost data is 'unintelligible to anyone not authorised to access it' then the data controller does not have to inform the data subjects. Very much a get out of jail free card.

Using data processors

A data processor is a separate legal organisation or person (non-employee) that processes data on behalf of the data controller. Examples of data processors include outsourcing companies, off-site storage vendors or cloud providers. The data processor does not need to have a contractual relationship with the data controller, so if any employee saves EU personal data on a cloud service, that service automatically becomes a data processor with regard to that data.

Data controllers are still ultimately responsible for data security, but must ensure that they only use data processors which understand that they also have similar data protection responsibilities and will meet the regulation’s requirements. The regulation cascades down to each data processor in the chain, meaning the data controller needs to know all the data processors that the organisation or its employees may be using, and be able to measure their policies and technology to ensure that they conform to the regulation – with it being up to IT to provide that data and keep it up to date as new data processors are used. Given that the average enterprise now uses more than 1,000 different cloud services alone, all of which could be considered data processors: this is a mammoth task that needs focus.

Transferring data outside the EU

Transfers happen as soon as data leaves the 28 countries of the European Union, no matter how it occurs. This includes transferring within a company; outsourcing to a non-EU data processor; saving data onto a shared file service hosted outside the EU. If a data controller plans to transfer data outside the EU, it needs to inform the user of this fact. This means reviewing web site privacy policies and making sure they inform viewers and allow them to opt-out. However, the EU defines some countries as having 'adequate' data protection laws and that therefore transferring data from the EU into these countries is acceptable without need for other legal contracts – at present this list is Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. For data transfers to any country not on the list above, there must be a legal contract that states that the non-EU recipient agrees to the data protection safeguards required.

Preparing for the GDPR

The impact of the EU GDPR should not be taken lightly and every organisation should review its data handling techniques and plan to conform to the regulation as soon as possible. Compliance may seem onerous, especially for IT teams. But think for a moment about when you are the data subject. When we buy products or transact with organisations, we expect our data to be handled securely. The regulation is putting in place a lot of best practices to ensure this is the case.

Simplifying the regulation to its most basic level: think of data as borrowing an expensive item from a friend. It is never actually yours, it is on loan from the data subjects. They can ask for it back, they can check that you are using it correctly, they can demand that you do not further loan it to someone else without their approval, and they have rights over what you do with it.

Nigel Hawthorn, Skyhigh Networks' European spokesperson