We may be standing on the threshold of 2018, but the journey to compliance with the new EU General Data Protection Regulation (GDPR) is far from over for many UK organisations. A study carried out by Apricorn recently found that 24 per cent remained unaware of the regulation and its implications, while 17 per cent were aware but had no plan in place for ensuring compliance.
GDPR legislates for uniform and comprehensive controls that protect the personal data of EU citizens across all nations that process it. However, misconceptions still remain and threaten to trip organisations up – even those that have a path to compliance and are making solid progress with it.
Busting the myths
One common assumption is that there will be a ‘grace period’ after the May 2018 deadline. This is not the case: the regulation is already in place, and 25th May 2018 marks the date when it will start to be enforced.
Steve Wood, Head of International Strategy & Intelligence at the Information Commissioner’s Office (ICO) has stated that: “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.” While the ICO is happy to work with organisations to improve their compliance in the areas of GDPR that seem unclear, no-one will receive a pardon if they’re not ready in time.
Another misunderstanding is that organisations will face penalties at the point of a data breach. This is incorrect: stiff fines – up to two per cent of global turnover or €10 million, whichever is greater – can be levied for various systematic failures to comply with the legislation.
A report conducted by YouGov found that 71 per cent of organisations hadn’t realised they will be heavily fined if they fail to follow the guidelines. The GDPR directive is focused on integrating data protection ‘by design and by default’, so organisations must be able to demonstrate that good data protection is a foundation of their business policy and practices.
Organisations that believe GDPR only covers details such as name, address and birth date, and sensitive information such as ethnicity or religious beliefs, are also misinformed. GDPR broadens the definition of Personally Identifiable Information (PII) to include “genetic data” and “biometric data”, as well as the tracking of IP addresses and cookies where that data relates directly to individuals.
The final countdown
To avoid the risks and associated fines, businesses need to maximise the time remaining. They should work to understand where their liabilities lie, and take decisive steps to address these in order to protect the personal information they hold and process.
Identify all personal data. GDPR requires that organisations should be able to trace all personal information, and understand where it resides and how it’s used. This will enable them to identify any shortcomings in technologies and policies, and quickly remedy these.
Under the new rules, organisations will need to document exactly how data is processed, stored, retrieved and deleted through its lifecycle, to pinpoint where it may be unprotected and/or at risk. They must be able to demonstrate that they’re limiting the data they hold, as well as who is authorised to access it, and that there’s a valid reason why access has been granted to those who have it.
Ensure policies, systems and processes comply with citizens’ enhanced rights. Any request made to EU citizens for consent to use their data must be explicit, and the reason for collection of the data and details of how it will be used and stored must be clear. Individuals have the right to demand their data in a portable format, and the right to request that all their data is deleted. Businesses must have systems and processes in place to comply with these rights, and many will need to appoint a dedicated data protection officer.
Specific policies and processes should be created and enforced to protect data when it is outside of the organisation’s central systems, both on the move and at rest. Personal data is particularly vulnerable to attack when it’s taken or transferred beyond the network perimeter. The Apricorn survey found that 29 per cent of organisations have suffered a data breach or loss as a direct result of mobile working, and 44 per cent expect mobile workers to expose the business to data breaches. Businesses need a way to safeguard data when it’s carried out of the office by mobile workers.
Educate staff about the rules and their responsibilities. Having the right tools and policies in place is a significant part of GDPR compliance, but ultimately it’s users that pose the biggest threat. If employees don’t recognise and understand the legislation and its consequences, it is likely that failings will ensue.
Employees are often unaware of their role in protecting sensitive information, and unwittingly put confidential data at risk as a result. They need to receive adequate security awareness training to ensure they understand the GDPR regulation as part of a companywide security policy, their role in compliance, and how to apply any tools provided to them in support of this.
Encrypt data at all stages of its lifecycle. GDPR is not always explicit about the measures organisations should take to meet its requirements, but the use of encryption as a means to protect personal data is specifically mandated by the framework. Article 32 states that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data".
If data is being transferred outside the network or between systems, IT needs to research, identify and mandate a corporate-standard encrypted mobile storage device. Its use must be enforced across the organisation through policies such as locking down USB ports to only accept approved devices. PIN pad authenticated, hardware encrypted USB devices can provide onboard and automated encryption, so there’s no need for the user to install additional software.
It is a fact that the largest potential fines – up to four per cent of global turnover or €20 million, whichever is greater – will be reserved for data breaches. The risk of incurring these can be mitigated through the use of encryption, which also lowers other obligations that come into play when data is breached. GDPR Article 34 states that if a breached organisation "has implemented appropriate technical and organisational protection measures such as encryption", it can avoid the regulation's breach notification requirement to contact each individual affected and the resultant administrative costs.
Gartner predicts that by the end of 2018 more than 50 per cent of companies affected by the GDPR will still not be in full compliance with its requirements. To avoid being one of those at risk of violating the impending legislation, organisations need to identify and address the gaps in their defences and their potential Achilles heels right now.
Jon Fielding, Managing Director, EMEA Apricorn
Image source: Shutterstock/Wright Studio