The General Data Protection Regulation (GDPR) comes into full force on May 25th 2018, only a few months from now. It will have a transformative effect on the way that organisations treat their data and use their information systems. The fundamental principle of GDPR is to improve the protection of personal data that is stored and processed, whether it relates to employees, customers, partners or others. GDPR is a risk regime, not a compliance regime, so there is no checklist of actions that, once implemented, guarantees you are safe. Instead, organisations need to judge whether the way they secure sensitive data is appropriate to the threats to the business, the vulnerabilities in their systems and the impact that a data breach could have.
One of the first steps towards understanding an organisation’s position on GDPR is to undertake a data discovery exercise – finding out what sensitive personal data the organisation holds and processes. Often, organisations find themselves facing a ‘data iceberg’ as the scale and complexity of their data holdings emerges, generally exceeding initial expectations. The first thing that surprises people is the proliferation of types of data, from documents to spreadsheets – it’s not just about databases. Then you need to find where this data resides.
In most organisations, data can be held locally on PCs and laptops, on centralised file sharing systems, and on an ever-increasing number of cloud services. Getting ready for GDPR means knowing where all the data is: business leaders must find out who is in possession of each piece of data, which typically reveals that individuals routinely create copies, amend them, and email them to colleagues, suppliers, customers, and so forth. Data held on cloud services may be sanctioned by the organisation, or it may form part of the organisation’s ‘shadow IT’ (i.e. the IT that the organisation doesn’t know it uses). Cloud services often store and process information in countries outside the UK, and often outside the EU. The latter is of particular concern under GDPR. What starts as a simple exercise can rapidly become a major undertaking.
Every one of these thousands of documents, spreadsheets, database records, web pages and other forms of digital data that contain sensitive personal information needs to be secure and accurate. The organisation also needs the consent of the person to whom the data refers for the use to which it is being put. That person may demand that the records are deleted or made available for transfer to another organisation – your systems need to support this. The systems that store and process such data need to comply with EU privacy law and, if the data is processed outside the EU, there needs to be equivalent law in place that guarantees the privacy of EU citizens’ data to the same degree they receive in the EU.
After the GDPR deadline, organisations will grow accustomed to doing a number of things differently. Apart from being much more mindful of the rights of the people to whom data relates, they are likely to have implemented an ICMH (Information Classification, Marking and Handling) scheme, such as that described in the standard BS10010, to ensure that all staff think about the sensitivity of the information they create, use and dispose of on a daily basis.
Organisations will have set up fast-moving incident response teams that support the obligation to report data breaches within 72 hours. They will have security monitoring in place that detects potential attacks on the organisation’s networks, that can proactively identify when attacks are likely, and that can identify when individuals are somehow making the organisation vulnerable (e.g. through inappropriate use of social media). They will be raising awareness across the organisation by providing training to staff and by ensuring that leadership is vocal about the importance of these topics. They will be undertaking routine testing to ensure that vulnerabilities are identified and mitigated.
Over the long term, organisations will begin to bring data protection and cyber security into all their thinking about the use of information systems. As economies turn digital, this kind of thinking will have to become part of everything we do.
By Andrew Rogoyski, Vice President Cyber Security Services, CGI UK
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/