By design and by default – six principles for GDPR compliance

The introduction of the General Data Protection Regulation in May 2018 is the biggest change in privacy law for 20 years. It will require organisations to build data protection ‘by design and by default’ into every level of their business and throughout their processes. The GDPR has real teeth, with the right to impose punitive fines for organisations, public and private sector, that fail to comply.

Security used to be an afterthought for many organisations, but a steady stream of high profile incidents, from hacking to ransomware to personal data breaches means cybersecurity is now high on the boardroom agenda. However, the state of business readiness for the GDPR is variable. Big companies – especially those from highly regulated sectors such as financial services – are in pretty good shape. On the other hand, there is research to suggest that more than half of organisations have yet to start work on meeting minimum GDPR standards. Time is running out.

Wherever you are on your journey to ensure full compliance with GDPR, there are some core principles that will help you make the right decisions. While checklists are always useful, good security is as much a state of mind, a way of behaving, as it is tools and processes. With a purely formulaic approach to data protection, we might miss the bigger picture. Consequently, the GDPR does not specify measures or tools to use, but calls for organisations to adopt best practice.

1. Look for possible privacy infringements to remedy before an incident occurs.

Good data protection is much more than being able to respond to an incident. Good security means anticipating and eliminating the opportunity for something to go wrong. Lots of security incidents happen inadvertently – someone missed the training session, or forgot what they learned. Technologies such as behavioural biometrics, which can spot anomalous human actions, and tools that monitor data traffic are important prevention techniques.

However, the key factor for success is at the beginning. Given human nature and the tendency of things to go wrong, what might happen? It takes creative, lateral thinking by real people to identify risks. The 9/11 Commission concluded that it was ‘above all, a failure of imagination’ which let the Twin Towers hijackers through. It’s good to bring together people from across the business and give them free rein to speculate, to second-guess, to hypothesise about how and where data breaches might occur.

2. Protection and privacy compliance should be default for business IT systems and processes.

In an ideal world, we wouldn’t need to compel businesses to get serious about data protection. After all, when we buckle ourselves into a plane seat, it never crosses our mind that the plane might be unsafe. It should be unthinkable to bring to market an IoT device – a baby monitor, say – that is insecure. But we are a long way from that utopia. IoT products as varied as a children’s doll and adult sex toys have been found to be in breach of existing data protection legislation. The potential for consumer IoT devices is massive – self-driving cars will be on the road in a few years – which is why security must be built in at the drawing board, whether it is a household appliance or a global payment system.

3. Privacy should be embedded at every level of an organisation’s functionality.

Different parts of the organisation may securely hold separate data (location, ethnicity, political opinion, credit ratings and so on) about the same individual, but when they’re put together, that person could be identified. In other words, combining personal data from various sources could turn it into rich information that the individuals would not want shared or divulged. And giving consent for data to be used for one thing is not a blanket permission. The UK Information Commissioner recently found that London’s Royal Free hospital failed to comply with the Data Protection Act when it handed over personal data of 1.6 million patients to Google’s company DeepMind, even though it was for a good purpose. The Commissioner said: “Patients would not have reasonably expected their information to have been used in this way”. We need to design holistic privacy policies and practices that take this into account.

4. All compliance practices should stand up to independent verification processes.

The GDPR aims to encourage an informed, intelligent approach built on best practice principles, one which can stand up to independent scrutiny. A key role in making this happen is the Data Protection Officer, a required appointment for many organisations. The DPO’s role is set out in Article 39, but what is telling is the requirement for the DPO to report to the highest management level of the organisation (the board, in most cases). The DPO is to work independently and cannot be dismissed or penalised for performing their task. Clearly, the GDPR intends for DPOs to have real authority (not just a ‘tick the box’ job).

The DPO will be able to help the organisation understand how to implement meaningful systems and processes, and how to measure and audit data protection performance. DPOs must have expert knowledge of data protection law and practices; he or she can be an employee or external contractor. According to the International Association of Privacy Practitioners, Europe alone will require at least 28,000 DPOs. Given the scarcity of skills in this area, it would be prudent to start the recruitment process as soon as possible, if you have not already done so.

5. The implemented privacy protection should offer end-to-end security.

There is obviously no point in double-locking the front door if the back door is open. Organisations need to take a holistic approach to data security – you can’t just secure individual elements, because there might be gaps in between them. Attackers look for the weakest link, so you must find it before they do.

Assailants will also jump from one system to another, moving sideways, up and down, exploiting small weaknesses to reach the assets they really want. While a certain system may not seem to be vulnerable from the point of view of data protection, it may have a role to play in the bigger picture. The same applies to the supply chain: criminals will target a third party in order to open up access to their real mark. Data protection credentials will increasingly form part of the due diligence that goes into appointing a supplier or business partner.

6. There must be full functionality of data protection, with no compromise to either business or security.

It’s fair to say that in the past there has been some tension between business operations and the security team, with the former thinking the latter just says, ‘no, you can’t do that’. As digital transformation gets under way in every sector, we must secure operational systems and processes so that they can function naturally. How you do that depends on your business, but it will certainly start with the first principles of cybersecurity: identify your valuable assets – what are they? Where are they? What level of protection do they need? What it comes down to is that data protection and other cybersecurity measures must be embedded into the business. Practical steps are no substitute for a mindset and culture that protects personal data as a given.

The laissez faire days are over

Building a business where data protection is second nature takes leadership from the top. Everyone in the senior team must take it seriously, must model the behaviours and attitudes they wish to see, take the right decisions and make sure the business adopts the right frameworks. For too long, cybersecurity issues have not been incorporated into corporate strategy, but as we move deeper into the digital economy, this must change. The days of a laissez faire approach to data protection are over. The GDPR will deploy both carrot and stick to encourage compliance, but it will not hesitate to use the stick if the carrot is ignored.

By Martin Barnes, Head of Portfolio, BT
