The clock is ticking down towards 25 May 2018, the day when the new European Union data protection framework kicks in. The General Data Protection Regulation (GDPR) reflects a more stringent approach to safeguarding personal data and the privacy of individuals, and is an important step in creating Europe’s Single Digital Market. The GDPR demands much greater responsibility and transparency from any organisation that handles personal data. Breaches will be severely punished, with fines of up to an eye-watering four per cent of global turnover and EUR 20 million. What’s more, the supervising authority will publicise the details of any breach, adding reputational damage to the financial penalty for the offending organisation.

Generally speaking, large organisations – especially those in regulated industries such as financial services – are well equipped to meet the challenges of GDPR compliance. But there are still plenty of others who have yet to get themselves into shape and show they are at least on track in time for May 2018. What’s more, as these enterprises embark on digital transformation programmes, the technologies they embrace (the cloud, big data, mobile working and the Internet of Things) may hinder their ability to comply with GDPR unless the risks are properly understood and managed.

GDPR compliance in the cloud

Once upon a time, you knew exactly where your data and your applications were: safe behind a locked door in the IT department. Now, in the era of cloud computing, corporate applications and data are in multiple locations, often replicated and backed up somewhere else. The picture is very complex. Hybrid infrastructure models mean that some data is still under the control of the IT team, but other data is on third-party facilities. Companies must choose their cloud service carefully, taking care to understand where and how they store and manage customer data. Popular cloud products such as Microsoft’s Office 365 are already GDPR compliant.
Every organisation should now specify GDPR compliance in any IT tender process and service contract – because even if the breach comes from one of your cloud service providers, you are still liable.

Another measure is to use software tools such as cloud access security brokers (CASBs), which police the perimeter between the enterprise and the cloud. CASBs let you see which cloud applications are being used, what data is transferred to and from them, and with whom that data has been shared. The beauty of a CASB is that it gives you an overview of what is happening where, and what weaknesses there might be. Armed with that intelligence, you can then begin to understand the risks associated with each cloud application, and define appropriate policies for their use. For organisations unsure where to begin, a good first step is to subscribe to a CASB service for a month and monitor activity across your cloud ecosystem. At the end of that period, you’ll have a good picture of what’s going on.

The cloud is behind the rapid growth of shadow IT, where individual departments or lines of business buy digital services for themselves, outside the jurisdiction of the IT department. Shadow IT opens up the possibility of hidden data flows that could unwittingly compromise security. This is where an Application Privacy Interface (API) is valuable: sitting between your data and cloud services, it monitors what goes where. So if an employee attempts to store credit card details or medical records on Dropbox, for example, the API will act – notifying the user, or encrypting or quarantining the data, depending on the rules you set.

More data, more devices, more risks

The big data headache is only going to get bigger. You must be able to show you have the customers’ consent to store their data, and be able to notify them within 72 hours if a breach is likely to result in a high risk to them.
Individuals will also have the ‘right to be forgotten’, and you’ll have to erase their data (which could be replicated in several databases) and let them know you have done so. Another issue around personal data is that while individual records may not identify the actual person, their identity becomes apparent when those records are brought together, which could happen internally or via an external service. Then there are several national differences around sovereignty – where your data resides geographically – to take into account. There are no easy answers to the big data question, and many companies will need to review and rebuild their data management processes.

Mobile working and employees using portable devices to access corporate data create new opportunities for accidental or malicious data breaches. Organisations need to secure both the device and the manner in which it connects to the network. Security starts with the choice of device (if corporate-owned), with some operating systems more secure than others. If the employee needs to work with sensitive information on a mobile device, then containerisation can safeguard the data. When it comes to access, you need to ensure that the most vulnerable traffic travels on a secure private connection. Or, if it must go across the internet (and more and more data will go across public networks as organisations seek to balance cost and bandwidth issues), then personal data must be encrypted.

The Internet of Things will dramatically increase the opportunities for data leakage. From a GDPR perspective, much of the data IoT devices generate will be personal (the location of an individual, health indicators, financial history). But with as many as 50 billion IoT devices in action by 2020, producing data round the clock, there are going to be gazillions of data transactions to police. How will we sort the wheat from the chaff? If even 10 per cent of data events require further investigation, it is still unmanageable.
We will need to automate as much as possible, using machine learning, artificial intelligence and sophisticated algorithms that will identify patterns and spot anomalies with great accuracy.

Cybersecurity enables the digital business

Complying with GDPR is a daunting task for many organisations as they begin the task of transforming their relationships with customers and employees via digital technologies. However, never think that good cybersecurity is an obstacle to building a successful digital business. On the contrary – it is a principal enabler: by implementing the right data protection measures, you’ll not only show people they can trust you with their data, but you’ll also gain a deeper understanding of how your business works, which you can use to craft an ever better digital experience for all your customers.

By Martin Barnes, Head of Portfolio, BT

Essential compliance knowledge for iGaming professionals. Conference: Compliance Briefing London, 12 October 2017. Courses: igacademy.com/courses

Originally published by GDPR.Report
There is little doubt that data is the hallmark of business today; we live in the ‘information age’ for a reason – data is ubiquitous and it drives enterprise. And while data has always featured in working life to some degree, nowadays it plays a far more prominent role, both strategically and operationally. Indeed, some argue that we now live and work in a ‘data economy’, such is the extent to which information plays a role in short- and long-term business plans. But while this data offers transformative powers that few could have even dreamed of just 10 years ago, this information is also laden with risks. The UK government anticipated this with the introduction of the Data Protection Act in 1998 as businesses began to migrate over to digital practices, and now the GDPR will take precautionary measures even further – with good reason.
But as we head towards an increasingly digital workplace, the need for diligence with historical data is more important than ever. Failure to comply with GDPR regulation will result in heavy penalties and disruption to operations as inspectors investigate an organisation’s data handling practices. Infringement can bring fines of up to 4% of annual global revenue or up to €20,000,000, and can be imposed for both breaches and administrative errors – so the need to get it right first time is clear. Coupling this threat with the fact that businesses generally keep far more data than is necessary brings the issue into sharper focus. With this in mind, and the deadline drawing nearer, here are some implications for leaders to consider as this regulation comes into full effect – particularly if they are planning a major office relocation, when the threat of data breaches is at its highest.

Historical data: getting the physical documents in check

The GDPR is often discussed and understood as digital legislation – mostly concerning itself with mitigating modern database and network vulnerabilities – and while that is certainly the case, it also encompasses physical data handling practices. You could be forgiven for thinking that nowadays no business uses a paper-based filing system, but it’s still quite common. In fact, many financial and legal documents are required to exist in physical form as a matter of statutory compliance. Clearly, then, the requirement to get all physical data in check is critical, not only to be GDPR compliant, but also to ensure that businesses are prepared for relocation. Failure to do so will place both relocator and client at risk of negligence, allowing plans to be delayed, costs to spiral and reputations to fray. If your organisation is looking to move in the near future, ensure that filing processes are as up to date as possible and that any potential obstacles are communicated to a specialist before initiating a physical move.
Doing so will ensure relations remain intact in what can often be a highly stressful time for all parties.

Ease of access is paramount

The GDPR will require any information held on file to be accurate and able to be easily divulged to all relevant authorities. It will also demand that organisations erase information in a timely fashion to minimise the risk of security breaches. Clearly, then, firms that are looking to move will need to have measures in place to ensure that these requirements can be met, placing a considerable amount of importance on location and availability. GDPR will ask that organisations keep ‘deep storage’ data in easily accessible, but safely secured, parts of their building(s) and ensure that access to this information is managed carefully. Clients will therefore need to notify relocation specialists of the scale of their inventories so that suitable storage locations can be marked out within a new site. Full understanding will also ensure that files are safely secured throughout transit between sites A and B, which is especially important if a relocation project is scheduled to be carried out over a number of weeks or months. Again, this is an instance that is particularly concerned with ‘physical’ information, but even digital data is often stored on a device of some kind, so there should be as much attention given to old hard drives, CDs and USB sticks as there is to paper files and other ‘analogue’ means of storage. Importantly, business leaders should always check that the chosen commercial relocation partner has specialist IT and data moving experience to ensure that they are comprehensively covered.

Should it stay, or should it go?

As mentioned, GDPR will ask that data be erased in a timely fashion to avoid security breaches – indeed, improved security and data integrity are the main tenets of this new Europe-wide regulation.
Thus, having an understanding of what needs to be kept and what needs to be destroyed throughout relocation is critical – particularly if the operation wishes to remain lean, compliant and cost-efficient as it moves into new premises. A business has little to lose if it stops gathering ‘excess’ data, and everything to lose by continuing to do so. Ultimately, when deciding on relocation, business leaders need to ask themselves:
After understanding these points, and deciding what to keep on file, the organisation then needs to create a process for informing users about how it intends to use the information – while also gaining authorisation to do so. Business leaders should therefore have personnel in place to oversee this process, and be careful to select a relocation specialist with the capability to confidently oversee changes to inventories and data designated for destruction. Doing so will ensure moving is carried out with minimal disruption and remains GDPR compliant before, during and after a project is completed.

Knowing who is liable

While a commercial relocation specialist and its client will have contractual agreements and contingency planning in place to assure compensation in the event of a mishap, it’s important to note that once a relocation is complete the burden is solely with the client to remain GDPR compliant. Relocation specialists will be able to advise and suggest ways in which to do this, but ongoing maintenance is ultimately the responsibility of the organisation that owns the data. This is an especially important point to keep in mind if a business is considering third-party storage solutions. While this reduces the need for real estate and storage capacity, data management still needs taking care of. Moving files off site makes modification, access and destruction of data more difficult, so businesses looking to move should be mindful of this attractive but potentially difficult option.

Steve Talbot – Managing Director of IT Efficient, a division of the Harrow Green and Restore Group

Originally published by GDPR.Report

Gilbert Hill, Privacy Technologist, Entrepreneur, Founder and Managing Director of technology and software businesses, spoke at our last conference, Compliance Briefing: Malta.
Here's his advice on GDPR, cookie laws and the web.

Before GDPR comes into full force next May, we’ve taken a side step and identified five of the not-so-obvious but key elements of everyday business that will be affected by this legislation.
Loyalty cards

It’s estimated that Tesco’s Clubcard alone has 17 million users; now think about all the other loyalty cards that exist. Loyalty cards are part of everyday life: for years they have been tracking purchases, linked and re-linked to different addresses and stores, and used as a very powerful tool in a retailer’s marketing strategy. Ahead of May 2018, the owners of these loyalty schemes will have to assess a number of key areas, including what information stored within those loyalty schemes is classified as “identifiers” under the new GDPR guidelines. Permissions will have to be examined – even if a customer opted into the scheme, the way they were asked matters. If they weren’t asked in a GDPR-compliant way, customers will have to be asked again, so gone are the days of that 15% discount as a sign-up bargaining chip. Communication is another area that’ll be scrutinised, such as how organisations are going to use the data and communicate with the user; this can’t be hidden in sneaky size 8 font on the back of a leaflet anymore. Finally, the withdrawal process must be looked at: customers can withdraw at any time, and if they choose this option, it must be completed within 28 days. Therefore, organisations will have to move quickly to withdraw a user and suspend all communications – across potentially millions of others.

Facial recognition

Over the last decade there has been a rapid increase in the availability, reliability and accuracy of facial recognition technology. This way of identifying people has been integrated into so many of the online and mobile services used for the authentication/verification and security of devices, accounts and premises. Under GDPR, facial recognition falls under the “biometric data” bracket, meaning that it is treated as sensitive and personal – so the information captured requires enhanced protections.
Therefore, organisations will have to review the software and technology they possess that captures facial characteristics and identifies, categorises and differentiates individuals. This task will also involve assessing where these recognition algorithms are stored and how long facial profiles are retained.

Charity fundraising

For those that have signed up for a charity or relief fund, how they opt in and out of contact will change drastically. Even if the opt-out process is compliant, what next? The follow-up, and the ownership and sale of that data, now come into question. This issue applies to fundraising, for example. The question of how fundraisers can lawfully contact donors and supporters, or identify and approach potential new supporters, has been a cornerstone of the debate within the charity sector when it comes to GDPR. Volunteers are often the ones that collect this information; under GDPR, these volunteers are no different to employees, so they must be trained and equipped to protect data.

Customer monitoring and profiling

Under GDPR, personal data now extends to behavioural-derived, self-identified data. According to the legislation, this applies when “individuals are tracked on the Internet, including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him, or for analysing or predicting her or his personal preferences, behaviours and attitudes.” This particular piece of legislation will almost certainly hit e-retailers particularly hard – especially where profiling is ‘intended to lead’ to a conversion, which will be non-compliant. When retailers specifically track and profile abandoned baskets, the information they hold to build up a profile and track online customer behaviour could potentially be personally identifiable, thus becoming GDPR non-compliant.
Fitness apps

Think about all the personal information that goes into a fitness app, whether it’s Fitbit, MyFitnessPal, Strava, etc. Users often enter comprehensive amounts of personal details – including name, DOB, weight, height and race – and use devices to track biometrics that sync back into these apps, tracking stride, heart rate, activity levels and GPS. As this is highly identifiable information, the makers of these apps and devices will need to re-think their privacy policies and how they secure this data. They will also need to reconsider how long data is held and how they may or may not be able to use the data for re-marketing purposes.

By Sean Hanford, information governance consultant at bluesource

Recent research has shown that UK companies are struggling to get ready for the new General Data Protection Regulation (GDPR) in key areas such as the management of personally identifiable information and data breaches. For example, only 40% of companies check on every occasion whether a customer has given permission for records to move between data processors, and only 21% claim to have processes that allow them to remove data without delay from live systems and backups, as required under Articles 16 and 17 of GDPR.
The survey, which was conducted by Vanson Bourne across 500 IT decision makers for WinMagic, also found, when looking specifically at data breaches, that only 37% of UK companies are completely confident that they can report data breaches within 72 hours of discovery to the authorities. Companies also admitted they cannot easily identify the data obtained in a breach. As few as a quarter (27%) are completely confident that they could precisely identify the data that had been exposed in a breach. With this in mind, and only a little time left for you to prepare for GDPR, here are our tips to help ensure you consider some key areas of compliance with GDPR.

Rethink data consent

The era of assumption is over when it comes to citizens’ consent for data use and disclosure. Evaluate all your current consent forms and processes to ensure that consent is both voluntary and explicit with regard to the scope and consequences of data processing. You need to obtain “a statement or a clear affirmative action”, and essentially ensure that consent can be withdrawn as easily as it is given – something many companies fall down on.

Be thorough in your investigations

Assess what, where and how EU resident personal data is stored, processed and transferred within and outside your organisation’s structure. Check every department, from marketing to HR, legal and IT. Personal data includes “any information relating to an identified or identifiable natural person”. That means names, passwords, ID numbers, location data, online identifiers or any data relating to physical, physiological, genetic, mental, economic, cultural or social identity. It is essential to examine everything, as ‘personal data’ covers a very wide range of what might be stored and processed on your systems.

Go minimal

In the age of Big Data, it is important to adopt the “less is more” principle when it comes to personal information.
The GDPR states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.” Adopting an ongoing data minimisation approach is not only best practice, it’s GDPR-mandated. That also includes techniques such as pseudonymisation and anonymisation, as well as implementing foundational security measures like encryption, which together can dramatically reduce risk.

Understand citizen rights as well as your responsibilities

EU residents will have a greatly expanded set of rights post-GDPR. You need to honestly assess your ability to respond to requests within one month, with a maximum extension of two months. These reinforced rights include: the right to access data, to rectify or erase data, to restrict data processing, to data portability and to object to data processing. This will require a rethink across processes, staff training, technology and an intelligent approach to backup and disaster recovery, ensuring that personal data, wherever it is stored, can be identified and accessed relatively quickly.

Avoid awkward breach notifications

72 hours is the upper time limit for notifying your Supervisory Authority of a personal data breach. If the breach presents a risk to the rights and freedoms of EU residents, you also need to notify all affected individuals. However, if your data is encrypted and rendered “unintelligible to any person who is not authorised to access it,” then your organisation is not required to inform all affected individuals. Often organisations use encryption to protect data such as credit card details or passwords, but stop there. All organisations should take the attitude that if they hold data that is either commercially sensitive or falls under the category of personally identifiable information (as defined by EU GDPR), and they don’t want it getting into the public domain, then it should be encrypted when ‘at rest’.
It is the last line of defence against a data breach.

The proof is in the compliance pudding

Just being compliant isn’t enough; you need to prove it. That means establishing a clear framework for accountability and compliance. Do your core activities include large-scale data processing? If so, you’ll need to have a designated Data Protection Officer on board too, both monitoring compliance and acting as a single point of contact for the Supervisory Authority in your country, for example the Information Commissioner’s Office in the UK. As part of this process it would be prudent to periodically conduct a Data Protection Impact Assessment, determining the impact of data processing operations on data privacy.

Be proactive about process design

You’re required to put in place “appropriate technical and organisational measures” to safeguard personal data and minimise data collection, processing and storage. Whilst the wording may be intentionally imprecise, it does come with very definite risk, given the fines for non-compliance. You must place yourself in the mind of the regulator and question whether they could deem your security measures as falling short of their interpretation of “appropriate”. Do this proactively, hunting out the gaps or weaker process areas, so that they can be improved. You may find that you are better prepared to deal with GDPR than you think, but don’t delay the assessment of your processes and systems. Regardless of your company’s size, if you hold data on EU citizens or intend to trade with them then you will be affected. Don’t be fooled into thinking Brexit makes a difference either: you will need to be compliant and can be hit by the full force of the regulation’s fines regardless.

By Mark Hickman, Chief Operating Officer at WinMagic

Originally published by GDPR.Report