The industry is buzzing with excitement over the fact that next year GDPR becomes a reality. What are the implications of it for the average business and how will it impact on them? The reality today is that we’ve all read bits and pieces and seen numbers bandied around suggesting that if we get it wrong, we could face large fines and penalties.
To really understand it, we should look at where it’s come from and why it’s being implemented, particularly with Brexit in mind.
When the UK joined the (as was) EEC our privacy laws were pretty poor and were in need of strengthening. It took some time but in October 1995 there was an EU Directive on Data Protection and in 1998 the Data Protection Act (1998) became law in the UK. This did a pretty good job of ensuring our data was handled in a safe and secure manner. However, the Information Commissioner’s Office was pretty much a paper tiger, all roar, no teeth and there were holes located within resulting from some pretty woolly definitions.
GDPR is a much better defined series of regulations which aim to give the individual much better protection in terms of personal and sensitive data. The major change here being that the subject now retains ownership of the data held and not the organisation holding it. GDRP now comes with the much publicised stronger teeth; in the form of heavy fines and potentially, imprisonment.
Many think that Brexit will make GDPR irrelevant within the UK
This couldn’t be further from the truth. Regardless of whether Brexit happens or not, GDPR will be implemented and made law before Britain exits the EU. Not only that, but as businesses are so closely aligned and integrated into the EU, there are implications for businesses processing data belonging to EU citizens regardless of their location. For example, under GDPR, organisations now have to perform a Privacy Impact Assessment (PIA) which is a decision tool used to identify and mitigate privacy risks that notifies the public of what Personally Identifiable Information (PII) the organisation is collecting, why it is being collected and how that PII will be collected, used, accessed, shared, safeguarded and stored. Any organisation not taking relevant precautions well in advance to ensure compliance could face heavy penalties.
So, what are the penalties and are they really that much stronger than DPA? The answer is very simple and the word ‘draconian’ is not too strong. Non-compliant organisations that are breached face fines of up to €20,000,000 or 4% of global revenue for the organisation, whichever is higher. An example of this is the recent Talk Talk breach, which resulted in them being fined £400,000 by the ICO. Had GDPR been in place then the cost to Talk Talk could have been as high as £60,000,000.
So what do businesses need to do?
Firstly, they need to ensure they understand just what constitutes sensitive data. This has expanded within GDPR to include genetic and biometric data, as well as online identifiers such as cookies, RFID tags and IP addresses. Whenever an organisation processes such information, it must first conduct a thorough audit of protective measures around that data, including safeguards, security and mechanisms to lower the risk of exposure and ensure compliance with the GDPR.
The only way to ensure that electronic data is not breached is to store it on a system not connected to any network. Of course, this would mean that no one could access that data, making it completely useless and redundant and the usual practice is to use air-gapping and network segregation. Any system can be breached (including air-gapped and segregated networks) and generally, the conventional wisdom is not if an organisation is breached but when it is. This doesn’t mean businesses should take a fatalistic approach but that they should take a realistic approach, which is that if they are to be breached, how can they minimise the data loss and impact upon that business?
Therefore, organisations need to store sensitive data on protected (preferably segregated) networks, encrypt that data strongly, ensure only restricted staff and staff with a business need can access it both electronically and physically. Ensure that standard network precautions are in place, air-gaps, firewalls, loggers, FIM and so on.
Finally, I would strongly recommend that all businesses seek help in assessing their level of risk and compliance. My experience tells me that the vast majority of businesses that self-assess tend to exaggerate their level of compliance and only truly discover their real level when they are breached or if they engage an external organisation to perform a gap analysis giving them a true picture of their compliance level.
Can ProCheckUp help?
Of course we can!
We can perform a GAP analysis to locate the weak and non-compliant areas; we can assist with the PIA (i.e. Risk Assessment); we can help prevent a breach by performing vulnerability assessment and penetration tests (including red-teaming) and, if the worst should happen, we can also help when a breach does occur, with incident response and forensics.