The 25th of May has come and gone. While many organisations were proactive in their preparations for aligning themselves with the GDPR, sadly many of your customers may still be in the dark about the GDPR and what it means for them. The effects of the GDPR are coming, but should they still be worried?
The UK Information Commissioner Elizabeth Denham has dismissed the predictions and scaremongering about huge fines as ‘nonsense’ and has advised that the Information Commissioner’s Office (ICO) will use its powers “proportionately and judiciously”, and that fines will always be a last resort.
Last year the ICO investigated 17,300 cases and only 16 of them resulted in fines for the organisations concerned.
Denham goes on to say “those who self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action”. The hefty fines will be reserved for organisations that persistently, deliberately or negligently flout the law.
Worthy of mention here is that the GDPR is a pan-EU regulation which is now enshrined in UK law as the Data Protection Act 2018 (DPA18), replacing the former DPA98.
So, with the smaller customer in mind, we have put together a list of the top six things they should do now, to help them focus their attention and efforts on activities which, if not done, represent the most risk to their business.
1. Demonstrate Accountability (Article 5)
The GDPR sets out six key principles (often argued to be seven) and adherence to these principles needs to be at the heart of your customer’s processing of personal data. As Data Controllers, they must be able to demonstrate adherence to individuals and to the supervisory authority if asked.
They need to develop a process to ensure that the personal data held is checked against the principles and rectify any gaps found.
The six principles are:
- Lawfulness, fairness and transparency
- Purpose limitation – collected for specified, explicit and legitimate purposes
- Data minimisation – adequate, relevant and limited to the purpose for which they are processed
- Accuracy – and kept up to date and where inaccurate, rectified or erased without delay
- Storage limitation – held in a form which permits identification of the data subject for no longer than necessary
- Integrity and confidentiality (security) – adequately protected against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical and organisational measures
The debated seventh principle: Accountability – the controller shall be responsible for, and be able to demonstrate compliance with, the six general principles (all of the above).
2. Data Discovery
If your customers haven’t done this yet, they should complete an exercise in data discovery.
This involves creating an inventory of personal data by discussing with people from all areas of the business and brainstorming, for each set of personal data:
- what personal data is being processed
- where it came from (i.e. from the individuals themselves or from a third party)
- where it is held (i.e. electronically or in paper form)
- how it is protected (e.g. strong access controls and encryption, a locked drawer, etc.)
- why it is processed (e.g. for the delivery of goods or services) and what the legal basis for the processing is
- how long it is kept for
- who it is shared with
- whether it is really necessary to keep it
Once the inventory is created, they should review the findings and purge any data that does not need to be kept. Address any unknowns and review the safeguards to make sure that personal data is adequately protected. The inventory should be regularly reviewed and updated to make sure that it stays accurate and that the original legal basis for processing still stands.
3. Manage risks
As part of demonstrating accountability, encourage customers to consider risks to their processing activities and conduct a risk assessment:
- From the data discovery exercise, they will have identified where and what personal data is processed. Enter this into a ‘risk register’ (spreadsheet) with details of the type, quantity and importance of each processing activity
- Identify typical threats and vulnerabilities to those data
- Assess the impact that loss, disclosure or damage might cause
- Identify what the risk appetite is i.e. how much or little can they afford to lose
- Identify what the probability of threats being realised is
- Identify any current security controls and measures and re-evaluate the risk. This gives the residual risk
- Identify what can be done to further treat risk and set realistic targets for treatment
- Formally document the results of the risk assessment
Following on from the risk assessment, they should continuously review the assessment and controls and re-evaluate any changes that might affect the impact or probability and think about adding privacy enhancing controls such as pseudonymisation and encryption.
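To make the risk-register steps above concrete, here is a small worked example. It is added here and is not code from Sysnet or from the original post; the 1–5 scoring scales, the assumption that each control knocks a stated number of points off the probability score, the sample register entries and the risk appetite value are all constructed for illustration. It computes inherent risk (impact × probability), applies the controls already in place to get the residual risk, compares that with the risk appetite and states the treatment target, distinguishing the case where controls alone cannot bring the risk down and the impact itself must be reduced (data minimisation, pseudonymisation or encryption).

```python
from dataclasses import dataclass, field

SCALE = range(1, 6)  # constructed: 1..5 scores for both impact and probability


@dataclass
class RiskEntry:
    activity: str                 # the processing activity from the data discovery inventory
    impact: int                   # 1 negligible .. 5 severe, if the data is lost, disclosed or damaged
    probability: int              # 1 rare .. 5 almost certain, before any controls
    controls: dict = field(default_factory=dict)  # control name -> points taken off probability

    def __post_init__(self):
        if self.impact not in SCALE or self.probability not in SCALE:
            raise ValueError(f"scores must be in {list(SCALE)}: {self.activity}")


def inherent_risk(entry):
    """Impact x probability before any controls are taken into account."""
    return entry.impact * entry.probability


def residual_probability(entry):
    # Assumption: each control reduces the probability score by its stated
    # number of points, but the score never drops below 1 (rare), since no
    # control removes a threat completely.
    return max(1, entry.probability - sum(entry.controls.values()))


def residual_risk(entry):
    """Risk that remains after the current controls and measures."""
    return entry.impact * residual_probability(entry)


def treatment_target(entry, appetite):
    """State what further treatment, if any, brings the entry within appetite."""
    if residual_risk(entry) <= appetite:
        return "none: within risk appetite"
    # Highest probability score that still satisfies impact * p <= appetite
    target_p = appetite // entry.impact
    if target_p >= 1:
        needed = residual_probability(entry) - target_p
        return f"reduce probability by {needed} point(s) (add or strengthen controls)"
    # Even a 'rare' probability exceeds appetite: the impact itself must come down
    return "reduce impact (minimise, pseudonymise or encrypt the data)"


def assess(register, appetite):
    """Formally documented result: one row per activity, highest residual risk first."""
    rows = [
        {
            "activity": e.activity,
            "inherent": inherent_risk(e),
            "residual": residual_risk(e),
            "treatment": treatment_target(e, appetite),
        }
        for e in register
    ]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register; the values are illustrative, not from any real assessment
SAMPLE_REGISTER = [
    RiskEntry("Customer orders database", impact=4, probability=4,
              controls={"least-privilege access": 1, "encryption at rest": 1}),
    RiskEntry("Paper HR files in unlocked cabinet", impact=5, probability=3),
    RiskEntry("Marketing newsletter list", impact=2, probability=3,
              controls={"MFA on mailing platform": 1}),
]
APPETITE = 6  # constructed: residual scores above this must be treated

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, APPETITE):
        print(row)
```

Re-running `assess` after each change to controls, impact or probability is the continuous review the paragraph above describes; the sorted output shows where treatment effort should go first.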
4. Subject Access Requests
The GDPR is all about giving individuals more control over how their personal data is used, shared and stored, and there are certain areas in which an individual can ask about the processing of their personal data.
Your customers should create a process to respond to such requests as they need to be able to do this within one month of receiving a Subject Access Request (SAR). SARs can be made verbally or in writing but should be acknowledged in writing.
Individuals can ask your customer about:
- What their data is used for
- Who their data is shared with and to stop sharing (restrict processing)
- How long their data is stored for and why
- Where their data came from
- If their data has been transferred outside of the European Union and, if so, what security measures were used to protect it
- Whether the data is used for profiling or automated decision making
- Challenge the accuracy of the data or ask for it to be deleted or object to its use
- Ask for a copy of their personal data which must be provided in an electronically readable format
- Ask for the data to be ported to another data controller
- Object to the processing activity and ask for their data to be deleted (erased)
The process to respond to these requests should be documented and made available to those who may be asked to handle a SAR. The process may involve designing a form which includes the contact details of the organisation, who is going to handle the request, a reference number (to keep a log of all the SARs for evidence) and a section to steer the individual to be specific about their request e.g. copies of orders made between January and June.
Further processes may also be needed following a SAR, such as when the individual asks to be ‘forgotten’ and there is no valid reason not to delete the data held about them, or when the individual objects to processing and processing has to be restricted.
5. Breach Process and Notification
Planning ahead for a data breach means that in the event of a real data breach, responses may be quicker and the resulting impact on the affected individuals and on your customer’s business may be minimised.
The risk assessment will have identified the security controls and measures both physical and technical protecting the personal data held.
The next steps are:
- Check access permissions are following a principle of least privilege (need-to-know/need-to-use) and restrict access to only those people
- Check whether remote access to business systems is allowed and, if so, that it is limited by business need. Check that remote access uses strong cryptography and relies on multi-factor authentication
- Check with the IT department or IT provider that systems are up to date with the latest software patches and anti-virus, including firewalls and other security systems
- Larger organisations should check that the detection systems are logging and alerting and that somebody is reviewing the alerts and taking any action needed
- Check backups are working and are being securely stored
- Check that physical controls such as locking mechanisms, CCTV and alarm systems are working
Where security measures are found to be weak, determine where improvement is possible and implement reasonable changes to better protect the personal data.
Develop and document a procedure for dealing with an incident/breach. Make sure that it contains how and to whom data breaches should be reported within the organisation.
Staff should be trained on how to recognise and report a data breach. Be clear that data breaches are not just about unauthorised access or disclosure but also include accidental or unlawful destruction, loss or alteration of personal data.
The data discovery inventory will also help to identify the categories of personal data and processing activities where a data breach may require notification. Your customers need to be aware of the likely risk to individuals if personal data they store and process was breached.
Make sure that the procedure clearly identifies the types of personal data processed that, if compromised or lost/stolen, could result in a risk to the rights and freedoms of the data subject.
In breaches that could result in a high risk, not only would the supervisory authority need to be notified but also the data subject. They need to ensure that the procedure clearly states the notification requirements giving the contact of the supervisory authority and advising on methods to notify the data subjects, highlighting the time critical nature of the notification obligations.
Once created, the breach response process should be tested by carrying out a ‘dummy’ data breach such as an item being stolen which contains personal data.
Your customers should try to make the exercise as real as possible and include not only breach reporting and breach response but also breach notification, in order to confirm capabilities to notify the supervisory authority within 72 hours and the data subject without undue delay.
They should document the results of the exercises so that they can be discussed internally to see if any lessons can be learned and procedures updated if necessary.
6. Data Protection Impact Assessment
Your customers need to think about Data Protection Impact Assessments (DPIAs). These only actually need to be done for high risk processing. The definition of high risk being:
- SYSTEMATIC and EXTENSIVE automated processing, including profiling that results in decisions
- Processing on a LARGE SCALE of special categories (race, religion, discrimination), or criminal convictions
- Systematic Monitoring of Publicly accessible areas (Public CCTV for example)
In most cases, a DPIA will not be required but in cases where it is not clear whether a DPIA is needed or not, the Information Commissioner’s Office (ICO) recommends that a DPIA is carried out nonetheless. Carrying out a DPIA is good practice where there may be any element of risk and helps toward demonstrating accountability.
In thinking about DPIAs, they should think about what projects are coming up that might need them and create a process which specifies the factors to look for, such as the type and volume of data, special categories of data or data relating to children.
Then address the findings of DPIAs and action any follow up items and for those where the risk cannot satisfactorily be mitigated, detail the actions taken including referral to the supervisory authority and their decision.
So what’s next…
There are many other aspects and requirements of the GDPR which need to be considered but which have not been covered in this top six. It is worth setting some time aside to fully cover the other requirements to make sure that alignment with the six principles of the GDPR can be evidenced (accountability).
Some of the other aspects include:
- Data transfers outside of the EU and the safeguards to protect them
- Contracts with Data Processors
- The need for a Data Protection Officer (DPO)
- Data Protection by Design and by Default
- Data Privacy notices, Data Protection Policies and documented Retention Schedules
- Awareness, education and training
Sysnet Global Solutions is dedicated to preventing security breaches at small businesses and can help with a variety of tasks such as the Data Discovery exercise, risk assessments, policies and procedures. Simply ask your customers to get in touch with us and a friendly member of our dedicated support team will contact them as soon as possible.