“We’ve made mistakes” isn’t the type of statement a customer wants to hear from their data controller, particularly when their personal data has been breached. However, over the years the increasing number of cyber threats and breaches has made such statements common. Here Christopher Scott, programme director at The Bunker, discusses why GDPR could actually make your business better.
As systems become more advanced and powerful, so does our ability as businesses to provide products and services online. These products and services make it easier for us to collaborate and share information in ways previously not possible. However, they also expose us to greater risks if those systems are compromised, especially when the data involved is personally identifiable information.
As humble data subjects, which the majority of us are, we have vast amounts of personal information stored online in data centres anywhere in the world. This information can include anything from details relating to loans, mortgages and bank accounts to medical records and data; even our personal interests, hobbies or the foods we like can be accessed at the click of a button. The problem is that we don’t generally know who has access to this information, where it is stored, what security measures are in place to protect it, or whether our information has ever been breached.
As data subjects, we generally trust the data controller with all the information we provide them, and in return we ask for two things. Firstly, that we get access to the products and services they are offering. Secondly, that they keep our information safe.
However, security around personal information is not guaranteed, and over recent years we’ve seen large data breaches from companies that should have done more to protect the data they hold. When I give talks about the General Data Protection Regulation (GDPR) I often ask: “Who has ever had their data breached?” It will not surprise you to learn that over half the room raise their hands, mine among them. A breach of personal data has been likened to having your house burgled: you feel violated in some way. However, the consequences can be worse, as once a hacker has your information they can clone your identity, steal funds from your bank account or sell your information on. As data subjects, most of us have no interest in exercising our rights come 25 May 2018 just to give the data controller and processor a hard time. However, we do insist that if we give you our data, you respect our wish to keep it safe.
Over the past 22 years each member state has operated under its own data protection laws, based on the objectives outlined in the Data Protection Directive 1995. However, the way we treat data and the systems we use today are very different from all those years ago.
Modern businesses are online 24/7, with large quantities of data being backed up to tape or stored within the cloud, and applications such as CRMs have mainly moved to SaaS-based solutions. The General Data Protection Regulation has been designed specifically to protect the rights and freedoms of EU citizens’ personal data in the modern age, whilst reducing barriers to business by facilitating the free movement of data throughout the EU. As GDPR is a regulation and not a directive, all 28 member states will need to comply with one law. This promotes consistency in how data is protected throughout the member states, and that consistency is further extended to those members of the EEA who have adequacy agreements in place, meaning they also benefit from the free movement of data.
Over the years we’ve seen some large data breaches making headline news. Large companies, from the gaming industry, payday lenders and mobile phone companies right the way through to billion-pound social media giants, have all been found to be “making mistakes” in data security. Unfortunately, these mistakes cost the data subject, as it’s their data being held to ransom.
The Information Commissioner’s Office (ICO) analysed enforcement actions against the 8 principles of the Data Protection Act 1998.
Their findings concluded that over half of the enforcement actions were due to poor data security measures implemented within organisations, and a third were due to inadequate data retention policies. These conclusions suggest we do not have the right Technical and Organisational Measures (TOMs) in place to protect personal data in the modern age: either businesses hold on to data for far too long, or they do not test their restore procedures often enough to guarantee data availability.
The sanctions that can be imposed by each member state’s statutory authority for breaches are intended to be effective, dissuasive and proportionate. Enhancements and new rights have been added for the data subject, whilst the accountabilities placed on both processor and controller force businesses to change their attitude towards data security: they must work closely together to assess their own business processes and supply chains and ensure they can demonstrate the TOMs necessary to meet compliance. The fines are only a deterrent and are not meant to penalise businesses, but if there is a breach, a forensic examination will need to find proof that you took the necessary steps to protect your data subjects.
Data controllers and processors have been conditioned by the market to see GDPR as a draconian regulation that will increase their costs, create resource overheads and take away their business if they don’t get it right. The market’s view of the data subject is that their behaviour will change overnight come 25 May 2018. It is thought that data subjects will overwhelm companies with data subject access requests, and that if these are not actioned within 30 days, enforcement measures will be imposed which could result in a fine of 4% of global turnover or €20,000,000, whichever is higher.
This has been further exacerbated by common GDPR myths, such as that you need consent for all personal information you hold and that you have to appoint a Data Protection Officer, all of which make it hard for the board of a company to make calculated decisions on where they should be making investments and where to focus their efforts in complying with the regulation.
As businesses we need a paradigm shift in our thinking. GDPR is a data protection law that has been designed to help businesses grow whilst protecting the data subject’s rights. As the Data Protection Officer and compliance lead for a Managed Service Provider that hosts data within ex-military nuclear bunkers, I have had the privilege of working with some of the strictest organisations, who demand governance, risk and compliance around their data because of who they are. GDPR was published in January 2016, and these organisations are very advanced in their thinking.
I’ve assisted these businesses every step of the way, and although the road has been difficult, we identified opportunities that have helped those businesses not only meet compliance but also grow their customer base whilst reducing their operational costs.
At The Bunker we have identified three key opportunities every business can take advantage of just by implementing GDPR. The first is around data mapping. The first thing you need to do as a business is identify where your data resides within your organisation. Once you have done this, you perform a risk assessment against the 6 principles of GDPR. By doing this you are challenging your business on the data you hold: asking why you have the data, how long you store it for, whether the data is minimised, and so on. What you end up doing at this stage is boiling down the data you have and addressing your business processes to make them more robust. What we have discovered is that making sure you are compliant with GDPR gives you key operational efficiencies, and in a business this is a way of increasing or maintaining your margins without incurring extra operational costs.
This first step alone reduces your business’s costs and provides you with a stable, compliant platform for growth. The second opportunity we unearthed was around Article 28 Paragraph 1. This states that the data controller must only use processors that provide sufficient guarantees that they can process the data on the controller’s behalf in line with the regulation. Simply put, this is about performing the correct due diligence on your supply chain. We have found that procurement departments need the right level of evidence that their processor can comply with GDPR. This means that those processors who can demonstrate compliance will win business. However, procurement departments should act with caution when selecting a supplier. GDPR covers codes of conduct and certification (Articles 40 and 42), but these by no means guarantee that a supplier is compliant. Procurement is advised to be very cautious about who they select and how those suppliers have demonstrated compliance.
The final opportunity that we identified was in a business’s product and services catalogue. Every business that handles data subjects’ personal data should already have the necessary security in place. Data protection is nothing new, and in the UK we’ve been governed by the Data Protection Act since 1998. However, what most businesses don’t realise is that there is no silver bullet for GDPR. There simply is not one service that can solve all the challenges presented by GDPR. We have found that by assessing the applications, methodologies, processes and procedures of our customers and partners, they were able to add data protection services to their product portfolio just by the very nature of what they do. This not only helped them in their due diligence processes when tendering for business, but also helped them win business within their sector because none of their competitors had this unique offering. It also helps to retain existing customers.
GDPR is a thousand-mile journey. That journey begins when the first step is taken and is then an ongoing process, which requires a business to take things one step at a time to make sure that it is compliant with all aspects of GDPR. I urge businesses to start taking action if they have not already done so. If you are still not sure where to start, the ICO have published a number of documents to separate fact from fiction, and have a 12-step plan as well as a risk assessment which you can follow to help you get the ball rolling. My advice is to understand your role and the important part you play in protecting your data subjects’ data. If you are unclear as to what you need to do or how you are going to do it, get some help in putting a privacy framework and GDPR roadmap in place. These tools will help you and your organisation focus on what you need to do to meet compliance come 25 May 2018 and take full advantage of the opportunities presented to your business.