Tag Archives: gdpr

Consequences for an IT Department of the General Data Protection Regulation (GDPR)

Ed Stout
Support Services Manager
Leeds Beckett University

EUNIS 2017


During his EUNIS 2017 keynote ‘General Data Protection Regulation – Consequences for an IT Department’, Rainer W. Gerling, CISO of the Max Planck Society and Honorary Professor for IT Security in the Department of Computer Science and Mathematics at the Munich University of Applied Sciences, took us on a journey to better understand the General Data Protection Regulation (GDPR), which will soon be fully in force across the European Union. In 2012 the European Commission tabled an initial proposal to regulate data protection within the EU, and by the end of 2015 the European Commission, European Council and European Parliament had agreed to take it forward. As of 2017 we are in the grace period before it formally comes into full force on 25th May 2018… which leaves all of us with not a lot of time to get our houses in order!

Microsoft’s Windows 10 operating system now offers more than 50 native data protection settings under ‘Privacy Settings’; however, Rainer stressed that it is highly important that we in HE review these settings and adjust them away from the defaults.
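One way to check that managed Windows 10 devices have not been left on vendor defaults, as an added example that is not part of the keynote or this post: a PowerShell audit of a few privacy-related policy values. The registry paths and value names are standard Windows policy locations; the expected values are an assumed baseline chosen for illustration, not a recommendation from the talk.

```powershell
# Added example: compare a handful of Windows 10 privacy policy values against
# an assumed baseline. Paths/value names are standard Windows policy locations;
# the Expected values below are our own illustrative choices.
$Baseline = @(
    @{ Name = 'Diagnostic data (telemetry) level'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Value = 'AllowTelemetry'; Expected = 0 }   # 0 = Security; only honoured on Enterprise/Education
    @{ Name = 'Advertising ID disabled by policy'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       Value = 'DisabledByGroupPolicy'; Expected = 1 }
    @{ Name = 'Location services disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
       Value = 'DisableLocation'; Expected = 1 }
    @{ Name = 'Cortana disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Value = 'AllowCortana'; Expected = 0 }
)

function Test-PrivacyBaseline {
    param([array]$Baseline)
    foreach ($item in $Baseline) {
        # Missing key or missing value means no policy is set and the Windows default applies,
        # which is exactly the situation the keynote asks us to review.
        $key = Get-ItemProperty -Path $item.Path -ErrorAction SilentlyContinue
        if ($null -eq $key -or $null -eq $key.($item.Value)) {
            $actual = $null
            $status = 'DEFAULT (not configured)'
        } elseif ($key.($item.Value) -eq $item.Expected) {
            $actual = $key.($item.Value)
            $status = 'OK'
        } else {
            $actual = $key.($item.Value)
            $status = 'DRIFT'
        }
        [pscustomobject]@{
            Setting  = $item.Name
            Actual   = $actual
            Expected = $item.Expected
            Status   = $status
        }
    }
}

# Run on the local machine; in practice this would be pushed to managed devices
# via your existing management tooling and the output collected centrally.
Test-PrivacyBaseline -Baseline $Baseline | Format-Table -AutoSize
```

Anything reported as DEFAULT or DRIFT is a setting the institution has not consciously decided on, which is the gap to close before documenting technical measures.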

Given the serious nature of the proposed fines, which can be as much as €20 million if an organisation is found in breach of the regulations, it is certainly worth taking the new legislation very, very seriously. Encryption is paramount under GDPR Article 32, and what needs to be encrypted? Well, pretty much everything!

Technically, standards which are considered ‘state of the art’ only remain so for a limited lifespan as new and improved solutions are developed, as Rainer’s slide on cryptographic protocols demonstrated. It is therefore important that we review our measures continually to ensure that we are meeting legislative requirements.

So what should we be doing now? We should be:

  • Contacting our relevant data protection officers to discuss the implications of the legislation in line with our own institution’s technical configuration.
  • Acknowledging that it is not simply the IT department’s responsibility to ensure that we meet the relevant legislative needs, but that the University as a whole is responsible.
  • Documenting our technical measures in line with ISO27000.
  • Collaborating with other HE institutions.

And we should be…

  • Improving our technical measures and accepting that state of the art is a moving target.

Rainer suggests that the current technical recommendations are:

[Photo of the slide listing the technical recommendations; not reproduced here]

This blog post first appeared on http://www.edstout.co.uk/2017/06/27/day-3-reflections/

GDPR – Understanding Penalties, Fines and Liabilities

In his second post, Craig Clark, Information Security and Compliance Manager at the University of East London, looks at the interpretation of Article 83 of the General Data Protection Regulation.

Introduction

The introduction of the General Data Protection Regulation (GDPR) has been dominated in the main by one topic – what fines organisations could face if they are found to have breached the GDPR by a supervising authority, which in most cases for the UK will be the Information Commissioner’s Office (ICO).
Many media outlets have been quick to leap on the fact that the maximum fine for non-compliance is €20,000,000 or 4% of global annual turnover, whichever is higher. However, in the haste to report this, many commentators have forgotten to clarify that this is the maximum fine. Below, I have attempted to break down the conditions for imposing administrative fines and show there is a bit more to it.

Understanding the Fining Structure

The GDPR has been designed to ensure that organisations take the appropriate measures to protect personal data against the risks of loss in the 21st Century. For organisations that fail to meet the requirements, the GDPR allows the supervising authority to take a range of actions including:

  • Issue warnings;
  • Issue reprimands;
  • Order compliance with Data Subjects’ requests;
  • Communicate the Personal Data breach directly to the Data Subject.

In addition to the above, the supervising authority has the power to impose administrative fines that will in each case be effective, proportionate and dissuasive.

There are two tiers of administrative fine that can be imposed. The maximum fine for the first tier is €10,000,000 or, in the case of an undertaking, up to 2% of total annual global turnover (not profit) of the preceding financial year, whichever is greater. The second tier maximum is €20,000,000 or, in the case of an undertaking, up to 4% of total annual global turnover (not profit) for the preceding financial year, whichever is greater. The fines within each tier relate to specific articles within the Regulation that the controller or processor has breached. As a general rule, breaches of obligations by controllers or processors will result in a fine within tier one, while breaches of data subjects’ rights and freedoms will result in a fine within tier two.

Question: Does your organisation understand what articles of the GDPR relate to a tier 1 or tier 2 fine?

How will Fines be Determined?

The GDPR is clear that, in order to ensure any fine is proportionate, a range of factors will be assessed by supervisory authorities when investigating organisations that breach the GDPR.

Of key importance will be the nature, gravity, duration and character of an infringement. It is also worth noting that actions taken by the controller or processor to mitigate any damage suffered by data subjects, along with the degree of responsibility for the technical and organisational measures implemented by controllers and processors to prevent the breach occurring, will be considered during an investigation.

The Regulation also allows the supervising authority to take a holistic approach to an investigation and consider factors such as infringement history (including previous correction notices), level of co-operation, the categories of personal data affected, the manner in which the breach became known and was reported, the level of adherence to approved codes of conduct or certification mechanisms, and any other aggravating or mitigating factors.

Minimising Fines

It is logical to suggest that an organisation which demonstrates a positive approach to ensuring security, with a range of technical, management and operational controls, will receive a lower fine than an organisation that takes no measures, or blatantly disregards its obligations under GDPR. It is also worth noting that the Information Commissioner has made it clear that, in terms of incident reporting, organisations that proactively report breaches will be given more credit than organisations that do not report a breach which is then discovered by a third party.

Question: Does your organisation currently document breaches? If it does, how are these reported?

In summary, organisations can significantly reduce the likelihood of receiving a maximum fine by establishing a culture that promotes information security best practice and an ethos centred on protecting personal information. As we have seen with the outcome of the TalkTalk breach, the ICO is now entering a new phase of exploring the upper limits of the monetary fines available to it. It is highly likely that this trend will continue into 2018, meaning that GDPR compliance should be high on the list of 2017 objectives for organisations that fall within its scope.

EU-GDPR: Using the fear stick is missing an opportunity

The General Data Protection Regulation is scheduled to come into force in May 2018. As it will be EU law before the process to leave the EU is completed, it will be one of the pieces of legislation that rolls over into UK law. In this article, first published on LinkedIn, Craig Clark, Information Security and Compliance Manager at the University of East London, highlights the opportunities GDPR presents.

For those that have worked in privacy for a long time, the path towards the final draft of the General Data Protection Regulation has been incredibly long (2011) and at times frustrating. Now that the countdown is well underway, CIOs, Information Security types and those in IT or legal functions seemingly can’t escape the barrage of GDPR-related content on their news feeds and meeting agendas.

I have kept a close eye on how the GDPR compliance issue is being pitched by vendors, lawyers and GRC consultants, and in an overwhelming number of cases the key point they want to drive home is the increased penalties for non-compliance – usually with a headline similar to: IF YOUR ORGANISATION DOES NOT COMPLY WITH THE GDPR THEY COULD BE FINED €20 MILLION!

While this is technically correct, it is entirely misleading, not least because the next line should read (or 4% of annual global turnover, whichever is higher). The GDPR is about much more than penalties, fines and liabilities. While one of the core aims is to enhance the protection of Data Subjects with a significant increase in their rights, there are many potential benefits for organisations. The problem is that by leading with a large negative, there is a serious risk that the advantages the Regulation offers are going to be overlooked.

Let’s take a look at some key advantages:

Improved Records Management

Perhaps the most obvious benefit is that the GDPR presents an opportunity to explore and refresh how you gather, store, use and delete data. This is a chance to unleash real business value from all that personal information you currently curate, often, at the moment, for no other reason than because it is there. This leads to huge costs of storing unnecessary data and the complex challenge of now trying to unravel what the organisation needs to store for business purposes. By employing data minimisation, and ensuring that data subjects’ data can be kept up to date as a matter of design, organisations could benefit from:

  • improved efficiency in customer interactions
  • reduced data storage costs (electronically and physically)
  • less wasteful marketing campaigns that use out-of-date information
  • lower security risk due to less personal data on file
  • lower likelihood of regulatory intervention

Development of Trust

For many organisations trust is the hardest virtue to instil in its customers and the first thing to be lost when things go wrong. If we take the TalkTalk data breach as a classic example, their customer base significantly reduced in the immediate aftermath of the breach and, despite major changes to their Information Security practices, this has had a significant impact on their customer numbers and subsequently the forecasts they can make about future performance. Quite simply, people no longer trust them.

By mandating the need for improved security and reporting, GDPR gives organisations the opportunity to show that they take the security of customers’ data seriously. After all, without that data, what would the business be? By actively demonstrating a willingness to comply with and embrace GDPR, organisations will demonstrate a strong commitment to their customers and keep them coming back, protecting and growing the organisational brand.

Improved Operational Effectiveness

One of the most positive aspects that can be taken from GDPR is that it allows business to fully champion a risk-based approach to information management. This means that whilst the rules are the same for everyone, how these rules are applied will largely be up to the organisation to decide, depending on the level of risk that a given data activity presents for people’s privacy. Many of the obligations in the GDPR can be implemented in varying degrees depending on the risk appetite. This means that organisations can choose to implement procedures and practices based on their business and the level of privacy they need to provide, rather than implementing procedures for the sake of it. This could be regarded as a source of uncertainty for the C-Suite, but in practice the risk-based approach is what will make the GDPR not only effective but fair.

Pulling it Together

Once an organisation has looked past the headlines and begins to scope out how it is going to achieve compliance, the obvious question is “Where do I start?” Make no mistake, GDPR compliance will be complex for medium to large enterprises, but there is a path through it. One of the first things organisations should look at is the ICO document 12 steps to take now. This guide will allow organisations to begin planning and feeding in their specific requirements. Once the initial plan is outlined, it is my view that the smoothest path to compliance is to integrate a Personal Information Management System (PIMS) into the current business model. For organisations that utilise an Information Security Management System (ISMS) such as ISO27001, this will be familiar territory. For those that do not, the current PIMS standard in the UK is BS10012:2009; however, BS10012:2016 is being rewritten to include the requirements of the GDPR. Implementing this standard will allow an organisation to benchmark personal information management practices against recognised best practice. Crucially, it will also allow organisations to produce auditable evidence of their data privacy practices and go a long way to satisfying the Information Commissioner’s Office that organisations have taken on board that data privacy is no longer ‘best efforts’.