The General Data Protection Regulation (GDPR) and your Business: Part 1 - What do you need to know?
Information. We live in a world saturated by it. We all use it every single day in some way. Whether it’s for business or for personal reasons, there is no escaping the information-driven world.
Why do we need information? Decision making, plain and simple.
Businesses need it so they can understand themselves and the customers they serve better. Equally, you need it on a personal level so that you can serve yourself better.
The easiest way to illustrate this point is below:
“I could buy product X from here, but I checked site Y and it’s actually cheaper there.”
Information = power.
But to quote a famous 18th century philosopher (or Uncle Ben from Spiderman, whichever you prefer!)
“With great power comes great responsibility”.
So as a business, what is your responsibility where information is concerned? Welcome to Information Governance, or IG.
IG isn’t something new in business, yet it is a labyrinth of policies, procedures, processes, controls etc. that are used to manage information and to support an organisation’s regulatory, legal, risk, environmental and operational requirements. GDPR is yet another IG hoop most businesses are going to have to jump through.
So what exactly is it? Essentially, it’s a privacy law which applies directly in all member states of the EU (no national implementing legislation is needed) and which covers “personal data”: any information relating to an identified or identifiable individual (known as a ‘data subject’), whether identifiable directly or indirectly.
(I know, I had to re-read the last part a couple of times too before it sank in).
It is also a harmonisation of the data protection regimes throughout the member states (currently we have 28 local laws, underpinned by the 1995 Data Protection Directive) and it applies from 25 May 2018.
Ah Brexit, I hear you cry! We won’t be an EU member state! Let’s examine that for a moment.
The likelihood of the UK not complying with this is slim to none. It may not be applied to us automatically like other member states. This being said, after the invocation of Article 50 within the Lisbon Treaty and that process being completed, we’d be considered a country trading from outside the EU in and would still have to comply.
(This is my own personal opinion, not of Arrow ECS).
Irrespective of that, if you are a business that operates within Europe and beyond, or from outside of the EU in, this is still going to affect you.
So why is it happening? The idea is that individuals can control how information about them is used, and that those who control it protect it from unauthorised disclosure.
This matters because we live in a world where your fingerprint can unlock your phone, and potential employers can check your Facebook and Twitter posts.
Current law and GDPR divide the responsibilities up:
- Controllers determine the purpose and means of data processing: in practice, the organisation that decides why and how personal data is collected and used (often loosely called the data owner).
- Processors do the processing on behalf of a Controller, in accordance with the Controller’s instructions – most service providers in most industries are in this category.
For example, a cloud storage service provided by a vendor where customers place their data into the service.
As it stands now, Controllers are bound by law to put contracts in place with their Processors, but Processors themselves have no direct statutory obligations. GDPR changes this and makes Processors directly liable in their own right.
Liable for what then? Yep you guessed it, fines! And some hefty ones at that!
Fines are set in two tiers: up to 2% of your annual worldwide turnover in the previous financial year (or €10m, whichever is higher) for the lower tier of infringements, and up to 4% (or €20m, whichever is higher) for the upper tier, which covers breaches of the core principles, of data subjects’ rights and of the transfer rules.
So non-compliance with GDPR presents serious business risk. The burden of proof is also on the business: you must be able to demonstrate compliance (the accountability principle), so just complying isn’t enough.
As with any regulation, there is a set of requirements that are outlined. Some of this (if you’re in the UK) you should be familiar with. They encompass:
Lawfulness, fairness and transparency:
- This means more information for the data subject.
- The right to complain.
- Information on how the personal data is being protected when held outside of the EU.
- Keeping detailed records of processing (including breaches) which can be inspected by the authorities, in place of the current notification and registration requirements with the data protection authority.
- Mandatory breach notification to the supervisory authority no more than 72 hours after becoming aware of the breach, where feasible.
Purpose limitation & Data minimisation:
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- You hold personal data about an individual that is adequate and sufficient for the purpose you are holding it for in relation to that individual.
- You do not hold more information than you need for that purpose.
Accuracy & Storage Limitation:
- Rights for data subjects:
- Right of access: to see all personal data held on them.
- Right to demand erasure (AKA “Right to be Forgotten”).
- Right to correct inaccurate information.
- Right to have information in a portable format.
- One month to respond to a request, extendable by up to two further months for complex or numerous requests.
- Breaches of data subjects’ rights fall into the upper tier of fines (a “major breach”).
Confidentiality and Integrity
- Confidentiality: the ability to hide information from those people unauthorised to view it.
- Integrity: the ability to ensure that data is an accurate and unchanged representation of the original secure information.
- Accountability: the obligation of an individual or organisation to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner.
Another area you have to seriously think about is Personal Data Transfers. If you don’t put the right measures in place, it’s treated as a major breach (upper-tier fine). Transfers outside the European Economic Area (EU + Norway, Iceland, Liechtenstein) are legal provided that an equivalent level of protection continues to apply once the data has left the EEA. There are several ways to ensure protection:
- Country is approved as providing adequate protection by the EU Commission (an “adequacy decision”)
- Data Transfer Agreements utilised by businesses (for example the EU Standard Contractual Clauses)
- Privacy Shield
Privacy Shield is the new “Safe Harbour” for transfers to the US; the European Commission finalised its adoption on 12 July 2016. Safe Harbour was invalidated by the Court of Justice of the EU in October 2015, as it didn’t provide adequate protection against access to data by US authorities, nor ensure protection of that data in onward transfer(s).
Loads to think about right? You have to now ask yourself a few questions:
• Do you know what personal data you process?
• Do you know where it is and how it flows in the organisation?
• Do you consider privacy at every level?
• Have you reviewed your information risk management process for data privacy?
• Have you reviewed your security controls against privacy requirements?
• Do you have robust detection and monitoring processes?
If you can’t answer “yes” to all of the above questions then you’re really not ready for GDPR and could probably use some help…
Help is at hand however! In the next post I’ll discuss some of the ways in which you can use solutions within the Arrow ECS portfolio to aid you in not just complying with GDPR but being able to prove you’re compliant.
If you have any questions about this post please drop me a line in the comments below or email me.
Part 2 will be live on the blog next Tuesday.
Make sure you also give our podcast a listen: the episode features David Fearne, Richard Holmes and special guest Neil Cattermull from Compare the Cloud discussing GDPR and what it means for your business.
Chris Collier is a Technical Account Manager within the Arrow team.