The hidden security challenges of the GDPR


There’s no shortage of information out there about the importance of security when it comes to protecting sensitive data – especially with the GDPR looming. But with just two months to go before this new legislation kicks in, there are still certain aspects that haven’t been given the attention they really need.

One such area is security. There are reams of advice about how crucial it is for businesses of all sizes to have effective defences in place, in order to safeguard personal information – but what precisely does this involve?

Data security is a hugely hot topic at the moment – and rightly so. The whole point of the GDPR is to uphold the rights of individual data subjects when it comes to how their personal information is obtained, stored, used and disclosed. And one of these fundamental rights is that, for as long as their data is kept and processed, this is done with adequate defences in place.

Looking after personal data

One key thing to remember when it comes to handling personal data is that it does not belong to you. As one Computer Weekly article states, “The data has been loaned to us by the data subjects who have a right to expect it will be used for the express intention it was collected for, then kept safe and deleted when the mutually agreed purpose for collection has expired.”

So, a good real-life analogy might be to imagine this data as a precious and fragile object that you have borrowed from someone. They have entrusted it to you, expecting you to use it only for the specific reasons you initially requested it for, and to return it as soon as these uses have been fulfilled.

If your mother-in-law loaned you her most treasured china teapot for a sophisticated afternoon party, for example, you would – hopefully! – not also use it as a replacement watering can, keep it for seven months longer than you needed to, lend it to a friend without asking her permission first, or lose it. And if she asked for it back – even before you’d had the chance to use it – you would, of course, smile sweetly and return it graciously.

So in a nutshell, the GDPR is about treating customer, employee and other individuals’ data with this degree of respect.

Securing sensitive information

But of course, when it comes to data security – particularly that of the digital variety – there are a number of external considerations to contend with. Having the intention to protect personal information isn’t enough – tangible security mechanisms also need to be in place to ensure that it doesn’t get misused or fall into the wrong hands.

The truth is, there is a huge volume of information relating to data security within the GDPR – and it’s not all that fun to digest. But helpfully, the GDPR Report has condensed the five key articles pertaining to the safeguarding of sensitive information, and the main takeaway points from each.

- Data protection by design and by default (Article 25)

This element relates to your company’s obligation to ensure that your processes meet the data protection principles – and that you take the necessary technical/organisational measures to achieve this. For instance, you might use data masking – or pseudonymisation – to ensure that personal data can no longer be directly linked to individual data subjects without the use of extra information.

In line with the principle that says information must be used adequately, relevantly and only when needed, you should only process the minimum amount of data that’s required for a specific purpose. An example of this would be that if you keep a directory of all employees’ contact information for internal office use, you don’t need to include other data that you have on file within this – such as employee ID or passport numbers.
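As an added illustration of the two Article 25 points above (my own example code, not from the original post or from Q2Q), the snippet below builds the internal staff directory by projecting each HR record onto only the fields the directory purpose needs, and replaces the employee ID with an HMAC-based pseudonym whose key is held separately from the data, so linking a directory row back to a person requires that extra information. All records, names and the key are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample HR records (not real people). The full record carries
# direct identifiers that the internal directory must not contain.
HR_RECORDS = [
    {"employee_id": "E1001", "passport_no": "P123456", "name": "A. Example",
     "desk_phone": "x201", "email": "a.example@example.test"},
    {"employee_id": "E1002", "passport_no": "P654321", "name": "B. Sample",
     "desk_phone": "x202", "email": "b.sample@example.test"},
]

# Data minimisation: only the fields the directory purpose actually needs.
DIRECTORY_FIELDS = ("name", "desk_phone", "email")

def pseudonymise_id(employee_id: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed token. Without `key`, which is
    stored separately from the dataset, the token cannot be linked back."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]

def build_directory(records, key):
    """Project each record onto DIRECTORY_FIELDS and attach a pseudonym so a
    row can still be matched to HR data by whoever holds the key."""
    return [
        {**{f: r[f] for f in DIRECTORY_FIELDS},
         "ref": pseudonymise_id(r["employee_id"], key)}
        for r in records
    ]

def leaked_fields(directory, forbidden=("employee_id", "passport_no")):
    """Check that no forbidden direct identifier survived minimisation."""
    return sorted({f for row in directory for f in row if f in forbidden})

def relink(directory, records, key):
    """Re-identification needs the key: map each pseudonym to its employee_id
    (None when the key does not match the one used to build the directory)."""
    lookup = {pseudonymise_id(r["employee_id"], key): r["employee_id"] for r in records}
    return {row["ref"]: lookup.get(row["ref"]) for row in directory}

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # keep this apart from the directory itself
    directory = build_directory(HR_RECORDS, key)
    print(directory, leaked_fields(directory), relink(directory, HR_RECORDS, key))
```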

- Security of the processing itself (Article 32)

Although the GDPR has been designed with the fast-evolving nature of technology in mind, there are certain data security requirements outlined in this article that you’ll need to keep in mind.

These require that you implement certain technical measures to keep sensitive information safe – taking appropriate costs, scope, risks, context and purpose into account. In summary, these relate to:

  - The pseudonymisation/encryption of personal data

  - Ensuring processing systems/services are confidential and well-protected

  - Enabling access to data, including how this is restored after an incident

  - Frequently checking processes/technologies that are used to protect data.

- Notification of data breaches to the appropriate regulator (Article 33)

In the event of a personal data breach, you’ll have to notify the ICO within 72 hours of discovering it. If you fail to do this, you’ll need to provide adequate reasons as to why you weren’t able to meet the deadline. Similarly, within your business, the Data Processor who finds the breach will need to notify the Data Controller immediately to avoid unnecessary delays. (If you’re unsure of the difference between the two roles, check out this blog!)

The minimum amount of information to be provided to the ICO about the breach will be its nature, what data has been affected, the estimated number of individuals/records impacted, the contact details of the Data Protection Officer (if applicable), its likely impact and what mitigating measures have been taken. This can be supplied in phases if needed.

- Notification of data breaches to the affected individual (Article 34)

As above, Article 34 requires you to notify any person impacted by the data breach without delay. This communication must be clear, easy to understand and contain the same details as those provided to the ICO.

However, there are a few exceptions to this rule, meaning you don’t need to notify the individual if the following conditions are met:

  - All data remains secure, through encryption or other measures

  - Appropriate steps are taken in the aftermath to effectively protect the data and minimise the risk to the individual

  - The process of informing each affected person would involve “disproportionate effort”, in which case you’ll need to communicate the breach in another way – for instance, by sending out a press release.

- Data Protection Impact Assessment (Article 35)

Whenever a new data process is introduced that has the potential to put individuals’ rights at risk, you’ll need to carry out a Data Protection Impact Assessment (DPIA). The Data Controller conducting it will need to do so under the guidance of your Data Protection Officer (if your company has one).

You can find out more about the DPIA process here, but in summary, you will need to conduct an extensive audit of the personal data processing carried out by your business. Along with identifying and documenting the location, risk level, access to and use of all sensitive information that you store, you’ll also need to ensure you have the measures in place to repeat this procedure on a frequent basis.

So, there’s admittedly a lot of information to take in when it comes to your data security obligations under the GDPR. But hopefully, by breaking these key elements of the regulation down into bitesize chunks, we’ve helped you get your head around your duties a little more!

If you’re still baffled by data security or unsure of where to start with a DPIA, don’t suffer in silence! Get in touch to find out how we can help.
