The hidden security challenges of the GDPR
There’s no shortage of information out there about the importance of security when it comes to protecting sensitive data – especially with the GDPR looming. But with just two months to go before this new legislation kicks in, there are still certain aspects that haven’t been given the attention they really need.
One such area is what security involves in practice. There are reams of advice about how crucial it is for businesses of all sizes to have effective defences in place in order to safeguard personal information – but what precisely does this involve?
Data security is a hugely hot topic at the moment – and rightly so. The whole point of the GDPR is to uphold the rights of individual data subjects when it comes to how their personal information is obtained, stored, used and disclosed. One of these fundamental rights is that, for as long as their data is being kept and processed, this is done with adequate defences in place.
Looking after personal data
One key thing to remember when it comes to handling personal data is that it does not belong to you. As one Computer Weekly article states, “The data has been loaned to us by the data subjects who have a right to expect it will be used for the express intention it was collected for, then kept safe and deleted when the mutually agreed purpose for collection has expired.”
So, a good real-life analogy might be to imagine this data as a precious and fragile object that you have borrowed from someone. They have entrusted it to you, expecting you to use it only for the specific reasons you initially requested it for, and to return it as soon as these uses have been fulfilled.
If your mother-in-law loaned you her most treasured china teapot for a sophisticated afternoon party, for example, you would – hopefully! – not also use it as a replacement watering can, keep it for seven months longer than you needed to, lend it to a friend without asking her permission first, or lose it. And if she asked for it back – even before you’d had the chance to use it – you would, of course, smile sweetly and return it graciously.
So in a nutshell, the GDPR is about treating customer, employee and other individuals’ data with this degree of respect.
Securing sensitive information
But of course, when it comes to data security – particularly that of the digital variety – there are a number of external considerations to contend with. Having the intention to protect personal information isn’t enough – tangible security mechanisms also need to be in place to ensure that it doesn’t get misused or fall into the wrong hands.
The truth is, there is a huge volume of information relating to data security within the GDPR – and it’s not all that fun to digest. But helpfully, the GDPR Report has condensed the five key articles pertaining to the safeguarding of sensitive information, and the main takeaway points from each.
Data protection by design and by default (Article 25)
This element relates to your company’s obligation to ensure that your processes meet the data protection principles – and that you take the necessary technical and organisational measures to achieve this. For instance, you might use data masking – or pseudonymisation – to ensure that personal data can no longer be directly linked to individual data subjects without the use of extra information, which is held separately.
In line with the principle that information must be adequate, relevant and limited to what is necessary, you should only process the minimum amount of data that’s required for a specific purpose. An example of this would be that if you keep a directory of all employees’ contact information for internal office use, you don’t need to include other data that you have on file within it – such as employee ID or passport numbers.
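As an added illustration of the two Article 25 measures just described (pseudonymisation and data minimisation), and not code from the original post: the employee record, the directory field list and the demo key below are all constructed for the example.

```python
import hmac
import hashlib

# Constructed sample HR record: the full set of fields on file for one employee.
FULL_RECORD = {
    "employee_id": "E12345",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "desk_phone": "+44 20 7946 0000",
    "department": "Finance",
    "passport_number": "123456789",
    "home_address": "1 Example Street, London",
}

# Fields the internal contact directory actually needs (data minimisation):
# everything else stays in the HR system of record and never reaches the directory.
DIRECTORY_FIELDS = ("name", "email", "desk_phone", "department")


def minimise(record: dict, allowed: tuple = DIRECTORY_FIELDS) -> dict:
    """Project a full record onto only the fields a specific purpose requires."""
    return {field: record[field] for field in allowed if field in record}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed token.

    HMAC-SHA256 under a secret key means the token cannot be reversed or
    re-derived without that key, so the key is the 'extra information' that
    must be held separately from the pseudonymised dataset. The same
    identifier always maps to the same token under one key, so the key holder
    can still link records when there is a lawful need to.
    """
    mac = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def directory_entry(record: dict, key: bytes) -> dict:
    """Build what the directory stores: minimised fields plus a pseudonym reference."""
    entry = minimise(record)
    entry["subject_ref"] = pseudonymise(record["employee_id"], key)
    return entry


if __name__ == "__main__":
    # Constructed demo key; in practice this lives in a key vault, not in code.
    demo_key = b"constructed-demo-key-not-for-production"
    print(directory_entry(FULL_RECORD, demo_key))
```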
Security of the processing itself (Article 32)
Although the GDPR has been designed with the fast-evolving nature of technology in mind, there are certain data security requirements outlined in this article that you’ll need to keep in mind. These require you to implement technical measures to keep sensitive information safe – taking the costs, scope, risks, context and purpose of the processing into account. In summary, these relate to:
- The pseudonymisation/encryption of personal data
- Ensuring processing systems/services remain confidential and well protected
- Maintaining access to data, including how this is restored after an incident
- Regularly testing the processes/technologies that are used to protect data.
Notification of data breaches to the appropriate regulator (Article 33)
In the event of a personal data breach, you’ll have to notify the ICO within 72 hours of discovering it. If you fail to do this, you’ll need to provide adequate reasons as to why you weren’t able to meet the deadline. Similarly, within your business, the Data Processor who finds the breach will need to notify the Data Controller immediately to avoid unnecessary delays. (If you’re unsure of the difference between the two roles, check out this blog!)
The minimum information to be provided to the ICO about the breach is its nature, what data has been affected, the estimated number of individuals/records impacted, the contact details of the Data Protection Officer (if applicable), its likely impact and what mitigating measures have been taken. This can be supplied in phases if needed.
Notification of data breaches to the affected individual (Article 34)
As above, Article 34 requires you to notify any person impacted by the data breach without delay. This communication must be clear, easy to understand and contain the same details as those provided to the ICO.
However, there are a few exceptions to this rule, meaning you don’t need to notify the individual in the following circumstances:
- All data remains secure, through encryption or other measures
- Appropriate steps are taken in the aftermath to effectively protect the data and minimise the risk to the individual
- The process of informing each affected person would involve “disproportionate effort”, in which case you’ll need to communicate the breach in another way – for instance, by sending out a press release.
Data Protection Impact Assessment (Article 35)
Whenever a new data process is introduced that has the potential to put individuals’ rights at risk, you’ll need to carry out a Data Protection Impact Assessment (DPIA). The Data Controller conducting this will need to do so under the guidance of your Data Protection Officer (if your company has one).
You can find out more about the DPIA process here, but in summary, you will need to conduct an extensive audit of the personal data processing carried out by your business. Along with identifying and documenting the location, risk level, access to and use of all sensitive information that you store, you’ll also need to ensure you have the measures in place to repeat this procedure on a regular basis.
So, there’s admittedly a lot of information to take in when it comes to your data security obligations under the GDPR. But hopefully, by breaking these key elements of the regulation down into bitesize chunks, we’ve helped you get your head around your duties a little more!
If you’re still baffled by data security or unsure of where to start with a DPIA, don’t suffer in silence! Get in touch to find out how we can help.