GDPR is Coming
A friend outside infosec and GRC recently asked me to provide him with a high-level overview and introduction to GDPR. He’d been engaged in watercooler discussions about the approaching changes to data protection and, as a non-security IT professional sensing the need to be informed, wanted a jump start on finding out more about it. The below is what I sent him and includes guidance I’ve received from other security practitioners currently discussing the issue on the local circuit.
Essentially, GDPR (General Data Protection Regulation) is a tooled-up revision of the DPA (Data Protection Act), a chunk of law that looks to ensure that personal information is sufficiently protected. The current DPA is based on an EU directive, so any backhanded comments you might hear about this all going away ‘cos Brexit are nonsense. Without consistency across Europe (Brexit or not), doing business would be impossible.
When does it come into effect?
- GDPR comes into effect May 2018 and for most businesses (if not all) there is a lot to do.
Key things to Consider - GDPR is about Privacy
- As cliché as it might sound, privacy is a business issue and not just an IT problem.
- Personal information is key to privacy and it’s the thing all business should be trying to protect.
- The definition of Personal Information is constantly expanding and now includes a lot of not-so-obvious, non-human elements like IP addresses, phone numbers, location data, etc.
- The controls, capabilities and processes a business puts in place to protect personal information need to protect it from the minute they acquire it to the moment they delete it.
- Businesses should only retain data for as long as they need it, be able to prove that they need it, and be able to protect it for the whole of that time.
- The default position of “hold on to everything, forever, just in case” runs contrary to privacy and security best practice (and really, always has).
Key things to Consider - The fines
- The fine system is 2-tier: [£10m or 2%] or [£20m or 4%] of worldwide turnover.
- For perspective, it’s worth noting that the ICO’s ability to fine under the DPA was capped at £500k.
- At a talk I went to before Christmas they exemplified this with the TalkTalk breach. If that had happened in a post-GDPR world, the fine would have been £50,000,000 rather than £400,000.
- Either tier could represent an extinction-level event for many businesses.
Key things to Consider - Governance structure
If a business is unable to demonstrate governance it’ll be unable to demonstrate commitment to privacy (and with it, GDPR). This will likely land a business in the 4% fine category in the event of an incident. The governance structure should include specific privacy roles / positions (advice to follow from the ICO) and can use external parties. Due diligence must be conducted on Data Processors (those handling data on behalf of the data controller), resulting in an informed decision about their suitability. In layman’s terms, a business now needs to know EVERY 3rd party that processes its information, understand the controls and processes they employ and be able to prove it understands their governance structure.
Key things to Consider - Mandatory Breach Notification
Businesses will have to report breaches to the regulator within 72 hours and to the data subject (i.e. whoever is affected by it), and the definition of a breach may be refined to include near misses etc. (again, one to check with the ICO as we get closer).
A business’s ability to report accurately on a breach will likely play a big part in the outcome of an incident. If you can’t provide specifics, metrics and real-world numbers, and give the regulator assurances that you did everything you could, you’ll likely end up in the 4% fine camp.
Key things to Consider - Security Controls
There will likely be specific requirements around certain security controls.
Most businesses are beholden to other standards which prescribe or mandate security controls. These often include testing and assurance exercises which are intended to ensure (and demonstrate) that these controls remain effective. The challenge for these organisations will be to extend this level of coverage to systems and processes which handle information that, to date, has been ‘out of scope’.
Key things to Consider - Privacy Impact Assessments
The ICO has already published privacy impact assessment (PIA) guidelines for activities considered ‘high-risk’.
Use of PII post-GDPR without consent could result in complaints and action against you, and the ICO will have the power to request evidence of assessments and controls consideration retrospectively. Some within the Big Four have gone further and now advise that they see the use of PIAs as mandatory right now.
Key things to Consider - New Data Subject Rights and Explicit consent
The concept of implicit consent goes away with GDPR and the data subject gets a bunch of new rights.
- Explicit consent (with proof) covers all use of personal data, including ‘portable’ data – data which is formatted so it can be used elsewhere or by another organisation. This is a huge deal.
- Right to Erasure / Right to be forgotten – many organisations don’t know where all their customer data is and will be pushed to provide assurance that they can then delete records on a case-by-case basis.
- The control environment now needs to be fully documented and auditable and must reflect the above two considerations.
- International transfer (outside the EU) of personal data now needs ‘suitably’ legitimizing (with proof).
Next Steps - What should you do now / next?
We’re about 15 months away now, so (hopefully) there is already a load of work underway to ensure everyone is working toward identifying and addressing the requirements.
- Keep up-to-date – keep checking back with the ICO for specific guidance and requirements as they emerge.
- Understand Impact (gap assessment, review existing governance structure, identify major gaps / sources of non-conformities…).
- Senior Exec Awareness (Get GDPR on the agenda for the boardroom, get outside help to explain the issue if need be, get buy-in…).
- Factor in Privacy (PRIVACY BY DESIGN) – there is no ‘fix it later’. Non-compliance is non-compliance.
- Plan to address gaps (in both your controls and in your organisation).
- Ensure approach is pragmatic and RISK BASED (deal with the biggest issues first).
Questions to ask today:
- Who is responsible for Privacy?
- Are provisions in place to report / respond to an incident within 72 hours?
- Are provisions in place to detect an incident?
How are you going to demonstrate to the ICO that you…
- Were taking GDPR (and Privacy) seriously?
- Had a plan to identify and treat your risks?
- Were doing everything you could to protect the information in your care?
Here are some key resources to keep tabs on:
- ICO Guidance: https://iconewsblog.wordpress.com/2017/01/17/gdpr-guidance-in-2017/
- ICO on GDPR: Updated Monthly https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
- ICO on GDPR: Overview https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/