100 Days to GDPR

14 Feb, 2018

Author: Dr Steven Winstanley, Security Consultant, Sapphire

London, UK, 14 Feb 2018 – The UK played an important role in the European Convention on Human Rights (ECHR) drafted by Sir Oscar Dowson, a retired legal adviser to the Home Office as a means of guarding against the rise of new dictatorships and legally securing fundamental human right in 47 Council of Europe countries. Within the ECHR it suggests a balance between Article 8: The Right to Privacy vs Article 10: The Right of Expression.

The General Data Protection Regulation (GDPR) stems from the ECHR and lays down rules relating to the protection of natural persons with regard to the processing of personal data. The Regulation protects fundamental rights and freedoms of natural persons and the free movement of personal data within the Union and countries with equivalent privacy laws.

The GDPR is educating people of their Rights and hence the way businesses operate into a much more data-driven model concentrating on areas of information security, customer centricity, data localisation and indexing, and data storage.

 

Information Security

From Article 32 of the GDPR, it states: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

This means that organisations need be compliant with the Accountability Principle for their information security systems using Standards like:

  • ISO27001:2013 Information Security Management System
  • BS 10012:2017 Privacy Information Management System
  • ISO 29151:2017 Code of practice for personally identifiable information protection
  • IASME Cyber Essentials and CE+ (with GDPR) certification

Article 32.1 (a) mandates the pseudonymisation and encryption of personal data.  This means that personal data on USB devices, laptops, desktops, mobile phones needs MDM, port control and encryption.  Passing email or text-documents containing personal information from one location to another will also require encryption. Solutions such as Sapphire’s partner, Egress Technologies, can provide solutions to help manage this element.

Article 32.1 (b) mandates the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.  This means that access control e.g. Active-Directory, high-available systems, patch management tools e.g. Ivanti, will be required.

Article 32.1 (c) for the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. This means businesses will have to perform BCP and DR testing of their systems, ensuring High-Availability and Geo-diversity of their information.

Article 32.1 (d) The GDPR writes into law that Penetration testing, Information Security and Privacy Auditing (particularly for Data Controllers auditing their Data Processors i.e. vendors or outsourcers) should be carried out regularly and that a process should be defined and followed.

Article 32.4.  “The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller.”.  This means that companies need to assess for “insider threat” as organisations are liable for actions of their employees.

Final note on information security is from Article 33:  “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”  This means that an organisation is required to actively monitor for information security breaches.  This can be done via a number of aspects including:  manual notification via e.g. ITIL based helpdesk or automated via e.g. Managed Security Operations Centre.

 

Data Localisation and Indexing

Another critical factor is to be able to identify and categorise where all personal and personal sensitive data is located within an organisation.

Organisations may have gone through multiple mergers and acquisitions, each of which introduces systems that may contain duplicate data. Each of these silos may contain personal data, and it will typically be challenging for an organisation to achieve a view of exactly what data sits where, how it’s related, and who or what consumes or accesses it.

Personal Data will lie in a distributed fashion in an organisation such as candidates’ CVs in hiring managers email accounts; list of customers on a Marketeer’s PC, Occupational-Health data on a HR SharePoint Directory.

This data need Labelling, Classifying and Handling in an appropriate manner. Nuix is a product that can find and classify historical data, Boldon-James to handle current classified data, and Egress to secure the transmission of personal-sensitive email data.

 

Customer Centricity

Social media has created opportunities for companies to engage better, faster and more frequently with their customers and gain richer insights. This is due to the fact that many organisations still rely on relational databases and siloed systems across their departments making it impossible to integrate and analyse social media or unstructured data.  Big Data will be critical to the ability to develop and execute customer-centric programs. However, data that is in silos across an organisation makes it difficult to really achieve customer-centricity.

Some of our customers are classic examples of having large volumes of customer data and not the ability to analyse useful statistics from the data, or simply to have collected too much information and are too protective of the data to administer Data Subjects Rights.

 

Data Storage

Data Owners (not IT departments) are assessing their data retention periods.  Personal Data is being stored on active SAN devices for this duration.  IT departments extend these retention periods with the use of back-up systems e.g. tape archives and rely on the GDPR cause “a disproportionate effort” when administering. However, on restoration, records need to be kept of subjects who have administered their “Right to be Forgotten”.

Many HR departments are challenged with the control of personal data with unsuccessful candidate’s CVs remaining in hiring-mangers’ inboxes; annual appraisal-forms lying on line-managers’ local C: drives; the ability for employees to assess the accuracy of their personal data; retention periods are a significant challenge and when assessing recommended ACAS or CIPD retention matrices.  This suggests that personal data should be centralised in structured systems that have the correct access control, mandatory record fields and automated retention application.

Companies are struggling with their paper archives and some are finding it too expensive to destroy paper securely and keep compounding the problem; while others have found massive savings on leased building costs by removing paper.

 

100 Days to GDPR

In summary, GDPR is not a one-off project that will come to an end on the 25th May 2018, but an evolutionary process that started back in 1949 under ECHR. Data Subjects are moving to a better understanding of their rights, and the data privacy issues will not stop in May, but in fact will only just begin.  Like with ISO 27001, the BS 10012 (Personal Information Management System) promotes a continual process of improvement, and many organisations are just becoming aware of what personal data is, and their responsibility to people rights and freedoms.  Customers and suppliers will expect organisations to live up to obligations for information governance and enforce that through legal and technical controls. This isn’t a one-off fix, it’s the transition to a new data protection model.

When it comes to advising your business on GDPR compliance, our consultants have extensive knowledge within information security and data protection. If you have any questions or are interested in discussing any of the areas mentioned above, please contact Sapphire on 0845 58 27001 or email info@sapphire.net