7 Things You Can Do Now to Prepare for the New Data Protection Bill
The Bill is now going through the parliamentary process to be adopted into UK law. When implemented, the new Data Protection Bill will place a number of new responsibilities on organisations that control and process personal information. However, there are a number of things organisations can start doing now to make compliance much easier.
1. Create an asset register for all the data you hold
You cannot realistically protect or assess the data you hold if you don’t know what data you have!
Now is a great time to carry out a full audit of the data you hold, and documenting this in an information asset register can simplify the management of your data assets. Your data asset register can track the types of data you hold, the method by which it was gathered, the classification and owner of the data, as well as any retention policies which may apply to it. Another important element to record is where the data is held or transferred to. The GDPR places heavy emphasis on data not being transferred outside the EU or the “approved countries” without the consent of the data subjects.
Collating this information in one place also makes regular reviews easier. The GDPR states that organisations must carry out a data protection impact assessment (DPIA) when a new type of processing or technology is implemented. By having a central register of your data and the associated controls applied to it, you can record these assessments or simplify the process for future DPIAs when they are required.
As an organisation, you probably already track your physical assets such as laptops, desktops and mobile devices – your data assets should be no different. When you consider the fines or reputational costs associated with a data breach, the cost of losing a laptop could be dwarfed by losing large amounts of sensitive data.
2. Carry out risk assessments on your data
Risk is mentioned in 25 recitals throughout the GDPR, and should be at the centre of your data protection strategy. By analysing the level of risk associated with the data you hold, you can then go on to put in place the appropriate organisational and technical controls to mitigate the risk of data breaches.
The creation of a data asset register will then allow you to assess the risk against each asset. From this, you can then implement the appropriate controls in order to ensure the confidentiality, integrity and availability of your data.
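As an added illustration (not code from the original article or from Protos Networks) of what a data asset register and a per-asset risk review can look like in practice, the following Python sketch records the fields listed above and produces the findings a regular review should surface: missing owner, transfer outside approved countries without consent, expired retention, and processing with no DPIA recorded. The list of approved destinations, the classification weights, the risk-scoring rule and the sample register entries are all constructed assumptions for the example, not legal guidance.

```python
from dataclasses import dataclass
from datetime import date

# Constructed placeholder; keep in step with the adequacy decisions actually in force.
APPROVED_DESTINATIONS = {"EU", "UK"}
CLASS_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "special": 5}

@dataclass
class DataAsset:
    name: str
    data_type: str         # what the data is, e.g. "customer contact details"
    collected_via: str     # method by which it was gathered
    classification: str    # public | internal | confidential | special
    owner: str             # accountable data owner, "" if none assigned
    retention_years: int   # retention policy applying to it
    collected_on: date
    held_in: str           # where the data is stored or transferred to
    subject_consent: bool  # consent for transfer outside approved countries
    dpia_done: bool        # impact assessment recorded for this processing

def retention_expiry(collected_on: date, years: int) -> date:
    try:
        return collected_on.replace(year=collected_on.year + years)
    except ValueError:  # collected on 29 Feb and target year is not a leap year
        return collected_on.replace(year=collected_on.year + years, day=28)

def review_asset(asset: DataAsset, today: date) -> list:
    # Findings a regular register review should raise for one asset
    findings = []
    if not asset.owner:
        findings.append("no data owner assigned")
    if asset.held_in not in APPROVED_DESTINATIONS and not asset.subject_consent:
        findings.append(f"held in {asset.held_in} without data-subject consent")
    expiry = retention_expiry(asset.collected_on, asset.retention_years)
    if today > expiry:
        findings.append(f"retention period expired on {expiry.isoformat()}")
    if not asset.dpia_done and asset.classification in ("confidential", "special"):
        findings.append("no DPIA recorded for high-classification processing")
    return findings

def register_report(register: list, today: date) -> list:
    """(name, crude risk score, findings) per asset, highest risk first."""
    rows = []
    for a in register:
        findings = review_asset(a, today)
        rows.append((a.name, CLASS_WEIGHT[a.classification] * (1 + len(findings)), findings))
    return sorted(rows, key=lambda r: r[1], reverse=True)

SAMPLE_REGISTER = [  # constructed sample data, not a real register
    DataAsset("payroll", "staff bank and salary details", "HR onboarding form",
              "special", "HR manager", 7, date(2015, 4, 1), "US", False, False),
    DataAsset("newsletter list", "email addresses", "web sign-up form",
              "internal", "", 2, date(2015, 6, 1), "EU", True, False),
]
```

Running `register_report(SAMPLE_REGISTER, date(2018, 1, 1))` puts the payroll asset first, flagged for the unconsented transfer and the missing DPIA, with the newsletter list behind it for the missing owner and expired retention.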
3. Ensure you have a legal reason for processing – which isn’t necessarily consent!
Whilst the GDPR does put an extra focus on consent as a legal basis for processing, it isn’t the only basis on which you can process personal data. For example, an accountancy firm will be required by HMRC to keep accounting information on a subject for 7 years; therefore, there is a legal basis for holding and processing this data. Other valid reasons for processing data include performing the obligations of a contract, protecting the vital interests of the data subject, or processing carried out in the public interest by an official authority.
That said, the Regulation does put a fresh focus on consent as a legal basis for processing data. Organisations should review their data (via a process such as an asset register) and check whether the consent they obtained for that data meets the requirements under the GDPR. Likewise, the way you harvest personal information should now be reviewed. This potentially includes changes to online contact forms, customer agreements, contracts and privacy policies.
4. Put policies in place!
In order to mitigate risks and protect their data, organisations must put in place the appropriate technical and organisational controls. A key part of these organisational controls is the policies we put in place. Some of the policies we should be thinking about are information security policies and privacy notices.
Your information security policy document should encompass all aspects of handling the confidential information your organisation holds. This policy should be readily available and distributed to all of your employees; as such, it should be written in a way that can be understood by non-technical staff, and it should be reviewed regularly. Some of the areas covered by the policy could be access, asset, computer, network and environmental controls, personnel security and incident management.
5. Ensure that your staff are trained and vetted
Many data breaches are down to human error, and many cyber-attacks occur because users are not trained on what to look for in phishing emails or how to protect their IT systems. Likewise, you should be ensuring your recruitment process is sound and staff are correctly vetted if they are handling highly sensitive data, or data which could be open to criminal abuse.
You should also be reviewing whether your organisation requires a Data Protection Officer (DPO). Under existing legislation, a company with 250+ staff should have a DPO; however, this changes under the new regime. Recent advice states that an organisation should appoint a DPO if it is a public authority or carries out large-scale processing or monitoring of data subjects, especially with regard to processing special category data.
6. Implement robust, ‘state-of-the-art’ cyber security
Whilst the GDPR goes far beyond your cyber security, it still remains true that cyber security and data protection are inextricably linked. The Information Commissioner, Elizabeth Denham, even stated this in a speech to the CBI recently.
Article 32 of the GDPR states:
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
From this, it is evident that cyber security is going to be a central component in a robust compliance strategy. Regardless of the new Data Protection Bill, cyber-attacks are now a major threat to the stability and economy of the UK, with HM Government investing £1.9bn in ensuring cyber resilience across the nation. Now is the time to review your systems and strategy!
7. Get certified!
The ICO have indicated that an official seal for GDPR compliance may be forthcoming; however, one doesn’t exist at the time of writing this article. That said, there are a number of assessment and certification options open to organisations to help show that you take the protection of your information systems seriously:
ISO 27001 is a framework developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” The standard centres around risk and covers areas such as security policy, asset management, communications and operations management and business continuity.
The IASME Governance standard – which is based on international best practice – utilises a risk-based approach to assess a company’s information security, and includes aspects such as staff awareness, security policies and the technical controls which underpin these.
The IASME Governance certification is seen as a realistic alternative to ISO 27001 for many SMEs, and was recently recognised as the best cyber security standard by the UK Government after consultation with industry groups.
Cyber Essentials is a government-backed, industry-supported certification scheme which outlines standards of cyber security appropriate for all organisations across all sectors. A Cyber Essentials certification is already mandatory for a number of Government and private sector contracts, and demonstrates that an organisation takes cyber security seriously.
When properly implemented, it is estimated Cyber Essentials can protect against around 80% of internet-borne cyber threats.
These certifications prove to your customers and regulatory authorities that you take data protection and cyber security seriously.
These 7 steps are by no means a ‘silver bullet’ for compliance; the Regulation is extremely wide in scope and will require support from legal, technical and data protection professionals alike. However, by putting in place processes and controls now, and designing your information management system for compliance, you can simplify, and at the same time enhance, your information security.
Protos Networks are certified by GCHQ and the IASME Consortium to assess for GDPR readiness as part of the IASME Governance assessment, and are licensed by the National Cyber Security Centre to certify organisations against the Government’s Cyber Essentials scheme.