The General Data Protection Regulation: Shackleton’s Analysis

12
Jan
Steve Smith

Written by Steve Smith, 12 January 2017

With Britain’s recent decision to leave the EU there is a lot confusion about which regulations and rules will continue to affect British businesses after we leave the economic bloc. One regulation in particular could have huge ramifications for your business…

While leaving the EU is an incredibly complex subject, what we know so far is that any EU regulations which are already in place will be enshrined into UK law, and updated when necessary. After we leave, Britain won’t be automatically subject to new rules from Brussels. But what about in the case of the upcoming General Data Protection Regulation that comes into effect on the 25th May 2018? As always, things aren’t quite as simple as they seem. 

If your business supplies goods or services to a citizen or company based in the EU, regardless of whether Britain is part of the EU or not, you must comply with the GDPR - or face some big consequences…

The GDPR actually stems from positive intent, as The European Court of Human Rights states that every living person has a basic right to privacy. This includes who has and who uses your personal information such as names, addresses, credit card information, social media user names, collar size, ethnicity, etc. Where businesses might start to see issues is that technical information can also be deemed personal, such as your home PC IP Address.

Who Is Responsible for Data Breaches?

Let’s suggest your business holds all its client information in a CRM database. The provider of that database has a security breach and personal details of your clients are leaked. Are they to blame for the repercussions, or are you to blame for not having a proper authentication policy for uploading all your client information? Prior to this regulation, it would have been the CRM originator, but now, it’s you too I’m afraid! As the processors of the personal data, you must ensure you have the correct hardware, software, backups and staff training to deal correctly when handling personal data.

“Dealing correctly” also covers why you have this data and what you intend to do with it. There are now three key areas that need to be considered:

  1. Organisations must seek unambiguous consent for data collection – before you capture data from a client, you need to make them aware you would wish to do so and obtain their consent.
  2. The right to data portability – it needs to be extremely simple and quick to take data stored with one provider and transfer this to another provider.
  3. The right to erasure – nothing to do with late ‘80’s pop music, more to do with having the right to demand your information is deleted from any database carrying it. Unless there are legal or medical reasons to keep this data, your compliance is required.

What Happens if Data is Leaked?

Let’s suggest the worst happens and you suffer a data breach. Under this new law, you have 72 hours to notify the UK Information Commissioner’s Office. The clock starts ticking the second the breach occurs, rendering a defence of ignorance completely useless. Knowing the breach happened is your responsibility, so if you set off home on Friday at 1700, are breached at 1730, things are going to get bad around 1730 on Monday, no matter how much or how little you are aware.

You also have to let the individuals whose data has been compromised know that the breach has occurred. Failure to do so leads to the aforementioned consequences, and they can be BIG. Consider this – do you feel 100% comfortable that you have adequate technology to protect your client data? To detect a breach and identify the victims within 72 hours? Do you have a process in place to notify the UK ICO?

You’d better be confident as it’s time to talk about these consequences for not complying.

Understanding the Consequences

If you fail to cover yourself adequately, you are now looking down the barrel of up to either 4% of your annual revenue or a minimum €20m whichever is the greater. Looking back to 2015, TalkTalk were severely breached and enjoyed a fine of “only” €460k. If this breach had happened under the new GDPR, experts have suggested that fine would have been nearer €72m. Scary stuff indeed.

How do you protect yourselves better than you are now?

  1. Have robust policies and reasoning in place for why you capture data, what data you need and where you store it.
  2. Ensure your staff are up to date with the regulation and why it is in place.
  3. Ask your IT provider for a strategic review of your hardware, software, security and backup to ensure you have the correct kit for the job.

Making Sure You’re Protected

The good news? The three step process above is hardly onerous, as one would like to think most businesses already know why they collect data and what they use it for - so all that is left to do is put it on paper. Your IT provider should already be on the case with advice and recommendations as to how you can improve your security and backup to keep yourself safe. It’s time to take IT and the security of your infrastructure seriously, by giving your provider the time to let you know where the gaps in your system are. It’s also now time to consider these improvements as an investment, not a cost. An investment in protecting you, your staff and your clients.

Positive intent indeed!

Ethical Hacking - A Cyber Security Event

We at Shackleton thoroughly enjoy a networking event. The opportunity to meet new people, catch up with old friends, sprinkled liberally with bacon rolls or sandwiches and some high quality presentations, sees us beat a path to any door.

Technology Hits of 2016

2016 is now behind us and as New Year’s resolutions lie around us in tatters, this seems like a good time for a look back at a huge year in technology….