Countdown to GDPR: One Year to Go Until Deadline D-Day
In insight / By Phil Muncaster / 23 May 2017
In exactly a year’s time (25 May 2018), UK organisations will face a stark choice: comply with sweeping new European privacy rules, or risk the wrath of regulators and new fines of up to 4% of global annual turnover. The EU General Data Protection Regulation has been years in the making and is now just around the corner. But what does that mean for UK firms, many of whom will be wondering if they’re even covered by the new law?
Heads in the sand
There’s no getting around it: a large number of UK firms have adopted an age-old stance when confronted with news of yet another onerous regulation to comply with: head in the sand. Some estimates claim 84% of small UK business owners are unaware of the GDPR. Others say that firms are on average complying with less than 40% of GDPR principles, and a poll at the start of the year claimed 54% of global firms had not advanced their readiness plans.
All of these stats are concerning given the potential repercussions of non-compliance. Card industry body the PCI Security Standards Council (SSC) calculated last year that UK organisations could face fines in excess of £120 billion next year, based on 2015 breach levels. These levels are likely to have risen over the past year if anything. In fact, a roll call of UK firms from Wonga to Debenhams Flowers has already been found wanting so far in 2017. Government figures claim that two-thirds (66%) of medium and 68% of large firms have identified at least one cyber security breach or attack in the past 12 months.
So, what’s the GDPR for? The idea is to make Europe’s data protection laws fit for the digital age. Part of that process involves broadening the scope in terms of the types of data and organisations covered. Personal data now means “any information relating to an identified or identifiable natural person”, and the law will now apply to data processors as well as the data controllers previously covered.
The bad news for smaller firms is that the GDPR defines an “enterprise” as any legal entity engaged in economic activity. However, in reality, those at the very small end of the spectrum whose “core” day-to-day activity is not processing data may well find themselves under less scrutiny than their larger counterparts. Non-compliance, though, is a dangerous game to play as a fine from Brussels could be enough to send a small business under. The ICO’s broad rule of thumb is: if you comply with the UK Data Protection Act, you’ll need to comply with the GDPR.
So what’s new in this regulation? There are three major new responsibilities:
- Firms will need to ask their customers for explicit consent for the use of any personal data. This will apply retrospectively to any data collected previously, meaning new opt-in requests must be sent out
- A Data Protection Officer (DPO) must be appointed to deal with GDPR compliance, although broadly speaking those with fewer than 250 employees may be exempt, unless they monitor data subjects on a large scale or monitor special categories of data
- Mandatory breach notifications within 72 hours to data protection watchdog the ICO. This is the part of the GDPR most firms are nervous about as it will force many to invest significant sums into cybersecurity, both to prevent breaches and to ensure they know as soon as possible if they’ve been breached
Time for compliance
The big question for many UK firms today will be: “Do I have enough time to get compliant?” That will of course depend on the size of the organisation and the type of work you do. However, a good place to start is appointing that DPO, or at least a team to deal with compliance. They should first of all be looking to classify and map all the data processed by the organisation. What is it, where is it stored, who is it shared with and how is it secured?
From there you can appraise the controls currently in place to protect that data and calculate if they’re strong enough to meet the regulation. A useful process might be to wipe all customer data that isn’t strictly essential to the organisation, thus reducing your compliance scope and attack surface.
Staff education is vital. Staff need to be taught best practices in data protection and handling, the importance of what they’re doing and the repercussions if they make a mistake. This should be organisation-wide to effect any lasting cultural change – which is really what you’re after, rather than approaching this from a tick-box compliance point of view.
In fact, the GDPR is specifically written so as to discourage the latter approach. Apart from pseudonymisation and encryption, no technologies are specifically mentioned as helping the compliance process. That means you’ll have to think for yourself, look to industry best practices, and ensure they cover any partners or other ecosystem providers. These include:
- Up-to-date software and systems, patched regularly
- Strong data encryption at rest and in transit
- Regular pen testing
- Comprehensive incident response plan, featuring input not just from IT, but also other relevant departments including marketing, HR, finance, etc.
- Rigorous access controls: multi-factor authentication and “least privilege” policy
- Defence-in-depth security covering endpoint, email, web gateway, network and physical/cloud servers
There’s much more to the GDPR, of course, so look to sources such as the ICO or the Article 29 Working Party for independent advice on compliance. Your managed services provider, if you have one, can also help out. The government-backed Cyber Essentials scheme can be a good place to start if you’re a smaller business looking to establish a good baseline of security on which to build.
With one year to go, there’s still time left to comply, but certainly no more to waste.