GDPR and NIS - Where do I start?
GDPR, the General Data Protection Regulation adopted by the European Union, is coming. There is no escape: it applies from 25th May 2018 and will be the law in the UK from that date regardless of Brexit.
The Regulation affects anyone who collects, processes, stores or otherwise handles personal data about living individuals, subject to a few narrow exceptions. One of the significant changes from the Data Protection Act 1998 is that both the data controller (the organisation that decides why and how the data is processed) and the data processor (anyone processing it on the controller's behalf) now carry direct obligations and can each be held responsible for a breach and fined. If a set of data is processed by a third-party data centre on behalf of a client, both the client and the data centre could be fined if there was a breach.
Personal data is defined as “any information relating to an identified or identifiable natural person”. This definition is deliberately broad and is not limited to confidential or private information: a simple name and address is personal data even if it is already in the public domain. What falls outside the definition is information that cannot be tied to a living individual, such as data that has been genuinely anonymised. There are also special categories of personal data (the 1998 Act called these “sensitive data”), including racial or ethnic origin and health data for example, where extra care must be taken. Overall, if any personal data is collected for any reason, it would be appropriate to consider the implications of the GDPR for the business’s activities.
The fines that may be levied by the Information Commissioner’s Office (ICO) in the UK are very significant. For the most serious infringements the maximum is €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is the higher; a lower tier of €10 million or 2% applies to less serious infringements. The choice is not the regulator’s to make: the statutory cap is always the larger of the two figures, so a large company cannot rely on the €20 million ceiling. The penalty actually imposed will be scaled to the severity of the breach, but the prospect of fines of this order is helping to concentrate the minds of directors and board members. These fines do not take account of any reputational damage that might also result from a breach, nor of any compensation that might have to be paid to those whose data was breached.
There are some simple but critical steps that should be taken by any organisation that holds personal data.
Step 1 Produce a comprehensive inventory of all the personal information the organisation holds. This will often start with a name and address, postcode, telephone number and similar basic information. It might also be tied to an account number and, if there is a web trading facility, perhaps a login, email address and password. It might also include date of birth and other more sensitive information, and may extend to bank account or credit card details. It is vital that there is a full list of all the information that is held and/or processed by the organisation. Even if the processing is transitory, for example during an online sale, it must be done in accordance with the Regulation. Note that some items on the inventory should never be held in recoverable form at all: passwords should be stored only as salted hashes, and full payment card details bring PCI DSS obligations on top of the GDPR.
Step 2 Understand where the information comes from (how it is collected), where and by whom it is processed and stored, and how it is deleted when no longer required. This might include automated processing, where everyone who has visited a website is automatically sent an email inviting them to an event. It might be a simple business process where the sales team take the information and ring up the customer to check on an order or to see if there could be further sales. In all circumstances it is vital to know what is done with the information so that a full trail is produced. This will include those with whom the information is shared – suppliers, data centres, mailing companies or any other partner. This is also an opportunity to decide that some of the information collected is not really necessary – is the date of birth actually used, for example? If it is not required, don’t collect it. Information that is never collected cannot be breached.
Step 3 Ensure that every stage of the journey of this personal information, from the initial collection (including the way consent is requested) through to disposal when no longer required, is properly protected. Where appropriate and applicable this might include encrypted transfer and storage, anonymisation or pseudonymisation (the Regulation names pseudonymisation and encryption explicitly as appropriate technical measures), limiting the people who have access to the information, and a range of other controls. Data minimisation is a clear direction from the Regulation and should be pursued at every opportunity.
If these steps have been taken, they should lead the organisation to develop a culture of looking after information appropriately at all stages. The Regulation should drive every organisation to take a hard look at its security measures and make sure it is doing all it can to reduce, or ideally remove, the risk of an information security breach. This applies regardless of the size of the organisation, but the impact of a breach will be proportionately heavier on smaller organisations, where fines and reputational damage could be terminal because they have fewer resources to deal with the aftermath.
For larger organisations the EU Directive on measures for a high common level of security of network and information systems across the EU (the NIS Directive) will arguably have a bigger effect and will require a much more comprehensive approach to information security. It applies in the UK from 10th May 2018 – about the same time as the GDPR. The Directive requires operators of essential services within the UK to be identified and brought under its reporting and security requirements; it also places lighter obligations on certain digital service providers (online marketplaces, online search engines and cloud computing services).
Under the Directive an operator of essential services is one that provides:
- a service that is essential for the maintenance of critical societal and/or economic activities;
- a service whose provision depends on network and information systems, which the Directive defines to include:
  - electronic communications networks (ISPs, for example);
  - any device, or group of connected devices, that performs automatic processing of digital data (an HR system, for example);
  - the digital data stored, processed, retrieved or transmitted by such systems (data centres, for example);
- a service where an incident would have significant disruptive effects.
The last point could bring in some smaller companies too, but overall it is expected that larger companies will be the ones affected.
The Directive requires these organisations to provide evidence to their competent authority (in the UK, the relevant sector regulator or government department) about, amongst other things, their:
- governance framework for the security of networks and information systems including documented security policies;
- audit programme and its results for the security measures taken;
- preparations for, response to and recovery from an incident along with their notification process;
- security training and awareness-raising programme;
- research and development plans;
- risk assessment plan.
None of this is quick to achieve, and it will require significant effort by any organisation, the larger ones in particular. There will again be fines. At the time of writing their level had not been finalised; the UK government’s consultation proposed a maximum of £17 million, and for operators of essential services they will be imposed by the sector competent authority rather than the ICO. It is anticipated that, to encourage conformance with the requirements, they will be significant. The APMG Cyber Defence Capability Assessment Tool (CDCAT®) can help to provide the evidence required about the maturity of the security capabilities in place. This will be useful as mitigating evidence in the event of a breach but, more importantly, it can identify where maturity is lacking, and hence where there is a vulnerability in the systems in place.