Transform your data security, privacy policies, consents and more with the help of our expert GDPR Consultants. There are potential fines of up to €2m or 4% of your group’s global annual turnover for companies and organisations that fail to comply – per breach! Check out our full guides, and email [email protected] for solutions for YOUR business.
Our Director is currently taking a leading role in helping insurers with their new data protection obligations. He is currently:
- Working for international Japanese insurance firm Sompo on an ongoing basis with regard to GDPR and Data Protection
- On the GDPR Forum which is hosted by the LMA (London Market Association), the IUA (International Underwriters Association), and the ABI (Association of British Insurers)
- Working with the ABI on the derogation of the Data Protection Bill (changes to the law) through the House of Lords currently, in order to give insurers clarity on the legal basis upon which they can process users’ data. (He’s working with lawyers DAC Beechcroft, Clyde and Co, and Norton Rose on this.)
- Providing Information Security and process consultancy to 3 telematics companies – Cybit Plc, Masternaut, and Blue Finger. Their ‘black boxes’ are mostly fitted to trucks, and also to ships.
Activa GDPR consultants – the General Data Protection Regulation…
…is here, and continues to apply regardless of Brexit. Through GDPR – the General Data Protection Regulation – the EU has decided to make the information hierarchy that businesses hold over individuals fairer, mostly because of a few bad apples. Activa Consulting would like to spell out how we feel about the General Data Protection Regulation and how, as GDPR consultants, we can develop a programme for you.
Here’s the headline: if you have a breach of information security and data covered under the GDPR is affected, you have to report it to the relevant Data Protection Authority, and you have to do this within 72 hours of the breach. If they subsequently find you were operating outside the GDPR regulations, they have the right to fine you up to 4% of your organisation’s global revenue or EUR20m, whichever is the greater. **THIS IS A BIG DEAL**. What is 4% of your global turnover? Do I have your attention yet?
I intend to set out a guide to address the requirements of GDPR in the same way as I have other international standards, so as to make the requirements obvious to understand, if not always easy to implement (it depends where you start from). This page will grow and grow as I get through the raft of legislation and am able to translate it into text that’s more useful for the average user. The bad news: the regulation document is 88 pages long and makes little sense to anyone other than a lawyer.
The good news: for the SMEs reading this, you get a break! From section 13, page 3: “To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC.” This does not mean you are exempt from meeting the requirements, but that they will be looked at in a different light by regulators – how they choose to do this is not yet confirmed.
So if you hold details on businesses, not people, this does not affect you. In the eyes of the law you are either a controller or a processor of data. A controller makes the who, when and where decisions relating to what data is collected and how it is processed; the processor only processes under the controller’s remit. The law treats these entities differently, but the controller should look to back-to-back any liability or requirement with the processor in order to protect itself. I’m working through this legislation and don’t know how it will unfold, or how I will structure this, so until I’m finished it may be a little messy.
These are the headlines of the GDPR practitioner exam, and I’ll be organising my thoughts around these subject matters:
- GDPR privacy principles
GDPR is intended to redress the balance. If you hold data on an individual then, to quote the regulation, “everyone has the right to the protection of personal data concerning him or her”. In the world of big data and big corporations, this legislation means that businesses which hold data deemed to be relevant need to take care of this information and understand that the information belongs to the individual, not the organisation.
Protection is afforded to natural persons, “a person (in legal meaning, i.e., one who has its own legal personality) that is an individual human being”, but specifically excludes (section 14) a legal person, “which may be a private (i.e., business entity or non-governmental organization) or public (i.e., government) organization”. Anonymous personal information from which the identity of the person cannot reasonably be established (pseudonymisation) may not fall under this regulation. Even if the processing takes place outside the EU it would appear it is still covered by the law, and the controller would be pursued. The law applies to EU citizens, regardless of who holds or processes the data or where. How the law pursues legal persons outside the EU is down to the authorities; I don’t know, that’s their problem, but if you process the data of EU citizens, this applies to you. I’m not a lawyer, but given the fines, for larger companies I would not see why the controller/processor would not be set up as a separate legal entity (like triple-A swap vehicles) to minimise any financial risk.
- Developing a risk management framework – the implementation path to EU GDPR compliance
If you’re looking to see how we would implement GDPR within your organisation, here’s the GDPR project plan that we would execute as GDPR consultants for you. Essentially, the DPO needs to establish a framework of Data Protection from the outset: privacy by design (make sure considerations are undertaken before you collect data), reviewing data and conducting risk assessments, dealing with Data Subject Access Requests (DSARs) and providing information to regulatory / legal bodies.
- Dealing with subject access requests / rights of data subjects
Data subject (that’s a person – a natural person) access rights have been enhanced since the DPA 1998, and subject requests can take the form of access to data held, rectification of incorrect data, erasure of data, objection to processing and portability of data (moving data from one controller to another). Whereas in the past a £10 fee could be charged under the DPA 1998, this should now be free of charge unless exceptional circumstances exist. Requests should be acknowledged and processed within 30 days, not 40 days, and in exceptional circumstances (huge swathes of data) an additional 2 months’ processing time may be requested.
Right to access
Data subjects should have the right to access the data collected. Where possible the controller should provide remote access to the data (there’s a can of worms). Where a lot of data is collected on a subject, the controller is permitted to ask the subject to specify the data required. As GDPR Consultants we can help you identify what is needed and how to translate it into your everyday activities.
Right to be forgotten
We all make mistakes; the data subject has the right to have their data erased and no longer processed, typically where data is held on the basis of consent rather than a legal requirement. Controllers should take reasonable steps to inform other controllers processing the data of any such request. Retention of the personal data is lawful where necessary for:
- exercising the right of freedom of expression (see Article 10 of the Human Rights Act)
- compliance with a legal obligation
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- public interest in the area of public health
- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- establishment, exercise or defence of legal claims.
Deceased persons are not covered by this law.
The role of the DPO
The DPO should be the caretaker of the GDPR framework: they should ensure DSARs are completed (within the time required), respond to regulatory and legal requests, and work with the rest of the business to ensure that the information security of the data is maintained (confidentiality, availability and integrity) so that it is not in any way compromised.
Updating policies and procedures
Privacy notices / policies, marketing requirements and consent
These need to state what data is being collected and for what purpose; a catch-all statement is no longer good enough. You need to establish and document the legal basis under GDPR – General Data Protection Regulation – on which you’re collecting this information. This can be one of the following:
- Consent (now much more stringent)
- Necessary to perform a contract
- Legitimate interest
- Legal obligation
Privacy policies and consent forms need to be written in clear, concise language, particularly if they collect consent from children – they should be understandable by a child. Children are specifically identified as warranting protection under the regulations, although above and beyond parental consent, the regulations fail to identify specific actions to be undertaken.
Controllers should provide data subjects with information relating to the circumstances and nature of any processing. This should be at the time of data collection.
Privacy by design
You will need Data Protection (DP) policies and procedures. These should ensure that DP is included as part of your business processes, and subsequent service development, by design and not as an afterthought. Privacy by design should be implemented in conjunction with a Privacy Impact Assessment. Essentially this is a process (often a document) used before a new project or data collection / processing exercise, identifying what data is going to be collected, used and processed, for what reasons, by whom, and for what lifespan the data is required. This should be conducted before the data exercise is carried out, ensuring safeguards and consents (where applicable) are in place and that information security relating to the data is sufficient.
- The roles of and relationships between controllers and processors
Cookies, RFIDs, MAC addresses, SIM IDs, geo-locations and IP addresses leave traces and may be used to create profiles of natural persons. This means such data should be treated as personal data.
Ditto genetic / health data.
In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.
Pseudonymisation and anonymisation
There are various techniques for anonymising data sets. In brief, these are:
- Noise addition – add or subtract variables to existing data to prevent individuals being profiled
- Differential Privacy – when third parties have access to personal data, the data provided is the anonymised set, not the original held by the company.
- Substitution – instead of using the actual data, it is replaced with another code, eg town of residence could be represented by a number / colour / animal, with a key held only by the processor.
- Aggregation – instead of specific data, individuals are categorised within ranges – eg patients are only identified as having a height of 5’10” – 6’1” rather than specifically 5’11”.
Types of pseudonymisation
- Hash functions – a cryptographic one-way function applied to the identifying data
- Tokenisation – data is substituted with a number or code which is a reference back to the original data.
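As an added example (not code from the page or from Activa Consulting), the Python below applies the techniques listed above to constructed records: a keyed hash whose key is the separately held “additional information”, a token vault that keeps the reference back to the original (and so supports erasure requests), substitution of towns via a key table, and aggregation into the height bands mentioned above. All names, emails, heights and bands are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictional people); heights in inches.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "town": "Leeds", "height_in": 71},
    {"name": "Bob Example",   "email": "bob@example.com",   "town": "York",  "height_in": 65},
    {"name": "Carol Example", "email": "carol@example.com", "town": "Leeds", "height_in": 74},
]


def hash_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised identifier.

    The key is the 'additional information' that must be held separately
    from the pseudonymised data set; without it the digest cannot be
    recomputed from a guessed identifier, unlike a plain unkeyed hash."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenisation: replace a value with a random token; only the vault
    (kept separately) can map the token back to the original value."""

    def __init__(self):
        self._forward = {}   # original value -> token
        self._reverse = {}   # token -> original value

    def tokenise(self, value: str) -> str:
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenise(self, token: str) -> str:
        return self._reverse[token]

    def erase(self, value: str) -> bool:
        """Right to erasure: drop the mapping so existing tokens become
        meaningless. Returns False if the value was never tokenised."""
        token = self._forward.pop(value, None)
        if token is None:
            return False
        del self._reverse[token]
        return True


# Constructed height bands in inches, inclusive (5'0"-5'5", ..., 6'2"-6'5").
HEIGHT_BANDS = [(60, 65), (66, 69), (70, 73), (74, 77)]


def aggregate_height(height_in: int) -> str:
    """Aggregation: report only the band, e.g. 71 -> 5'10\"-6'1\"."""
    for lo, hi in HEIGHT_BANDS:
        if lo <= height_in <= hi:
            return f"{lo // 12}'{lo % 12}\"-{hi // 12}'{hi % 12}\""
    return "other"


def substitute_town(town: str, key_table: dict) -> str:
    """Substitution: towns become opaque codes; key_table is the key held by the processor."""
    return key_table.setdefault(town, f"T{len(key_table) + 1}")


def pseudonymise(records, hmac_key: bytes, vault: TokenVault, town_key: dict):
    """Produce a data set suitable for analysis with direct identifiers removed."""
    return [{
        "subject_id": hash_pseudonym(r["email"], hmac_key),
        "name_token": vault.tokenise(r["name"]),
        "town": substitute_town(r["town"], town_key),
        "height": aggregate_height(r["height_in"]),
    } for r in records]
```

The HMAC key, the vault and the town key table are the pieces that must be stored apart from the output, with access limited to the authorised persons within the controller.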
Data should be processed with consent. The degree to which this processing is carried out should be transparent; specifically, the controller should be identifiable should the person use their right to obtain confirmation and communication of their personal data. The specific purposes for which the data will be used should be explicit at the time of collection, and that information, whilst adequate, should be limited to the extent needed to perform those purposes. Data retention should be minimised and time limits established by the controller for review/erasure. Reasonable steps should be taken to ensure inaccurate data is rectified or deleted. Personal data should be protected to maintain confidentiality, availability and integrity, as managed through the implementation and management of the ISO 27001 standard and ISO 27002 controls throughout its life with the organisation, which will no doubt be the remainder of this piece.
Dealing with third parties and data in the Cloud
Processor contracts and information security for affected third parties
Many companies will be affected by this, and it is not a small piece of work. They will need to demonstrate to the business that they are taking their duty of care seriously. Management of suppliers that process or support the processing of personal data may well form a significant piece of work for the business in demonstrating its duty of care over the data that is collected and managed. The controller should be in your head office (main establishment).
Data mapping – Information assets
You need to identify where data is held. Sometimes this will be easy, eg HR records; other times it will be harder: if someone is made redundant or hired, where is the supporting data that helped make that decision? In emails spread all over the company servers? You need to be able to locate these data when the time comes. Staff need to be trained to understand what sort of information they are collecting, processing and controlling: firstly, to ensure data is stored in an appropriate manner, and secondly so that in the event of data subject requests they know how to deal with them.
Significant efforts will need to be made to ensure legacy data is compliant with GDPR; exceptions will not be made just because it is old, or because it was acquired through M&A activity – you bought it, caveat emptor applies.
- Data privacy impact assessments (DPIA)
There are record-keeping obligations covering what you had (not just what you have). You will need to conduct DP impact assessments (risk assessments) and, in the event of a breach, you need to inform the authorities within 72 hours of becoming aware of the breach (which, as is often the case, could be some time after the actual breach occurs). Identify your key functions – the areas of the business most likely to be affected are HR, IT, Marketing and any data processing function (call centres/branches). External service providers need to be governed by contracts (see below).
These need to be conducted periodically on a sample basis. I prefer to use ISO 17011 guidelines for this, which give enough data to provide evidence of compliance rather than a 100% audit on one small data sample. This means I am auditing a process, to understand whether it is working and how it could be improved. This should give stakeholders assurance that controls are in place and effective. How you decide which elements to audit should be risk based – don’t look at what you looked at last time if there was nothing wrong; look at the newest as a demonstration of effective processes, and look at those which present the most risk should a breach ever occur.
Pseudonymisation of users and encryption will reduce risk (especially encryption). The business should work to ensure (and prove) that it is maintaining the confidentiality, integrity and availability of the information it holds. Any breaches of security need to be documented and reviewed. This should include the nature, category and number of records affected and, where reporting, the name and contact details of the Data Protection Officer. This requires the business to think about and plan for incident response before it happens, not when it bites. First and third party audits will provide evidence that processes are being implemented, maintained and monitored, by way of mitigation/abrogation of liability in the event of a breach. Whilst the legislation does not specify a specific management system an organisation should implement, it is strongly pointing toward adopting one or more of them, which for those previously uninitiated could be a significant task. Whether you choose ISO 27001, COBIT, PCI-DSS, SANS 20 or the lightweight Cyber Essentials is up to you, but picture yourself in the position of having to explain a data breach to a regulator having done nothing to protect the data of your customers: every extra step you take will be evidence that may help you either not be there in the first place, or at least be in a position to explain all the efforts you made to try and mitigate/minimise any loss of data. However, certification against GDPR – General Data Protection Regulation – itself by accredited certification bodies will be voluntary – form an orderly queue for your European Data Protection Seal!
International data transfers – replacing Safe Harbour
Safe Harbour has been replaced by the EU/US Privacy Shield, which is a scheme both parties need to be signed up to. For more information see the release guidelines. Within the EU, subject to contractual agreements and possibly other member state requirements, GDPR permits transfers; further afield, transfers are subject to approval by the supervisory body. Here’s the list of currently approved countries. This includes the US under the Privacy Shield.
GDPR allows for the transfer of personal data based on the three Model Clauses without specific authorisation from the DPA. However, these clauses may not be modified, and agreements between controller and processor will need to be verified with legal advice to ensure compliance. I have researched this long enough to be sure that this detail needs to be scrutinised by legal counsel. I have found this GDPR legal blog very helpful.
GDPR adds new mechanisms to permit international transfers:
- Contracts between a controller and processor in a third country where approved by the DPA
- Where a Data Seal / certificate has been issued to the company by the DPA.
- Transfers based on an approved code of conduct.
- Binding corporate rules
These may require additional consent to be sought.
Training and competence requirements
Focus on Fair Information Practice Principles (FIPPs)
- Data collection – modified consent requirements.
- Data processing and Use – data quality, limited access, confidentiality, data minimization / pseudonymisation, purpose specification (PIA / Privacy by design), information security
- Individual Knowledge and Participation – knowledge of Data Subject rights and different forms of legal position to collect data – not just consent.
- Transfer and sharing – how to share data across borders or with third parties / processors.
- Accountability – policies and procedures to ensure data protection, the role of the DPO, audit and compliance establishment / maintenance.
You might also use this opportunity to integrate this with your Information Security awareness programme and kill two birds with one stone.
Incident response and breach reporting / Data breach reporting requirements
A personal data breach is where personal data is lost, altered, destroyed, illegally accessed, transmitted, processed or disclosed.
Processors must notify controllers without delay, and all breaches must be reported.
Controllers must notify the supervisory body within 72 hours of becoming aware of the breach unless it is unlikely to affect the rights of data subjects.
Where the supervisory body deems it necessary, the data controller can be compelled to communicate breach information and advice to data subjects unless:
- The breach is unlikely to result in high risk for data subjects
- Suitable protection was in place (encryption or similar)
- It would involve disproportionate effort compared with what a broadcast information campaign would achieve
An internal breach register needs to be maintained.
- Demonstrating compliance with the GDPR
There is a voluntary certification programme that will be instigated by the ICO, and it is yet to be determined which certification bodies will assess compliance with GDPR. Further to this, Binding Corporate Rules will continue to be assessed for those companies using these rules to manage the international transfer of personal data. Compliance can also be demonstrated by the adoption of information security frameworks (ISO 27001, COBIT, NIST, PCI-DSS etc.).
- Range of enforcement, regulatory and compensatory aspects of the GDPR
Consideration as part of the data protection piece should be given to eDiscovery laws and the obligations on organisations to retain and protect data relating to individuals and organisations, as seen in the Zubulake v. UBS Warburg case. There the defence lost: even though the emails could not be found when UBS was instructed to provide them, the court found UBS liable for their content, since it could not prove they didn’t exist, and it suffered sanctions. For further information on eDiscovery see the latest Wikipedia page.