GDPR and Cyber-security ‘technical and organisational measures’
The General Data Protection Regulation (GDPR) and cyber-security go hand in hand. The primary focus of the regulation is to improve the security of data for data subjects and to update outdated regulations across all of Europe. Throughout the regulation it is regularly stated that appropriate ‘technical and organisational measures’ should be taken with regards to preventing data breaches and working with trusted suppliers.
The GDPR will come into force in May 2018 in the form of the New Data Bill in the UK and various other acts across Europe. With Brexit negotiations underway, many had thought that this could sway the way the GDPR was implemented in the UK, but if anything it will make it more important. The British government will have to ensure that data laws are in line with European policy and that any agreements with the EU around trade include regulations on any data that may be associated with it.
New areas under the GDPR
There are several areas under the GDPR that are significantly different to previous data acts, notably the Data Protection Act in the UK, that relate to the protection of personal data. The definition of personal data has also been updated and now refers to ‘any information relating to an identified or identifiable person (data subject)’; this now includes information such as an IP address.
Another new area under the regulation is The Right to Erasure; this gives an individual more control over how and when their data is used and makes it easier to request for an organisation to stop processing data and ultimately delete all records of it. There are conditions that must be met (or not met) for a data deletion request to be granted and there are also certain conditions in which a data processor can refuse a request.
Facts and figures make headlines, and some that are likely to have ruffled feathers since the regulation’s announcement are the new penalties that can be issued by data regulation authorities. A serious data breach can be penalised by a fine of up to €20 million or 4% of global revenue, whichever is higher. In addition to this, all data breaches are subject to a new reporting process that allows 72 hours for a report to be made; if this does not happen, a penalty of up to €10 million or 2% of global revenue (whichever is higher) will be enforced.
The increased responsibilities on data processors
“The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.” – Article 29
Another area that has been significantly updated under the GDPR is the rights and liabilities of data processors. A data processor is ‘a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller’. Processors now have an added responsibility to help data controllers become compliant with the regulation and can be liable if a data breach happens under their control.
‘The protection of the rights and freedoms of natural persons with regard to the processing of personal data, require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet, in particular the principles of data protection by design and data protection by default.’ – POINT 78
What are appropriate ‘technical and organisational’ measures?
What counts as appropriate technical and organisational measures may come down to an individual’s reading of the regulation, but given the areas being strengthened by it there are some assumptions that can be made. It is clear that understanding who has access to data and what they do with it matters; it is therefore important to ensure that all due diligence is done on suppliers, vendors and processors. Efforts must be made internally to ensure that the chance of a data breach is minimised and that data is kept safe. Methods such as ‘pseudonymisation’ and ‘encryption’ are among those recommended within the regulation but are not mandated.
Cyber security best practices
While the GDPR may represent significant changes in the law around managing and protecting data, especially personal data, many parts of the regulation are in line with current best practice. The regulation talks about pseudonymisation and encryption as methods of securely protecting data; best practice would suggest that any data that could easily be removed should be encrypted.
Preventing unauthorised access to data and tracking who can access data is an important best practice step. In the event of a data breach, details about how the breach occurred and who was involved must be reported, now within 72 hours; internal breaches are still one of the leading causes of data breaches. In addition to this, it is important to have processes and policies in place that allow the company to manage data correctly and to deal with any mismanagement correctly and quickly.
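As an added illustration (not code from the original article), here is how pseudonymisation of a field the article names as personal data, the IP address in a web-server log, can be done with a keyed hash so that sessions remain correlatable while the key and the re-linking table, the ‘additional information’, are held separately from the log. The log lines, key handling and function names are constructed for this example; the last function shows why an unkeyed hash of an IP address is not adequate.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample web-server log; the client IP is personal data under the GDPR.
SAMPLE_LOG = [
    "2018-05-25T09:12:01Z 203.0.113.42 GET /account",
    "2018-05-25T09:12:07Z 198.51.100.7 POST /login",
    "2018-05-25T09:13:30Z 203.0.113.42 GET /orders",
]


def new_pseudonymisation_key() -> bytes:
    """Fresh 256-bit secret; store it apart from the logs (e.g. in a KMS or vault)."""
    return secrets.token_bytes(32)


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the address, shortened to 16 hex digits. Same address and
    same key give the same token, so analytics and abuse detection still work;
    without the key the token cannot be turned back into the address."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_log(lines: List[str], key: bytes) -> List[str]:
    """Replace the IP field (second column) of each log line with its token."""
    out = []
    for line in lines:
        ts, ip, rest = line.split(" ", 2)
        out.append(f"{ts} {pseudonymise_ip(ip, key)} {rest}")
    return out


def build_relinking_table(lines: List[str], key: bytes) -> Dict[str, str]:
    """Token -> real IP map, to be kept in a separate access-controlled store.
    It is what lets you answer a data-subject request or investigate a breach."""
    ips = [line.split(" ")[1] for line in lines]
    return {pseudonymise_ip(ip, key): ip for ip in ips}


def unkeyed_token(ip: str) -> str:
    """The weak alternative: a plain, unkeyed SHA-256 of the address."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()[:16]


def unkeyed_hash_is_reversible(token: str, prefix: str = "203.0.113.") -> bool:
    """Why plain hashing is NOT pseudonymisation: the IPv4 space is small enough
    to enumerate, so the address is recovered by trying candidates. One /24 here."""
    return any(unkeyed_token(f"{prefix}{host}") == token for host in range(256))
```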