This week, I was asked a very simple question which has a very complicated answer.
‘How do we know that we are GDPR compliant?’
My answer is that no organisation can ever, hand on heart, attain a magic badge of ‘GDPR compliance’. Data protection and security involve moving targets – people, process and technology.
People are probably the flakiest – many data disasters happen because humans just do something silly, like using cc instead of bcc or opening a dodgy PDF attachment when they have just been warned about phishing attacks. Processes need to evolve to meet changing business needs, and technology needs constant patching with new security fixes because hackers just get smarter and more determined by the day.
We all now understand that the EU’s GDPR initiated a major overhaul of how organisations manage personal data. However, it also caught a lot of people on the hop and the policies and procedures that were put together in the race up to May 2018 were all a bit of a rush. When you consider all the elements that are needed to bring any organisation up to scratch, it’s highly unlikely that anyone actually nailed it. We are now a year on and many are still finding the regulation challenging.
Anyone who is subject to GDPR – and it has a very broad geographical reach – must evaluate how they collect, store and process personal data to protect the privacy, rights and freedoms of their data subjects.
In this article, I am going to discuss my top ten tips for placing data protection and security at the heart of your organisation. It’s not a race and there is no finite destination – you must think of it as an ongoing strategy and continuously revisit, re-evaluate, and revise.
Review what you have achieved and what still needs work.
The chances are that you, or your consulting or legal team, carried out a gap analysis to look at all the areas that needed action prior to May 25th last year. GDPR compliance is very much a continuous process, and now is the time to revisit your original plan to look at how it can be adapted and changed to further reduce the risk to your organisation. Remember that it’s not just about the much-hyped fines. A data breach will cause a significant financial loss in terms of lost business opportunity and revenue and is also hugely damaging to reputation.
Revisit your awareness and training programme for all staff members.
Ensure that the content is interactive and can be delivered in manageable chunks. The concepts of data protection and information security can be either difficult to understand or dull and dry. Consider posters, cartoons, games and quizzes alongside any formal obligatory training. Also, consider the roles of the trainees. Someone in marketing requires different training and awareness from someone in HR or procurement. What about people who handle children’s data? You need to ensure that the training is tailored to the culture of your organisation and the job function of the employees.
Audit your data!
Yes, that’s right, audit it, audit it again and keep auditing it. Organisations have to have a deep understanding of the types of data that they process, how they process it, the legal basis under which it is processed, how it is protected and how it may be shared. Data flows are not static. It is not a good assumption to think ‘Oh, but we just did that last year’. It has to be an ongoing, iterative process. The end game is to always fully understand what kinds of personal data you’re processing, its origin, its destination and how it is protected at rest and in transit. If you get these things right and understand your own data flow mappings then you are winning the battle.
Review your IT systems.
Make sure that security updates are applied by default. Patch, patch and keep patching. Hackers have lists of vulnerabilities and will exploit them. As an example, SQL 2008 will be retired in July this year, which means no more security updates. Running legacy unsupported software is like leaving the front door open and inviting the burglars in.
Certify where possible.
Whilst there is no ‘magic badge’ that proves GDPR compliance, appropriate certification is definitely an asset. Smaller organisations can obtain Cyber Essentials, a Government scheme that helps protect companies from all kinds of cyber-attacks. Healthcare organisations must subscribe to and adhere to the DSP Toolkit. For all, the ISO 27001 standard is the ‘Rolls Royce’ of information security – it is designed to help organisations manage their information security processes in line with international best practice while optimising costs. It is technology and vendor neutral and is applicable to all organisations – irrespective of their size, type or nature. If you are employing privacy professionals to advise you then they should also hold reputable certifications such as those awarded by IAPP (CIPP, CIPP/E, CIPM, CIPT) or awards from the British Computer Society such as the BCS Practitioner Certificate in Data Protection.
Create and rehearse your incident response plan.
Always ensure that your incident response plan is understood and accessible. A security or data breach is a big deal and has to be managed fast in order to mitigate damage. It is no good just having a policy; it is important that employees have a genuine understanding of the policies and procedures within the company and how they are expected to react if the worst happens.
Be open and transparent.
Keep privacy policies for customers and employees up to date, accurate and accessible. The ICO advocates setting out a mission, vision and goals, and I always encourage my customers to encapsulate their own privacy aims in a privacy vision statement. Here is an example from the ICO:
To uphold information rights for the UK public in the digital age.
To increase the confidence that the UK public have in organisations that process personal data and those which are responsible for making public information available.
To increase the public’s trust and confidence in how data is used and made available.
Improve standards of information rights practice through clear, inspiring and targeted engagement and influence.
Maintain and develop influence within the global information rights regulatory community.
Stay relevant, provide excellent public service and keep abreast of evolving technology.
Enforce the laws we help shape and oversee.
Your website is your shop window.
When I was auditing suppliers for the NHS last year as part of the GDPR due-diligence process, I always started with their website. Nothing screams ‘we don’t do data protection and value our customers’ privacy very well’ like an out-of-date website. I look for things which are obvious ticks or crosses:
Is there a dynamic cookie management strategy and is consent for cookies that are not strictly necessary obtained in advance?
Is there a minimal data collection form with a privacy notice displayed at the point of collection?
Are there any pre-ticked boxes to assume consent?
Does the organisation portray that it cares about data protection and security? Do they display logos for Cyber Essentials or other such certifications?
Is the connection a secure https one?
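Several of these ticks and crosses can be checked mechanically against a saved copy of a page. The script below is an added example, not part of the original article or anything the author used: it takes a captured page (URL, response headers and HTML), flags a non-https connection, non-essential cookies set in the very first response before any consent could have been given, forms that post over plain http, and pre-ticked consent checkboxes, and lists the fields a form collects so the data-minimisation question can be answered by a human. The sample URL, headers, HTML and the allowlist of ‘strictly necessary’ cookie names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageInventory(HTMLParser):
    """Collect forms, their inputs and privacy-notice links from raw HTML."""

    def __init__(self):
        super().__init__()
        self.forms = []           # each: {"action": str, "inputs": [attr dicts]}
        self.privacy_links = 0
        self._check_anchor_text = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # boolean attributes such as 'checked' map to None
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a)
        elif tag == "a":
            if "privacy" in (a.get("href") or "").lower():
                self.privacy_links += 1
            else:
                self._check_anchor_text = True   # fall back to the link text

    def handle_data(self, data):
        if self._check_anchor_text and "privacy" in data.lower():
            self.privacy_links += 1
            self._check_anchor_text = False

    def handle_endtag(self, tag):
        if tag == "a":
            self._check_anchor_text = False


def audit_page(url, response_headers, html, essential_cookies=frozenset({"session"})):
    """Return {"findings": [...], "fields": [...]} for one captured page.

    findings: obvious crosses (no https, cookies set before consent, a form
              posting over http, pre-ticked consent boxes, no privacy notice).
    fields:   names the form collects, for a manual data-minimisation review.
    The allowlist of strictly-necessary cookie names is a constructed assumption.
    """
    findings = []
    scheme = urlparse(url).scheme
    if scheme != "https":
        findings.append(f"page served over {scheme}, not https")

    # Cookies in the first response arrive before any consent can exist, so
    # anything outside the strictly-necessary allowlist is a finding.
    for raw in response_headers.get("Set-Cookie", []):
        name = raw.split("=", 1)[0].strip()
        if name not in essential_cookies:
            findings.append(f"non-essential cookie '{name}' set before consent")

    inv = PageInventory()
    inv.feed(html)
    inv.close()

    fields = []
    for form in inv.forms:
        action = urlparse(form["action"])
        # A relative action inherits the page scheme, which was checked above.
        if action.scheme and action.scheme != "https":
            findings.append(f"form posts to {form['action']} over {action.scheme}")
        for inp in form["inputs"]:
            kind = (inp.get("type") or "text").lower()
            if kind == "hidden":
                continue
            name = inp.get("name") or "?"
            fields.append(name)
            if kind == "checkbox" and "checked" in inp:
                findings.append(f"pre-ticked checkbox '{name}' assumes consent")
    if inv.forms and inv.privacy_links == 0:
        findings.append("data collection form without a privacy notice link")
    return {"findings": findings, "fields": fields}


# Constructed sample capture: a sign-up page with every cross on the list.
BAD_URL = "http://www.example.test/signup"
BAD_HEADERS = {"Set-Cookie": ["session=abc123; Path=/", "_analytics=xyz; Path=/"]}
BAD_HTML = """
<form action="http://www.example.test/submit" method="post">
  <input type="text" name="email">
  <input type="text" name="date_of_birth">
  <input type="checkbox" name="marketing" checked> Send me offers
  <input type="checkbox" name="terms"> I accept the terms
  <a href="/privacy">Privacy notice</a>
</form>
"""

# The same constructed page after each cross has been fixed.
GOOD_URL = "https://www.example.test/signup"
GOOD_HEADERS = {"Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly"]}
GOOD_HTML = """
<form action="/submit" method="post">
  <input type="text" name="email">
  <input type="checkbox" name="marketing"> Send me offers
  <a href="/privacy">Privacy notice</a>
</form>
"""

if __name__ == "__main__":
    print("before:", audit_page(BAD_URL, BAD_HEADERS, BAD_HTML))
    print("after: ", audit_page(GOOD_URL, GOOD_HEADERS, GOOD_HTML))
```

Run against the ‘before’ capture it reports four findings and four collected fields; against the ‘after’ capture it reports none. The cookie check deliberately only looks at the first response: a consent banner can never retroactively justify a cookie that was already set when the page loaded.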
Don’t become dazed and confused.
Remember that data is not just letters and numbers. Photographs, fingerprints, IP addresses, video – anything that can identify a living individual is data. Think about the physical security of any paper records, adopt a clean desk policy, shred personal data and if you have a fax machine, take it to be recycled right now – those things aren’t just so last year, they are so last century! Always use secure applications to share personal data and perform due diligence on anyone that you use as a data processor.
Ask the audience!
When you’re planning any project that involves processing personal data you must consider how to consult with relevant stakeholders and be able to describe how you will seek individuals’ views – or alternatively justify why it’s not appropriate to do so. This is part of the data protection impact assessment process. Who else do you need to involve within your own organisation? Do you need to ask other processors to help? Do you need to consult with a data protection specialist, an information security expert, or any other niche professional? Involvement, collaboration and co-operation are key as no one can be expected to navigate the choppy waters of the GDPR as a solo swimmer!
By Claire Robinson – Director, CIPM, CIPP/E, Certified GDPR Practitioner, BITIL, CIS F and CIS LI.