With the GDPR implementation deadline fast approaching, it is essential that your business has a comprehensive understanding of the resulting changes to data protection laws.
This includes an expanded definition of ‘personal data’, with additional requirements on how it is processed and protected, and more stringent sanctions for organisations that suffer a data breach.
What is ‘personal data’?
The GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. This covers any information that could lead to the direct or indirect identification of a living individual.
This definition includes many common forms of information, including names; postal and email addresses; and telephone, driving licence, bank account, credit card, passport and social security numbers. It also encompasses, under certain circumstances, identifiers such as biometric data, web cookies, mobile device IDs and other factors specific to ‘physical, physiological, genetic, mental, economic, cultural or social identity’.
The qualifier of ‘certain circumstances’ is an important one, as context can be crucial when determining whether or not information can be used to identify someone. In isolation, a name, which may be shared with many other individuals, will not constitute personal data, but if it is combined with additional information that could help to identify the subject then it will fall within scope.
Pseudonymisation of data is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information held elsewhere. Pseudonymisation is encouraged by the GDPR, but pseudonymised data is not excluded from its scope. Indeed, organisations should be careful to ensure the process is sufficiently robust, as there are recent examples of personal data being retrieved from supposedly anonymised information, and in such cases any organisation that processes this data will be liable.
Processing, consent and the right to be forgotten
Under the GDPR, ‘processing’ is similarly broad in scope, referring to any set of manual or automated operations performed on personal data, including collection, storage, organisation and alteration.
There are also additional requirements for consent from the data subject, which must be ‘freely given, specific, informed and unambiguous’. Consent requires an active, positive opt-in, so efforts must be made to ensure, for instance, that consent has been obtained and evidenced for all data relating to employees, customers and business partners.
All individuals also have the right to see a copy of the data that an organisation holds on them and, if they so desire, to request its deletion – known as ‘the right to be forgotten’. Organisations must therefore have mechanisms in place not just to protect personal information from compromise, but also to identify, analyse and remove it from processing.
While identifying most forms of structured personal data, such as contact information in spreadsheets, databases and CRM systems, may be straightforward, dark data can pose a significant challenge. Personal data may reside in logs, email exchanges, call and meeting minutes, old document versions or unused scans or photocopies, so retrieving this information may be easier said than done.
The importance of breach detection and reporting
Even if an organisation has taken the necessary steps to structure and permission the information it processes, it will still be liable to significant sanctions if it fails to detect and report personal data breaches.
Under the GDPR, a breach encompasses any destruction, loss, or unauthorised disclosure of or access to personal data. It is mandatory to report all breaches that are likely to result in ‘a risk to people’s rights or freedoms’ to a relevant authority within 72 hours and, where this risk is significant, to the individuals themselves.
Beyond notification of a breach, organisations must also make efforts to share details concerning the nature of the breach, the amount and type of data compromised, and the measures being taken to address it. Failure to comply with any aspect of the legislation could lead to a fine of €20m or 4% of annual turnover, whichever figure is higher.
With breaches now an operational reality, the GDPR means that it is essential for businesses to be proactive by implementing appropriate measures to detect and investigate attacks in their infancy.
Preparing for GDPR compliance
The prospect of complying with the GDPR in less than 4 months may be daunting, but organisations that make demonstrable efforts to improve their data security are likely to be looked upon more favourably by regulators.
Indeed, the GDPR is an ideal opportunity for organisations to get their cyber security in order, while at the same time making the necessary improvements to the way in which they collect, store and handle personal data. Redscan offers a range of services to ease the burden of GDPR compliance.
A GDPR Data Readiness Assessment is a good starting point for any organisation wanting to understand its level of GDPR preparedness and identify where improvements need to be made. Achieving Cyber Essentials certification, a government-endorsed cyber security standard, is recommended to demonstrate good practice. So too is commissioning a regular penetration test to identify and help address more complex vulnerabilities pertaining to technology, people and processes.
An effective way for organisations to increase visibility and improve data protection is to implement a 24/7 network and endpoint monitoring capability. ThreatDetect™, Redscan’s award-winning managed detection and response service, combines certified security expertise, leading detection technologies and up-to-the-minute threat intelligence to not only identify and report breaches but also remediate them before they escalate.