With the security of personal data having a significant impact on organisational security, it is essential that your business has a comprehensive understanding of data protection laws.
The General Data Protection Regulation (GDPR) highlights the importance of personal data and how it is processed and protected, with stringent sanctions for companies that suffer a data breach.
What is ‘personal data’?
The GDPR and the UK GDPR define personal data as ‘any information relating to an identified or identifiable natural person’. This covers any information that could lead to the direct or indirect identification of a living individual.
Why personal data is important
The importance of personal data is based on the fact that it covers so many types of sensitive information. The definition in the GDPR includes many common forms of data, including names, postal and email addresses plus telephone numbers, driving licence, bank account, credit card, passport and social security numbers. It also encompasses, under certain circumstances, identifiers such as biometric data, web cookies, mobile device IDs and other factors specific to ‘physical, physiological, genetic, mental, economic, cultural or social identity’.
The qualifier of ‘certain circumstances’ is an important one, as context can be crucial when determining whether or not information can be used to identify someone. In isolation, a name, which may be the same as many other individuals, will not constitute personal data, but if it is combined with additional information that could help to identify the subject, it will fall within scope.
Another key factor in the importance of personal data is pseudonymisation. This is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information held elsewhere. Pseudonymisation is encouraged by the GDPR, but pseudonymised data is not excluded from its scope. Organisations should be careful to ensure that their process is sufficiently sophisticated, as there are cases of personal data being retrieved from supposedly anonymised information, and in these instances, any organisation that processes this data will be liable. The potential impact of failing to meet the requirements of the GDPR highlights exactly why the effective and secure management of personal data is so important.
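The distinction drawn above, as an added illustration that is not part of the original article: an unkeyed hash of an identifier is deterministic, so anyone holding a plausible candidate list can rebuild the mapping, whereas a keyed token can only be relinked by whoever holds the key stored elsewhere. The record, candidate list and field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; no real individuals.
RECORD = {"name": "Jane Example", "email": "jane@example.test", "spend": 42.5}
DIRECT_IDENTIFIERS = ("name", "email")


def token(value, key=None):
    """Unkeyed SHA-256 when key is None (the 'supposedly anonymised' case),
    otherwise an HMAC whose key is the additional information held elsewhere."""
    if key is None:
        return hashlib.sha256(value.encode()).hexdigest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def strip_identifiers(record, key=None):
    """Replace every direct identifier with its token; other fields are kept."""
    return {k: (token(v, key) if k in DIRECT_IDENTIFIERS else v)
            for k, v in record.items()}


def relink(tokenised, field, candidates, key=None):
    """Reversibility check a data protection team can run on its own output:
    try to map one token back to a value, using only `candidates` and whatever
    key the caller holds. Returns the matched value or None."""
    for cand in candidates:
        if hmac.compare_digest(token(cand, key), tokenised[field]):
            return cand
    return None


def demo():
    """Compare the two schemes against the same candidate list."""
    key = secrets.token_bytes(32)  # would live in a separate, access-controlled store
    candidates = ["alice@example.test", "jane@example.test", "bob@example.test"]
    naive = strip_identifiers(RECORD)          # unkeyed hash: still personal data
    keyed = strip_identifiers(RECORD, key)     # keyed token: relinkable only with key
    return {
        "naive_relinked_without_key": relink(naive, "email", candidates),
        "keyed_relinked_without_key": relink(keyed, "email", candidates),
        "keyed_relinked_with_key": relink(keyed, "email", candidates, key),
    }
```

Because the key holder can still relink the record, the keyed output remains personal data under the GDPR for that organisation; the scheme reduces exposure, it does not remove the data from scope.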
Processing, consent and the right to be forgotten
Under the GDPR, ‘processing’ is similarly broad in scope, referring to any set of manual or automated operations performed on personal data, including collection, storage, organisation and alteration.
There are also additional requirements for consent from the data subject, which must be ‘freely given, specific, informed and unambiguous’. Consent requires an active, positive opt-in, so efforts must be made to ensure, for instance, that all data relating to employees, customers and business partners is fully consented and evidenced.
All individuals have the right to see a copy of the data that an organisation holds on them, and if so desired, to request its deletion – known as ‘the right to be forgotten’. Organisations must therefore have mechanisms in place not just to protect personal information from compromise, but also to identify, analyse and remove it from processing.
While identifying most forms of structured personal data such as contact information in spreadsheets, databases and CRM systems may be straightforward, dark data can pose a significant challenge. Personal data may reside in logs, email exchanges, call and meeting minutes, old document versions or unused scans or photocopies, so retrieving this information may be easier said than done.
The importance of breach detection and reporting
Even if an organisation has taken the necessary steps to structure and gain consent for the information it processes, it will still be liable to receive significant sanctions if it fails to detect and report personal data breaches.
Under the GDPR, a breach encompasses any destruction, loss, unauthorised disclosure of or access to personal data. It is mandatory to report all breaches that are likely to result in ‘a risk to people’s rights or freedoms’ to a relevant authority within 72 hours, and where this risk is significant, to the individuals themselves.
Beyond notification of a breach, organisations must also make efforts to share details concerning the nature of the breach, the amount and type of data compromised, and the measures being taken to address it. Failure to comply with any aspect of the legislation could lead to a fine of €20m or 4% of annual turnover, whichever figure is higher.
With breaches an ongoing challenge, the GDPR puts the onus on businesses to be proactive by implementing appropriate measures to detect and investigate attacks in their infancy.
Achieving GDPR compliance
The prospect of complying with the GDPR can be daunting, but organisations that make demonstrable efforts to improve their data security are likely to be looked upon more favourably by regulators.
Indeed, complying with the GDPR can actively help organisations to get their cyber security in order, while at the same time enabling them to make the necessary improvements to the way in which they collect, store and handle personal data. Kroll offers a range of services to ease the burden of GDPR compliance.
A GDPR Data Readiness Assessment is a good starting point for any organisation wanting to understand its level of GDPR preparedness and identify where improvements need to be made. Achieving Cyber Essentials certification, a government-endorsed cyber security standard, is recommended to demonstrate good practice. So too is commissioning a regular penetration test to identify and help address more complex vulnerabilities pertaining to technology, people and processes.
An effective way for organisations to increase visibility and improve data protection is to implement a 24/7 network and endpoint monitoring capability. Kroll Responder, Kroll’s award-winning managed detection and response service, combines certified security expertise, leading detection technologies and up-to-the-minute threat intelligence to not only identify and report breaches but also remediate them before they escalate.