In the first post looking at the upcoming EU GDPR, Nick Baskett looked at its scope and the sorts of areas it's likely to cover.
This second part will assess how the Act will be implemented, and some of the steps organisations need to be taking now to meet its requirements.
Implementing the Act Consistently
Currently, each country implements the EU Act in its own way. In the UK we have the Data Protection Act, and other countries do something similar. From 2017 there will be a single act, with minor variations to account for legal differences, such as the definition of a child’s age.
The EU will then have a single set of rules with a single Supervisory Authority, referred to as a ‘One Stop Shop’, which it expects will reduce costs and make application of the rules consistent across all 28 countries.
Data Processors and Data Controllers should create a risk-based framework to evaluate their data processing where personal information is included. This means that you assign more controls and protection to data that is considered higher risk.
The risk framework should be regularly monitored and adapted as there are changes in the business and the way it collects, stores and processes information.
Secure by Design
It has long been the mantra of security experts that security needs to be baked in. It is unfortunately more common for systems to be built first and for security to be assessed later, by which time it's often too late to make important design changes. The new regulation wants to redress this with the ‘Secure by Design’ concept.
One method the act identifies as a cornerstone of its Secure by Design principle is the use of pseudonymous data. This refers to data about an individual that in itself cannot be used to identify that individual. It can be achieved through a number of methods, but typically by replacing identifying data with tokens or artificial identifiers. The Supervisory Authority wants to see more use of this practice baked into applications at the design phase. We hope that organisations make use of security consultants to help in the design process to achieve this effectively, since there are cases of databases that made use of pseudonymous data where hackers were nonetheless able to derive personal data through inference attacks and other methods.
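The following is an added Python illustration, not code from the original post, of what the paragraph above describes: direct identifiers are replaced with keyed tokens, and a simple k-anonymity check shows why the remaining quasi-identifiers can still single a person out unless they are coarsened. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people). Pseudonymisation removes the
# direct identifiers but leaves quasi-identifiers that can still single a row out.
RECORDS = [
    {"email": "a.smith@example.org", "name": "A Smith", "postcode": "SW1A 1AA", "birth_year": 1980, "diagnosis": "D1"},
    {"email": "b.jones@example.org", "name": "B Jones", "postcode": "SW1A 1AA", "birth_year": 1980, "diagnosis": "D2"},
    {"email": "c.khan@example.org", "name": "C Khan", "postcode": "SW1A 2AA", "birth_year": 1985, "diagnosis": "D1"},
    {"email": "d.lee@example.org", "name": "D Lee", "postcode": "SW1A 2AA", "birth_year": 1986, "diagnosis": "D3"},
]
DIRECT_IDENTIFIERS = ("email", "name")
QUASI_IDENTIFIERS = ("postcode", "birth_year")
SECRET_KEY = b"placeholder-key-keep-outside-the-dataset"  # constructed; in practice held in a separate key store

def weak_token(value: str) -> str:
    """Unkeyed hash: anyone can recompute it from a guessed value, so it is not a real pseudonym."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]

def keyed_token(value: str, key: bytes) -> str:
    """Keyed HMAC token: recomputing or linking it requires the secret key held apart from the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key):
    """Replace the direct identifiers with one keyed subject token; keep the other fields as they are."""
    out = []
    for r in records:
        p = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        p["subject_token"] = keyed_token(r["email"], key)
        out.append(p)
    return out

def min_k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Smallest group of rows sharing the same quasi-identifier values; 1 means a row is unique."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

def generalise(records):
    """Coarsen the quasi-identifiers (outward postcode, birth decade) so that no row stays unique."""
    return [{**r, "postcode": r["postcode"].split()[0], "birth_year": r["birth_year"] // 10 * 10}
            for r in records]

if __name__ == "__main__":
    pseud = pseudonymise(RECORDS, SECRET_KEY)
    print("k before generalisation:", min_k_anonymity(pseud))              # 1: one row is identifiable
    print("k after generalisation:", min_k_anonymity(generalise(pseud)))   # 4
```

The k value is the design-time check a consultant would run on a pseudonymised export: a result of 1 means that a row is unique on its quasi-identifiers and can be linked to an individual from any other dataset carrying the same attributes.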
Notifying Data Subjects of a Breach
In the past, some companies that suffered breaches have been noticeably lethargic in notifying their customers. A number of reasons have been given, including that the company was conducting investigations, and that it didn’t want to notify customers of the breach until all the relevant facts had been gathered and the risks to the data subjects properly assessed.
The new regulations will take a dim view of this approach. It will be a requirement to notify customers within 24 hours of the company discovering the breach. Even if you don’t yet have all the facts, you are expected to put the data subject on alert.
Fines will be up to 4% of Worldwide Turnover
The level of fine is graded according to the seriousness of the event. For example, not having your records in order, or failing to notify the data subject of a breach, could result in a fine of €10m or 2% of worldwide turnover.
A failure to comply with the fundamental Data Protection Principles of Security by Design would be a more serious violation, and could attract a fine of up to €20m or 4% of worldwide turnover.