GDPR - The 5 Ws and How to get compliant
"I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who."
Rudyard Kipling, "I Keep Six Honest Serving-Men"
Kipling's six honest serving-men are as employable now as they were back then. With the General Data Protection Regulation (GDPR) soon to come into force, we set the six to work to examine what this new legislation really means for your business.
The GDPR is an updating of the European Data Protection Directive 95/46/EC, which was introduced in 1995 to protect the underlying human right to privacy regarding the way personal data is collected and handled. In the UK, this directive was implemented in the Data Protection Act 1998.
The guiding principles of the 1995 directive were laid down by the Organisation for Economic Co-operation and Development (OECD) and adopted in September 1980. Endorsed by both the US and the EU, these principles for the processing of data centred around the lawfulness of obtaining data, providing access upon request of the subject to the data held about them, the security and accuracy of the data, and safeguards regarding the purpose and use of the data.
GDPR builds on the previous legislation and has been drawn up with the intention that it suits the technology of today's data-driven world whilst at the same time remaining general enough so that it can accommodate future technological advancements.
So, what is personal data exactly?
Personal data is any information related to a natural person (aka data subject) that can be used to directly or indirectly identify the person. Some typical examples could be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. There is no distinction between personal data about an individual in their private, public, or work roles – all are covered by the legislation.
Some information is further classified as special category data. This is similar to the concept of sensitive personal data in the 1998 Data Protection Act and relates to information concerning a data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data used to identify them, physical or mental health, or sex life or sexual orientation. See Article 9(2) of the regulation for the conditions that must be met in order to process such information. Data about criminal convictions and offences is handled separately under Article 10 and also attracts extra safeguards.
A data controller is an organisation that determines the purposes and means of processing personal data, i.e. decides how and why it is to be processed.
A data processor is an organisation that processes personal data on behalf of a controller.
Both types of organisations have responsibilities under the regulation but it is important to note that controllers are not relieved of their obligations if a processor is involved. Controllers must ensure that any contracts with processors comply with the provisions of the GDPR.
Article 5 of the GDPR describes the main responsibilities for organisations. It requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Further, Article 5(2) requires that:
- the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
The reasons behind the new legislation are two-fold, designed to support both businesses and the individual. Back in 1995, only around 1% of Europeans were using the internet, a statistic which seems inconceivable today with e-commerce, Cloud storage and social media commonplace. As the number of digital opportunities increasingly opens up in society, the processing of data has become ubiquitous. With this comes an increased need to strengthen the legislation to safeguard the right to privacy.
All very noble. But why bother?
Under the GDPR, fines for non-compliance are intended to be "effective, proportionate and dissuasive", ranging up to the greater of 2% of total worldwide annual turnover or €10 million, and rising to the greater of 4% or €20 million for the most serious contraventions. Certainly dissuasive by any standards!
Forward thinking companies however look beyond the financial stick brandished by the GDPR and focus on the carrot it contains instead. Today's consumers are increasingly data-savvy and understand how brands use their data for sales and marketing purposes. Recent high-profile data breaches affecting household name brands have raised people's expectation that organisations obtain personal data lawfully and use and store it securely. Compliance with GDPR protects your brand integrity and reputation. Your customers are reassured knowing they are dealing with a business which is open and transparent about how personal data is handled, leading to a solid foundation for mutual trust and respect between you and your clients.
The GDPR (Regulation (EU) 2016/679) is dated 27 April 2016, having been adopted by the EU Parliament and Council that month, and applies in all EU member states from 25 May 2018. Unlike the directive of 1995, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.
Periodically the IT industry has had to respond to deadlines such as these, be they created by changes in legislation or to an event, such as Y2K. In the case of GDPR, the commercial implications of not doing anything are very plain: the legislative landscape will change and the penalties for non-compliance are significant.
As the GDPR was adopted by the EU Parliament, you may think that the legislation only applies to Europe. This is not the case. The GDPR explicitly states (Article 3) that it applies to any organisation that processes the personal data of individuals who are in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of the organisation's geographical location and whether the processing takes place inside the EU or not. Note that the test is where the data subject is, not their citizenship. Furthermore, non-EU businesses caught by this rule will in most cases have to appoint a representative in the EU (Article 27).
The reality is that the legislation has worldwide reach and anyone who processes the data of people in the EU is affected.
While the full implications of Brexit are not yet clear, as the UK played a key role in the development of the GDPR legislation via the Information Commissioner's Office (ICO), it seems likely that the principles of the legislation will be followed in the UK's data protection regime and will need to be adhered to, even if your organisation operates solely within the UK.
It is important to note that the GDPR affects all levels of your organisation. If you process the data of people in the EU to offer goods or services, everyone and all departments in the company are involved. Bear in mind that your internal staff records will need to comply with the legislation too. The legislation does not just apply to those actively involved in the day-to-day processing of data but affects everyone, up to C-level. C-level are in fact those individuals most affected by the legislation and whose involvement in its implementation is key, due to the risks associated with non-compliance.
Time now for Kipling's sixth honest fellow to make an entrance.
Firstly, you need to consider how to become compliant with the legislation.
Following on from this, you must put in place the systems and processes that ensure you remain compliant with the legislation, and review these steps regularly. Regular reviews are critical because they allow you to demonstrate at any time that you are meeting the requirements of GDPR.
To avoid unpleasant surprises in May 2018, it is important to start preparing now. The first step is to review the documentation and familiarise yourself with the legislation. The primary source is valuable, if information dense. A good accessible starting point is the UK Information Commissioner's Office (ICO) website Guide to the General Data Protection Regulation (GDPR).
None of this can replace professional legal advice however and we strongly advise you seek this and consider using external IT consultancy to provide implementation services.
The timescale to successfully implement is very short with no grace period. Develop an implementation plan with the backing of senior level sponsorship at the very early stages. Make sure that your implementation plan considers both personnel and budget resources; there may be significant changes required within your organisation to meet GDPR's challenges.
Depending on the nature of your processing, you may need to appoint a Data Protection Officer (DPO). Certain types of organisation are required to do so (Article 37), for example public authorities, or organisations whose core activities involve large scale regular and systematic monitoring of individuals (e.g. tracking user behaviour) or large scale processing of special category data.
The DPO's minimum tasks are defined in Article 39:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
The DPO must report to the highest management level of your organisation (i.e. board level) and must operate independently and not be penalised or dismissed for performing their task. They must also be given adequate resources to meet their obligations under the GDPR. An existing employee can be appointed to the role of DPO provided the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interest. They do not need specific qualifications but the DPO is expected to have professional experience and knowledge of data protection law. The role of DPO can also be contracted out externally.
An important first step is to identify the data that your organisation currently holds that falls within the provisions of the legislation. This initial audit is the foundation for everything that follows. Some areas to consider are:
- What kind of data is being collected and stored, where and why?
- How is the data used (i.e. processed) both internally and externally?
- For how long is the data retained?
- Who has access to the data both inside and outside of the organisation?
- What procedures and controls are in place to keep data safe?
If your existing documentation is comprehensive and already up to date, your organisation is an exception. More often, documentation for systems is unavailable or out of date. For systems where the documentation seems inadequate, we have found that interviewing business and IT staff together is helpful to discover how systems are actually used in practice.
It may also be useful to consider a data profiling exercise. Data profiling is the act of analysing your data contents. The reason that we recommend this is that you can test your assumptions about the data that you hold, thereby establishing the true content of your data and where personal information may be found. Don't be caught out by unknowns, for example customer information being stored in comment fields.
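As an added illustration of the profiling step (this is example code written for this article, not a BDQ or ICO tool), the script below scans a handful of constructed records and reports which columns contain personal data that the schema never declared. The detectors are deliberately simple regular expressions plus a Luhn check for card numbers; the regexes, the column names and the sample rows are all assumptions for the demonstration, and hits should be treated as leads for a human review rather than a definitive inventory.

```python
"""Profile tabular records for personal data hiding in unexpected columns."""
import re
from collections import defaultdict

# Constructed sample: a free-text "comments" column quietly carrying PII.
SAMPLE_ROWS = [
    {"id": 1, "product": "Widget",
     "comments": "Customer asked us to email alice@example.com about the refund"},
    {"id": 2, "product": "Gadget",
     "comments": "Paid by card 4111 1111 1111 1111, expiry next year"},
    {"id": 3, "product": "Widget",
     "comments": "Logged in from 203.0.113.42, reported slow checkout"},
    {"id": 4, "product": "Gizmo",
     "comments": "NI number AB123456C supplied for a payroll query"},
    {"id": 5, "product": "Gadget", "comments": "No issues"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Assumed detector set; extend with whatever identifiers matter to your business.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D.
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    # 13-19 digits optionally separated by spaces/hyphens; Luhn-filtered below.
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def classify_text(text: str) -> set:
    """Return the set of personal-data labels detected in one free-text value."""
    found = set()
    for label, pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            if label == "payment_card":
                digits = re.sub(r"[ -]", "", match.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # long number that is not a card (order id, etc.)
            found.add(label)
    return found


def profile(rows):
    """Map each column to the personal-data types seen and the row counts."""
    report = defaultdict(lambda: defaultdict(int))
    for row in rows:
        for column, value in row.items():
            if not isinstance(value, str):
                continue
            for label in classify_text(value):
                report[column][label] += 1
    return {column: dict(hits) for column, hits in report.items()}


if __name__ == "__main__":
    for column, hits in profile(SAMPLE_ROWS).items():
        print(column, hits)
```

Run against a real export the output tells you which columns to add to the data inventory and which retention and access rules they now fall under; expect false positives from the IPv4 pattern on version strings and from the NI pattern on product codes, which is why the result is a review list and not an answer.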
Another factor to consider is so-called shadow or stealth IT, i.e. systems and solutions built and used without explicit approval from the IT department or indeed, without their knowledge. How many spreadsheets exist within your organisation that include customer or employee details? How many Cloud services are being used "unofficially", e.g. Mailchimp for customer satisfaction surveys? Do BYOD initiatives risk the security of your data subjects' privacy?
Identifying these data sets is quite the challenge.
Bear in mind that teams may be reluctant to disclose shadow IT systems if they feel that by doing so they will lose access to these. This part of the audit is likely to require the support of management teams throughout the business to explain and educate staff on the reasoning behind the need for access to such systems and personal devices.
Another source of data that may include personal information is data sets used in testing. Often copies of production data are used for this purpose due to the difficulty of creating large scale sets of data for volume testing. You need to identify these test data sets and, where possible, generate synthetic alternatives; simply masking a few columns of a production copy usually leaves enough behind to re-identify people. Although this is a complex and time-consuming process, it will reduce the number of employees that have access to personal information.
It is important to review existing agreements that you have with your data processors, including Cloud services. This is particularly important if they are based outside the EU. You must ensure that they will meet the requirements of the legislation as it is your organisation that will be held responsible for any data breaches.
Review your organisation's privacy policies and consent notices to ensure that they reflect the provisions of GDPR, in particular statements of the data subjects' rights and how they can exercise these.
It may be necessary to consider re-confirming the consent of your customers or employees if it is not currently possible to demonstrate that they actively gave consent when the personal information was originally obtained.
Following the information audit, identify those pieces of information that you currently hold that may no longer be required. Examples include: obsolete records that no longer need to be stored, data that is not needed to fulfil the business purpose, e.g. do we need the customer's date of birth?
Moving on from data minimisation, consider data anonymization. This is defined by ICO as:
"… the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information."
For example, is it possible to split off personally identifying data into a separate data set and then limit access to it? This is particularly useful if you are transferring data to a third-party for processing. Be aware that the GDPR treats this kind of split as pseudonymisation (Article 4(5)): as long as you, or anyone else, hold the key that links the two sets, the data is still personal data and still in scope, albeit at lower risk. Only data that cannot reasonably be re-identified by any means falls outside the regulation (Recital 26).
It is important to make sure that the processes put in place are adequate and are tested thoroughly to avoid any potential threat of data loss.
- Anonymisation: managing data protection risk code of practice summary
- Anonymisation: managing data protection risk code of practice
- UK Anonymisation Network
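The split described above, as an added example written for this article (not ICO or BDQ code), assuming a small constructed customer table: direct identifiers go into a separate, access-restricted identity table keyed by a keyed hash, quasi-identifiers such as full postcode and birth year are coarsened, and the remaining working table is what analysts or a third-party processor receive. The column names, the key and the generalisation rules are assumptions for the demonstration.

```python
"""Pseudonymise a customer table by splitting identifiers from working data."""
import hashlib
import hmac

# Constructed sample records; not real people.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com",
     "postcode": "SW1A 1AA", "birth_year": 1984, "plan": "pro", "monthly_spend": 42.0},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@example.net",
     "postcode": "M1 1AE", "birth_year": 1991, "plan": "free", "monthly_spend": 0.0},
]

# Columns that identify a person on their own; they never enter the working table.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def pseudonym(customer_id: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). A plain hash would let a recipient rebuild the
    mapping by hashing guessed customer ids; the key stays with the controller."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def generalise(row: dict) -> dict:
    """Coarsen quasi-identifiers that re-identify people in combination."""
    out = dict(row)
    out["postcode"] = row["postcode"].split()[0]        # outward code only
    out["birth_year"] = (row["birth_year"] // 10) * 10  # decade band
    return out


def split_dataset(rows, key: bytes):
    """Return (identity_table, working_table).

    identity_table: token -> direct identifiers; keep under strict access control.
    working_table:  generalised rows carrying only the token; safe(r) to share.
    """
    identity_table = {}
    working_table = []
    for row in rows:
        token = pseudonym(row["customer_id"], key)
        identity_table[token] = {k: row[k] for k in DIRECT_IDENTIFIERS}
        working = {k: v for k, v in generalise(row).items()
                   if k not in DIRECT_IDENTIFIERS}
        working["subject_token"] = token
        working_table.append(working)
    return identity_table, working_table


def reidentify(working_row: dict, identity_table: dict) -> dict:
    """Controller-side lookup, e.g. to honour an access or erasure request."""
    return identity_table[working_row["subject_token"]]


if __name__ == "__main__":
    ident, work = split_dataset(CUSTOMERS, b"demo-key-keep-in-a-secret-store")
    for row in work:
        print(row)
```

Because `reidentify` works for anyone holding the key and the identity table, the working table remains personal data in your hands; the gain is that the processor or analyst who only sees the working table cannot, on their own, say who each row is about. Rotate or destroy the key when the linkage is no longer needed, and record the decision.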
As part of GDPR, data subjects have improved rights in respect to the personal data that organisations hold about them. As part of this, they can make a number of requests of the organisation holding the data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
These requests must be handled in a timely fashion. The legislation requires that they are responded to without undue delay and at the latest within one month of receipt; this can be extended by a further two months where requests are complex or numerous, provided the individual is told why within the first month. Unlike the previous Data Protection Act, organisations are not usually allowed to charge an administrative fee.
It is imperative that any processes put in place to handle such requests are developed and tested before the legislation comes into force and live requests are received from the public. The processes themselves must not introduce risks to data privacy and security. A robust way of verifying the identity of the person making the request must be in place to prevent malicious requests which expose or delete personal data; a subject access request is an attractive route for an attacker to obtain someone else's data in bulk, and an erasure request is an equally attractive route to destroy it.
According to the legislation, best practice is to provide remote access to a secure self-service system in order to handle these requests. The legislation also goes on to say that the data subject must be able to make requests using other means, e.g. post, email, telephone and even social media.
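One way to build the identity check into a self-service portal, as an added example written for this article (not part of the BDQ or Jira Service Desk solution described later): rather than trusting an email address typed into the request form, the portal sends a single-use, time-limited link to the address it already holds on record for that customer, and only acts on the request once the link is followed. The request ids, key, addresses and lifetime below are assumptions for the demonstration; in production the set of used nonces would live in the database alongside the request.

```python
"""Single-use, time-limited verification tokens for data subject requests."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed link lifetime


def _mac(key: bytes, request_id: str, email: str, nonce: str, expires: int) -> str:
    # Bind the token to the request, the address of record, a nonce and an expiry
    # so that none of them can be swapped without invalidating the MAC.
    msg = f"{request_id}|{email}|{nonce}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_challenge(key: bytes, request_id: str, email_on_record: str, now=None) -> str:
    """Create the token to embed in the link sent to the address on record.

    request_id must not contain '.', which is used as the field separator.
    """
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)
    mac = _mac(key, request_id, email_on_record, nonce, expires)
    return f"{request_id}.{nonce}.{expires}.{mac}"


def verify_challenge(key: bytes, token: str, request_id: str, email_on_record: str,
                     used_nonces: set, now=None) -> bool:
    """True only if the token is well-formed, unexpired, unforged and unused.

    email_on_record comes from the controller's own records, never from the
    requester, so a valid token proves control of the mailbox we already knew.
    """
    now = int(time.time()) if now is None else now
    try:
        rid, nonce, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False
    if rid != request_id or now > expires or nonce in used_nonces:
        return False
    expected = _mac(key, request_id, email_on_record, nonce, expires)
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False
    used_nonces.add(nonce)  # burn the nonce: the link works exactly once
    return True


if __name__ == "__main__":
    key = b"demo-key-from-a-secret-store"
    used = set()
    token = issue_challenge(key, "DSAR-42", "alice@example.com")
    print("first use:", verify_challenge(key, token, "DSAR-42", "alice@example.com", used))
    print("second use:", verify_challenge(key, token, "DSAR-42", "alice@example.com", used))
```

For requests made by post or telephone the same principle applies: reply to the postal address or phone number already on file, not to the one quoted in the request, and log what evidence was relied on so the decision can be demonstrated later.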
Another key provision within the legislation is that organisations that suffer a personal data breach must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). In the UK the supervisory authority is the ICO.
Additionally, if the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, organisations are required to inform those individuals directly and without undue delay (Article 34).
It is important to develop a comprehensive procedure to follow in these circumstances. This needs to be in place well in advance of a breach occurring, given that the timescale to respond to these events is a mere 72 hours. As with any emergency procedure, the process needs to be tested to identify problems in advance and also to ensure that staff members are familiar with it and can follow it appropriately.
It is important that staff members from all areas of the organisation are made aware of the implications of GDPR. Short training sessions may be appropriate; you may wish to make resources available online. ICO have some useful tools that you can adopt.
The previous sections have outlined the complexities of becoming compliant with GDPR but just as important is remaining so. Achieving compliance with GDPR is not a one-off process and you must review some of the steps on an ongoing basis and be able to demonstrate that this has been done.
In particular, the process of handling data subject requests needs careful management. It is important to track performance with SLAs and a good option is to consider having a dashboard to show how requests are being processed. This will ensure that your organisation meets the required timescales for responses.
All the previous guidance has described handling your existing systems, but what about new developments? Privacy must not be tacked on as an afterthought. It must be considered early in the development process and you should follow 'Privacy by Design' best practice, which the GDPR makes a formal obligation (data protection by design and by default, Article 25).
As part of this you should undertake Data Protection Impact Assessments (DPIAs, the GDPR's name for what the ICO previously called Privacy Impact Assessments) for new development work carried out by the organisation; they are mandatory where the processing is likely to result in a high risk to individuals (Article 35). These highlight any risks that may be introduced to the privacy and security of the personal information that you already hold or may wish to obtain in the future.
As recent high-profile data breaches have shown, one of the biggest risks to data security is vulnerabilities in open source software components. Sonatype products can provide your organisation with a robust and demonstrable way of mitigating these risks across the whole development cycle. Policies can be set centrally and applied to the whole organisation without relying on manual effort – policies are applied automatically in the software delivery pipeline.
The products also provide information to your developers early in the software development process within their chosen IDE. This avoids potentially time-consuming rework of software that is near completion.
The 25 May 2018 deadline is fast approaching and time is of the essence to implement the changes required to meet the challenges of GDPR. Avoid the risk of non-compliance and a potential hefty fine by following the steps above. Consider now what external support you may need.
Utilising the Atlassian Jira Service Desk product, we offer a solution for managing and monitoring data subject requests, providing peace of mind that this aspect of your organisation meets the requirements of the GDPR legislation. The solution provides:
- Easy to use web portal for self service requests.
- Management dashboard to monitor compliance.
- Queue management for request service teams.
- Request status tracking
- Response time monitoring to ensure deadlines are met.
- Custom integration with other systems to automate data extraction for data portability requests and data deletions.
- Workflow automations to improve efficiency in responding to requests that may involve multiple teams.
In addition, BDQ has extensive expertise in data profiling and data discovery. We offer consultancy services to carry out Personal Information Audits and, by applying our in-depth knowledge of Sonatype products, we can also identify open source library vulnerabilities in your existing applications.
To find out how we can help you, contact BDQ.