EU’s New Data Rules Are 1 Year Away

May 25 2018 is a date that should be etched in red on the calendars of any company that does business in the European Union (EU).

That’s the day companies must be in full compliance with the EU’s General Data Protection Regulation (GDPR), which requires them to take specific steps to more securely collect, store and use personal information.

For companies still at the beginning of their efforts, that’s not much time. The Sophos security blog, Naked Security, has produced the following guidance.

Companies ignore GDPR at their peril

First, a dose of reality: companies not in compliance this time next year face brutal fines for violations. For example, NCC Group came up with a model that extrapolated from the fines actually imposed for breaches by the UK’s Information Commissioner’s Office and calculated what they might be under GDPR. Under the model, British companies that were penalised for breaches last year could have faced fines totaling £69m under GDPR, rather than the £880,500 they collectively had to pay up.

TalkTalk, which last year was slapped with the biggest fine ever in the UK for a data breach, of £400,000, would have faced a bill of £59m, calculated NCC, while Pharmacy2U, which was fined £130,000, would have faced a bill of £4.4m.

Those are sobering numbers, especially in light of a January report from (ISC)2’s EMEA council, which covers issues concerning Europe, the Middle East and Africa. According to the report, organisations aren’t doing too well, having accomplished precious little in the first year they had to get things in order. The council warned of what it sees as poor acceptance of accountability across organisations and an apparent belief that the task ahead is one for the specialists, either legal or technical.

Meanwhile, a recent report by Crown Records Management found that nearly a quarter of UK businesses surveyed said they had stopped preparing for GDPR, with 44% saying they didn’t think GDPR would apply to them once the UK leaves the EU in March 2019 as a result of last year’s Brexit vote.

Since the UK will still be in the EU when GDPR comes into effect, and presumably will continue to do business in the EU after Brexit, that’s an unfortunate and potentially costly assumption.

Size matters not
Another point of confusion for companies is about size. Specifically, do small businesses face the same requirements under GDPR as the big enterprises?
GDPR requires that any company doing business in the EU, no matter the size, more securely collect, store and use personal information. Like the big guys, smaller companies face fines for violations that might occur.
But the regulation accounts for the fact that smaller businesses lack the same resources as larger enterprises. UK-based data protection consultancy DataHelp makes note of the differences on its website:

Under the current law, as contained in the Data Protection Act, (DPA), the same rules apply, regardless of the size of an organisation. However, the General Data Protection Regulation (GDPR) … recognises that SMEs require different treatment from both large and public enterprises.

One area of concern for small businesses is the GDPR requirement that companies hire a data protection officer. But that part is for firms with more than 250 employees. Though smaller firms may still need to employ someone in this role if handling personal data is core to their operations, it may not have to be a full-time employee, but rather a consultant, which could be less costly. Daunting as it all may seem, small businesses can take comfort in this: as long as they can demonstrate that they’ve put their best foot forward to meet the requirements of GDPR, regulators will work with them on any problems that might arise. The key is to bring in the right consultants and document all actions taken.

Now what?
Now that we’ve outlined what’s at stake, let’s look at some concrete steps companies must be taking to be ready for May 2018.
Naked Security recently reviewed a 12-point checklist published by Ireland’s Office of the Data Protection Commissioner. The compliance practitioners we talked to have repeatedly cited that list as particularly helpful.

The checklist is as follows:

1.    Be aware. It’s not enough for CEOs, IT staff and compliance officers to be aware of what GDPR requires. Employees from the top to the bottom of an organisation need to be extensively educated on the regulation’s importance and the role they have to play.
2.    Be accountable. Companies must make an inventory of all personal data they hold and ask the following questions: why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
3.    Communicate with staff and service users. This is an extension of being aware. Review all current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing the organisation does and how aware customers, staff and service users are.
4.    Protect privacy rights. Review procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
5.    Review how access rights could change. Review and update procedures and plan how requests within new timescales will be handled.
6.    Understand the legal fine print. Companies should look at the various types of data processing they carry out, identify their legal basis for carrying it out and document it.
7.    Ensure customer consent is ironclad. Companies that use customer consent when recording personal data should review how the consent is sought, obtained and recorded.
8.    Process children’s data carefully. Organisations processing data from minors must ensure clear systems are in place to verify individual ages and gather consent from guardians.
9.    Have a plan to report breaches. Companies must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point.
10.    Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them.
11.    Hire data protection officers. The important thing is to make sure that someone in the organisation or an external data protection advisor takes responsibility for data protection compliance and understands the responsibility from the inside out.
12.    Get educated on the internal organisations managing GDPR. The regulation includes a “one-stop-shop” provision to assist organizations operating in EU member states. Multinational organisations will be entitled to deal with one data protection authority, or Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.

Making it your own
Those interviewed for the Naked Security piece cited above noted how they’ve taken the guidelines of Ireland’s Office of the Data Protection Commissioner and put their organisations’ stamps on them. One of them was Craig Clark, information security and compliance manager for IT services at the University of East London.

From a project point of view, he suggested the following be completed or nearly completed by mid-2017:

•    C-Suite Awareness
•    User Awareness
•    DPO Appointment
•    Information Identification
•    Updated Privacy Notices
•    Updated Data Protection Policies
•    Updated Information Sharing Agreements
•    Approved Data Privacy Impact Assessments
•    Identification of any cross-border transfers
•    Establishment of Data Subject Rights Management protocols
•    Privacy by Design implemented into the Project Methodology

Clark added, "A lot of guidance is still to be written by the ICO [UK Information Commissioner’s Office] but I’d want at least the above to be implemented."

Brexit doesn’t exempt UK companies
As mentioned, some assume they are free of GDPR because the UK is leaving the EU. That is not true. The following facts apply:

1.    British prime minister Theresa May sent a letter to the president of the European Union officially triggering Brexit in late March 2017. The exit process will take at least two years to complete, meaning UK companies will still be part of the EU on the day GDPR takes effect.
2.    Once the UK is no longer part of the EU, many of those companies will still do business with companies that are in the EU. That alone will keep UK businesses on the hook for compliance.

Therefore, companies should approach GDPR exactly as they would have before the Brexit vote.

Sophos
