GDPR Data Regulations & Commercial Fines

The goals of the General Data Protection Regulation (GDPR) are simple: a law to ensure data protection and privacy for all individual citizens of the European Union and the European Economic Area. However, the maximum fine under the GDPR is up to 4% of annual global turnover or €20 million, whichever is greater, for organisations that infringe its requirements.
 
But, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:
 
  • Issuing warnings and reprimands;
  • Imposing a temporary or permanent ban on data processing;
  • Ordering the rectification, restriction or erasure of data; and
  • Suspending data transfers to third countries.
UK Government Fines
There have been a few large fines made by the UK Government against organisations who have misused personal data and recently some in the government has said that more fines will take place against commercial operations that operate in the UK, but break GDPR rules and these fines will be issued in the new year.  
 
One of the most important aspects of GDPR is the ability for citizens to see what data is held on them by an organisation and how it is being used. 
 
However, in the rush to comply with the data retention, security and usage requirement of GDPR, the process for enabling consumers the right to access their data is still somewhat ad-hoc for many organisations. One of the most challenging issues is how does an organisation determine that a request from an EU citizen to see retained data, is truly from the person making the request? 
 
GDPR is vague on how an organisation should verify that they are the legitimate person and different processes are starting to evolve that could cause some serious GDPR issues. For example, requesting copies of physical documents such as passports or driving licenses, which would need to be verified (and potentially held for audit), are a potential goldmine for criminals engaged in identity theft. If badly handled, this could lead to a GDPR compliance breach.
 
Digital to Paper
The public and private sector are both impacted, although government agencies have more leeway across GDPR in general due to requirements to retain and use data to deliver services to citizens. In terms of what best practice should be in dealing with a request, the advice from the UK’s Information Commissioner’s Office is that there should be a policy for recording all “subject access requests” and that based on Recital 59 of the GDPR, organisations “provide means for requests to be made electronically, especially where personal data are processed by electronic means.”
 
This process will start with an access request form but when it comes to identity, the guidance is unclear. A number of organisations are asking for a similar set of documents that most banks require to open an account which includes a “proof of identity” such as a passport, photo driving license or birth certificate along with a “proof of address” such as a utility bill, bank statement or credit card statement.
 
This requirement to verify from copies or scans of electronic documents is a major weakness in this process. With a modicum of Photoshop skill, faking a photocopy of a passport and utility bill is an easy task and as such, some organisations are instead requiring stronger validation methods. 
 
Best and Worst
The UK banks have possibly the best method of validating identity through the e-banking processes. Although banks must accept subject access requests by letter, many are prompting account holders to make the request through online banking platforms. This has many advantages as the platforms are linked to an account which was opened using validated identification and access and is further strengthened by Multi-Factor Authentication (MFA).
 
This concept of using an online identity to act as an arbitrator for GDPR compliance is gaining favor. This process, especially when it is tied to a credit or debit card which tied to a physical account holder and address, provides responders to a GDPR request with at least, a verifiable trail to assure identity.
 
The right to access issues exposed by GDPR point to a larger challenge around how people can confirm identity in the digital age. 
 
Estonia’s digital identity scheme, which although had a short outage when a vulnerability was discovered and later rectified, has become a model for best practice in the field of identity. The Estonian ID-kaart is a mandatory identity document for citizens of Estonia, and along with a photo and chip and pin, the ID-kaart has a companion smart-ID app that is compatible with standard X.509 and TLS infrastructure. 
 
The government issues a client certificate to each citizen that has made it a convenient means of identification for web-based government services, medical records, tax claims, online banking and to make secure GDPR subject access requests.
 
For public services and local government that want to ensure a citizen’s identity, the best advice is to sign up for GOV.UK Verify, which the Department for Work and Pensions (DWP) uses to check the identities of users who apply for Universal Credit.
 
Keep the Shredder Ready
Unfortunately, until GOV.UK Verify or similar services emerge that can help third parties to carry out digital identity assurance for free, or at least at low cost; the requirement to gain copies of physical documents will remain.
However, to ensure that documents submitted for access requests don’t themselves become targets for cyber-criminals; organisations must develop verifiable processes to destroy these documents after they have been examined and the request has been delivered.
 
For organisations that have developed rigorous customer on-boarding processes for Internet services that include identity validation methods, specialist data protection websites like IT Governance can provide the most effective way to verify and process access requests. However, this cannot be an exclusive option as non-electronic means must also be available to meet GDPR requirements.
 
Please contact Cyber Security Intelligence to connect with expert  GDPR Lawyers.
 
ITGovernance:             Infosecurity Magazine
 
You Might Also Read:
 
The GDPR Wake-Up Call Is Being Ignored By Business:
 
 
« Parliament Wants A New Cyber Security Director
WEBINAR: How to Leverage a CASB for Your AWS Environment »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigiCert

DigiCert

DigiCert is the only provider of enterprise-grade SSL, IoT and PKI solutions. Our certificates are trusted everywhere, millions of times every day, by companies across the globe.

Kore Telematics

Kore Telematics

Kore is a leading managed service provider for IoT and M2M applications.

Cyber Triage

Cyber Triage

Cyber Triage is an automated incident response software any company can use to investigate their network alerts.

Windscribe

Windscribe

Windscribe is a Virtual Private Network services provider offering secure encrypted access to the internet.

National Forensic Sciences University (NFSU)

National Forensic Sciences University (NFSU)

National Forensic Sciences University is the world’s first and only University dedicated to Digital Forensic and allied Sciences.

itbox.online

itbox.online

Itbox.online offers IT solutions to ensure that your company's technologies are always available and secure as your business demands.

Crosser

Crosser

The Crosser Platform enables real-time processing of streaming or batch data for Industrial IoT, Data Transformation, Analytics, Automation and Integration.

OXO Cybersecurity Lab

OXO Cybersecurity Lab

OXO Cybersecurity Lab is the first dedicated cybersecurity incubator in the Central & Eastern Europe region.

Texas A&M Cybersecurity Center

Texas A&M Cybersecurity Center

Texas A&M Cybersecurity Center is dedicated to combating adversaries who desire to harm our citizens, our government, and our industry through cyber-attacks.

Rostelecom

Rostelecom

Rostelecom is Russia’s largest integrated provider of digital services and solutions, covering all market segments including consumer, governmental and private organizations.

Silent Sector

Silent Sector

Silent Sector is a cybersecurity services company that specializes in providing a wide range of managed security services.

Kintent

Kintent

With Kintent, compliance becomes a habit, is simple to understand and achieve, and is continuously testable so that your customers can see that you are adhering to all your trust obligations.

Talon Cyber Security

Talon Cyber Security

Talon delivers the leading enterprise browser designed to bring security to managed and unmanaged devices, regardless of location, device type or operating system.

NightDragon

NightDragon

NightDragon is a venture capital firm investing in innovative growth and late stage companies within the cybersecurity, safety, security, and privacy industry.

Novacoast

Novacoast

Novacoast helps organizations find, create & implement solutions for a powerful security posture through advisory, engineering, development & managed services.

Apex

Apex

We aspire to make the AI revolution run faster, securely, for the benefit of all. We are purposely built for the new AI era and are creating capabilities to safely enable AI.