The GDPR compliance fallacy
There is a curious irony that the enactment of the General Data Protection Regulation (GDPR), drawn up to protect the rights of individuals and their right to online privacy, has brought about an unprecedented torrent of spam. In the fortnight leading up to 25th May, inboxes were filled with emails asking people to opt in to mailing lists, supposedly so that the organisation in question could comply with the requirements of GDPR. There are two fallacies to be addressed here.
Firstly, although individuals should always be given the option to be removed from a mailing list, new explicit consent is not required where they willingly provided their contact details, the organisation kept a record of the data collected, and the data subject was told what the data would be used for and how long it would be kept. In these circumstances their consent may be considered implicit.
Secondly, although the principles of GDPR are enshrined in UK law and failure to adhere to them can lead to significant fines, there is currently no concrete GDPR compliance process. It is expected that a GDPR compliance standard will be drawn up in the near future, but for now, organisations can use the organisational governance requirements provided by the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001 to provide a helpful framework. It is then the responsibility of the organisation’s Data Protection Officer (DPO) or Chief Information Security Officer (CISO) to ensure that the additional requirements of GDPR are included in their systems. These are just two of many fallacies surrounding the GDPR.
Having detailed information security policies and procedures is an important step, but on their own will not ensure that the requirements of GDPR are satisfied. Plans and policies simply demonstrate management intent and will be ineffective in satisfying the requirements of GDPR unless clear guidelines are provided in an easily understood format, to the grass roots of an organisation. Many businesses would do well to use some of the energy expended in communicating with their customers on ensuring a good channel of communication around GDPR with their employees.
It is important to remember that GDPR should not be seen as a burden but rather a positive force for change, focusing attention on implementing better processes for how we collect, store and manage data and thereby enhancing and building better customer relationships.
Professional expert guidance will assist in streamlining this process. SRM’s GDPR team provides a business-focused service to organisations of all types and sizes at all ends of the GDPR-readiness spectrum. We have operated in this arena for many years and our GDPR consultants have undertaken GCHQ certified training. We can also take on the full CISO or DPO role if required.
To gauge your level of GDPR readiness, see our step-by-step self-assessment guide.
See our GDPR web page.
Or visit our blog:
The key to GDPR is common sense
How PCI compliance puts you on course for GDPR
eDisclosure webinar: seven reasons why your firm should consider a managed service
SRM is hosting a free eDisclosure webinar on Wednesday 18th April at 3pm.
We find ourselves in an ever-changing eDisclosure landscape. Join us for our upcoming webinar, during which the head of our eDisclosure team, Colin Gray, will explore the seven reasons why your firm should consider a managed service rather than addressing eDisclosure on an ad hoc basis.
All you need to do is register here.
GDPR: 10 key issues facing UK higher education
The world of higher education is about to be turned on its head. This is due to the imminent enactment of the General Data Protection Regulation (GDPR) which will come into effect on 25th May 2018. It marks a new era in the world of personal data protection with accountability at its centre. Although the updating of data protection law is overdue and welcomed by consumers, it does put demanding responsibilities onto the shoulders of Chief Information Security Officers (CISOs) in higher education institutions across the UK.
True expertise in GDPR compliance is a rare commodity and few resident CISOs have had time to acquire the required skill set. For this reason, many are using the additional resource and support of specialists to ensure the compliance requirements are met and resilient strategies put in place. SRM’s GDPR team has operated in the information security environment for many years and our GDPR consultants have undergone GCHQ certified training and gained GDPR Practitioner certification. As such they are uniquely well-placed to advise on the strategic implementation of GDPR. Here, they identify the key issues facing the higher education sector.
It is important that everyone is aware of the changes that GDPR will bring. Vice Chancellors, executive boards, deans, academics and lecturers will all need to be aware of how the changes in data protection legislation will affect them. The mantle of data protection usually falls to the Chief Information Security Officer (CISO) who is likely to take on or oversee the role of Data Protection Officer (DPO), which is a requirement of GDPR. To ensure this is done effectively, the CISO will need to have senior-level influence, with the relevant knowledge and authority to manage the process or be given the financial resource to secure additional support and expertise from an industry professional or Virtual CISO service.
2. Information life cycle audit
Institutions will be held more accountable for the data they hold. In addition to keeping records of what personal data exists within the organisation’s systems, GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymised and who has access to it. Data will include everything from phone records to employment details. Some information will be categorised as sensitive and some as non-sensitive, and all of this information needs to be mapped.
3. Incident Response
Keeping information secure is a primary requirement and there will be new obligations to report security breaches to the Information Commissioner’s Office (ICO) within 72 hours where the breach creates a risk to the affected individuals. This is likely to occur, for example, in cases of identity theft or financial loss, and organisations will also be required to inform the individuals affected. An Incident Response plan that sets out protocols to detect, investigate and respond to personal data breaches is an important element of this process.
4. Data Protection by Design
GDPR introduces new obligations on information-handling processes and the systems that are developed. Data protection should be built in with data privacy settings being the default. It is anticipated that GDPR will require ‘data protection by design’ to be extended to existing systems within three years. Formal data protection impact assessments should be undertaken as part of the design process.
5. Demonstration of consent
Not all data processing requires explicit consent, but where it is applicable, institutions need to be able to demonstrate that consent is ‘freely given, specific, informed and unambiguous’. This means individuals will need to specifically opt in, rather than simply fail to opt out.
6. Considering the necessity of data collection
Continuing with the concept of consent, institutions will be required to consider whether the collection of data and its processing is actually necessary. Recognised legal bases include contract, legal obligation, vital interest, public interest or legitimate interest of the organisation. If these apply then processes must meet the requirements of GDPR.
7. Reviewing privacy notices
When accessing individuals’ personal data, those individuals must be informed of the legal basis for processing their data, the retention period and their right to complain to the ICO if they consider there to be an issue. This will typically take the form of a privacy notice.
8. Increased consumer expectations
High profile breaches have brought damaging publicity to a number of higher education institutions. With this heightened awareness comes an increased knowledge of the individual’s rights to data privacy. Those using an institution’s systems will expect to have their data protected and may challenge where this is not obviously being promoted. Communication about GDPR compliance will be a necessary aspect of the DPO role.
9. Ensuring an individual’s rights can be upheld
Under GDPR the rights of individuals have been enhanced. They include the right to subject access, having inaccuracies corrected, having information erased, data portability and the right to be excluded from direct marketing or automated decision-making and profiling.
10. Data breach notification
GDPR introduces the mandatory reporting of data breaches to the regulator without undue delay and no later than 72 hours after becoming aware of the breach. In some cases this will apply to the data subjects as well. Higher education institutions therefore need to give careful thought to breach prevention and to ensuring that there is a data breach procedure in place. In-house awareness training for staff is a vital element of this process. Having a coherent approach to data breaches will not only ensure compliance with GDPR but has the added benefit of minimising adverse publicity.
SRM’s GDPR team provides a business-focused service to organisations and higher education institutions of all types and sizes, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses and higher education institutions operate, working with clients through the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.
For more information on our GDPR services visit our GDPR page or our Virtual CISO service page.
To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.
Or read our blog:
How does GDPR differ from the UK Data Protection Bill?
How a CISO can exert influence at board level
This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites can be done with the following processes:
2. The trigger is executed every time a new order is made.
Regular scanning of webservers for malware is one recommended mitigation measure that eCommerce websites can take to identify compromised content. Another recommended best practice is to check the shop database for malicious triggers and remove any that are found, because a trigger that survives a file-level clean-up will simply rewrite the infected content on the next order.
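As an added example, not code from the original post, the following read-only audit against a MySQL or MariaDB shop database lists every trigger and flags the ones that match the reinfection pattern described above; the schema name `shop` is a placeholder to replace with your own.

```sql
-- Added example (not from the SRM post): audit triggers for signs of the
-- reinfection pattern described above. 'shop' is a placeholder schema name.
-- Runs against information_schema only, so it changes nothing.
SELECT
  TRIGGER_SCHEMA,
  TRIGGER_NAME,
  EVENT_MANIPULATION,        -- INSERT / UPDATE / DELETE that fires it
  EVENT_OBJECT_TABLE,        -- table whose writes fire the trigger
  ACTION_TIMING,             -- BEFORE / AFTER
  CREATED,                   -- NULL on older MySQL releases
  CASE
    WHEN ACTION_STATEMENT REGEXP '<script|javascript:|eval\\(|fromCharCode'
      THEN 'writes script content from a trigger'
    WHEN ACTION_STATEMENT REGEXP 'https?://|FROM_BASE64\\(|UNHEX\\('
      THEN 'remote reference or encoded payload in trigger body'
    WHEN EVENT_OBJECT_TABLE LIKE '%order%'
      THEN 'fires on order writes; review body'
    ELSE 'review body'
  END AS reason,
  ACTION_STATEMENT           -- the full trigger body; keep a copy as evidence
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = 'shop'
ORDER BY CREATED DESC, TRIGGER_NAME;

-- Compare the result with the trigger list shipped by the platform or taken
-- at a known-good baseline; anything unexpected is a candidate for removal.
-- After the body has been recorded for the incident file, drop it:
-- DROP TRIGGER IF EXISTS shop.`<confirmed_malicious_trigger>`;
```

Re-run the audit after the web-server clean-up as well, since the page's point is that the trigger, not the file system, is what brings the malware back.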
If you are in doubt, contact the SRM team who can arrange to run a check for you!
The uncertainty of Brexit, the certainty of GDPR and the responsibilities of the CISO
As Britain navigates its way through the choppy waters of Brexit, there is a great deal of uncertainty about exactly what form our new relationship with Europe will take. In many ways our trading relationships will change; this is the inevitable uncertainty. But on one level the situation is significantly clearer: UK businesses will still be required to comply with EU law if they wish to maintain any trade links with European customers. So the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018 will still apply to most of us.
But the trouble with certainty is that it is rarely ever that simple. When it comes to our relationship with Europe, it appears that the words of John Allen Paulos, an American professor of mathematics, apply: ‘Uncertainty is the only certainty there is’. So where does this leave the CISO, whose responsibility it is to ensure compliance with not only GDPR but also any future UK and EU regulations? Well, the clever mathematician went on to say that ‘knowing how to live with insecurity is the only security.’ And this is the key.
By accepting a degree of insecurity and establishing a means by which to manage it, a CISO can maintain compliance and provide strategic direction for the company’s information security agenda. The following steps will help to navigate this difficult course.
- Continue to steer towards whole company compliance with the existing information security standards like PCI DSS, Cyber Essentials, ISO 27001 and ISO 9001. Embedding these standards within your business will ensure you are well placed to deal with new challenges on the horizon.
- Work with an established professional team which will not only help you set your course but will also support, enhance and resource your information security strategic agenda. As industry experts they will know about impending changes and will ensure your compliance objectives take these into account.
- Make sure everyone on your ship is heading in the same direction. To do this you will need to exert board-level influence. With access to a high level of technical expertise and strategic guidance, the CISO will be able to articulate the state of information security to the company stakeholders and lead employees, securing company-wide support and making the case for adequate resource. This will set you up to be flexible and responsive to change.
SRM’s VirtualCISO™ has been developed to provide a cost-effective, bespoke solution to organisations without a CISO, or where a board-level strategic adviser is required to ensure information security remains high on the board agenda. The SRM VirtualCISO™ has access to an extensive portfolio of professional services to help embed information security throughout your organisation.