The Principles and Practicalities of the General Data Protection Regulation
- Interpret the key principles of the GDPR
- Create a practical plan for reviewing your information stores and systems
- Determine the work to be done
I: Processed fairly, lawfully and in a transparent manner
II: Collected for specified, explicit and legitimate purposes and not processed in a way which is incompatible with them
III: Adequate, relevant and limited to what is necessary for processing
IV: Accurate and, where necessary, kept up to date
V: Retained in a form which permits identification of data subjects for no longer than needed
VI: Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage
The first principle is clearly expressed and looks simple to interpret. Article 6 specifies the conditions, at least one of which must be satisfied for processing to be lawful. The first is that the data subject has given consent to the processing for one or more specific purposes; taking Principle II into account, that consent must relate not only to the information you hold but to the way you process it. Absent consent, the processing must be necessary for one of the following:
- The performance of a contract between the data subject and the data controller;
- Compliance with the data controller’s legal or regulatory obligations;
- Protection of the vital interests of the data subject or another natural person;
- The performance of a task carried out in the public interest when exercising an official authority vested in the data controller;
- The legitimate interests pursued by the data controller, except where they are overridden by the interests or fundamental rights and freedoms of the data subject
Applying the Principles of the GDPR in Practice
Where do you start? As with asking for directions in Ireland, the chances are you would not wish to be setting out from where you currently are. But as every programme manager and consultant will gladly remind you, we are where we are, so we had best get on with it!
Begin with the end in mind and envision, if you will, a situation where you can consult a database (preferably with visualisation capabilities) showing where your repositories of personal data are physically located and which systems/applications make use of them. It would also display what technical and managerial security measures protect each repository and what processing the systems and applications perform.
You would have the ability to call up details of who has access to the applications and systems and whether the information can be accessed any other way. You would also be able to identify which data subjects have provided current and/or historical consent to process their personal data, including the explicit details of the consent provided.
Taking the example of a data controller with a medium to long range road-map, a few in-flight programmes and several legacy systems, how would you approach this ideal?
As a first step, and to prevent unnecessary pain later down the line, we recommend embedding the GDPR requirements into your road-map for future systems and applications. The rationale for this is that Article 83 requires administrative fines for an infringement to be “effective, proportionate and dissuasive” and stipulates that due consideration should be given (among other factors) to the “nature, gravity and duration of the infringement” and the “intentional or negligent character of the infringement.”
Our interpretation of these last strictures is that by commissioning a new data processing application, system or service in the full knowledge of the GDPR but without incorporating its requirements, the data controller would likely be found negligent. So, whilst you may have a job on your hands with some of your existing arrangements, you can more easily build in what the ICO terms ‘privacy by design’ for all future data processing systems.
Expert opinions vary as to whether the Information Commissioner’s Office will take a hard or soft line when it comes to imposing fines for infringement. Whichever is the case, data controllers need to be aware not only of the potential for fines, but also that any data subject who has suffered damage as a result of an infringement has a right to compensation under Article 82, and that this covers non-material as well as material damage. Yes, deep breath, you read that right…
Secondly, we recommend that you retrofit the requirements into your in-flight programmes to the greatest extent possible. For programmes in the early stages of analysis and design, full incorporation of the GDPR requirements should be a priority. Where significant work has already been done, they should be built into the road-map for future releases. Where they cannot be incorporated into the deliverables, additional management controls should be viewed as essential to avoid the accusation of negligence.
This brings us to the legacy estate, which in all cases of new legislation, regulation or simply new business requirements is the biggest concern. The older a system or application is, the harder it is to retrofit new requirements, especially those as broad and deep as the GDPR. Sadly, we cannot offer a panacea for this; each system will need to be reviewed and a cost/risk/benefit case developed to determine the most appropriate course of action for the data controller to take.
In many cases, additional organisational and access control measures may be sufficient to reduce the GDPR infringement risk until a legacy system is retired or replaced. In other cases, re-engineering may be required.
The GDPR: Questions to ask yourself
When reviewing your existing information security controls beyond the specific data protection and privacy measures discussed above, we recommend posing four questions:
1. Is all personal data adequately protected against risks liable to result in an infringement?
2. If an infringement was to occur, would we know it had happened and could we identify the data subjects affected in a timely manner?
3. Do we have a proven response capability to manage the impact of a data breach, including notifying affected data subjects and the supervisory authority?
4. Do we have a proven capability to recover from a breach so that the long-term viability of our organisation is not compromised?
The Rights of the Data Subject
One of the key features of the GDPR is the clarity it brings to data ownership: the data subject owns their data. As data controllers and data processors, we are the custodians of the information and are obliged to act accordingly. The terminology, a rarity for legislation, is clear and unambiguous, namely that the data subject has the right to:
1. Be informed
2. Access
3. Rectification
4. Erasure
5. Restrict processing
6. Data portability
7. Object
8. Rights in relation to automated decision making and profiling
The UK Information Commissioner’s Office has issued guidelines to the effect that if you cannot demonstrate these rights are fully embedded in your systems and management controls, you should either stop or not start processing personal data.
The GDPR: Where Best to Begin?
Whether you act as a Data Controller or a Data Processor, the GDPR applies to you and all the “personal data” you capture, store, process and disseminate, regardless of whether it exists in electronic form or any other medium. Any information that falls within the definition of “sensitive personal data” (what the GDPR itself calls “special categories of personal data”) needs additional protection, but more of that in a future blog.
The following activities should be carried out to determine what you have, why you have it, how you use it and whether you are compliant with the legislation. The scale of each activity will, of course, vary according to the scale and complexity of your organisation and business processes. In all cases, you should ensure that the scope includes personal and sensitive personal data relating to staff, suppliers and customers as each individual is a data subject with rights.
1. Identify all instances of Personal and Sensitive Personal data being captured, stored and processed, including the purpose;
2. Identify all instances of Personal and Sensitive Personal data being transmitted internally or externally, including the recipient and purpose;
3. Identify the processes by which data subjects can verify, update and/or request deletion of their Personal or Sensitive Personal data;
4. Assess the GDPR compliance status of each identified instance of Personal and Sensitive Personal data being captured, stored, processed and transmitted;
5. Assess your information security management controls and processes against the GDPR principles;
6. Identify opportunities for data rationalisation and process improvement.
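To make the register envisioned earlier (and the review steps just listed) concrete, here is a small Python model added for this article; it is not code from Perspective Risk or from any product. It records where each repository of personal data lives, which systems use it, what controls protect it and who can reach it, which consents each data subject has given or withdrawn, and how long each record is needed, and it answers the questions the text raises: which systems rely on consent that is not actually held, which records are kept past their retention date (Principle V), and which data subjects would be affected by a breach of a given repository (question 2 above). All names, dates and controls are constructed sample data.

```python
"""Minimal personal-data register: repositories, systems, consent, retention.
Added example with constructed data; not code from the original article."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# The six lawful bases of Article 6(1) GDPR.
LAWFUL_BASES = frozenset({"consent", "contract", "legal_obligation",
                          "vital_interests", "public_task", "legitimate_interests"})


@dataclass(frozen=True)
class Repository:
    name: str
    location: str                 # where the data physically lives
    controls: frozenset[str]      # technical and organisational measures in place


@dataclass(frozen=True)
class System:
    name: str
    repositories: frozenset[str]  # repositories this system reads or writes
    purposes: frozenset[str]      # processing it performs
    lawful_basis: str             # Article 6(1) basis relied on
    access: frozenset[str]        # roles that can use the system


@dataclass(frozen=True)
class Consent:
    subject_id: str
    purposes: frozenset[str]
    given_on: date
    withdrawn_on: date | None = None   # kept, so the historical record survives

    def current_on(self, day: date) -> bool:
        return self.given_on <= day and (self.withdrawn_on is None or day < self.withdrawn_on)


@dataclass(frozen=True)
class Record:
    subject_id: str
    repository: str
    needed_until: date   # last day identification is needed for the purpose


class Register:
    def __init__(self, repos, systems, consents, records):
        self.repos = {r.name: r for r in repos}
        self.systems = {s.name: s for s in systems}
        self.consents = list(consents)
        self.records = list(records)
        for s in self.systems.values():
            if s.lawful_basis not in LAWFUL_BASES:
                raise ValueError(f"{s.name}: unknown lawful basis {s.lawful_basis!r}")

    def systems_using(self, repo: str) -> set[str]:
        return {s.name for s in self.systems.values() if repo in s.repositories}

    def who_can_reach(self, repo: str) -> set[str]:
        """Every role with access to any system that uses the repository."""
        return set().union(*(self.systems[n].access for n in self.systems_using(repo)))

    def subjects_in(self, repo: str) -> set[str]:
        """Data subjects affected if this repository were breached."""
        return {r.subject_id for r in self.records if r.repository == repo}

    def consent_covers(self, subject_id: str, purposes: frozenset[str], day: date) -> bool:
        """True if the consents current on `day` cover every purpose between them."""
        covered: set[str] = set()
        for c in self.consents:
            if c.subject_id == subject_id and c.current_on(day):
                covered |= c.purposes
        return purposes <= covered

    def processing_without_consent(self, day: date) -> list[tuple[str, str]]:
        """(system, subject) pairs where the system relies on consent but the subject
        has no current consent covering all of its purposes (Principles I and II)."""
        gaps = []
        for s in self.systems.values():
            if s.lawful_basis != "consent":
                continue
            subjects = set().union(*(self.subjects_in(r) for r in s.repositories))
            gaps += [(s.name, subj) for subj in sorted(subjects)
                     if not self.consent_covers(subj, s.purposes, day)]
        return gaps

    def retention_overdue(self, day: date) -> list[Record]:
        """Records still identifiable after they were last needed (Principle V)."""
        return [r for r in self.records if r.needed_until < day]


# Constructed sample data: names, locations, dates and controls are all invented.
REVIEW_DATE = date(2018, 5, 25)
REGISTER = Register(
    repos=[Repository("crm_db", "London DC, rack 4", frozenset({"tls", "disk_encryption", "rbac"})),
           Repository("hr_share", "Head office file server", frozenset({"rbac"}))],
    systems=[System("newsletter", frozenset({"crm_db"}), frozenset({"marketing_email"}),
                    "consent", frozenset({"marketing_team"})),
             System("billing", frozenset({"crm_db"}), frozenset({"invoicing"}),
                    "contract", frozenset({"finance_team", "support_desk"})),
             System("payroll", frozenset({"hr_share"}), frozenset({"salary_payment"}),
                    "legal_obligation", frozenset({"hr_team"}))],
    consents=[Consent("cust-001", frozenset({"marketing_email"}), date(2017, 3, 1)),
              Consent("cust-002", frozenset({"marketing_email"}), date(2016, 6, 1),
                      withdrawn_on=date(2018, 1, 15))],
    records=[Record("cust-001", "crm_db", date(2024, 12, 31)),
             Record("cust-002", "crm_db", date(2018, 3, 31)),
             Record("emp-010", "hr_share", date(2025, 12, 31))],
)

if __name__ == "__main__":
    print("crm_db used by:", sorted(REGISTER.systems_using("crm_db")))
    print("roles reaching crm_db:", sorted(REGISTER.who_can_reach("crm_db")))
    print("subjects affected by a crm_db breach:", sorted(REGISTER.subjects_in("crm_db")))
    print("consent-based processing without consent:", REGISTER.processing_without_consent(REVIEW_DATE))
    print("records past retention:", [r.subject_id for r in REGISTER.retention_overdue(REVIEW_DATE)])
```

Run as written, the register reports that cust-002, who withdrew consent in January 2018, is still being processed by the newsletter system and is also being retained past the date the record was last needed, while the billing system processing the same repository is unaffected because it relies on the contract basis rather than consent. In a real estate the same model would be populated from the discovery steps above rather than typed in by hand.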
We are Perspective Risk
Information security is crucial to every aspect of your business – operational efficiency, profitability, business continuity, customer confidence, brand loyalty, protection against fraud and meeting regulatory requirements.
Our penetration testing and cyber security testing have proven time and again to be an effective security assessment of business IT infrastructure.
Perspective Risk provides in-depth security assessments, risk management and compliance solutions to help you keep your confidential information safe and your critical systems secure. We’re innovative, flexible and supportive, helping you through any information security issues to deliver real business benefits and excellent value.