If your organisation processes the personal data of EU citizens, then the General Data Protection Regulation (GDPR) applies. The UK’s data protection regulator, the ICO, has stated that this data security framework will apply until the end of 2020, and that its principles and specific elements will continue to be maintained thereafter.
The law requires a data controller to secure personal data through “appropriate technical and organisational measures”. Under GDPR’s mandatory reporting rules, breaches affecting individuals must be reported by the data controller to the data protection regulator. In most cases, the individuals affected will need to be informed, too.
As a data controller, you need constant vigilance to avoid non-compliance. With this in mind, here are some of the biggest and most commonly overlooked GDPR risks to avoid.
When GDPR and data protection hit the headlines, it’s often in the context of malicious user data breaches, usually involving the hacking of vast numbers of customer records. Recent examples include the multi-million pound data protection fines levied on Google, British Airways and Marriott.
If all a data controller had to worry about was external hackers and rogue insiders, life would be simpler. But in reality, most UK data breaches are not malicious; they stem from unintentional sharing of data. Constantly guarding against human error and accidental breaches linked to data handling processes and information sharing represents a significant compliance burden.
As organisations have digitally transformed, traditional ‘systems of record’ and information sharing have been supplemented by modern, multi-channel ‘systems of engagement’. From shopping cart software through to cloud storage, this can mean sharing personal data with a whole new web of third party providers and information systems. Digital transformation gives rise to additional data protection requirements, and so to additional action steps, touching on issues such as data portability, data storage, explicit consent, purpose limitation, establishing the correct legal basis for data processing, and more.
The compliance buck stops with you as data protection officer - not your processing partner. Ultimately, safeguarding your customer and employee data is still your responsibility - even when it is processed by a partner. Compliance means looking carefully at the defences of every business in your digital supply chain, and choosing each processing partner wisely.
It isn’t just data breaches that can cause you to fall foul of the data protection regulator. GDPR has significantly enhanced data subject rights, stressing the importance of informed consent and making it much easier for data subjects to submit access requests, and to have their data erased or transferred to another service provider. Informed consent is crucial, and failure to uphold these enhanced data subject rights can easily land you with a fine and/or censure.
If your procedures for handling data transfers and data access requests are poor, those requests could easily go unactioned. And if you haven’t mapped all the places where your related data lives - especially those managed by third-party data processors - there’s a danger of giving out misleading information to a data subject.
In itself, a data breach doesn’t give rise to a penalty from the data protection regulator. It’s your actions before, during and after the breach that give rise to a non-compliance risk.
Once a reportable breach occurs, you are required to notify the regulator without undue delay. Be aware that if you serve an international customer base, this may involve notifying multiple regulators. Tip: make sure you are familiar with all relevant reporting procedures.
Notifying the individuals impacted in a timely manner is important, too. It gives each data subject a much better chance to change their logins and to take other measures to prevent their data from being exploited. Most importantly, the sooner you identify that a breach has happened, the sooner the data subject can change passwords, and the less each data subject will be impacted.
Timing and preparation is everything
Look at a selection of the cases where companies have been fined or censured and certain common themes emerge. They haven’t adequately monitored the information security threat landscape relating to data processing outside their network. They haven’t regularly scanned their systems to check for breaches. They haven't undertaken a data protection impact assessment for new data collection and processing activities. They either failed to notify the data protection regulator and customers on time, or failed to notify them at all. No company needs a long, drawn-out regulatory investigation, so make sure you are doing all of these things to avoid one.
Finally, don’t forget the reputational risk of non-compliance, of failure to have an action plan, impact assessment and other data protection measures. Almost half of consumers have switched companies over their data policies or data sharing practices.
GDPR compliance, adherence to privacy law and safeguarding personal information isn’t a one-off exercise. There's more to it than a single data protection impact assessment, data collection exercise, drawing up an information policy or seeking active consents. Action steps should be ongoing. For long-term risk protection, you need the right tools and processes for spotting and evaluating risk and minimising your exposure. So, whatever the future holds for data protection, good practice and digital risk reduction are key to staying on the right side of regulations.