Achieving GDPR compliance: Episode I
The General Data Protection Regulation
Right, this is likely to become a series of posts, which will cover our journey towards May 25th, 2018, when the GDPR kicks in, what we're doing and how we're doing it. If it affects you, read on.
It will reference authoritative material already out there (I'm not providing any unofficial guidance of my own), but it will hopefully give you a flavour of what it's like to help guide an organisation from compliance with the Data Protection Directive (Data Protection Act in the UK) into compliance with the EU General Data Protection Regulation
It might be dry, and for that I apologise. It might serve as a sort of manual that others can follow and if so, that's awesome.
It is important.
Background
As I talked about in a previous post, I used to work for a large public authority. This was a local council in the North of England. When I joined the organisation, they were in the early stages of achieving compliance in these things:
- BS7799 / ISO17799 (Now known as ISO27001)
- Regulation of Investigatory Powers (RIPA) Act
- Freedom of Information (FoI) Act
- Data Protection (DP) Act
That was a lot to be going for at the same time!
Let's look at a subtly in that list; one of them is essentially a vanity, whereas the other three are a legal requirement. As far as FoI is concerned, that only applies to public authorities and means that anyone can contact the authority (it could be the Police, the Military or the Health Service and so on) and ask about how they go about their business, make decisions, how they dealt with a specific incident or whatever. It's a popular instrument used by the media and press, as it allows them to quiz public bodies about specific issues, such as public spend, what officials are paid and how a decision was made to build a controversial object in a place of outstanding natural beauty. That kind of thing.
ISO 27001 is an information security standard, with accreditation that is achievable irrespective of your sector. It's voluntary and is often used as a badge of honour, in the context of demonstrating good practice. It's attractive, as it often supports your aspirations to secure new business, or open up partnerships with organisations with high information security expectations. In any event, it's a choice to have. DPA and RIPA compliance are law and thus organisations have no choice in whether or not to comply.
OK, so this post is supposed to be all about the GDPR, so I'll leave the other things aside.
Where did the GDPR come from?
There's a great video that explains this. It was produced by Troy Hunt and commissioned by Varonis. There's little point in me repeating verbatim what it says in detail, so go and watch it. It's roughly an hour in length and pretty compelling. I took my management team through it and let's just say that it furthered their understanding significantly.
The key points are this:
- It's not brand new; it's an evolution of the original EU Data Protection Directive
- It harmonises the often conflicting implementations of the DPD, across the 28 (current) EU member states
- The UK will observe and enforce it, in line with the EU, pre and post Brexit
- It clarifies the rights of individuals, in terms of the processing of our personal data
- It effectively mandates security by design in systems, where they process personal data, i.e. security baked in rather than sprinkled on
- It significantly beefs up the potential monetary penalties organisations face, if they flout the regulation
- IMHO these potential monetary penalties are aimed at organisations that are complacent about their personal data security posture (and let's face it, there are plenty and seemingly, the larger they are, the more complacent they seem to be!) and also firms that use personal data specifically to make money, without the explicit consent of individuals
- It's a salutary tale of common sense, i.e. there are no reasons why you shouldn't be compliant
Watch the video. It's brilliant.
If you're UK based (and actually even if not), then the Information Commissioner's Office (ICO) is the place to go to seek guidance. This is the official UK body, tasked with enforcing laws around information security and data subject privacy. They also have a blog where they help dispel myths and general FUD around the subject. There's some essential info on there.
N.B. If you're like me and do the securities, your inbox is likely to be getting hit hard by firms selling you GDPR compliance. All I'll say is this: The ICO offers plenty of free of charge guidance, is an open organisation full of great people who will enthusiastically assist a firm in getting it right, rather than drive them into the ground for getting it wrong. Try them first, before paying money to someone else to do your Googling for you.
I appreciate that many organisations won't have the capacity or capability in house to deliver compliance for themselves, but please do go and read up on your obligations and look at the bags of tools out there to enable you to help yourselves. Do this and save money, nay a fortune. Do this and while you're at it really get to grips with why personal data security and privacy of individuals are incredibly important, as well as a legal requirement.
Think about it - it applies to you and your own privacy too, after all!
Come May 25th next year, there won't be an extinction level event for non-compliant organisations, because goodness me there'll be millions. No, come May 25th next year there'll be a requirement to comply with the GDPR. It's how you're going about it that's important. As far as I understand, the ICO will look favourably and support firms that are proactively aiming to comply, have working plans progressing and are open about that when scrutinised.
Firms with their fingers in their ears or heads in the sand however, hmmm. And those firms actively ignoring the regulation, well tough shit.
Our approach
We've been through a number of 'compliance projects':
- ISO9001 - Quality management
- ISO14001 - Environmental management
- ISO27001 - Information security
- CAS(T) - Acronym fail - (Communications Electronics Security Group (a part of the Government Communications Headquarters (GCHQ) - now known as the National Cyber Security Centre (NCSC)) Assurance Scheme (Telecoms) - Basically a scheme set up for organisations to become compliant with government specified regulations, that then open the door for them to do business with the public sector. Sometimes this is lucrative, sometimes it isn't. This usually depends on the government of the day.
- PSN - The actual accreditation required to officialy trade with the public sector
So, we're pretty experienced in going through the various processes of achieving compliance and in terms of the security related ones, I've been very heavily involved since 2012.
It's important to have a plan
Well of course it is, but it's not always obvious where to start. When it comes to compliance, I think you start with what compliance looks like and then trace your steps back to where you are now. Basically a gap analysis. What's our current situation versus where we need to be? The ICO has a great 12 point guide to GDPR compliance and guess what? It's free! We kicked off our plan thus.
Actual work
First up came a bunch of awareness sessions, aimed at managers and process owners. Basically anyone that led teams and their people that maintained business as usual.
The sessions walked folks through everything described above in the Where did the GDPR come from? section.
Then, we set about understanding our management of personal data:
- What personal data do we collect?
- Why do we collect it?
- How do we make it clear to an individual why and how we will process it?
- How do we process it? Systems, manual processes and so on
- What databases or file systems are used to store it?
- What access controls are in place, to ensure only authorised systems or people can access it?
- How long do we keep it for?
- What policies do we have in place that cover our management of personal data?
- How do we go about providing an individual a copy of it, should they request access to it?
- How do we go about erasing it, once we have no legal basis by which to retain it?
And so on.
This involved many workshops across the entire business. It was extremely valuable and gave us great insight. It also threw up some consistencies that will help us in achieving compliance by simplifying our thinking.
As well as helping us to gather important information, it gave us a vital opportunity to begin embedding the spirit of the GDPR into teams; it's about privacy, data security, common sense etc. It hasn't been universally understood yet, but the GDPR is on far more people's lips than it was three months ago.
What next?
Bringing this episode to an end, now that we've got a good handle on our data management arrangements and how we tell people what we do with their personal data, we've commissioned a bunch of workstreams / task forces that are going about reviewing policies, looking at information systems, assessing access controls and whatnot, so that we can decide on and implement improvements, to ensure we're doing the right things by the people that trust us with their personal data.
By doing the right things, we'll be compliant with the GDPR. It's all common sense.
I'll go into a bit more detail in the next episode and also provide an update, so keep reading, if the topic is relevant. It probably is. :)