GDPR – Ready or not, here I come
In a Nutshell
In this article we’ll discuss the new General Data Protection Regulation (GDPR), and in particular its effect on small and mid-sized businesses. Using a case example, we’ll give a straightforward interpretation of the regulations and outline some practical steps an SME can take towards compliance.
Introducing the GDPR
So, in brief, what is GDPR, and what’s all the fuss about?
It’s the Data Protection Act (1998), brought up-to-date for the information age, with the protection of personal data – the raison d’être for the old act – expanded to encompass all things Internet.
Its arrival means that we’ll need to take a fresh look at the way we handle personal data.
Ready or not, here I come.
The GDPR is almost upon us. In May 2018 it becomes enforceable, and with fines of up to 4% of global turnover or EUR 20 million, it’s got teeth.
Some organisations are well into their GDPR journey, but many are yet to start. For businesses of all sizes and across all sectors there seems to be a common theme – a rush to get ready and anxiety that they won’t be ready in time.
I spoke to a director of a mid-sized business recently:
“I know it’s coming, I know I need to do something about it, I’m just so busy! I really need an IT supplier that will be proactive and give me some guidance on what I need to do”
GDPR – an IT issue?
Implicit in her question is the idea that it’s an IT related problem. That’s one myth worth debunking straight away. Sure, it’s about IT, but it’s not all IT. More than technology, it’s about the processes, procedures and staff training within the company itself. In this case technology is the cart, the organisation is the horse. Horse goes first.
That said, IT isn’t off the hook entirely; data privacy and IT security go hand in hand. The GDPR may spur us to tighten up in a few areas – more on this later.
I think many SMEs are crying out for a checklist where a tick in every box means ‘compliant’. Regrettably, it’s not that simple. The GDPR lays down the rights (of individuals) and principles (of data processing) and we must interpret those into something applicable to our businesses.
GDPR rules apply to all organisations, from governments and multinationals, to small businesses and not-for-profits. There’s no one solution that can be applied across the board. Unfortunately, this means that we need to put our thinking caps on, interpret the regulations, and apply where appropriate.
What makes it personal?
The question on the tip of everyone’s tongue: What makes data personal data? If this whole thing’s about how we handle personal data, knowing what is and isn’t is the key.
So, is a name personal data? No.
Name and email address? Yes.
Okay, so what about name and postal address? Yes.
Not hard so far is it!? What about postal address, gender, age but remove the name. That should be depersonalised, right?
Even though we’ve taken out the name, it’s not a big stretch to identify the 47-year-old male living at that address. Therefore, it’s personal data.
And those are the easy combinations. A picture taken by an estate agent, that accidentally catches a passer-by in shot? Not personal.
The same picture passed to the police because you think they robbed the bank next door – personal.
To save our sanity with endless scenarios, I’d like to propose a simple approach – it’s all personal data. If we take this approach, it starts to engender a ‘privacy by design’ approach into the business. Then, by considering the potential impacts, we can start to design processes and systems that are appropriate and proportionate to the data we’re protecting.
I know my rights!
The GDPR enshrines a number of rights the individual data subject has in relation to the personal data we hold about them:
The right to be informed
At risk of over-simplification – what data you process for an individual, who’s processing it, for what reason, and for how long.
The right of access
In brief – you must confirm whether you’re holding / processing an individual’s data, and give them access to it.
The right to rectification
If you are holding data that’s inaccurate, they have the right to ask you to correct it.
The right to erasure
Delete me please! (unless there are mitigating circumstances)
The right to restrict processing
In the case of the mitigating circumstances above, you might keep the data (at least temporarily) but stop using it.
The right to data portability
The individual’s right to move their personal data from one service provider to another.
The right to object
Stop! (unless there are mitigating circumstances)
Rights in relation to automated decision making and profiling
Restrictions on “computer says no” decisions.
What do these rights mean for you? In effect, it means that your organisation will need to know how to handle – both procedurally and technically – these potential requests from people whose data you hold.
It’s an outrage!
Data is newsworthy. I can almost guarantee that, in any given week, there will be at least one story about a hack, a misuse of data, or a laptop full of something top secret left on a train. Alongside the actual or potential impacts, there’s the reputational damage. Red faces and dented share prices all round.
Add to that the creepy antics of some organisations, using deep profiling of customers to sell more or target their advertising, and it’s no wonder that many of us have the sense we’ve been in some way violated by organisations that we trust with our data.
It’s little wonder that, in response to this growing sense of public indignation, regulations are now being tightened up.
Back to the good old days
Let’s put technology to one side for a moment, and look at a business that uses absolutely no technology at all. My case example is a psychotherapy practice which runs on completely paper-based systems.
Does that mean GDPR doesn’t apply?
No. If you hold or process data, it still applies. To my earlier point, it’s not only an IT thing. As I go through the case example I’ll call out some key points along the way.
The first question to ask, which is the same for all organisations: Does the business hold or process personal data?
Answer in this case, absolutely. At the most basic level the practice holds names and addresses of clients. That makes it personal data as far as the GDPR is concerned.
Key Point: If the data can be used to identify an individual person, it’s personal data. Even something as simple as a name and email address qualifies.
Additionally, they keep notes about the therapy sessions. This raises the bar somewhat.
Key Point: If you hold medical-type records, or records about children, you’ll need to be extra diligent.
The practice needs to ask itself a fundamental question: would that data, if it were unintentionally exposed, have the potential to cause harm or distress to the clients? Answer in this case, yes.
Key Point: The measures you take to protect the data must be proportionate and reasonable. What would be the potential impact on the clients (known as ‘data subjects’ in GDPR speak) if their information were leaked? The answer to this question will inform your decision making. You’ll take very different measures for safeguarding say, a mailing list than you will for guarding someone’s financial or medical details.
In practical terms, this therapy practice protects the data by splitting the personal information into two separate files. Contact details are in one filing cabinet; notes of therapy sessions (without identifying details), are locked in another filing cabinet in a different office. It takes a unique code to tie the two together. External doors are double-locked and the building is secured with an alarm.
Because of these measures, they could be regarded as taking reasonable and proportionate measures to protect the data. So far, they’re doing well GDPR-wise.
Let’s move on to the procedural side of things. At their first session, the therapist lets the client know she intends to keep notes. She describes what they’ll be used for, their confidentiality, legal exceptions, and advises that records will be destroyed after the final session.
Key Point: The client is informed about what data is kept, why, and for how long. They have given ‘informed consent’ (GDPR term). In fact, according to the GDPR, the client can ask for a copy of their data at any time, or ask to have it deleted altogether (they have a ‘right of access’ as well as a ‘right to erasure’ under the GDPR).
If the therapist needs to write to the client’s GP, she asks their permission.
Key Point: She gets informed consent from the client for the data sharing, as it’s a different way of using the data than originally described.
Has she complied with the GDPR?
I would say yes. Preserving clients’ privacy – their right to a private life – has been designed into the way the practice runs. They’ve taken measures that are both secure and reasonable considering their business model and the sensitivity of the data they are holding.
I chose this example because there was absolutely no technology involved. No computers, no networks, only old-fashioned paperwork. Because it’s based around things you can see and touch – filing cabinets, locks, and alarms – you don’t have to be a technologist to get your head around it.
Does it really describe the situation of most businesses these days? No, it doesn’t. Businesses need technology; our case example is a curious exception, not the rule.
If our psychotherapy practice made the step into the digital world, then all these physical security measures would need to be transformed into technological ones. Let’s go through some of the implications for GDPR if this were the case.
Internet Firewalls & Gateways
A firewall sits at the boundary between our computer network and the public Internet. It’s like the front door of the office: we open it to those we want to let in, and shut it to those we don’t. It provides a security barrier against unauthorised access to our network and the computers / servers holding the data we want to protect.
Unfortunately our experience shows the firewalls of many SMEs are badly configured and often have ‘back doors’ left open. Imagine leaving your actual office back door wide open when you lock up at night – you’d be inviting trouble.
GDPR Compliance to-do: Get your network ‘penetration tested.’ Your IT provider will test your network from the outside to make sure there are no loopholes or backdoors left open. From a GDPR point of view, substandard security due to bad configuration is a definite breach.
Additionally, an Internet gateway monitors your outgoing traffic (internal users accessing the Internet). It will check Internet sites against a blacklist and prevent access to sites that may spread viruses and malware. Malware’s job is to steal data or put it out of reach until a ransom is paid. From a GDPR point of view, you don’t want it.
GDPR Compliance to-do: Make sure you have a security gateway, that it’s properly configured, and that blacklist subscriptions are up to date. A sad fact is that many SMEs have a gateway that is not functioning correctly or not up to the job. Some have no security gateway at all. The GDPR expects you to take reasonable steps ‘with respect to the state of the art’. Gateway security products are now mainstream, so there is really no reason not to use one.
Wi-Fi
What did we ever do without it!? It’s the enabler of mobile computing. No need to plug in, just switch on and you’re connected.
The problem is, Wi-Fi doesn’t limit itself to your office, it leaks beyond your office walls to the world outside where the signal can be picked up by anyone.
People may try to crack your passwords, or someone that’s been given temporary access in the past (a visitor for example) may try to access the network later for fraudulent purposes.
Again, experience has shown us that many SMEs have bad configuration and sloppy practices around Wi-Fi use.
GDPR Compliance to-do: Ensure that your Wi-Fi network is not using a shared password for all users. Ensure that an Internet-access-only guest Wi-Fi network is configured that prevents casual users from touching the network that supports your essential IT systems. Make sure the Wi-Fi for internal users is authenticated using their normal user name and password, so that it can be suspended / withdrawn if required and disabled if there are too many log-on attempts (indicative of someone trying to hack into the network). Lax use of Wi-Fi which leaves your network vulnerable is another clear breach of the GDPR.
Everyone that uses your network or systems should be an authorised user with their own username and password. Staff should be issued with one when they start with the company, and it should be disabled when they leave. You’ll need to be able to show there’s a process to ensure this happens reliably. There should be no shared user names and people shouldn’t ‘loan’ their user accounts to other staff members.
Passwords should be strong and changed regularly (with the change enforced), and accounts should automatically lock out after a number of incorrect attempts.
Does everyone need external access to the network or systems? Restrict external access (via the Internet) to the staff members that actually need it and only to the systems they need. The default should be OFF.
A common problem with some SMEs is that ex-employees and contractors have active accounts that haven’t been disabled, leaving systems open to unauthorised access. Sometimes systems are accessed via common user names and passwords (often to save money in licensing fees) meaning that it’s impossible to restrict access to a single user.
Make sure that any default usernames and passwords have been changed. Sloppy practice around access controls is another clear breach of the organisation’s responsibilities under GDPR.
The weakness of usernames and passwords is that anyone who gets hold of them, or guesses them, can gain access to systems. A more modern-day approach is to use two-factor authentication, where the username and password are augmented with a code sent to a second device (normally a smartphone). This is analogous to the way you unlock your bricks-and-mortar office: you need both the front door keys and the alarm code to gain access to the building.
GDPR Compliance to-do: Speak with your IT partner about an appropriate password policy. Make sure it’s enforced. Ensure employees know the rules about password sharing. Consider two-factor authentication if feasible.
Software – which includes everything from the operating systems running on computers, servers, or devices, as well as application software – occasionally suffers with security loopholes. As these are discovered, the developers issue patches or software updates to close them off.
Viruses, malware and hackers exploit these loopholes and put your systems and the data held on them at risk. For this reason, keeping software patches up-to-date is a regular and ongoing task that can’t be ignored.
Again, experience tells us that many organisations do not do this, either in a timely manner or at all. The NHS found this out recently: a Microsoft patch issued months previously had not been applied, leaving them open to the Cryptolocker virus which closed down several A&E departments.
GDPR Compliance to-do: Make sure your IT partner has a regular patching and update schedule for all servers and devices on your network. This also applies to any hosted systems that you don’t have on-site.
For a virus or malware to propagate it needs to find a computer system to be its host. If the virus can’t run on the computer, it can’t cause havoc. Malware protection / Antivirus software will catch it, and hopefully disable the virus before it can take hold.
Sometimes, an organisation can be using an old or outdated version of antivirus that doesn’t know how to detect newer strains.
GDPR Compliance to-do: Ensure antivirus is installed on all computing devices and is set to automatically update with the signatures of new virus strains. Not having adequate protection will mean that you’re failing to meet your obligations under GDPR.
Having all the network security in the world is of no use if someone can steal the computers holding the data itself. This is especially true of laptops which regularly leave the office building and could be stolen from a car or public transport.
But even if they are stolen, they’re protected by a username and password, right?
This will shock a lot of people. Once you have a laptop physically in your hands, it can be hacked and the data accessed in less than 5 minutes.
If you’re curious about this, see our video: How long does it take to hack a laptop?
For this reason, a password alone provides little protection unless you are using disk encryption. A sad fact is that amongst SMEs, our experience tells us that only around 1 in 40 business laptops are using disk encryption, despite it being readily available in the latest versions of the operating systems from the major vendors (Windows, macOS, Linux).
GDPR Compliance to-do: For any laptops that will be used outside of the office, ensure that disk encryption is configured. Laptops within the office (or other working space) that may be at risk of theft can be secured with a lock to make them harder to steal (often called a ‘barrel’ or ‘Kensington lock’).
You might think that data backup is your own business and outside of the GDPR. Unfortunately, it’s not. Losing data – due to a hardware failure, accidental deletion, or a cyber-attack – is another breach of the GDPR.
Backups that are stored on-site are vulnerable to cyber-attacks (the backup gets taken down at the same time as the rest of the network); additionally, there are the physical risks of fire, flood, and theft.
My insurance company recently miscalculated my premiums because certain data relating to my house was lost when systems were changed over two years previously. They ‘lost’ the data. Nowadays, they’d be falling short of their GDPR responsibilities.
‘Data subjects’ – the GDPR moniker for persons that we might otherwise call client, customer, patient, or employee – have rights. One is the ‘right to deletion’ and the other is ‘data portability’ (“I’m leaving, please give me my data so I can take it with me!”).
You’ll need to think through how you reconcile these rights alongside your need to keep backup copies, as well as the requirements of other agencies (HMRC, FCA, etc.). Requirements may be in conflict; there is no ‘right’ answer, and you’ll need to find a reasonable compromise that you can articulate and stand by.
GDPR Compliance to-do: Ensure you are backing up to an off-site backup service (or one that backs up to a completely different network to the one that holds your working data). Resolve any potential conflicts between data retention, the rights of the data subjects, and the requirements of other agencies.
Staff need to be aware of your policies regarding GDPR and these need to be baked into your data handling procedures. It’s an easy sentence to write, harder to do.
Staff will need to know, understand and follow your security policy, and be wise to the signs of malware attacks and other fraudulent activities.
What would happen if the burglar alarm went off at your office, but no one responded to it? It wouldn’t be of much use. It’s the same with your cyber security technologies (firewalls and gateways). If they detect a possible threat, but no one is listening to the alarms, they are ineffective.
GDPR Compliance to-do: Make sure your IT security systems are being monitored by someone who knows what action to take. This may be something that is best outsourced to an IT partner who can provide 24×7 system monitoring.
When we think of handling personal data we normally think about our information systems – like CRM, Payroll or ERP – but communications systems, most notably email, are overlooked.
The truth is, our emails are littered with personally identifiable information, in many cases more so than other IT systems.
Names, addresses, conversations about individuals, opinions – not to ignore the obvious one of email addresses themselves – are all in there. And then of course the small matter of the attachments and all the personal data they contain.
The challenge is that many SMEs have email systems that are not backed up. Additionally, email data may be dispersed across email servers, laptops and mobile devices, leaving them open to potential loss or breach. Some hosted email systems (especially ISP-based systems) do not conform to minimum standards of security.
There’s also a matter of what to do if the customer (for customer, read, client, employee or anyone classified as a ‘data subject’) exercises their ‘right to erasure’, meaning, in effect, that you need to delete their personal data from your email systems. This puts a very different spin on the functionality required for email for a GDPR compliant business.
GDPR Compliance to-do: Ensure that your email systems meet the same security standards as your other systems. Make sure that email data is backed-up and follows the same data retention policies that you set for other IT systems. You’ll need tools that allow you to find data about an individual and delete it should a client (data subject) exercise their right to erasure.
We all enjoy the convenience of mobile devices, in our work and our personal life. The trend is towards Bring Your Own Device (BYOD), using your personal devices for work.
The challenge for data protection is ensuring adequate security and protection of organisational data, on a device that may not be company owned or subject to company usage policies.
Mobile devices, by their nature, travel outside of the office environs. This puts them at special risk of theft or loss. Lose the device and you also lose the data it contains.
GDPR Compliance to-do: For both company-provided and employee-owned devices (BYOD), look at securing them with a Mobile Device Management solution. This will allow you to centrally enforce security policies (e.g. enforcing a 6-digit passcode if the device is used for company email), as well as allowing you to remotely wipe the device clean of all company data if it’s lost or stolen.
Good news, when it comes to GDPR compliance, the buck doesn’t stop with you!
Well, not entirely anyway.
The GDPR makes a distinction between the ‘data controller’ and the ‘data processor’. In brief, if it’s your clients or your employees represented in the data, you are the Controller.
With a cloud-based service, the service provider is normally holding the data and doing the processing on your behalf. They are the Processor.
Under previous legislation (Data Protection Act 1998), you had the responsibility of making sure the cloud provider complied. Now, under GDPR, they have responsibilities too and can also be subject to the same penalties.
That doesn’t mean that you are completely off the hook; you do need to have a contract in place which adequately protects you and your clients / customers / employees (the data subjects). It can’t be one with ‘elastic’ terms and conditions, to the effect of “We reserve the right to change these terms at our discretion”.
You also have the right to request your data, the same ‘right to portability’ as your data subjects do.
GDPR Compliance to-do: Check how far your cloud service provider has got in their GDPR compliance journey. Seek assurances if necessary; you have the right to audit. Review your current contracts to ensure that they are still suitable under the GDPR, and specifically that they don’t include any terms that limit your right to refuse changes to the service made without your agreement.
Last but not least, the good old ‘shared drive’ known as the X, Y, Z or other letter from the back-end of the alphabet. It’s the digital filing-cabinet where everyone puts all those documents, spreadsheets, presentations and pdfs for posterity and access by all.
Like email, it’s one of the places that we don’t expect to find personal data, but invariably do. If you’ve written a letter about an individual, and there’s a copy held on ‘the server’, it falls under the GDPR. The more sensitive the information, the greater the compliance impact (again, think about the impact on the individual if leaked).
Consider also spreadsheets that may have extracts from your other systems or databases. They will likely contain personal data. Spreadsheets used for analysis or stats are often derived from underlying data, and personal data may be caught up in them when you didn’t intend it to be.
Just as with your other systems, you have to think about your responsibilities to preserve this data, or delete it if you don’t need to hold it anymore, or are responding to a ‘right to erasure’ request.
The challenge with this type of unstructured data, gigabytes of it, is working out what’s actually in there. You will need tools that can search the file system, but also inside the documents. You may not have those currently.
GDPR Compliance to-do: Check whether you have adequate backup on your shared file systems. Check whether you have the tools to search out specific data about data subjects that may be embedded in documents or spreadsheets.
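The email to-do and the shared-drive to-do above both come down to the same capability: being able to find every place a data subject is mentioned, including inside documents and saved messages, before you can action a right of access or right to erasure request. The script below is an added example (not a Weald IT tool) of that search over a constructed sample share: it reads .txt/.csv files directly, unzips .docx files to read the Word body, parses saved .eml messages (headers, text parts and attachment names), and reports which identifiers matched in which file. The share contents, names and the 07700 900123 number are constructed sample data.

```python
"""Find a data subject's identifiers inside unstructured files so a GDPR
access or erasure request can be actioned. Added example with constructed data."""
import email
import email.policy
import os
import re
import tempfile
import zipfile
from xml.etree import ElementTree

WORD_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def docx_text(path):
    """A .docx is a zip; the visible text lives in word/document.xml <w:t> runs."""
    with zipfile.ZipFile(path) as z:
        root = ElementTree.fromstring(z.read("word/document.xml"))
    return " ".join(t.text or "" for t in root.iter(WORD_NS + "t"))


def eml_text(path):
    """Headers plus every text/* part; attachment file names count as well."""
    with open(path, "rb") as f:
        msg = email.message_from_binary_file(f, policy=email.policy.default)
    parts = [str(msg.get("From", "")), str(msg.get("To", "")), str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
        if part.get_filename():
            parts.append(part.get_filename())
    return " ".join(parts)


def extract_text(path):
    ext = os.path.splitext(path)[1].lower()
    if ext == ".docx":
        return docx_text(path)
    if ext == ".eml":
        return eml_text(path)
    if ext in (".txt", ".csv", ".md"):
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    return ""  # other formats would need their own reader; treated as unreadable here


def find_subject_mentions(root, identifiers):
    """Return {path relative to root: [identifiers found]} for every file with a hit."""
    patterns = {i: re.compile(re.escape(i), re.IGNORECASE) for i in identifiers}
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            text = extract_text(path)
            found = [i for i, p in patterns.items() if p.search(text)]
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def build_sample_share(root):
    """Constructed sample share: the subject appears in three of four files."""
    doc_xml = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Letter to '
               'Jane Example regarding her account.</w:t></w:r></w:p></w:body>'
               '</w:document>' % WORD_NS[1:-1])
    os.makedirs(os.path.join(root, "HR", "letters"))
    with zipfile.ZipFile(os.path.join(root, "HR", "letters", "jane.docx"), "w") as z:
        z.writestr("word/document.xml", doc_xml)  # minimal docx: body part only
    with open(os.path.join(root, "extract.csv"), "w", encoding="utf-8") as f:
        f.write("id,email,balance\n17,jane.example@example.org,120.50\n")
    with open(os.path.join(root, "mail.eml"), "w", encoding="utf-8") as f:
        f.write("From: bob@example.org\nTo: alice@example.org\nSubject: Invoice\n"
                "Content-Type: text/plain\n\nInvoice for J. Example, tel 07700 900123.\n")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("Stationery order, nothing personal here.\n")


def demo():
    root = tempfile.mkdtemp()
    build_sample_share(root)
    # Search on name, email and phone: the email only matches on the phone number
    return find_subject_mentions(
        root, ["Jane Example", "jane.example@example.org", "07700 900123"])


if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        print(path, "->", ", ".join(found))
```

Searching on several identifiers matters: the saved email above never spells out the full name and is only caught by the phone number.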
A few closing thoughts to take away:
• Mantra – we don’t own it, we only have it on loan: We borrow data from people, we use it for the agreed purpose, and at the end, we give it back. Whilst we have it, we look after it. We don’t do anything different with it unless we ask first, and we don’t loan it to anyone else without asking.
• Take a business-led approach to the GDPR: Compliance needs an organisational response, not just a technological one. Privacy by design needs to be baked into your business.
• It’s all personal data: If you put in place processes and technologies to protect all data, you’ll be on the right track. Take special measures where necessary depending on sensitivity.
• Don’t let your IT be a leaky ship: Your IT infrastructure is the vessel that holds and transports the data. It needs to be sturdy, watertight, and fit for purpose. Now may be a good time to nail down a few loose planks!
We wish you good luck on your GDPR journey! Any questions or points to raise, post below.
Weald IT – Portsmouth Branch Manager