Whatever your feelings about it are, the GDPR exists to ensure companies Get Data Protection Right. It’s not there to tyrannize companies or threaten them. Rather, it acts as a guiding set of principles that helps to ensure companies are good custodians of the personal data they use. We’ve identified nine pillars of data protection which work together to form an effective data protection framework. Most elements of compliance relate to accountability, from the policies a company adopts, to the security measures it implements, to how it responds to data breaches. This article looks at our eighth pillar of data protection: monitoring and demonstrating GDPR compliance.
The way you demonstrate GDPR compliance (or your journey towards it) is through a system of record-keeping and documentation. Unless you maintain registers containing the details pertaining to personal data processing, you can’t be fully accountable. GDPR compliance is a never-ending process, since the personal data a company holds and the way it is processed changes constantly. All records must be regularly reviewed and kept up to date.
GDPR Compliance Depends on Documentation
Keeping detailed records of data-processing activities can help a business to operate more efficiently. It can improve data governance. You should think of your record keeping in these terms rather than seeing it as an onerous task. Supervisory authorities, like the ICO in the UK, may request documentation at short notice. An example of this is when a serious data breach occurs. For many breaches you only have 72 hours after discovering the breach to file a report with the supervisory authority. An efficient process for recording and evaluating breaches helps in gathering the required information quickly. It also reduces a lot of potential stress. Another instance where detailed documentation helps is when a data subject requests access to their data (these are known as subject access requests, or SARs). Ideally, you should have a process to simplify and record your responses and, in a couple of mouse clicks, be able to see where the requested information is, whether inside your organisation or with a third party. Unless a request is particularly complex, companies have one month to deal with a SAR. Furthermore, under Article 30 of the GDPR, record-keeping of processing activities is an explicit requirement of compliance. Thus, as well as helping in the timely execution of GDPR tasks, it is necessary in and of itself. Using the right tools can reduce the burden of record-keeping, inform you of your progress in compliance and help you stay on top of it. We’ll look at that next.
Monitor and Prove Your Compliance
Article 5 of the GDPR sets out the chief responsibilities of a data controller with regard to processing personal data. It also requires controllers to prove they’re complying with these responsibilities, which is achieved mainly through record keeping and documentation. Having established the importance of documentation and why it’s necessary under the GDPR, how do you use your records to gauge progress in compliance? One way is to use GDPR compliance software with built-in monitoring tools.
Monitoring Compliance Example
Imagine a company that aims for GDPR compliance but isn’t sure whether or not it has achieved it. Software like Relentless GDPR-247, which features a compliance dashboard, gives a quick overview of the tasks needed to maintain compliance. A workflow management tool for allocating tasks and tracking progress lets the company see at any point in time what needs to be done, when and by whom. Furthermore, Relentless GDPR-247 gives feedback on any compliance gaps. The areas of GDPR compliance monitored by Relentless GDPR-247 include the following:
- Data subject access requests: a case management and workflow tool for simplifying the process of responding to individuals’ requests in relation to their data.
- Processing risk management: You’re able to do risk assessments either through DPIAs or on core data protection areas related to the GDPR and attach thorough documentation relating to your mitigation efforts.
- Legitimate interests: When legitimate interests are being used as the legal basis for processing personal data you can indicate and defend your reasoning.
- Information use and cybersecurity controls: all aspects of cyber security can be recorded, including technical measures, company policies and practices, and staff training.
- HR practices: employees also have data rights under the GDPR, so the handling of staff data must be monitored to ensure GDPR compliance.
An example of how documentation helps prove compliance
A debt collection agency holding sensitive personal data on EU subjects needs to prove its GDPR compliance in order to build trust. To achieve that, the agency might subscribe to the FENCA code of conduct in data protection. GDPR Article 40 encourages the creation of codes of conduct within various trades. These codes of conduct can often clarify some of the regulation’s more abstract requirements and give guidance on specific industry problems. They also instil confidence in potential customers.
Getting Data Protection Right
There are several ways a business can make itself accountable for its data protection practices; one of them is through meticulous record-keeping. Documentation brings the various elements of the GDPR together and surfaces tasks that need to be completed for full compliance. By using Relentless GDPR-247 as the foundation of your data-protection framework, the path towards compliance becomes clear. You’ll be able to set goals, gauge progress and manage data-processing tasks efficiently. Why not begin a free trial today?
Introduction: Data Breaches and How Organisations Can Improve
With the new focus on digital privacy and data privacy regulations, data breaches are increasingly in the news. Global data privacy regulations have outlined the types of data that are considered sensitive and the penalties for a breach. Global data protection laws, as well as the number of high-profile data breaches, have caused organizations to commit to a greater focus on privacy. Organizations are actively working to decrease their potential exposure to a data breach by enhancing their cyber-security defenses.
When trying to design and implement a strategy for protecting against data breaches, it’s useful to understand what the most common causes of these breaches are. This article looks at the data from the first quarter of 2019 and classifies breaches into several common categories.
Common causes of data breaches
Data breaches involve the release of sensitive data to unauthorized parties. While most people’s first thought when hearing of a data breach is that external attackers have gained access to the organization, data breaches can be caused by a variety of different reasons.
Here we define seven different causes of data breaches:
- Accidental Web/Internet Exposure: Sensitive data is accidentally placed in a location accessible from the Web. The news stories about improper usage of Amazon S3 permissions (and other cloud storage) fall into this category
- Data on the Move: Securing data in transit is often a challenge for companies. Using HTTP and other insecure protocols is a common cause
- Employee Error/Negligence/Improper Disposal/Lost: This category covers all data breaches caused by employee negligence. Data security policies that are weak and/or unenforced can lead to unintentional data breaches
- Hacking/Intrusion: Data breaches involving an external party (i.e., a hacker) are what most people expect when they hear of a data breach. This category includes phishing, malware/ransomware and skimming
- Insider Theft: This category also deals with employees, but covers cases where insiders are intentionally breaching sensitive data
- Physical Theft: Laptops and mobile devices commonly store sensitive or valuable data. These devices can easily be lost or stolen when brought to public areas
- Unauthorized Access: Poorly designed or implemented access controls can allow people to access data that they are not authorized for
Data breaches involving external parties gaining access to an organization’s network are only one of several different types of breaches.
Causes of large data breaches
Data breaches occur practically every day. According to statistics there were 264 breaches in Q1 2019, or almost three breaches per day on average.
However, we don’t hear about most of these breaches on the news. Only the “huge” breaches make the headlines. In this section, we’ll break down the major causes of breaches in two ways: based on the number of records exposed in a single breach, and based on the number of records exposed in Q1 2019 by each breach type.
Causes of the largest breaches
In Q1 2019, the ITRC recognized eight breaches that exposed at least 100,000 records. These breaches are summarized in the following table.
| Organization | Publication Date | Exposed Records | Root Cause |
| --- | --- | --- | --- |
| Centerstone Insurance and Financial Services d/b/a Benefitmall | 1/4/2019 | 111,589 | Hacking/Intrusion |
| Columbia Surgical Specialist of Spokane | 2/18/2019 | 400,000 | Hacking/Intrusion |
| University of Washington Medical Center | 2/19/2019 | 973,024 | Accidental Web/Internet Exposure |
| Health Alliance Plan | 3/7/2019 | 120,344 | Hacking/Intrusion |
| Federal Emergency Management Agency (FEMA) | 3/15/2019 | 2,300,000 | Employee Error |
| ZOLL Services LLC | 3/18/2019 | 277,319 | Not Disclosed |
You can see that while Hacking/Intrusion may be the most common cause of data breaches, that doesn’t make it the most damaging. The FEMA breach exposed more records than all Hacking/Intrusion breaches put together, but it was caused by employee negligence. The second-largest breach (UW Medical) was also not caused by hacking.
Causes of most lost records in March 2019
In March 2019, ITRC began including additional information in their breach reports. This information included a breakdown of the number of records breached in that month, based on the cause of the breach.
| Root cause | Exposed Records (%) |
| --- | --- |
| Employee Error/Negligence/Improper Disposal/Lost | 2,313,460 (69.6%) |
| Unauthorized Access | 427,356 (12.9%) |
| Accidental Web/Internet Exposure | 381,812 (11.5%) |
| Physical Theft | 21,221 (0.6%) |
| Data on the Move | 2,088 (0.1%) |
| Insider Theft | 0 (0%) |
As shown, employees were the cause of the majority of breached records in March 2019. While this information is skewed by the fact that 2,300,000 of the breached records were included in a single breach, the fact that the top three causes of breaches can all be considered internal errors means that organizations need to focus on fixing internal process errors as much as they need to devote time and resources to keeping attackers out.
Many organizations purchase generic online training materials and privacy awareness materials. Whilst these can be informative, they are generalized and often do not reflect your organisation’s data processing operations. Bespoke training for your organization ensures your employees fully understand the importance of data privacy and enhances their data handling processes, leading to high levels of customer satisfaction.
The Relentless GDPR Data Privacy model can be used to set benchmarks for organizations starting out, and by organizations that already have a privacy function and some components of a privacy program. It provides a structured means to identify and document current privacy initiatives, determine their status and assess them against the global privacy maturity model criteria. Complete the enquiry form for more details.
Your employees are uniquely positioned to help boost your customer engagement. You will have key staff members who are your front-line ‘face of the company’ members that deliver and enhance your customer experience. These key members of staff need to be chosen carefully for their positive mental attitude, because customers cannot help but respond positively to upbeat, warm and friendly treatment.
From a manager’s point of view, these ‘front-line’ members of your team are in a position to observe and monitor your customers’ experience on a regular basis. They are in the best position to feed back to you any subtle changes in customer attitude and opinion in response to any changes to the products or services you offer.
CRM, or customer relationship management, is a very important factor for the success or ultimate failure of your business. Customers are key, and you want to ensure that each and every individual customer has a positive and pleasant experience while dealing with you. It is the thought and care that goes into the customer experience that will keep your customers loyal, and encourage them to come back for more.
Switched-on company leaders understand the influence that their employees have on their customer experience, and will actively seek out ways to improve and build even more quality into customer engagement. It is in their best interests to build a winning team that can deliver great service every time through CRM.
There is an ever-present danger that inexperienced company leaders will become so detached from their customer base that their focus becomes company-centric, and they will put into place working schemes that are better for the leaders, investors and shareholders. But without a solid and loyal customer base, there really will be no business!
A customer-centric business, on the other hand, is built through good customer relationship management. Listening to what the customer wants via regular feedback will enable a good manager to tweak their customer experience for the better, and the customer will feel that they were an important part of the mission to improve your customer services.
To start off with, you will need to understand your customer inside and out, and be able to build a full 360-degree picture of your customer to be able to fully meet their needs and requirements. You can help this task by using good CRM software, and there are a few good systems available that can be tailored to suit your needs.
By conducting regular customer feedback sessions, implementing positive changes within your service, and then feeding back to your customers the results of their involvement, you will be building good levels of customer engagement.
You should always reward your front-line employees when they serve customers well, especially when customers are taking the time to leave positive feedback about individual staff members. This will not only encourage employees to keep up the good work, but compliments are infectious, and will boost overall team morale.
Research has proven that staff who work for a customer-centric company are six times more likely to be fully engaged with their work, which in turn leads to much higher levels of customer engagement. At the end of the day every company needs to delight their customers, and establishing good CRM practices is the key to all this.
You can use specialist tools such as CRM programmes to conduct market research campaigns, manage social media interaction, and help to build a 360-degree profile of your customer, but this is only one piece of the puzzle. Your employees on the ground who are customer-facing in their job every single day are the ones who can actively engage with customers, listen to their needs, and feed back to you about their experiences.
Employees should be encouraged to feed back to their managers about customer engagement and reactions to new promotions, products, marketing techniques etc. This can be easily done via access to an online company forum, for example, where they can discuss feedback and ideas with other staff members and managers, or, if using a CRM programme, by granting them access to the system so they can make notes.
Most modern CRM programmes can be tailored to suit your individual company needs, so provision should be built within your system to allow for input from customer-facing staff, especially while trying out a new service being offered, or when a new product is being launched to customers. It is a great way to get real-time, honest customer reactions and opinions.
CRM software packages, whether online or stand-alone, can be a great tool for a growing business, and an essential piece of kit for large companies, but the most valuable customer relationship tool a business owner can possess is their own staff, who are in a unique position of direct involvement with customers. It is the human touch that provides great customer service, be that face-to-face, over the telephone, or via online interaction.
Relentless Privacy and Compliance Services provides expert consulting on CRM and data privacy regulations. Our award-winning GDPR assessment services are available and competitively priced.
It’s time to discuss one of the horrible truths of data protection and cybersecurity: breaches will happen, no matter how many steps and procedures you put in place to avoid them. This is because systems are designed, built and run by people, and people are not flawless. People make mistakes, and this can lead to a data breach.

This is why, no matter how strong your data protection policy is, you need a plan of action just in case the dreaded incident happens and your company suffers a data breach. The implications of a breach go far beyond a potential GDPR fine and extend into serious reputational damage for your business. Your main concern shouldn’t be the legal implications, but the potential consequences for your business. GDPR compliance discussions often focus on the threat of huge fines that can result from a breach and on preventing the breach. Less commonly discussed, and equally important, are the steps that must be taken when a breach occurs.

The best way to prepare for a data security breach is to accept it as an inevitability and plan accordingly. No matter how many security protocols and steps you put in place, there is always the chance that someone will get around your systems or (more likely) that someone in your team will make a mistake and a breach will occur.
Since the GDPR came into law with the UK’s Data Protection Act of 2018, there has been considerable noise about what it means for businesses. In reality, things are still evolving and we don’t fully know yet. The true consequences of the GDPR will be determined by case law, which will take several years to emerge. The Information Commissioner’s Office (ICO) in the UK is still finding its feet when it comes to enforcing compliance and is taking a relatively slow approach to sanctioning companies. For this reason, it’s important to see the GDPR as a framework that can help you get adequate data security protection and mitigation measures in place.
Your Legal Obligations
After a breach occurs, you have 72 hours to inform the relevant GDPR regulator in the country where the breach took place. In the UK, this means the ICO. The ICO has developed a self-assessment tool to help companies determine whether a breach is reportable or not.
Putting Together Your Plan
What the ICO doesn’t provide is a plan for dealing with a data breach. If you don’t have one, then you should start to make one now. The last thing that you want to be doing when you are dealing with the reputational fallout that accompanies a data breach is working out the practical steps that you need to take.

If you can assign distinct responsibilities to everyone on your team and make it clear to them what they are, it will save time in mitigating the impact of the breach. If members of your team already use an existing agile methodology or something similar, then use this framework for your GDPR response plan.

Remember there are a number of steps that you are required to take by law in the event of a data breach:
- Determine if you must inform the regulatory authority and do so if required.
- Ensure that the breach is repaired and no further information can be compromised.
- Determine if you must inform your customers and do so if required.
How to Inform Your Customers
You are legally obliged to inform anyone impacted by a data breach if the breach is likely to result in a ‘risk to their rights or freedoms’. There is not yet any case law that gives a more specific definition of this, but it’s generally taken to be a function of the sensitivity of the personal data that was breached, so if medical or tax records were disclosed you would want to inform the impacted individuals. While it is clear you must inform the individuals, the law does not prescribe a course of action, leaving it up to companies to determine how much detail their customers need to know. Case law may change this in the future but, for now, it’s most important to draw up your own approach in advance.
People across a company have a habit of going to ground when this type of data breach incident takes place. While the chances are that you will be incredibly busy mitigating the breach, this doesn’t mean that you should avoid communicating internally about what has happened and the steps that you are taking to fix things.

Industries which have long dealt with security incidents have developed robust approaches to ensure lessons are learned from failures. For example, the civil aviation industry has a ‘no blame’ culture which is designed to ensure that lessons are learned from mistakes and all parties are honest with investigators.

Managing data breaches can be difficult, and it’s still essential to do everything you can to avoid a breach, but it’s also important you have a culture that allows people to report them when they occur.

To make sure you have processes in place not only to protect against breaches, but also to react effectively when they do occur, book a demo with one of our GDPR experts to see how Relentless GDPR 24/7 can help.
We’ve begun to see news headlines where organisations receive fines for lack of adequate data protection. Regulators will never be able to police every non-compliant company, so what is the data protection regulation for in most cases? While the GDPR is an enforcement framework, it is also a set of guiding principles that you can use to build a data protection framework. This is why we think the GDPR is really about “Getting Data Protection Right”.

We’ve studied the regulation and used it to create a framework consisting of nine pillars of data protection. If you travel naturally down the path of GDPR compliance and implement these nine pillars, you’ll improve your business’s data handling as well as reduce the possibility of being sanctioned. In this article, we look at the fifth pillar: Data Security Policies. We’ll review the different types of data security policies and offer a solution for generating them.
Document Your Security and Operating System Configurations
Documenting security configurations, OS configurations, and other IT configurations is the work of security managers or security engineers. These tasks sound unproductive, but they’re vital. Why? In our world, where even the smallest companies use technology to do their day-to-day work, it’s better to record and track the configuration of that technology to ensure the smooth running of the business. The practice of documenting has several benefits:
- Reducing the risk of outages and data breaches and the harm they cause.
- Helping to quickly identify configuration errors made by administration staff.
- Letting IT staff restore service faster when they have base configuration and change records.
- Helping IT staff to design safe, non-disruptive future changes to configurations.
- Reducing costs by identifying or avoiding overlapping functionality.
Password and Account Management Policies
Computer hacking via weak or stolen passwords tops many lists of cybercrime causes and is a common cause of data breaches. Hence, it’s always advisable to create robust policies for password use. A useful password policy should consider:
- Limiting the number of times a password can be reused or how long it is usable.
- Setting minimum limits for length and complexity. This makes passwords harder to crack.
- Encouraging passphrases, which are harder to crack than passwords yet easier to remember.
- Auditing passwords and password changes to help track security threats.
- Locking accounts after repeated wrongly entered passwords.
Account management policies are broader in scope than password policies. They cover topics such as account-user access and levels of access, the principle of least privilege for new account creation (only giving access to minimum and required resources), and multi-factor authentication. Password policies often feature as a subset of account management policies.
Antivirus, Firewall and Database Policies
As part of an efficient data-protection framework, companies need policies in place which govern the use and configuration of antivirus software, firewalls, and databases. Let’s take a quick look at each of these.
Antivirus policies for workstations and servers control the software in various ways:
- Timing: when to scan for viruses and download new definitions.
- Functionality: how the software handles unwanted programmes and spyware.
- Emails: method of email scanning and how harmful messages and attachments are reported.
- Identity theft measures: configuration that protects user identities and web-browsing.
The role of antivirus software is to disable the tools hackers use to infiltrate your computer or network. For more direct attacks such as SQL injections, businesses put firewalls in place.
Firewalls come in two main forms: network-based and host-based. The latter is installed directly on individual PCs as software, while the former resides in the cloud or on a dedicated server and filters traffic between the Internet and a LAN. A firewall policy defines how a firewall should handle various types of traffic and which firewall features are enabled or disabled.

Best practice for creating a firewall ruleset is to block traffic by default and be as precise as possible about who can access what, using the available parameters (e.g. source and destination IP addresses, destination port). The same “principle of least privilege” applies here as elsewhere.
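The default-deny, least-privilege ruleset described above, written out as a concrete configuration. This is an added example, not code from the original article or from the Relentless GDPR product: an nftables ruleset for a host that serves HTTPS and is administered over SSH. The management subnet 10.0.10.0/24 is a constructed placeholder.

```nftables
# Added example (not from the original article): a minimal default-deny
# nftables ruleset. Every packet that no rule explicitly accepts is dropped
# by the chain policy, so the allow rules below are the whole exposure.
flush ruleset

table inet filter {
    chain input {
        # Default policy: drop. Anything not listed below never reaches a service.
        type filter hook input priority 0; policy drop;

        # Keep replies to sessions this host opened; discard malformed packets early.
        ct state established,related accept
        ct state invalid drop

        # Loopback traffic is local to the host and always allowed.
        iif "lo" accept

        # Administrative access (SSH) only from the management subnet.
        # Assumption: 10.0.10.0/24 is a constructed placeholder for your admin network.
        ip saddr 10.0.10.0/24 tcp dport 22 accept

        # Public service: HTTPS from anywhere. Plain HTTP (80) is deliberately not opened.
        tcp dport 443 accept

        # ICMP echo for reachability checks, rate-limited to blunt floods.
        icmp type echo-request limit rate 5/second accept

        # Log (rate-limited) what the default policy is about to drop, so policy
        # violations and misconfigured clients are visible to the SOC.
        limit rate 10/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This host is not a router: refuse to forward traffic between interfaces.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is permitted here; for servers that should only reach known
        # destinations, switch this to "policy drop" and add explicit allows.
        type filter hook output priority 0; policy accept;
    }
}
```

Load with `nft -f` and review `nft list ruleset`; the logged drops are the audit trail that shows the policy is being enforced.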
The security policies for a database may encompass many areas, including these:
- Acceptable usage policies restrict the ways employees or others can use the internet or network.
- Authentication controls ensure people accessing the database are who they say they are.
- Backup policies stipulating what data must be backed up, when and by which means.
- Encryption policies to ensure data is encrypted.
- Physical security policies defining physical access to buildings, data centres and servers.
- System maintenance policies defining time scales and methods for patching, purging and updating.
Templates to Get You Started
For many businesses, designing good security policies is a challenge. And yet they’re crucial for companies of all sizes. You need to define policies that are appropriate to your risks, implement them, and communicate the procedures and best practices to staff so they are aware of their responsibilities. While it’s not possible to create high-quality security policies automatically, our templates can be your point of departure. They make generating data-protection and acceptable-use policies easier by making sure you’ve at least considered standard practices. Get started today by booking a demo!
Although GDPR supervisory authorities can issue fines when companies disregard data protection, it’s really a last resort. We encourage you to view the GDPR as a useful framework for Getting Data Protection Right.

Seen in this light, the GDPR can become a business opportunity rather than an obstruction. It’s a chance to make intelligent use of data by processing it effectively and creating new business models. It can also be a PR and marketing opportunity. Your business can build trust with clients who are becoming more aware of how their personal data is being processed and are scrutinising companies’ handling of that data.

This blog series has been about the nine pillars of data protection around which you can build a solid GDPR framework. This blog post discusses the seventh pillar: data security awareness. The human element remains one of the biggest threats to good data security in any company. Untrained or unaware staff magnify that risk manyfold.
The Legal Obligation
Data controllers are legally accountable for protecting the personal data of individuals that they process. This includes taking responsibility for the negligent acts of employees conducted during the course of their job. Controllers may even be liable for deliberate data breaches undertaken by spiteful past employees. The ongoing Morrisons appeal is an example of just how far a company’s liability towards its current and past employees could go. Article 25 of the GDPR advocates data protection “by design and default”; this requires controllers “to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights”. This legal requirement encompasses staff training and awareness of the regulation and of employees’ legal obligations to protect personal data.
Vulnerability & Human Error
When you read about big GDPR fines in headlines, you may have noticed they’re typically issued to entities that either have vast resources at their disposal or a particular moral duty to protect sensitive data. Some examples are Google, Dixons Carphone and a handful of European hospitals. This leads many smaller companies to believe they’ll be shown more leniency by the supervisory authority. An irony here, though, is that cyber criminals attack these smaller companies for the same reason. Criminals employ many techniques to obtain access to personal data; the most common examples are malware, phishing or SQL injection. But the primary vulnerability they exploit is humans. To illustrate how often humans cause data breaches, we reviewed the ICO statistics for quarter 3 of 2019. These stats are compiled from the personal data breaches reported to the ICO by data controllers. The top six specified causes of data breach were as follows:
- Data posted or faxed to wrong recipient (289)
- Phishing (281)
- Data emailed to wrong recipient (269)
- Loss or theft of paperwork or data left in insecure location (253)
- Unauthorised access (149)
- Loss or theft of device containing personal data (120)
Unauthorised access and phishing might be considered cyber issues, but human error often plays a part. Someone has to click on a link for a phishing attack to work, and a lack of awareness about phishing helps such attempts succeed. Weak passwords invite unauthorised access. The answer to reducing human error is clear.
Staff Training & Awareness
We can never completely eliminate human error. My father always used to tell me: “If I haven’t made my first error at work by 11am, I want to go home because I don’t want to see the one coming at noon.” He acknowledged his fallibility. Companies need to do the same by making staff aware of the potential negative outcomes of their actions and what they can do to become less vulnerable. Making sure your employees are educated on threats like phishing attacks and malware is no longer optional. Are your staff aware of the company’s data protection policy? Do they know best practices for handling and transferring personal data? Staff training, when it’s done right, will instil this vital information in employees. So, who needs training, and how?
Who Needs Training in Data Protection?
All staff that handle personal data or have access to it should be trained in data protection. If you can access personal data, you can cause a data breach. If you can access the people that access it, you’re still a risk. The list might include the following:
- Receptionists & customer service staff: often the front-line targets of phishing or malware attacks.
- Marketing & communications staff: must have a clear understanding of personal data and best practices around storing and processing it.
- Human resources staff: must know how to store and handle data securely and with confidentiality, including employee data and job applications.
- Accountants: should be aware of cyber-attacks and phishing as well as general data-security issues. The financial or banking details of companies are coveted by cybercriminals.
- IT staff: experts in technical security but not always fully apprised of company policies.
- New hires: need training in best practices at the earliest opportunity.
- Senior managers & directors: are accountable and should therefore be well versed in data protection.
Exactly who needs training in data protection varies from company to company. Its relative cost and inconvenience tend to go up for smaller companies. Nevertheless, it’s an invaluable part of data protection.
GDPR training must also cover areas like identifying and handling subject access requests (SARs) and record-keeping requirements. This lays a solid foundation of the legal requirements for staff awareness. But it’s also important to train on the exploits themselves, like phishing and social engineering. If a company designates a DPO, it is that person’s responsibility to be involved in defining the staff training programme.
A chief aim of awareness training is to reduce the number of security incidents that occur. For this to work, companies need a system that lets employees report incidents without fear of negative repercussions. Maintaining a breach log in which security events are recorded, like the one found in Relentless GDPR24/7 software, is part of data protection awareness. Training should be as hands-on as possible in order for the message to stick. One way of achieving this is with a simulated phishing attack, which many specialist companies, such as KnowBe4, offer.
Fix the Weakest Link
Human error in one form or another is a prolific cause of data breaches. It needn’t even be an attack that causes the breach. In fact, sometimes data just falls into the wrong hands by accident. Training about data protection risks and awareness of internal processes and policies is a key part of any GDPR compliance framework. Tools like Relentless GDPR 24/7 can help make sure your data protection is adequate to the risks. Why not book a demo today?
The principle of accountability aims to guarantee compliance with the Data Protection Principles. It implies a cultural change which endorses transparent data protection, privacy policies & user control, internal clarity and procedures for operationalising privacy and high level demonstrable responsibility to external stakeholders & Data Protection Authorities.
The principle of accountability
The General Data Protection Regulation (GDPR) introduces a new principle to data protection rules in Europe: that of accountability. The GDPR requires that the controller is responsible for making sure all privacy principles are adhered to. Moreover, the GDPR requires that your organisation can demonstrate compliance with all the principles. So, which steps should your organisation take to build such a culture and to be able to demonstrate accountability?
Firstly, the organisation must know what principles need to be adhered to. There are six principles set out in the GDPR. These are the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. One of the best ways to make sure these principles are adhered to is to make sure your internal privacy governance structure is set up correctly and comprehensively.
The ways to incorporate these principles are woven throughout the GDPR. For instance, the GDPR requires your organisation to deploy the appropriate technical and organisational measures it lays out. Some (new) measures mentioned in the GDPR are: documented processes and policies, data protection impact assessments (DPIAs), suggested data security methods, data protection by design and by default, a mandatory data protection officer (DPO) for large-scale personal data processing, and keeping records of your processing activities. Special attention is given to (industry) codes of conduct and self-certification, data breach notification and transparency requirements.
A culture and organisational change
A strong governance structure is essential to standardise privacy and develop privacy by design and default. To create a cultural and organisational change for GDPR compliance within your organisation, buy-in from stakeholders is of significant importance. By developing internal guidelines for employees, compliance with legal obligations for data processing and securing data can be ensured. Incorporate training and awareness programs for everyone who is going to be involved in the processing of personal data. Your organisation can also consider subscribing to an industry code of conduct or creating internal guidelines and a review process for data analytics.
Subscribing to an industry code of conduct can demonstrate compliance, especially when the certifications are issued by certification bodies. These mechanisms are not obligatory under the GDPR, but are highly recommended. Developing your own ethical standards with respect to processing personal data may further enhance your accountability efforts. The risks of new initiatives are weighed against possible benefits. Questions like ‘can we legally do this?’ should be complemented by ‘do we want to do this, and how will it be perceived by our customers?’ to safeguard the ethical use of the data.
Furthermore, the GDPR obligates your organisation to maintain an internal record of all your processing activities. Your organisation is, among other things, required to record the purposes of the processing and a description of its technical and organisational security measures.
New in the GDPR is the requirement to designate a Data Protection Officer (DPO) within your organisation. Although the requirement is only mandatory in certain circumstances, a DPO can monitor the activities of your organisation and its processing activities to help you become compliant with the GDPR.
Under the GDPR, the principle of accountability becomes more important. Your organisation is not only required to adhere to the principles set out in the GDPR, but must also demonstrate compliance. To live up to the principle of accountability a comprehensive governance structure is necessary. Adhering to the principle of accountability means a cultural and organisational shift in your organisation. With the help of strong technical and organisational measures your organisation can demonstrate compliance with the GDPR.
Relentless Privacy and Compliance guides clients through the journey, starting with a comprehensive assessment covering 10 core compliance areas, a thorough gap analysis and a remediation plan.
Privacy regulations regarding data protection are both a challenge and an opportunity. A key indicator of GDPR maturity is the data protection mindset within companies and the level of data protection provided, meaning what business-critical workloads operate on cloud infrastructures, where they do so and how.
For many companies, the GDPR is still seen as a complex project. The legal, technical and organisational challenges brought about by the GDPR have proved stressful, resource-sapping and ultra-difficult to maintain. Particularly in the case of large migration projects in the cloud computing environment, in the IoT environment or in big data scenarios, day-to-day business leaves little time to give data regulations the attention they require.
However, in addition to numerous implementation challenges, the GDPR also offers the opportunity to excel by redefining and implementing new data protection and IT security strategies, especially in the context of cloud computing.
Consequently, the topic of cloud computing raises many questions in the context of the GDPR. In technical terms, cloud computing is a data processing contract. Hence, the cloud user should always be fully aware of the way their data is processed. Cloud providers and resource providers only support their functions and are dependent on the legal requirements of the responsible authority. In other words, both cloud providers and businesses must meet the minimum legal requirements for each cloud service under the GDPR.
Special attention should be focused on the ability of your cloud solution to meet Article 28 and Article 48. In light of the US CLOUD Act, US cloud service providers cannot guarantee to meet Article 48:
“Any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
Seize the moment
How can a company take advantage of the challenges posed by the GDPR? There are two main questions. On the one hand, companies need to know which cloud providers they can trust to fully comply with the above articles.
On the other hand, companies need to know which technical and organisational measures they must take in order to be “GDPR-compliant”.
Opportunities and obligations for CISOs – the right cloud partner
The right cloud partner can be a valuable sparring partner in the light of the GDPR, since with their expertise in compliance and security they can assist your company on its journey towards GDPR compliance.
If you apply a multi-cloud strategy, you need to assess the data protection policies of each cloud provider.
Hybrid and multi-cloud approaches are much more complex to coordinate and therefore may present a higher data protection risk. The multitude of different cloud providers, especially in the public cloud environment, makes it difficult for CISOs to ensure GDPR compliance. GDPR compliance is only as strong as its weakest link. For example, a breach or non-compliance by a single cloud provider within a multi-cloud deployment can undermine all efforts towards GDPR compliance.
Six Key Criteria
Here is a quick set of criteria you can use to evaluate your potential or existing cloud partners in terms of GDPR compliance:
Security and Privacy
A first necessary step is to assess to what extent the provider is able to comply with your IT security requirements. One easy way cloud providers can demonstrate compliance with security and “Privacy by Design” is by being ISO 27001 or ISO 27018 certified.
Companies that work with a wide range of critical data must obtain sufficient guarantees from their processors, since Article 28 of the GDPR requires that the data controller uses “only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” Hence, you need to make sure that your cloud provider is conducting regular audits for the review, scoring and evaluation of technical and organisational measures to guarantee the security of processing. In addition, you need to make sure that the cloud partner grants its customers the right to audit. For EU companies, appointing a cloud service provider owned by an EU member state ensures that your data is in safe hands and will not be handed over to a third-country court, for example, as this would expose both the cloud service provider and the company to large fines under the GDPR.
Knowing the location where your data is being stored and processed is important. Yet not all cloud partners provide you with the necessary transparency about their cloud locations. Note that the cloud provider’s headquarters is not necessarily the location where your data is hosted. In addition, your data may be moved between different cloud locations in the background without you being told; this may be part of the cloud partner’s Terms of Service. Finally, cloud service providers may store data in multiple locations, and some of these may be outside the EEA. As a Data Controller you need to define a multi-country cloud strategy to adhere to adequacy requirements as well as data localisation laws.
The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls, pseudonymisation and anonymisation. The easiest way to achieve this is to choose a cloud partner that offers enough security features to choose from, such as backup, encryption, access control policies and others. If your cloud partner does not offer such features, you need to take care of them yourself.
As a customer of a cloud provider you are the Data Controller which means you must maintain control and ownership of your own data. This can be achieved by signing a Data Processing Agreement with your cloud partner to guarantee that the partner is adhering to the data privacy protection requirements as per the GDPR. You can either draft your own or check if your cloud partner has created a DPA as a standard part of the Terms of Service. The advantage of using your own is that you can specify the type of personal data and “special” data collected. No matter if you use your partner’s DPA or your own, make sure that the terms state clearly that the Data Controller (i.e. you) owns the data and that the Data Processor (i.e. the cloud partner) will not share the data with third parties.
You need to make sure that once your contract with the cloud partner has ended, you can download/erase the data and that the cloud partner will delete the data once you’ve terminated the service. Some cloud providers, especially when they are ISO-certified, have defined a standardised policy for deleting data after contract expiration. Try to find out how long it takes for the cloud provider to delete your data.
A data governance framework like the one found in Relentless GDPR24/7 provides a detailed pathway to compliance that is easily maintained and has built-in continuous improvement.