Some things are important, but boring… like politics. Our parliament is full of awfully tiresome people saying utterly dull things. Nonetheless people pay great attention, no matter how irksome, because ultimately what is said has real-world impact on our lives.
This is the way with the GDPR. There is no getting around it: it's DULL. Around 80% of it is pure administration: who is responsible for data in certain events, what is required in particular circumstances, and a raft of bizarrely specific terminology.
For many, then, the GDPR is something to be ignored and put off, at least for now. It seems far enough away that by the time it arrives most of the issues will be resolved, or at least less boring. The fact, however, is that the principles of the GDPR are NOT NEW and the core issues they uncover are not going away.
If you are ready for a quick blast of knowledge, go grab a coffee and prepare to engage in compliance talk! Unlike so many articles out there, we won’t use overly complicated phrasing – just plain English. The aim is to uncover a little meaning here, not to confuse anyone more than they need to be.
You should know that the GDPR will not change much for everyone. Many larger businesses, especially those that have pursued ISO 27001 certification, already have the proper procedures in place. More than that: having worked with the ICO and assessed their own risk profile, they tend to find that the measures set out in the 99 articles of the GDPR are the bare minimum for any large organisation that intends to operate effectively and, importantly, safely, in a business environment that is expanding digitally.
So, while for some it seems like a bridge too far, for others the GDPR is not enough for their purposes. This is the point. The GDPR is an EU regulation, enforced in the UK by the ICO, and it sets a minimum requirement for a regulatory world which is fast becoming much larger and broader. This makes things easier in some ways: it ensures basic protection for larger businesses when working with smaller businesses and ensures consumer protection throughout the entire digital world.
In real terms, though, businesses should be actively involved in creating their own processes, along the guidelines of the ICO, that are relevant to them and their business specifically. Anyone complaining about the GDPR is living in a dream world. The protections for people are not just a requirement of good business practice; they are a fundamental part of living in a free market economy where the rights of individuals matter to businesses and governments.
Why GDPR fines will be imposed… but why they won’t be the maximum possible.
To be clear, the GDPR is already law: it entered into force in May 2016 and applies from 25 May 2018. Data protection rules have also been in place in the UK for far longer than that, under the Data Protection Act 1998, and most of the GDPR's principles carry over from it. What is changing is the enforcement aspect: the ICO will be able to fine up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Companies must take active steps to understand the requirements and to consider how the data they collect could be used against their customers or employees, in order to protect them properly. For many companies this has always been the case and will remain so for as long as technology requires them to hold sensitive data. The new legal liability, though, is only one small part of the real changes in the GDPR, which are designed to establish terminology and practices that protect that data in a formal and considered way. Terms like 'data subject' and 'encryption' are no longer the preserve of techies. Now they must be understood by everyone, at least until a technology comes along which makes all of this obsolete.
NOTE: in our best estimate, no new technology is going to make these regulations obsolete for AT LEAST 10 years. This means that, while annoying, there are some things you will need to know and some things you will need to do until then.
Two things you can’t avoid from the GDPR.
Breach Notification (similar to laws already in force in the US)
Right now, in the UK, there is no general requirement for companies that have been hacked to share this information with a regulator or with customers. Considering that doing so often leads to a drop in share price and public outcry, this has become an issue. Under the GDPR a company that suffers a personal data breach must report it to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected, and must also tell the affected individuals where the risk to them is high. Not doing so will result in fines.
This addition simply brings the law into line with good practice for halting cyber-crime and keeps the regulator informed. Breach notification is already mandatory in a number of countries, including, through state-level laws, the US.
Privacy impact assessments (PIAs)
“Privacy impact assessments (PIAs) are at the heart of building a privacy by design approach. They allow organisations to find and fix problems at the early stages of any project, reducing the associated costs and damage to reputation that might otherwise accompany a breach of data protection laws and regulations. Such projects could include a new business acquisition, a new service, or even a new marketing campaign targeting a group of prospects. Privacy impact assessments also help to meet the growing privacy and data security expectations of customers, employees and other stakeholders.
Our view is that PIAs (or DPIAs in EU parlance) should be used as default strategic tools for all UK organisations that process, store or transfer personal data. In addition to meeting any requirements of the GDPR, they are an essential component of an ISO 27001 risk management-based approach designed to implement and maintain effective information security.”
Some terms you’ll need to know
“Data subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about. The term does not recognise an individual who has died or who cannot be identified or distinguished from others.”
One thing to note is that the GDPR is about PEOPLE and NOT BUSINESSES. The GDPR does not cover data that relates only to businesses, however commercially sensitive. It cares about the individuals who can be affected by data about them ending up in the wrong hands.
Personal data is any information relating to a person who is identified, or could be identified, from it. A single identifier is enough: a name, an email address, a postal address, or a customer number that can be looked up. A business holding a customer's name, email and address is therefore holding personal data about a data subject. If that data is stolen there could be consequences for the data subject, and the company that lost it could be liable for a breach of the GDPR.
If you hold a shoe size, height, date of birth, browsing history, favourite colour and mother's maiden name, but the data is not, and cannot be, connected to a data subject in any way, then this is NOT personal data at all. This is just plain old data. Be careful with "cannot be": if a key or lookup table exists anywhere that could link the record back to a person, the GDPR treats it as pseudonymised personal data, not anonymised data, and it stays in scope. Combinations of fields like date of birth and mother's maiden name can also single a person out on their own.
In this case, while a company may still have to admit a security incident, under the GDPR it would NOT face a fine for a personal data breach, because no data subject is affected. The point here is to understand how to separate data so that it cannot impact data subjects, for example by removing the key identifying fields from a large dataset and holding them apart from the rest, so that what remains cannot be tied to anyone.
In other words, the volume of data you hold is not the point; it's the damage that could be done to a single person which matters. Every person you could damage is a separate instance of potential damages.
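The separation described above in working form. This is an added example, not code from the original article or from KJL: a customer record is split into an identity table (direct identifiers plus a keyed pseudonym) and an attribute table that carries only the pseudonym and the non-identifying fields. The field names, the sample record and the use of HMAC-SHA256 with a separately held key are assumptions made for the illustration.

```python
"""Added example: pseudonymising a record by splitting off its direct identifiers.
The attribute table can be analysed or shared on its own; relinking it to a person
needs the identity table, which is held (with the HMAC key) in a separate place.
Field names, the sample record and the key handling are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Fields that identify a person directly (assumed list for this example).
DIRECT_IDENTIFIERS = ("name", "email", "address")


def make_pseudonym(record: Dict, key: bytes) -> str:
    """Stable pseudonym: HMAC-SHA256 over the canonicalised direct identifiers.

    A keyed MAC is used rather than a plain hash because an unkeyed hash of an
    email address can be reversed by hashing guessed addresses; without the key,
    nobody can re-create or reverse these pseudonyms."""
    canonical = "|".join(str(record[f]).strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record: Dict, key: bytes) -> Tuple[Dict, Dict]:
    """Return (identity_row, attribute_row).

    identity_row: pseudonym plus the direct identifiers (keep with the key).
    attribute_row: pseudonym plus every other field (safe to hold separately)."""
    pseudonym = make_pseudonym(record, key)
    identity_row = {"pseudonym": pseudonym}
    identity_row.update({f: record[f] for f in DIRECT_IDENTIFIERS})
    attribute_row = {"pseudonym": pseudonym}
    attribute_row.update({k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS})
    return identity_row, attribute_row


def relink(attribute_row: Dict, identity_table: Dict[str, Dict]) -> Optional[Dict]:
    """Join an attribute row back to a person. Only the holder of the identity
    table can do this; anyone holding just the attribute table gets None."""
    return identity_table.get(attribute_row["pseudonym"])


def demo() -> Tuple[Dict, Dict, Optional[Dict]]:
    """Run the split on a constructed sample record and relink it."""
    key = secrets.token_bytes(32)  # generated per deployment, stored apart from the data
    record = {  # constructed sample record
        "name": "Alice Example",
        "email": "alice@example.com",
        "address": "1 High Street",
        "shoe_size": 6,
        "favourite_colour": "green",
        "browsing_history": ["/shoes", "/checkout"],
    }
    identity_row, attribute_row = split_record(record, key)
    identity_table = {identity_row["pseudonym"]: identity_row}
    return identity_row, attribute_row, relink(attribute_row, identity_table)


if __name__ == "__main__":
    ident, attrs, back = demo()
    print("attribute table row:", attrs)
    print("relinked by key holder:", back["name"] if back else None)
```

The caveat from the text applies to this output as well: because the key and identity table exist, the attribute table is pseudonymised personal data under the GDPR, not anonymised data. It reduces the damage from a leak of the attribute table alone; it does not take that table out of scope. Only deleting the identity table and key (and checking that the remaining fields cannot single anyone out) would do that.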
Data user (the term used on this page for a role the GDPR does not define separately): a person who needs a data subject's information to do their job or to process something through a business. This could be someone like a doctor, who needs access to medical records, or a police officer, who needs regular access to personal information.
A data controller is the person or organisation that decides why and how personal data is processed; for most businesses the company itself is the controller. The controller has to put data protection measures in place and ensure that data subjects' data is not accessible, either in storage or in transit, to anyone apart from the data users who need it.
The independent role with set rights, including protection from being dismissed for bringing data protection malpractice and GDPR breaches to the relevant authorities, is the Data Protection Officer (DPO) rather than the controller. Public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, must appoint one; the DPO reports to the highest level of management and cannot be dismissed or penalised for performing their tasks.
Data Processor: a person, public authority, agency or other body that processes personal data on behalf of the controller. This includes service providers who process personal data on behalf of other businesses.
“Encryption (noun): The process of systematically encoding a bit stream before transmission so that an unauthorized party cannot decipher it.”
What is 128 bit AES encryption? (Industry standard)
“When somebody says a cipher has a 128-bit key, what they mean is that the length of the key is 128 zeros and ones.
Why is this important to cryptography? Well, most good ciphers have only one known way of breaking them: trying every single key. The more keys there are, the more keys have to be tried before the chances that you will stumble upon the correct one become reasonable. If a key is 128 bits long then there are 2^128 different keys. On average you will have to search half of these keys (2^127) before you get lucky. This is simply impossible with current technology and will remain so for a hundred years even if the growth in computing power stays at its current rate.”
Everyone understands how a code works, and unfortunately so do machines; in fact they understand it much better than humans. Encryption makes data unreadable to anyone who does not hold the key, so that recovering it without the key is computationally infeasible rather than merely difficult. 128-bit AES is the standard because it strikes a balance between being practically unbreakable by brute force and being fast to encrypt and decrypt. AES also comes in 192-bit and 256-bit key sizes; AES-256 runs 14 rounds per block instead of 10, so it costs roughly 40% more work, not twice as much. Figures like 512, 1024 or 2048 bits are not AES key sizes at all: they are key sizes for public-key algorithms such as RSA, which cannot be compared directly with AES key lengths, and for RSA anything below 2048 bits is no longer considered adequate.
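To make the key-length arithmetic in the quote concrete, here is an added example (not code from the original article): a toy keyed MAC whose key is only 16 bits long is recovered by exhaustive search in a fraction of a second, and the same expected-trials formula (half the keyspace) is then applied to a 128-bit key. The attacker rates of 10^6 and 10^18 keys per second are constructed figures for the illustration, not measurements.

```python
"""Added example: exhaustive key search against a short key, and the same
arithmetic for a 128-bit key. HMAC-SHA256 stands in for the cipher; the point is
the size of the keyspace, not the primitive. Rates and messages are constructed."""
import hashlib
import hmac
from typing import Optional, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_trials(key_bits: int) -> int:
    """Average number of keys tried before hitting the right one: half the keyspace."""
    return 2 ** (key_bits - 1)


def expected_years(key_bits: int, keys_per_second: float) -> float:
    """Expected wall-clock years for a brute-force search at the given rate."""
    return expected_trials(key_bits) / keys_per_second / SECONDS_PER_YEAR


def tag(key: bytes, message: bytes) -> bytes:
    """The keyed function the attacker is trying to recover the key for."""
    return hmac.new(key, message, hashlib.sha256).digest()


def brute_force(target_tag: bytes, message: bytes, key_bits: int) -> Optional[int]:
    """Try every key of key_bits bits in order; return the key as an int, or None.

    This is exactly the 'only known way of breaking them' from the quote:
    no shortcut, just 2**key_bits candidates."""
    nbytes = (key_bits + 7) // 8
    for candidate in range(2 ** key_bits):
        if hmac.compare_digest(tag(candidate.to_bytes(nbytes, "big"), message), target_tag):
            return candidate
    return None


def demo() -> Tuple[Optional[int], float, float]:
    """Recover a 16-bit key, then compare the cost of 16-bit and 128-bit searches."""
    message = b"transfer 100 GBP to account 1234"  # constructed sample message
    secret = 0xBEEF                                  # 16-bit key: 65,536 possibilities
    observed = tag(secret.to_bytes(2, "big"), message)
    recovered = brute_force(observed, message, 16)
    return (
        recovered,
        expected_years(16, 1e6),      # a single laptop core, assumed 10^6 keys/s
        expected_years(128, 1e18),    # an assumed planet-scale 10^18 keys/s attacker
    )


if __name__ == "__main__":
    key, short_years, long_years = demo()
    print(f"16-bit key recovered: {key:#06x}")
    print(f"expected time, 16-bit key at 1e6 keys/s: {short_years:.2e} years")
    print(f"expected time, 128-bit key at 1e18 keys/s: {long_years:.2e} years")
```

Even with the generous 10^18 keys per second, the 128-bit search comes out in the trillions of years, which is the whole reason 128-bit AES is treated as unbreakable by brute force; the weak link in practice is key management, not key length.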
Want to get prepared?
KJL help companies with compliance every day. We go far beyond the GDPR in terms of how we can help, but if you are just looking to make sure your business is on the right side of things, we are very happy to let you know what needs doing.
Starting from a simple informal meeting, we can guide you through the steps you will need to take and ensure that by May next year, when the GDPR starts to apply (25 May 2018), your business is not exposed to avoidable data risks or fines because of bad data protection practices.
If you want to do this on your own then that’s fine too! A great place to start is with the twelve step guide released by the ICO earlier this year.
12 Steps: Prepare for the GDPR
If you need any guidance then please feel free to give us a call, otherwise – good luck!