Millions of businesses are still breathing a sigh of relief having taken the initial steps to put their house in order for GDPR and now the new Data Protection Act (DPA) 2018 which received Royal Assent on 23 May.
Policies and procedures are in place, and customers have been asked to opt-in or out of marketing communications. But what happens next?
It’s likely that many organisations still have a whole list of actions which need to be undertaken, but the task looks daunting. Since 25 May, companies have been struggling with subject access requests, with finding and redacting data (i.e. removing personal information from an original document) in a timely fashion, and with handling requests from third parties. But there are IT tools available to help with these and more.
Chris Watkins, Principal Architect, Security, at Ultima has outlined eight ways to make sure your IT is helping you meet your data protection obligations.
Rights of Data Subjects
The Data Protection Act and GDPR set out rights for data subjects that depend on the organisation being able to locate and retrieve personal data at the data subject's request, such as the right of access or the right to data portability.
As the EU is planning to promote these rights to individuals, it is reasonable to assume that data subjects will exercise them more frequently, and that controllers and processors will need to respond within the prescribed timescales.
Tools that support the effective retrieval of data from systems in common machine-readable formats are available to minimise the overhead incurred as individuals exercise their rights.
Data Mapping
While data mapping is not a specific GDPR requirement, complying would be extremely difficult without a clear picture of the lifecycle of personal data in an organisation. This can be extremely challenging and requires ongoing maintenance, so it is worth considering a tool to help manage the process. By identifying areas where there is a risk to the rights and freedoms of data subjects, businesses can put in place appropriate technical and organisational measures to mitigate that risk. IT tools will help to collate the findings of the data mapping exercise, including:
- The location of in-scope data.
- The format and medium the data is stored in, e.g. hard copy, USB or cloud.
- How the data is moved between applications, e.g. email, SFTP or courier.
- The physical locations where data is processed and stored.
Protection of Information in Transit
Best practice requires that organisations implement adequate technical measures to protect personal data during transmission, over and between networks, adding supplementary protection for confidentiality and integrity. This is achieved through a combination of network protection (ensuring attackers are unable to intercept data) and encryption (rendering any intercepted data unintelligible). Data controllers must apply appropriate controls to ensure that data is protected:
- Between endpoints and the service.
- Internally within the service.
- Between the service and other services.
Controls could include the use of virtual private network (VPN) solutions, disabling insecure protocols, supporting strong protocols and even private point-to-point connections between data centres.
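As an added illustration, not taken from Ultima's article or from any product it describes, the following Go checker turns the "disable insecure protocols, support strong protocols" advice into a concrete audit of a TLS configuration, and shows a weak configuration beside its corrected counterpart. The function names, the wording of the findings and the two sample configurations are this example's own assumptions; the list of weak cipher suites comes from Go's standard crypto/tls package.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// AuditTLSConfig checks a tls.Config against the "disable insecure protocols,
// support strong protocols" guidance and returns one finding per weakness.
// An empty slice means nothing was flagged. Hypothetical helper written for
// this example; the thresholds are the example's assumptions.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string

	// Floor the protocol version at TLS 1.2: SSL, TLS 1.0 and TLS 1.1 are the
	// "insecure protocols" to disable. A zero MinVersion leans on the library
	// default, which is flagged so that the floor is stated explicitly.
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings,
			fmt.Sprintf("MinVersion is %s; set it to TLS 1.2 or higher", versionName(cfg.MinVersion)))
	}

	// Look up the suites the Go library itself marks insecure (RC4, 3DES,
	// the CBC-SHA256 variants), then inspect the configured list.
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		if insecure[id] {
			findings = append(findings, "insecure cipher suite enabled: "+name)
			continue
		}
		// Suites without ECDHE key exchange offer no forward secrecy: a later
		// private-key compromise would expose previously recorded traffic.
		if !strings.Contains(name, "ECDHE") {
			findings = append(findings, "cipher suite without forward secrecy: "+name)
		}
	}

	// A client-side setting that turns off certificate verification, so the
	// "encryption" no longer protects against an interposed attacker.
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is true; certificate validation is disabled")
	}
	return findings
}

var versionNames = map[uint16]string{
	0:                "unset (library default)",
	tls.VersionTLS10: "TLS 1.0",
	tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2",
	tls.VersionTLS13: "TLS 1.3",
}

func versionName(v uint16) string {
	if n, ok := versionNames[v]; ok {
		return n
	}
	return fmt.Sprintf("0x%04x", v)
}

// WeakConfig is a constructed example of settings the audit flags.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,        // broken stream cipher
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // sound AEAD, but no forward secrecy
		},
		InsecureSkipVerify: true,
	}
}

// HardenedConfig is the corrected counterpart: TLS 1.2 or higher and ECDHE AEAD
// suites only (TLS 1.3 suites are not configurable in Go and are always strong).
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	for _, f := range AuditTLSConfig(WeakConfig()) {
		fmt.Println("WEAK:", f)
	}
	fmt.Println("hardened config findings:", len(AuditTLSConfig(HardenedConfig())))
}
```

Running the checker against the weak configuration produces four findings (protocol floor, RC4, missing forward secrecy, disabled certificate validation); the hardened configuration produces none. The same approach applies to any server or proxy configuration that exposes its version floor and cipher list.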
Encryption
GDPR makes several references to encryption as a means of protecting data, but encryption on its own is not a complete solution. Encryption tools can be used in a variety of ways: to protect data in transit or at rest; to provide verification of data integrity and authenticity; and even to offer a means of secure destruction (by destroying the keys, so that the encrypted data can no longer be read). Encryption can be applied to data collectively (e.g. whole-database or file encryption) or selectively at the database field/column level. However, the encryption may need to be reversible, and data controllers must ensure that the technologies selected are appropriate for the formats needed.
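The following Go program is an added example, not code from the article or from Ultima, that demonstrates the three uses of encryption listed above at the field level: reversible protection of a personal column with AES-256-GCM, integrity and authenticity verification via the GCM tag, and secure destruction by deleting the data subject's key. The Record and KeyStore types, the subject identifiers and the sample email address are constructed for the demonstration; a real deployment would keep keys in a KMS or HSM rather than in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a constructed customer row. Only the personal column is encrypted,
// so the non-personal ID stays usable for lookups while the email is
// unintelligible without the key.
type Record struct {
	ID    string
	Email []byte // nonce || ciphertext || GCM tag
}

// KeyStore holds one data-encryption key per data subject. It is in memory for
// the demonstration only; real deployments keep keys apart from the database.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Provision creates and returns a fresh 256-bit key for a subject.
func (ks *KeyStore) Provision(subject string) ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[subject] = k
	return k, nil
}

// KeyFor returns the subject's key, or an error once it has been shredded.
func (ks *KeyStore) KeyFor(subject string) ([]byte, error) {
	if k, ok := ks.keys[subject]; ok {
		return k, nil
	}
	return nil, errors.New("no key for subject " + subject)
}

// Shred is the secure-destruction step: deleting the subject's key makes every
// ciphertext sealed under it unrecoverable, including copies in backups that
// cannot practically be located and wiped individually.
func (ks *KeyStore) Shred(subject string) { delete(ks.keys, subject) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals a column value with AES-256-GCM. The record ID and column
// name are bound in as associated data, so a ciphertext moved into another row
// or column fails authentication instead of silently decrypting.
func EncryptField(key []byte, recordID, column, plaintext string) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, []byte(plaintext), []byte(recordID+"/"+column)), nil
}

// DecryptField reverses EncryptField. The GCM tag check is what provides the
// integrity and authenticity verification: any modified byte is rejected.
func DecryptField(key []byte, recordID, column string, blob []byte) (string, error) {
	g, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < g.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:g.NonceSize()], blob[g.NonceSize():]
	pt, err := g.Open(nil, nonce, ct, []byte(recordID+"/"+column))
	if err != nil {
		return "", fmt.Errorf("integrity check failed: %w", err)
	}
	return string(pt), nil
}

// Lifecycle walks one record through reversible protection, tamper detection
// and destruction by key deletion. It returns the decrypted email, whether a
// single flipped bit was detected, and whether the key became unobtainable
// after shredding (leaving the stored blob as unreadable noise).
func Lifecycle() (email string, tamperDetected, unreadableAfterShred bool, err error) {
	ks := NewKeyStore()
	key, err := ks.Provision("subject-42")
	if err != nil {
		return "", false, false, err
	}
	rec := Record{ID: "42"}
	if rec.Email, err = EncryptField(key, rec.ID, "email", "jane@example.invalid"); err != nil {
		return "", false, false, err
	}
	if email, err = DecryptField(key, rec.ID, "email", rec.Email); err != nil {
		return "", false, false, err
	}
	tampered := append([]byte(nil), rec.Email...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt one bit of the authentication tag
	_, terr := DecryptField(key, rec.ID, "email", tampered)
	tamperDetected = terr != nil

	ks.Shred("subject-42")
	_, serr := ks.KeyFor("subject-42") // the application can no longer obtain the key
	unreadableAfterShred = serr != nil
	return email, tamperDetected, unreadableAfterShred, nil
}
```

Binding the row and column into the associated data is the detail most often missed in field-level schemes: without it, an attacker with write access to the database could swap ciphertexts between rows and the decryption would still succeed.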
Data Management, Backup and Archiving Solutions
With some estimates suggesting that 90% of all the data in the world has been generated over the last two years, effective data management is becoming increasingly challenging. Easy-to-use data visualisation tools can help organisations uncover where personal data is hidden, identify risks, and accurately classify all personal data, providing the evidence needed to demonstrate compliance with many GDPR obligations.
Logging, Monitoring, Alerting and Reporting
The data breach notification requirements oblige organisations to notify the supervisory authority (the ICO) without undue delay and, where feasible, no later than 72 hours after becoming aware of a data breach (this may become 72 hours from the actual breach under the Data Protection Bill). With breach detection times typically measured in months, this presents a significant challenge. Tools that monitor and log the environment, that create alerts when anomalous events are detected, and that support reporting should be considered. Tools that provide forensic analysis of events and manage breach investigation evidence are also of value.
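As an added example of the "alert when anomalous events are detected" capability, the Go program below parses a small access log and raises an alert when one account reads more distinct customer records within a ten-minute window than a baseline allows, then computes the 72-hour notification deadline from the moment of awareness. It is not code from the article or from any product Ultima offers; the log format, the user names, the record identifiers and the threshold are all constructed for the demonstration, and the deadline helper simply applies the 72-hour figure stated above.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one audit-log line: who read which customer record, and when.
type AccessEvent struct {
	At     time.Time
	User   string
	Record string
}

// SampleLog is constructed for the demonstration: a normal user reading a
// couple of records, and a service account pulling eight records in under
// two minutes, the kind of bulk-read pattern worth alerting on.
const SampleLog = `2018-06-04T09:12:01Z alice READ customer/1042
2018-06-04T09:15:44Z alice READ customer/1088
2018-06-04T22:01:00Z svc-report READ customer/2001
2018-06-04T22:01:03Z svc-report READ customer/2002
2018-06-04T22:01:07Z svc-report READ customer/2003
2018-06-04T22:01:12Z svc-report READ customer/2004
2018-06-04T22:01:30Z svc-report READ customer/2005
2018-06-04T22:01:58Z svc-report READ customer/2006
2018-06-04T22:02:15Z svc-report READ customer/2007
2018-06-04T22:02:40Z svc-report READ customer/2008
2018-06-05T08:30:12Z alice READ customer/1042`

// ParseAccessLog reads "<RFC3339 time> <user> READ <record>" lines and rejects
// anything malformed, so a broken log line cannot silently hide an event.
func ParseAccessLog(raw string) ([]AccessEvent, error) {
	var events []AccessEvent
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || f[2] != "READ" {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, AccessEvent{At: at, User: f[1], Record: f[3]})
	}
	return events, sc.Err()
}

// Alert records which user crossed the threshold, how many distinct records
// were inside the window at that moment, and the time of the crossing event.
type Alert struct {
	User  string
	Count int
	At    time.Time
}

// DetectBulkAccess raises one alert per user the first time that user reads
// more than threshold distinct records within any window-long period.
// It sorts the events in place before scanning.
func DetectBulkAccess(events []AccessEvent, window time.Duration, threshold int) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	byUser := map[string][]AccessEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var alerts []Alert
	for user, evs := range byUser {
		start := 0
		inWindow := map[string]int{} // record -> reads currently inside the window
		for _, e := range evs {
			inWindow[e.Record]++
			// Slide the window forward, dropping events that fell out of it.
			for e.At.Sub(evs[start].At) > window {
				old := evs[start].Record
				inWindow[old]--
				if inWindow[old] == 0 {
					delete(inWindow, old)
				}
				start++
			}
			if len(inWindow) > threshold {
				alerts = append(alerts, Alert{User: user, Count: len(inWindow), At: e.At})
				break
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// NotificationDeadline applies the 72-hour limit counted from the moment the
// organisation became aware of the breach.
func NotificationDeadline(awareAt time.Time) time.Time {
	return awareAt.Add(72 * time.Hour)
}

func main() {
	events, err := ParseAccessLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectBulkAccess(events, 10*time.Minute, 5) {
		fmt.Printf("ALERT %s read %d records by %s; notify by %s\n",
			a.User, a.Count, a.At.Format(time.RFC3339), NotificationDeadline(a.At).Format(time.RFC3339))
	}
}
```

With the threshold set to five, the service account trips the alert at its sixth distinct record (22:01:58), while alice's three reads of two records never do. Counting distinct records rather than raw reads avoids alerting on a user who repeatedly refreshes one page.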
Asset Management
The ability to track assets is a fundamental building block of an effective data protection and information security management system. Identifying assets and defining appropriate protection responsibilities can be a challenge. Organisations should consider tools that support:
- Identification of assets and creation of an asset inventory.
- Assignment of ownership of assets.
- Enforcement of acceptable use rules.
- Tracking of assets.
- Return of assets upon termination of employment, contract or agreement.
These offer smaller organisations the use of security tools that were previously the preserve of large organisations, thereby supporting efforts to comply with the secure processing requirements of the DPA 2018 and GDPR. These could include robust firewalls, enterprise-quality antivirus and web filtering, encryption of emails and management of all endpoints.