By John Yates
Save the date – 25 May 2018, when the General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 (DPA). In actuality, the term “replaces” may not accurately portray the paradigm shift GDPR will bring for both data subjects and those holding their data. In some ways – especially in terms of penalties for non-compliance – GDPR and DPA are practically night and day. And, for those familiar with the changes GDPR brings, there is a dawning realisation that it represents one of the biggest compliance challenges in generations.
What GDPR Changes
Along with enhanced rights for data subjects, the GDPR’s most substantial change is the new duties it introduces for companies, which include:
- Applying appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of systems and services and to restore them in a timely manner following an incident
- Conducting regular testing, evaluation and assessment of those measures
- Notifying the Information Commissioner's Office (ICO) within 72 hours in the event of a personal data breach
Under this new principle of accountability, the burden rests with the organisation to demonstrate that it is compliant with GDPR and to be able to provide evidence of that compliance.
Applying GDPR Mandates to Your Organisation
Now think of how this might apply to your own organisation.
You may have dozens or hundreds of legacy systems, each with many data flows to internal and external systems. You may also have several data centres, and be using SaaS and public cloud services. Your service desk could be outsourced to India, with data migration and testing being performed in Eastern Europe. All of this will be supported by a complex supply chain involving many suppliers. If you are not clear about their roles and responsibilities, then you are not compliant.
The first challenge is to unlock budget and resources. This is not as easy as it sounds, because GDPR crosses many functional boundaries: IT, compliance, operations, legal, supply chain management, sales. Then you need to develop a GDPR plan. Because GDPR is a set of risk-based requirements, the plan will involve collecting relevant information for systems, services, processes and data flows, and then evaluating it against the requirements, to identify gaps and the risk mitigation required. This exercise will be more time-consuming and expensive than you might expect, and will undoubtedly highlight missing information: contracts, documentation, systems architecture, etc.
The final stage of the plan is remediation, which includes:
- Changing systems and processes
- Considering encryption or pseudonymisation of data
- Conducting penetration testing
- Reviewing role-based access controls
- Updating security patching
- Establishing technology and procedures to detect and respond to threats to services
This all comes with a hefty price tag, so organisations will need to take a risk-based approach, assessing the impact of GDPR breaches on data subjects. Personal data linked to banking details, credit cards, health records, etc. will need special care, but organisations will need to make value judgments – absolute compliance is a quixotic dream.
Overall, however, there is a positive side effect to GDPR – addressing it will provide an invaluable insight into your organisation, and it will make ITIL-aligned service management and IT operations more important, which is no bad thing.
So, how your organisation proceeds is ultimately up to you. However, with the broad framework presented above, you can begin to embrace the many changes of GDPR compliance. Who knows, maybe you will actually look forward to next May.
John Yates is an independent consultant specialising in technology contracts and data privacy; former IBM lawyer, and Fellow and Past Chairman of the Society for Computers and Law.