Wednesday 10 August 2016

Information Security, GDPR and Brexit … Joining the Dots

Today’s organisations are well aware of the importance of keeping both their own information and their customers’ data secure. An ever increasing reliance on IT systems, mobile devices and cloud computing presents a growing portfolio of vulnerabilities and threats that need to be understood and properly managed. There’s plenty of press coverage available which describes the significant financial penalties, collapse of customer confidence or even the untimely demise of those businesses who get this most fundamental of activities wrong.

The international standard ISO27001 is widely adopted as an approach for managing such organisational risk, and suggests (in ISO27002) a framework of 114 controls which should be assessed and implemented as necessary to manage a wide range of vulnerabilities and control threats. These controls, used correctly, will ensure that the confidentiality, integrity and availability of information are maintained at an acceptable level. The 114 controls fall broadly into three categories: people (managing and controlling the activities of personnel, ensuring that they do not contribute to risks), processes (ensuring that an organisation’s activities are designed, managed and operated in a security-conscious manner), and technology (the infrastructure, software and checks we need to prevent cyber security incidents taking place).

Nestled near the end of the 114 controls is a group identified as “A18 – Compliance”, which identifies controls requiring the identification of appropriate legislation and regulation, the protection of intellectual property and the protection of personal data. To date, one of the key activities required to support this area has been compliance with the UK Data Protection Act 1998 (DPA). We should already be aware of the DPA requirement to register with the Information Commissioner’s Office, and be confident that the Eight Principles of the DPA have been properly incorporated into our organisation’s activities to ensure personal data is being properly protected.

In summary, the eight DPA Principles require that personal data shall:
  • be processed fairly and lawfully
  • only be obtained for specific and lawful purposes
  • be adequate, relevant and not excessive
  • be accurate and kept up to date
  • not be kept for longer than is necessary for the required purposes
  • only be processed in accordance with the rights of the data subjects
  • be appropriately protected against accidental loss, destruction or damage
  • not be transferred outside of the European Economic Area, unless the destination can be shown to have adequate protection for the rights and freedoms of data subjects

This important piece of legislation is about to change. The much anticipated European Union General Data Protection Regulation (EU-GDPR) will come into force across all European countries on 25 May 2018 and will replace the UK’s current Data Protection Act. The new regulation has a greater focus on the risks associated with the rights of individuals as to how their personal data is processed. Whilst many high-level GDPR principles are broadly similar to those required by the DPA (above), some of the key differences in the details include:
  • The global reach of GDPR. Even those based outside the EU who process or monitor personal data of EU citizens will be required to have an accountable presence in the EU.
  • Widening definition of personal data, to anything which could identify an individual – for example medical or DNA/genome data, IP addresses, facial recognition systems, etc.
  • Requirements for ensuring “privacy by design” for activities relating to personal data, supported by mandatory “privacy impact assessments” for all personal data.
  • Requirements for obtaining and managing the consent of data subjects, including responding to subject access requests and complying with “right to be forgotten” requests.
  • A requirement for organisations who undertake large-scale processing or monitoring of personal data to have a knowledgeable Data Protection Officer (DPO).
  • Joint and several liability for both Data Controllers and Data Processors.
  • Tighter windows for reporting suspected or actual breaches or losses of personal data, with significant financial penalties not only for a breach, but also for failing to report a breach. GDPR will also require the open publication of all data breaches.

It is, perhaps, this final point that brings the importance of the new GDPR into focus. Currently, the financial penalties available to the UK Information Commissioner for breaches of the UK DPA are limited to £500,000. Under the GDPR, the maximum penalty is set to have an upper limit of €20m, or 4% of global annual turnover. This level of penalty would be terminal for many businesses, so thorough preparation for full GDPR compliance is a sensible precaution.

At this point, we should pause a moment and assess what the recent Brexit vote means for the proposed EU-GDPR. Firstly, it is extremely unlikely that the UK will have completed its exit-related activities by May 2018, so organisations should plan to be compliant with GDPR by that point. Secondly, the UK will still want to trade with the remainder of the European Union, and even if UK-specific legislation is adopted, general opinion from data protection experts is that it is very likely to be closely aligned to the EU-GDPR framework.

It’s easy to see how an effectively implemented ISMS and supporting ISO27001 certification can be used as a platform to address many of the GDPR requirements, and organisations which already have such status report that the effort of such a transition is significantly less than it would be in the absence of an ISMS. One area that should be subject to careful assessment, however, relates to the increasing use of cloud computing solutions for the management and processing of personal data.

ISO27001 is more than capable of delivering effective risk management for organisations who consume or supply cloud services, although implementers and auditors need a greater understanding of the unique nature of risks associated with cloud services to ensure that threats and vulnerabilities are controlled. In 2014, the supplementary standard ISO27018 was introduced, and this provides a more focused approach to the threats and vulnerabilities facing personally identifiable information (PII) in cloud environments, and more specific controls which can assist in managing them. For those that have read the standard, there is ready alignment to many of the requirements of the EU GDPR, which is more than just a coincidence.

ISO27018 is a well-structured approach to managing cloud-based risks, and should be given serious consideration by those who use or supply cloud-based services. Among its set of focused controls, risks can be managed using, for example, activities linked to:
  • Having defined processing purposes
  • Customer notification of data breaches and legal data disclosures
  • Unique identification of users with access to personal data, and monitoring their activities
  • Contractual protection for personal data, including by any sub-contractors
  • The geographic location of personal data, and confirmation of its destination if it is transmitted
  • Personal data encryption, data restoration logging and restrictions on hard copies

There’s no doubt that additional knowledge and commitment will be required to properly prepare organisations – and specifically ICT businesses – for GDPR compliance in 2018. However, it should not only be about demonstrating legislative compliance. In a connected world where customers are becoming more aware of, and active in, the protection of their personal data, and where cloud-based technologies are being rapidly adopted, we should all be taking conscious steps to keep personal data secure.

Our customers will expect nothing less, and our businesses need to be properly protected if they are to survive.
Martin Poole
Head of Security Practice
InfoSaaS Limited

+44 (0) 203 474 1290

www.infosaas.uk