In the light of the highly anticipated new General Data Protection Regulation, which will come into force on 25 May 2018, this month Finance Monthly reached out to Alan Calder – the founder and Chief Executive of IT Governance, a single-source provider of products and services in the IT governance, risk management and compliance sector. Alan is an acknowledged international cybersecurity guru and a leading author on information security and IT governance issues, and over the next couple of pages he discusses all things data protection and GDPR.
What are the common issues that businesses face, with regards to data protection? How can these be avoided? What should be the main data protection considerations for businesses?
In 2016, a large number of high-profile organisations suffered a data breach or were targeted by cyber-attacks. In executing cyber-attacks, criminals rely on exploiting weakness: well-known methods such as phishing scams and spear phishing exploit human gullibility, while weak and unchanged default passwords and unpatched, vulnerable and outdated software all allow attackers and malicious code into your systems.
Every organisation should tighten up in the three main areas that attackers target: their people, their processes and their technology. Clients can protect themselves with anti-malware, or by switching on a firewall, but that’s only one part of cyber security.
Criminals also take advantage of internal staff and employees unaware of the current cyber threats to get access to the organisation’s most valuable assets.
To prevent “around 80% of cyber threats” and implement a basic level of cyber security, we encourage organisations to achieve certification to the UK Government-backed Cyber Essentials scheme. The scheme allows organisations to identify vulnerabilities in their system and implement security controls. We recommend using Cyber Essentials to stop low-level attacks, and adopting it in addition to ISO 27001, the international best practice for information security. An ISO 27001-compliant information security management system (ISMS) encompasses people, processes and technology.
Organisations can put antivirus software and firewalls in place to protect themselves from malware, but employees still represent the weakest link in information security. ISO 27001 not only addresses the ‘people’ area of cyber security but also monitoring, maintenance and continual improvement of information security. Certification to the Standard demonstrates to staff, customers and stakeholders that an organisation has taken all the necessary measures to protect their information.
What rules govern companies that have access to more sensitive information (health records and criminal records for example)? How is this information protected by the Data Protection Act?
Organisations collecting and handling the personal data of European residents will be required to comply with the General Data Protection Regulation (GDPR). In addition to this, digital service providers and organisations providing essential services in critical sectors such as healthcare, energy, banking, transport and distribution will be required to comply with the Network and Information Systems (NIS) Directive.
While the GDPR imposes a 72-hour breach notification deadline for reporting personal data breaches, the Directive mandates that organisations notify supervisory authorities every time there’s a significant impact on the delivery of the organisation’s service. The Directive requires essential services and digital service providers to implement “appropriate and proportionate” security systems.
What consequences face companies if they do not adequately protect their clients’ information?
Under the GDPR, which is set to come into force in May 2018, non-compliant organisations can face fines of up to €20 million or 4% of annual worldwide revenue – whichever is higher. As most failures to comply will be revealed by data breaches, these administrative fines – which are discretionary, levied on a case-by-case basis and must be “effective, proportionate and dissuasive” – will be in addition to the costs of remediating the breach and mitigating the loss to affected data subjects.
What constitutes adequate protection of data? What methods can companies put in place to ensure that their clients’ information is protected to a high standard?
To implement adequate data protection measures that help organisations ensure their clients’ data and information is protected to a high standard, we encourage organisations to first comply with the GDPR. Conducting a data flow audit and data protection impact assessments are essential steps towards GDPR compliance as they help organisations identify where data is stored and reduce privacy risks by identifying efficient and effective processes for handling data.
However, as Internet-based activities become integral to everyday operations, so do cyber threats. Technology alone (e.g. software and antivirus) is not enough for businesses to protect their data. By implementing an ISO 27001-compliant ISMS, organisations can prevent threats resulting from human error, faulty processes and flawed technology with an overall strategic and operational approach to information security. Accredited certification to ISO 27001 proves to clients, stakeholders and third parties that the company is following international information security best practice.
What is the purpose of a data protection audit? What type of company benefits from a data protection audit?
Every organisation worldwide can benefit from a data protection audit. It helps identify potential data protection issues and allows organisations to address key risk areas. A data protection audit is the first step organisations need to take to comply with the GDPR. The main benefits of the audit are visibility over data flow, insight into the development of effective strategies to protect personally identifiable information (PII), improving data lifecycle management, identifying efficiencies related to processes, systems and protocol, and reducing privacy-related risk.
More importantly, an audit improves customer satisfaction by reducing the possibility of data breach that could lead to the client submitting a complaint or even potential lawsuits.
What are the particular legal issues that UK businesses face in relation to new technologies? How do you assist clients with developing appropriate IT policies?
IT Governance helps organisations save the time and cost of developing appropriate policies and procedures for standards such as ISO 27001, PCI DSS and ISO 9001 through various documentation toolkits. Each toolkit contains pre-written model policies and procedure templates that account for all the key issues in compliance with all aspects of the standards. The toolkits are developed by our in-house information security experts to fit our clients’ compliance requirements and are designed to help organisations accelerate their compliance projects by ensuring that all control areas are covered and carefully addressed.
Additionally, our risk assessment software, vsRisk, helps organisations carry out ISO 27001-compliant risk assessments by providing a simplified and automated risk assessment process that fits the needs of large and small companies.
Do you see the need for any legislative change regarding data protection in the UK?
The primary change in data protection legislation of which organisations should be aware is the GDPR superseding the Data Protection Act (DPA). The GDPR aims to harmonise the data protection laws currently in place across the European Union’s member states. Organisations have less than two years to transition, during which they need to update policies and procedures and potentially appoint a DPO.
What has been your flagship piece of work and how did you apply particular thought leadership to this scenario?
We were the first organisation in the EU to launch an integrated portfolio of GDPR guidance: white papers, webinars, books, documentation toolkits, practitioner and DPO training, transition and compliance consultancy and online staff awareness training. Our management and privacy team identified all the major transition and compliance issues thrown up by the GDPR and, at a point when most UK businesses were wondering whether or not the GDPR would apply post-Brexit, we established that it would not only apply but is likely to become integral to UK law for many years after Brexit. Since then, both the government and the ICO have confirmed the position we took, and our GDPR portfolio has become the fastest-growing area of our business.
- Alan is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
- Alan co-wrote the definitive compliance guide, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 5th edition (with Steve Watkins), which is the basis for the UK Open University’s postgraduate course on information security.
- Alan was a member of the Information Age Competitiveness Working Group of the UK Government’s Department of Trade & Industry, and a member of the DNV Certification Committee, which certifies compliance with international standards including ISO/IEC 27001.