Another important difference between the Data Protection Act and the GDPR is that two existing Privacy concepts will be entrenched in law in Article 25, namely ‘Privacy by Design’ and ‘Privacy by Default’.
These concepts are not new but will have enhanced prominence and importance with the enforcement of the GDPR, under Article 25.
Privacy by Design means businesses need to consider privacy at the initial design stages and throughout the development process of any new products, processes or services that involve processing personal data.
Privacy by Default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy friendly ones.
Sounds simple, right? Well, maybe not. It is far more than a tick-box compliance exercise that can be buried within audits and contracts; it requires full commitment to build data protection into company culture and all aspects of its operations. Essentially, these principles encapsulate an ethos that should permeate every organisation that controls or processes personal data.
So here are a few tips for applying these key principles (and soon to be legal obligations):
Educate all staff so they understand the principles – and that the Privacy obligations and accountability sit with ALL staff not just IT or compliance teams
Conduct a Privacy Impact Assessment – or PIA. A PIA is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained within the organisation
Best practice is to create a PIA template which can then be filled in for each new system or product/service. The ICO has provided a DPIA template: https://ico.org.uk/media/about-the-ico/consultations/2258461/dpia-template-v04-post-comms-review-20180308.pdf
Implement appropriate technical and organisational measures to ensure that only personal data necessary for each specific purpose are processed. This applies to the amount of personal data collected, the extent of processing, period of storage and accessibility
Data collection techniques – including cookies – should also be reviewed and revised to avoid excessive data collection. Ensure that automated deletion processes are in place to remove personal data after an appropriate (and set) period of time
Remember this is a legal obligation – no longer a ‘good idea’ or a ‘nice to have’
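The three technical tips above (privacy-friendly defaults, processing only the data each purpose needs, and automated deletion after a set period) can be expressed directly in code. The following Python is an added illustration, not part of the original article or any REaD Group or ICO material; the record fields, the purpose allow-list, the 365-day retention period and the sample users are all constructed for the example.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone

# Added example (not from the original article). A hypothetical user-record
# store showing privacy-friendly defaults, purpose-bound data minimisation and
# automated deletion after a fixed retention period. All names, purposes,
# periods and sample data below are constructed for illustration.


@dataclass
class SharingSettings:
    # Privacy by Default: every optional sharing choice starts switched off and
    # only the individual's explicit opt-in can turn it on.
    profile_public: bool = False
    share_with_partners: bool = False
    analytics_cookies: bool = False


@dataclass
class Record:
    user_id: str
    email: str
    postcode: str
    last_activity: datetime          # must be timezone-aware
    settings: SharingSettings = field(default_factory=SharingSettings)


# Constructed retention period: personal data is removed after this much inactivity.
RETENTION = timedelta(days=365)

# Constructed purpose allow-list: the fields each processing purpose may see.
PURPOSE_FIELDS = {
    "newsletter": {"email"},
    "delivery": {"user_id", "email", "postcode"},
}


def new_record(user_id, email, postcode, now):
    """Create a record whose sharing settings start at the most private values."""
    if now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return Record(user_id, email, postcode, now)


def opt_in(record, **choices):
    """Only an explicit True from the user loosens a setting; any other value is ignored."""
    for name, value in choices.items():
        if not hasattr(record.settings, name):
            raise KeyError(f"unknown setting {name}")
        if value is True:
            setattr(record.settings, name, True)
    return record


def minimise(record, purpose):
    """Return only the fields the stated purpose needs (data minimisation)."""
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        raise ValueError(f"no processing purpose registered: {purpose}")
    return {k: v for k, v in asdict(record).items() if k in allowed}


def enforce_retention(records, now, retention=RETENTION):
    """Split records into (kept, purged_ids) by inactivity age.

    A record with a naive timestamp cannot be aged safely, so it is reported
    as an error rather than silently kept past the retention period.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    kept, purged = [], []
    for r in records:
        if r.last_activity.tzinfo is None:
            raise ValueError(f"record {r.user_id} has a naive timestamp")
        if now - r.last_activity >= retention:
            purged.append(r.user_id)
        else:
            kept.append(r)
    return kept, purged


def demo():
    """Run the three checks over two constructed users and return the outcome."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    fresh = new_record("u1", "a@example.com", "AB1 2CD", now - timedelta(days=10))
    stale = new_record("u2", "b@example.com", "EF3 4GH", now - timedelta(days=400))
    opt_in(fresh, analytics_cookies=True, profile_public="yes")  # only True counts
    kept, purged = enforce_retention([fresh, stale], now)
    return {
        "kept": [r.user_id for r in kept],
        "purged": purged,
        "fresh_settings": asdict(fresh.settings),
        "newsletter_view": minimise(fresh, "newsletter"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: a setting can only be loosened by a literal `True`, so a form value such as `"yes"` or `1` cannot accidentally switch sharing on, and the retention sweep refuses to guess the age of a record whose timestamp has no timezone, because silently keeping such records is exactly the kind of accidental over-retention the tips warn against.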
One big benefit of applying Privacy by Design and Default, is that it will also make it easier to be transparent, which is absolutely key when it comes to earning the trust to collect the data in the first place – and also a fundamental principle of the GDPR.
So, time to embrace Privacy!
Read about how REaD Group have embraced information security and implemented Privacy by Default [https://gdpr.report/news/2017/10/23/breach-level-index-findings-must-businesses-better-protect/]
By Andy Bridges, Data Quality and Governance Manager at REaD Group
The Gemalto Breach Level Index (BLI) recently published some rather concerning findings: more data records were leaked or stolen in the first half of 2017 than in the whole of 2016. Of even greater concern, and perhaps somewhat surprisingly, the report also revealed that the most common cause of data breaches was accidental loss and data being inadvertently left exposed.
While attacks by cyber criminals make for more compelling reading, more attention needs to be paid to internal threats such as accidental loss and other acts of negligence. If nothing else, the BLI report highlights that UK data security culture is in serious need of an overhaul. So how exactly can businesses better protect themselves?
However much we like to believe that information breaches are largely the result of strategically orchestrated attacks by criminal masterminds, the truth is generally far less dramatic. They are frequently the result of human error, such as misplacing hard drives, bad password management, careless file sharing or a lack of vigilance against the increasingly prevalent phishing emails. All can be easily prevented.
More than anything, businesses must incorporate information security into office culture. Protecting information is no longer the sole responsibility of IT and compliance departments; data security is a company-wide responsibility.
As a first step, staff should be trained on a regular basis to ensure that everyone understands best practice in the workplace. The HR policy should also be altered to reflect the fact that responsibility doesn’t lie solely with IT to instigate better behaviour.
Additionally, employees should be on the lookout for potential threats to information security, such as leaving computer screens unlocked and leaving confidential paperwork unattended, and should be encouraged to self-police. Implementing a clean desk policy is a good first step towards safeguarding confidential information.
In order to better protect an information estate, companies need to understand what information they hold. As well as ensuring that data is clean and viable and that all relevant permissions and consent are held for it, companies must also ensure that the appropriate data protection and information security practices are in place. Recital 100 of the GDPR states that:
‘In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.’
It is not currently compulsory to report a data breach, but once GDPR comes into force next year, all companies must report a data breach to the Information Commissioner’s Office within 72 hours. In addition to risking a hefty fine, companies also stand to suffer longer-lasting damage to their reputation.
With this in mind, it seems highly probable that we will see an increase in breach reports, most likely not because of an increase in breaches but because companies will have much more incentive to be transparent and open about such occurrences.
Overall, GDPR presents a great opportunity for UK businesses to step up their data protection strategies and better protect themselves against data breaches. The new regulation stipulates that companies will have to be much more rigorous in their approach to collecting, storing and using customer data, which should correspondingly see a vast reduction in accidental loss. Inevitably, this increased transparency will result in more trusting and loyal consumers.
It is now less than 6 months until GDPR is introduced, and the more earnestly businesses prepare and implement the necessary data protection strategies, the sooner we will see a significant reduction in the number of data breaches.