On 25 May 2018, the EU General Data Protection Regulation (GDPR) becomes law, ushering in a new regulatory regime for handling data security and privacy, and it is one that brings significant reputational risk and communications challenges. Newgate Partner Alistair Kellie has been working with clients in secure communications to prepare them, and other firms, for the challenges ahead. Here he gives his views on what firms need to consider when preparing for GDPR:
“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” Richard Clarke (former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States).
Not so long ago, when sensitive personal data in financial institutions did not sit in cyberspace, but was punched onto paper by typewriters, squirreled into endless rows of filing cabinets and deposited in labyrinthine vaults, it was inconceivable that such details would not be secured under lock and key. More likely, they would be behind many locks, requiring many keys, in the possession of many reassuringly obstructive people.
But what if, in this torturous metaphor, customers had discovered that these locks were not heavy-duty but basic and rusty? That if you asked the right person they could knock up a skeleton key which fit all these locks anyway? And that the security guards, while in sinister uniforms, were old and frail?
There is an increasingly loud chorus of analysts warning that, as the sophistication of cyber-criminality outpaces the security in place to guard against it, companies are leaving the safe door wide open, with the combination scrawled on the lock.
So, the question is: why, since the digitisation of data, have the realities of securing confidential data still not permeated the boardroom? And is the reputational risk of failing to appropriately secure personal data fully understood?
Soon, it will have to be. Because GDPR is coming.
From 25 May 2018 GDPR will replace, and to a large extent harmonise, current national rules which transpose the current EU Data Protection Directive (DPD).
With the UK a key influencer in the drafting of GDPR, a parallel UK Data Protection Bill will enshrine these regulations (and a few more) into law, ensuring that Brexit will not derail their implementation.
But despite GDPR looming large on the horizon, a recent survey suggests that, worryingly, 73% of UK firms are still wholly unprepared for its arrival.
Put simply, the regulation covers the “processing of personal data”, defining additional data security requirements which organisations will need to comply with. For each organisation, the solution to securing personal data will differ, but there are some key strands.
The biggest red flag for companies is that GDPR’s arrival will bring with it a huge increase in regulatory risk. Maximum penalties for a lack of compliance include hefty anti-trust style fines of up to 4% of global annual turnover, for a wide range of breaches. In short, many organisations will need to give privacy compliance a much higher priority.
However, linked to this will be the subsequent reputational risk, particularly for an organisation which is regarded by the Information Commissioner’s Office (ICO) as having breached data privacy. Any Board of Directors of a firm in breach will be treated as having been asleep at the wheel and will struggle to control the fallout, let alone retain their jobs.
Under GDPR, where a personal data breach is “likely to adversely affect the protection of the personal data or privacy of the data subject”, the controller must (after telling the supervisory authority) also inform the individual without undue delay. This communication to the customer, or other affected individual, should describe the nature of the personal data breach. However, the data controller is not always required to inform the data owner if it has demonstrated to the satisfaction of the supervisory authority:
- (a) that it has implemented appropriate technological protection measures;
- (b) that such measures were applied to the data concerned by the personal data breach;
- (c) that such measures render the data ‘unintelligible to any person who is not authorised to access it’.
What this means is that organisations will need to be prepared for a media tsunami once they have notified their customers, as these individuals will then be entitled to inform journalists of a breach.
Ultimately, GDPR has broadened the scope of what constitutes personal data, and now includes any information relating to an individual whereby a person ‘can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
This means that, overnight, much larger tranches of data will now need to be made safe, including when being processed. Securing this data will be governed by the requirement that appropriate security measures must be designed into any system which handles sensitive details.
GDPR governs the processing of personal data and requires organisations to comply with additional data security requirements. The solution to securing personal data held by each organisation will differ, although there are common themes in complying with the regulation. But what should organisations be considering when looking at securing their communication channels?
A new, not-for-profit membership organisation, Secure Chorus, was established in 2016 to develop an innovative new approach to secure communication based on open technology standards and industry collaboration, and it is responding to the requirements of GDPR. For instance, Secure Chorus compliant products provide for interoperability and end-to-end encryption; these two features combined enable an organisation to process data securely within its security perimeter and beyond. These technologies can also be centrally managed by an organisation, giving the domain manager full control of the security of the system as well as the ability to comply with any auditing requirements through a managed and logged process.
So, whichever route an organisation chooses, Executive Directors and decision-makers need to consider very carefully their technical and operational planning ahead of GDPR. Any organisation which does not have appropriate technology in place to secure its multi-media communication (both internally and externally), along with a robust and flexible Breach Protocol Plan, is at significant risk of considerable economic sanction and then a potentially more existential fallout from reputational damage.
Alistair Kellie is a Partner of Newgate Communications and an adviser to Secure Chorus.