UK GDPR just won’t lie down, and as citizens we shouldn’t want it to as it provides us with a great deal of protection against the unwanted use of our personal information. Businesses on the other hand can find it somewhat onerous, although it doesn’t have to be. Once you understand it’s basics, following the rules isn’t all that difficult, or so you’d think.
The Information Commissioners Office publishes penalty notices that it enforces against breaches of the Regulations, on its web site, and arguably one of the biggest differences between the current Regulations and their predecessors, is that this time, the ICO has real teeth, something that many companies find out the hard way.
I breach raises some questions for any company of course, such as how will this effect customer and supplier confidence? How much will it damage the brand and what will be the reputational fall out? All of that before remediation costs and any penalties from the ICO kick in.
As I said above the Data Protection Act 2018, based as it very much is on GDPR, is a very different beast from its predecessor. The ICO now has powers to issue a monetary penalty for an infringement of the provisions of Part 3 of the Act – Law Enforcement Processing. Such penalties are intended to be effective and proportionate, rather than punitive, and are judged on a case-by-case basis.
These penalties come in two flavours, firstly the higher maximum amount, which is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. Ouch!
Then there is the standard maximum, which applies If there are infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher. Still Ouch!
In practice though, the ICO is not there to put you out of business and the chances of a fine of anywhere near the maximum, being applied to an SME, is low but not impossible.
DPA/GDPR requirements apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten an individuals’ rights. So how does that work for most SMEs? How many process sensitive information that could threaten individuals’ rights? What is sensitive information?
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs.
- trade-union membership.
- genetic data, biometric data processed solely to identify a human being.
- health-related data.
- data concerning a person’s sex life or sexual orientation.
So how much of this type of data is likely to be held by the average SME? Well, that depends very much on what that company does for a living. Whilst many companies, such as manufacturers for instance, will be holding personal data regarding its employees and possibly some data concerning their client base, all of which it is lawful to hold, and should not pose a great problem to process and store securely within the Regulations. However, when you stop to think about it, there are a considerable number of company’s out there that process large amounts of personal data and are required to hold it for many years because of other legislation. For example, financial data must be held for 7 years, and many companies’ deal with financial data.
Just about everyone processes personal data of some sort. Data that can identify a living individual. HR data will have bank account information, home addresses, NOK, phone numbers, maybe references from previous employers. The exposure of some or all of that could be judged as a regular activity and prejudicial to an individual’s rights. Think about financial advisors, estate agents, pharmacies, solicitors, recruitment agencies all of whom hold huge amounts of personal information. I recently spoke to one financial advisor who told me that they had received a Data Subject Access Request (DSAR), from a client. This essential means that under the Regulations, anyone is allowed to submit a DSAR and have that organisation declare exactly what data it holds on that person, why and for how long. It took a partner offline for nearly 10 days to identify that data, before they could declare it. It’s also worth knowing that there is a time limit on how long you can take to satisfy that requirement.
On the ICO website it lists a solicitor who were fined £98,000 for failing to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. Solicitors are excellent on telling you what to do to ensure you stay within the law, but they are not always all that good at telling you how to do it.
GDPR compliance requires that companies who process or handle personal data and have more than 10-15 employees must appoint a Data Protection Officer (DPO). A DPO will help with the maintenance and regular monitoring of data subjects as well as the processing of special categories of data on a large scale. Personal data is any information which is related to an identified or identifiable natural person. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set. This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC to ensure they can keep working on it. Then they upload it again when they’ve finished but forget to delete their copy. That’s just one instance but it is vital to understand where all this data is. What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why. I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person. But under the law, they had no choice but to bite the bullet.
We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it. There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP. These systems are based on an event-driven approach and require extensive ongoing rules management built for LAN/WAN perimeters and are becoming much less effective working in an increasingly perimeter less environment.
Local and Wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with the data flow monitoring capabilities.
We came across Actifile, which works very differently to a standard DLP, which in any case, often requires other tools to provide the security functionality needed. Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method, requires little to no maintenance, and can be up and running securing data, in less than 3 working days providing a detailed breakdown of the data risk and leverages the data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.
Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar docker instance for cloud-based file shares (. i.e., OneDrive).
Step 1: Data Risk Discovery and Quantification
Based on predefined privacy regulations and PII definitions, Actifile immediately starts scans for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.
Step 2: Data Risk Monitoring and Auditing
Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.
Step 3: Data Risk Remediation by Encryption
Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.
Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost. If you don’t like it, we take it away.
Recent Comments