Data protection risk reduction – engineering to get it right
14 March 2017
Five hundred days seems like quite a long time. It’s a little over 71 working weeks, with a little under 360 working days available across those weeks. It’s also about the length of time remaining between now, and when the European General Data Protection Regulation (GDPR) comes into effect (it’s already in force) on May 25, 2018 (though perhaps a little less by the time that you read this).
Why does this matter? Data protection (DP) concerns everybody. Quite aside from certainly being a data subject (i.e. a living person about whom data is being held), you might also be a data controller (i.e. someone who is holding data about a data subject – customers, perhaps, current or potential), or a data processor (i.e. someone who processes personal data on behalf of a data controller).
If you are working with an organisation that has been paying attention to developments in the DP area, then there’s a good chance that you need not worry too much. On the other hand, if this is essentially the first you’ve heard of this, then there’s a good chance that 500 days will seem vanishingly short.
What should engineers and managers do about this?
The first thing to understand is that data protection is not (just) a matter for IT. Yes, IT people are most closely affected in terms of tasks and very specific roles and responsibilities, but IT people should not be writing corporate policies about what non-IT people’s responsibilities are, and neither will they be the people that appear in court or pay fines.
The second thing to understand is that what’s in the GDPR applies to all forms of personal data, whether it is obtained or processed digitally, by some other automated means (e.g. CCTV), or manually. And because it applies to all these forms of personal data, the GDPR also applies to anybody who handles any personal data (or, more subtly perhaps, controls that handling in some way).
Many of you will, of course, be familiar with the fact that there is already significant data protection legislation in place (in Ireland, the Data Protection Acts 1993 and 2003, and associated statutory instruments), and so may wonder what the fuss may be about.
Importantly, the GDPR introduces some significant changes to the European data protection regime, as well as introducing a number of new elements; but there are some other good reasons for taking action:
- It’s a legal requirement, legal compliance is good governance, and good governance creates trust;
- Good stewardship benefits your reputation and brand;
- It encourages good, effective, information handling, adding value to your information assets;
- There is a duty of care towards guarding people’s fundamental human rights;
- And, as ever, an ounce of prevention is worth a pound of cure.
On this last point, it seems now to be more a case of when, rather than if, an organisation suffers a breach of some kind. Being ready for that goes a long way towards reducing the considerable downstream risks, including loss of trust, brand damage, substantial containment costs and the potential for punitive fines.
A key feature of the GDPR to be aware of is that the compliance regime has shifted quite strongly away from an audit-based model, to one of continuous compliance. This places a much bigger emphasis on record keeping and documentation. Another key change is the focus on balancing risk when making decisions concerning personal data processing. This is fundamental to the new concepts of privacy by design and default, and privacy impact assessment.
Indeed, the emphasis throughout is on reducing risk to both data subjects and controllers or processors – an approach with a strong engineering appeal. Here are ten key risk reducing actions, in no particular order, which organisations should take to be ready for GDPR.
Ten risk-reducing actions
Risk Reduction 1
Awareness is crucial. Ignorance will not be a defence if things go wrong. Get educated and become certified. Obtain a working familiarity with the rules of data protection:
- Data must be obtained fairly;
- The purpose of the data must be clearly specified;
- The data must be kept safe and secure;
- The data obtained must be adequate, relevant and not excessive;
- The data must be kept accurate and up to date;
- Data must not be kept longer than is necessary;
- Data subjects have certain rights of access and rectification.
Risk Reduction 2
To be effective in data protection, you need to know what personal data you’ve got, what categories it belongs to, where it is stored and who has access to it. Know your data – conduct a personal data audit of your organisation.
Risk Reduction 3
Know your data ‘Part 2’ – know what happens to it. Where does personal data come in to the organisation? How is it gathered? Where does it go? What happens to it? What happens when it comes to the end of its useful life?
Risk Reduction 4
Policies are there to inform appropriate behaviour and to reduce the likelihood of things going amiss; but they can become stale. Regular review is essential: are they still relevant to the current needs of the organisation? Are they still being followed by staff? Evidence of proactive policy review is an important element in the GDPR.
Risk Reduction 5
Be pro-active in using risk management techniques to reduce data protection risk. Risk is a significant theme throughout the GDPR, with the aim of encouraging data controllers to have a systematic approach to personal data processing. A number of specific mechanisms are incorporated with this in mind, including the concepts of privacy by default and privacy by design, and the requirement to conduct privacy impact assessments before the implementation of new personal data processing systems.
Risk Reduction 6
Current legislation already requires that any contracts involving exchange of personal data must ensure that appropriate safeguards are in place. The GDPR takes this a stage further in directly prohibiting processing in the absence of authorisation, and also by imposing data controller obligations on data processors in certain circumstances. Review your contracts for compliance in plenty of time.
Risk Reduction 7
There must be a legal basis for processing. For many organisations, that basis will be consent. The GDPR has tightened the definition of consent, and has extended data controllers’ obligations on what types of information must be provided to data subjects when obtaining consent.
Risk Reduction 8
The next 500 days will be a period of change. Like all change, it will work better, be more successful, and involve considerably less pain if the whole organisation is working together, and especially if it is being led from the top. Get management buy-in. Preferably the sort that wants to engage in good data stewardship, but the sort that wants to avoid 2-4% of global turnover in fines will do.
Risk Reduction 9
As mentioned earlier, the GDPR expects data protection to be undertaken pro-actively, rather than passively. The GDPR specifies various things that the organisation should record. Introduce appropriate practices to ensure that appropriate recording is a normal part of personal data processing.
Risk Reduction 10
‘Wait and see’ is very unlikely to be a successful strategy with respect to the European General Data Protection Regulation. While the timeline is challenging, appropriate timely planning now will deliver the major compliance items in good time.
The Data Protection Commissioner has recently published a short guide on the European General Data Protection Regulation and its impact, including a 12-point checklist on specific GDPR elements for compliance.
Declan Brady is an IT professional of more than 30 years’ standing. He is a computer-science graduate of the Dublin Institute of Technology and has MScs from both Dublin City University (computer applications) and Maynooth University (IT management). His career has spanned many roles and responsibilities, including software development, solution architecture, database management, IT services and chief technology officer.
Brady is president of the Irish Computer Society. He is a member of the Board at CEPIS where he is chair of the IT Professional Ethics Network.
He is a Fellow of the Irish Computer Society, a member of the Association of Data Protection Officers, and a chartered IT professional. He is currently principal consultant at SQS working in IT capability improvement, and a specialist in personal data privacy.