GDPR: How Prepared Are You for EU’s New Privacy Laws?


The competing timetables[1] of Brexit and the General Data Protection Regulation (GDPR), together with the UK Government's stated intent to repatriate EU law en bloc, mean that the GDPR will become law in the UK whichever route Brexit takes. It is in any case law across the European Union and has extra-territorial reach: companies anywhere in the world that offer goods or services to individuals in the EU, monitor their behaviour, or locate operations in the EU will need to plan their compliance. What changes in practice will be required?

Consent

First, the requirement to process personal data only on a lawful basis, most visibly with the consent of the individual concerned, for the purposes consented to and for no longer than those purposes require, remains in place; it was already a requirement of the national laws made under the previous EU directive[2]. Consent is one of several lawful bases under the GDPR (Article 6), but where consent is relied on it must be specific to a purpose and as easy to withdraw as it was to give (Article 7). It is also a duty of data controllers and data processors to ensure that personal data is accurate. These principles are the building blocks on which the new duties are built. I believe that many of the more excitingly named new duties, such as the right to erasure, are restatements and clarifications of the need to obtain consent before using personal data. Personally, I am unclear whether the right to complain about the use of algorithms is new or a restatement of the need for consent, but I have been arguing for a while that public judicial or quasi-judicial information systems must be capable of the technology equivalent of cross-examination. Now the law says that, in the case of private sector processing, people have a right not to be subject to decisions based solely on automated processing that significantly affect them (Article 22), which in practice is a right to be judged by people, even if only through a complaints or appeal process.

Private by Design

Applications and business systems now need their privacy protection and functionality built in by design (Article 25, "data protection by design and by default"). This may require a review of the requirements management process to ensure that compliance with the GDPR is considered and planned for. Personal identifying information needs to be documented in the data models[3]: which fields hold personal data, which purposes each field may serve, and which jurisdiction's law governs each record, because that documentation is what proves compliance. Data subject consents need to be captured and stored together with their purpose and duration. Functionality delivering the basic personal rights, some old and some new, needs to be available, so functions fulfilling subject access requests, amending and deleting data, creating audit trails for complaint handling and letting people take their data away in a convenient, machine-readable form will all need to be engineered. Since 1995, Europe's Data Protection Authorities, including the UK's Information Commissioner's Office, have been working on "Privacy Impact Assessments", a tool for assessing privacy risk and ensuring that information systems deliver personal privacy for customers and staff; the GDPR makes a Data Protection Impact Assessment mandatory where processing is likely to carry a high risk to individuals (Article 35). Now that companies need to show that they meet the "private by design" requirements of the GDPR, the private sector is going to have to engage with these tools.
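The requirements in the paragraph above (personal data documented in the data model with the purposes it may serve, consents stored with purpose and duration, an audit trail for complaint handling, and export and erasure functions) can be sketched as a small consent register. This is an added example written for this page, not code from the original post or from any product it mentions; the field names, purposes, subject record and dates are all constructed for illustration.

```python
"""Consent register and purpose-limited access to personal data.

Added example, not code from the original post. It assumes a constructed
data model: each personal-data field is listed with the purposes it may
serve, each data subject carries a jurisdiction tag, and each consent
records a purpose, a grant time, an expiry and an optional withdrawal time.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Personal-data fields documented in the data model, with the purposes each
# may lawfully serve (constructed sample; a real model would hold far more).
PII_FIELDS: Dict[str, Set[str]] = {
    "email": {"service", "marketing"},
    "postal_address": {"service"},
    "date_of_birth": {"service"},
}

# Reference instant for the constructed sample (the day the GDPR applies).
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)


def days_after(n: int) -> datetime:
    """Instant n days after T0; used for the sample timeline."""
    return T0 + timedelta(days=n)


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    expires_at: datetime
    withdrawn_at: Optional[datetime] = None

    def covers(self, purpose: str, at: datetime) -> bool:
        """True if this consent authorises `purpose` at instant `at`:
        same purpose, already granted, not yet expired, not withdrawn."""
        if purpose != self.purpose:
            return False
        if self.withdrawn_at is not None and at >= self.withdrawn_at:
            return False
        return self.granted_at <= at < self.expires_at


@dataclass
class Subject:
    subject_id: str
    jurisdiction: str                  # which law governs this record, e.g. "EU"
    data: Dict[str, str]
    consents: List[Consent] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)  # trail for complaint handling


class ConsentError(PermissionError):
    """Raised when processing is attempted without a valid consent."""


def check_purpose(subject: Subject, fieldname: str, purpose: str,
                  now: datetime) -> Optional[str]:
    """Return None if `fieldname` may be used for `purpose` at `now`,
    otherwise the reason for refusal. Pure: no side effects."""
    if fieldname not in PII_FIELDS:
        return "undocumented field"
    if purpose not in PII_FIELDS[fieldname]:
        return "purpose not permitted"
    if not any(c.covers(purpose, now) for c in subject.consents):
        return "no valid consent"
    return None


def read_for_purpose(subject: Subject, fieldname: str, purpose: str,
                     now: datetime) -> str:
    """Read a field only when check_purpose allows it; every decision,
    allowed or refused, is appended to the subject's audit trail."""
    reason = check_purpose(subject, fieldname, purpose, now)
    if reason is not None:
        subject.audit.append(f"{now.isoformat()} REFUSED {fieldname} for {purpose}: {reason}")
        raise ConsentError(f"{fieldname} for {purpose}: {reason}")
    subject.audit.append(f"{now.isoformat()} READ {fieldname} for {purpose}")
    return subject.data[fieldname]


def export_subject_record(subject: Subject) -> dict:
    """Subject access / portability: the subject's data and consents."""
    return {
        "subject_id": subject.subject_id,
        "jurisdiction": subject.jurisdiction,
        "data": dict(subject.data),
        "consents": [
            {"purpose": c.purpose,
             "granted_at": c.granted_at.isoformat(),
             "expires_at": c.expires_at.isoformat(),
             "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
            for c in subject.consents],
    }


def export_subject_data(subject: Subject) -> str:
    """The same record in a machine-readable form the subject can take away."""
    return json.dumps(export_subject_record(subject), indent=2)


def erase_subject(subject: Subject, now: datetime) -> None:
    """Right to erasure: drop the personal data and withdraw every consent,
    but keep the audit trail so the erasure itself can be demonstrated."""
    subject.data.clear()
    for c in subject.consents:
        if c.withdrawn_at is None:
            c.withdrawn_at = now
    subject.audit.append(f"{now.isoformat()} ERASED all personal data")


def make_sample_subject() -> Subject:
    """Constructed sample: one EU subject with a 30-day marketing consent."""
    return Subject(
        subject_id="S-0001",
        jurisdiction="EU",
        data={"email": "alice@example.com", "postal_address": "1 Example St"},
        consents=[Consent("marketing", T0, days_after(30))],
    )


if __name__ == "__main__":
    s = make_sample_subject()
    print(read_for_purpose(s, "email", "marketing", days_after(7)))
    try:
        read_for_purpose(s, "postal_address", "marketing", days_after(7))
    except ConsentError as e:
        print("refused:", e)
    print(export_subject_data(s))
    print("\n".join(s.audit))
```

The point of separating `check_purpose` from `read_for_purpose` is that the same pure check can be run over the whole data model in a batch to prove that every documented field has a permitted purpose and a live consent, which is the "comprehensiveness" problem the next paragraph describes.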

The most difficult part of compliance is likely to be proving that one's data protection and privacy controls are comprehensive, e.g. that all fields containing personal data are known, all uses are documented and consents exist. Proving what you have done will be relatively easy; proving that it has been done everywhere it is required will be harder. The law provides for certification mechanisms (Article 42) which may make things easier for some medium-sized firms. Certification will be seen as a statement that the firm's systems are appropriate, but obtaining these certificates will be an additional regulatory burden. Larger companies may find their certification and control systems are already good enough, but small firms will find even third-party certification schemes expensive; they will have to rely on their Data Protection Officer.

Adequate Technical Protection

The new law repeats the requirement to implement appropriate technical and organisational measures to protect personal data (Article 32), and this time names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of the measures as examples of what is expected. It is my view that it is likely that various international standards such as ISO 27001 will also be used to define good or best practice in designing and implementing technical systems, and COBIT for designing organisational responses. Some of this is well understood in the IT security world: policies and controls addressing cyber attack, information integrity, physical access and user access management risks need to continue to be built and deployed. These solutions are currently generally seen as belonging to Chief Information Security Officer (CISO) organisations.

The principles of "least privilege" and "need to know" must be the principal non-functional design rule. This requires the definition of roles and privileges, the elimination of toxic combinations of duties and the implementation of comprehensive information entitlement definitions. These should ensure that access to personal data is appropriate, necessary and approved. Standard technology tools such as encryption should be used to implement protection against confidentiality and integrity threats. Some of this will need to be part of the applications procurement or engineering process, and it should create the opportunity for increased product functionality in the CRM and HR software packages market. Financial services solution architectures have for many years been refactoring towards customer-file-oriented systems rather than the previous generation of product-oriented systems, although the work is far from complete in the largest organisations. A consolidation of customer and employee systems functionality would make building and maintaining the privacy management systems easier and cheaper.
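The entitlement model the paragraph above asks for (roles that grant only what a job needs, a check that a given access is covered, detection of toxic role combinations, and a review of granted-but-unused privileges) can be expressed compactly. The following is an added example written for this page, not code from the original post or from any product; the data classes, roles, users and the one toxic pair are constructed for illustration, and "write implies read" is an assumption of this model, not a statement about any particular system.

```python
"""Role-based entitlements for personal data with separation-of-duties checks.

Added example, not code from the original post. Constructed model: fields
belong to data classes, roles grant (class, level) entitlements, and a list
of toxic role pairs names combinations no single person may hold.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Entitlement = Tuple[str, str]  # (data class, level)

# Which data class each personal-data field belongs to (constructed sample).
FIELD_CLASS: Dict[str, str] = {
    "email": "contact",
    "postal_address": "contact",
    "salary": "payroll",
    "bank_account": "payroll",
    "medical_note": "special_category",
}

# Each role names only the classes and levels its job needs (least privilege).
ROLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "customer_service": {("contact", "read"), ("contact", "write")},
    "payroll_clerk": {("contact", "read"), ("payroll", "write")},
    "payroll_approver": {("payroll", "read")},
    "occupational_health": {("special_category", "read"), ("special_category", "write")},
}

# Toxic combinations: whoever enters payroll changes must not also approve them.
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"payroll_clerk", "payroll_approver"}),
}

# Assumption of this model: a "write" entitlement also satisfies a "read" need.
LEVEL_RANK = {"read": 1, "write": 2}


def entitlements_for(roles: Iterable[str]) -> Set[Entitlement]:
    """Union of the entitlements granted by a set of roles; an unknown role
    is an error rather than silently granting nothing."""
    result: Set[Entitlement] = set()
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            raise KeyError("unknown role: " + role)
        result |= ROLE_ENTITLEMENTS[role]
    return result


def access_allowed(roles: Iterable[str], fieldname: str, level: str) -> bool:
    """True if some role grants the field's data class at `level` or higher."""
    cls = FIELD_CLASS[fieldname]          # undocumented field -> KeyError, deliberately
    needed = LEVEL_RANK[level]
    return any(c == cls and LEVEL_RANK[l] >= needed for c, l in entitlements_for(roles))


def toxic_combinations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, FrozenSet[str]]]:
    """(user, pair) for every user whose roles contain a toxic pair."""
    found = []
    for user, roles in sorted(assignments.items()):
        for pair in TOXIC_PAIRS:
            if pair <= roles:
                found.append((user, pair))
    return found


def unused_entitlements(roles: Iterable[str],
                        access_log: Iterable[Tuple[str, str]]) -> Set[Entitlement]:
    """Least-privilege review: entitlements granted but never exercised in an
    observed period. `access_log` holds (field, level) pairs, e.g. from audit
    records. A granted "write" counts as exercised by either a read or a write."""
    exercised = {(FIELD_CLASS[f], l) for f, l in access_log}
    unused = set()
    for cls, level in entitlements_for(roles):
        used = any(c == cls and LEVEL_RANK[l] >= LEVEL_RANK[level] or
                   c == cls and level == "write" and l == "read"
                   for c, l in exercised)
        if not used:
            unused.add((cls, level))
    return unused


# Constructed role assignments; "bob" holds a toxic pair on purpose.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"customer_service"},
    "bob": {"payroll_clerk", "payroll_approver"},
    "carol": {"payroll_approver"},
}


if __name__ == "__main__":
    print(access_allowed({"customer_service"}, "email", "write"))   # True
    print(access_allowed({"customer_service"}, "salary", "read"))   # False
    for user, pair in toxic_combinations(SAMPLE_ASSIGNMENTS):
        print(f"toxic combination for {user}: {sorted(pair)}")
    print(unused_entitlements({"payroll_clerk"}, [("salary", "write")]))
```

Running the toxic-combination and unused-entitlement checks periodically over the real role assignments and the audit trail is how a firm turns "least privilege" from a design statement into evidence it can show a regulator.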

Public Accountability

There is a new duty, with a deadline, to report personal data breaches: the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach (Article 33), and the affected individuals must be told without undue delay where the breach is likely to result in a high risk to them (Article 34). A "personal data breach" covers loss of availability and integrity as well as confidentiality. The detection and breach response processes and management/legal involvement must be reviewed to ensure that they meet the new law's requirements; since the clock starts when the breach is detected, detection itself has to be timely.

Enforcement is delegated to the member states' data protection authorities, the ICO in the UK, and the maximum fines for non-compliance are high: up to 4% of global annual turnover or €20m, whichever is higher.

The way in which many firms manage their Data Protection compliance will need to change. Many firms subject to the law will need a Data Protection Officer (Article 37 requires one for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data), who will be accountable to the company at the highest level, and who needs to be professionally accountable in a similar way to accountants and CFOs. The DPO will have a duty to the public as well as to the company.

Getting all this right is important; as stated above, the fines for non-compliance are high.

We may even protect people’s private data more effectively.


—————-

[1] The UK Government plans to give notice to quit the European Union in March 2017; this sets a two-year deadline for negotiations about the terms of departure, ending in March 2019. The GDPR was adopted in April 2016 and entered into force in May 2016, with a two-year delay to allow businesses and national regulators to prepare for compliance. Compliance processes and enforcement procedures must be in place by 25 May 2018, when the Regulation applies.

[2] Data Protection Directive 95/46/EC

[3] A Data Model is an abstract model that organizes elements of data and standardizes how they relate to one another and to properties of the real world entities. Source: https://en.wikipedia.org/wiki/Data_model

Author

Dave Levy


Associate Partner, London

Dave has over thirty-five years’ IT experience. Since joining Citihub from Sun Microsystems, he has solved IT problems by conducting assignments concerned with Security Architecture, Availability Engineering and Architecture, Predictive Risk Analysis and IT Security Consulting.