Five essential steps to GDPR compliance
7 April 2017
Compliance with the upcoming General Data Protection Regulations (GDPR) can be broken down into a cycle of five key, ongoing steps, according to Simon Nixon, director, product management, information intelligence, Veritas.
Speaking at the first in a series of TechFire events on the subject, Nixon said the cycle elements of Locate, Search, Minimise, Protect and Monitor, were key to understanding, protecting and deriving value from data, as well as becoming compliant with the regulations.
The minimisation aspect was one that drew further questioning at the panel. Nixon explained that this was a dual strategy. Firstly, under GDPR there are strict guidelines about explaining why data is being gathered and the purposes to which it will be put. For many organisations, Nixon said, this will have the effect of reducing the amount of data collected. This reduction will mean less data to be stored and managed, and therefore reduced risk and effort in doing so.
“Classification, flexible retention and GDPR-compliant policy engines allow confident deletion of non-relevant information providing a cornerstone of GDPR compliance,” said Nixon.
“Don’t be afraid of outsourcing some or all services to third parties” for data processing, said Sarah Armstrong-Smith, engineer and management consultant, Fujitsu. Under GDPR, data controllers and data processors, including third-party ones, are equally culpable for data protection and regulatory adherence, so they have a vested interest. Armstrong-Smith said this should allow tighter supply chain controls that will facilitate outsourcing without ambiguities about responsibilities, “moving further towards supply chain resilience”.
After giving a broad overview of GDPR from the legal perspective, Anne-Marie Bohan, partner, Matheson, highlighted that there was a broader context to the regulations, of which organisations need to be aware. Bohan listed the likes of the Proposal for ePrivacy Regulation, PSD2 (Revised Payment Service Directive), the Network Information Security Directive and eIDAS regulation (electronic identification and trust services regulation for the payments industry), as other systems that will affect the implementation and operation of GDPR. The NIS Directive in particular will be of interest, as it has now been given the same implementation date, 25 May 2018, as GDPR.
There was great interest from the floor for the panel of speakers, and the first question was on a common theme, asking if GDPR will improve cloud security and information security in general. The broad response from the panel was yes, it would. However, one of the end user speakers, David Prendergast, information security officer, DEPFA Bank, said it might well be the other way around. He said that cloud security efforts had improved information security overall and GDPR would likely build upon that.
Another question from the floor was on the subject of recorded telephone calls to a company. Bohan of Matheson confirmed that such a medium would indeed fall under GDPR, as would CCTV material and offline back-ups, added Prendergast.
The subject of the new fines in GDPR was also raised, with the headline figures of 4% of global turnover in the previous year or €20 million discussed. It was asked if there might be a sliding scale for such penalties, based on the magnitude of the breach. Bohan said that in her opinion it would likely fall to the individual Data Protection Commissioners and local law first, and that many may follow the lead of Irish DPC Helen Dixon in taking such instances to the courts, where the judge would set a fine.
Commenting more broadly, Bohan said that many aspects of the regulation may require test cases or examples to define how such provisions will work in practice.
Another question was in relation to requests for personal information on workers who may be going into sensitive sites, such as medical facilities, residential or educational institutions. It was suggested that contractors and service providers might be asked for more than was appropriate in such instances, and often got little reassurance when querying how such data was stored and used by the data gatherer.
End user speaker Owen Harrison, head of systems and principal officer, Office of the Government CIO, said that Garda vetting could be a better route in this instance, where the data controls and protections are well established, it being a “well-oiled system”.
Overall, the audience seemed to be broadly aware of the heads of the regulation, but the questions and queries from the floor revealed that difficulties seemed to lie in the details of how specific elements of the regulation would apply to them.
A show of hands revealed that more than a third of the audience were actively engaged in an assessment process to understand the scope of how the regulation applied to them.
The parting piece of advice from Prendergast was to make friends with your legal team or solicitors, as their advice would be invaluable in making these determinations. However, he warned not to leave such consultations too late, as the closer the deadline looms, the more such skills will be in demand.