The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.
With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.
For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:
- The GDPR: the “whole of business” issue at the top of your board agenda
- The rise of the intelligent business: spotlight on employers
- Extending the long arm of the law: Extra-territoriality and the GDPR
- Data use – protecting a critical resource
- Supply Chain Arrangements: The ABC to GDPR Compliance
The GDPR contains various provisions which impact on cyber security, including:
- obligations to notify the regulator and potentially affected individuals in the event of a data breach;
- obligations to implement data protection by design and default; and
- obligations to have appropriate technical and organisational security measures in place to protect personal data.
Like the Data Protection Directive before it, the GDPR is not prescriptive as to what security an organisation needs to implement. Best practice is for an organisation to undertake a risk assessment of their current data security practices and adopt appropriate security measures to mitigate any risks identified. Organisations should consider in particular the four things mentioned in article 32, though this is by no means exhaustive:
- how is the data stored? Is it encrypted so that a decryption key is required to access information within the raw file? Are passwords salted and hashed (as distinct from encrypted) so that they cannot be reversed to the original password should they fall into malicious hands? Has pseudonymisation been implemented? This is a process by which identifying fields within a data record are replaced by one or more unique identifiers that can optionally point to data stored elsewhere. If there is a data set with additional information about the data subject, it can be stored separately from the actual identifying information of the data subject, so that if only the former is lost the data cannot then be linked to the person involved;
- hardening/redundancy – making sure that the systems have proper security controls, are resilient and have proper redundancy so if one instance goes down another can be brought up to take its place;
- disaster recovery – ensure you have a plan to recover from a major incident, and ensure your systems have the ability to back up and to roll back. If there is a cyber attack and data is encrypted by ransomware, for example, being able to roll back to a recent backup helps to neutralise the problem;
- penetration testing – are you actually testing the security measures to make sure they are adequate – this involves both technical testing and organisational testing and might include, for example, sending employees phishing emails and running education programmes for any that click on the links.
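As an added illustration (not code from the original briefing) of two of the article 32 measures listed above, the following Python shows salted, iterated password hashing alongside pseudonymisation that keeps the identifying fields in a separate store. The iteration count, the choice of PBKDF2-HMAC-SHA256, and which fields count as identifying are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# --- Salted password hashing (one-way, unlike encryption) --------------------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumed, tune to your hardware

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt per password means two users
    with the same password get different digests, so leaked digests cannot be
    matched against precomputed tables and the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

# --- Pseudonymisation: identifying fields kept in a separate store ------------
IDENTIFYING_FIELDS = ("name", "email")  # assumed: which fields identify the subject

def pseudonymise(record: dict) -> tuple:
    """Split one record into (pseudonymised_record, identity_record).
    The pseudonymised record carries a random token plus the non-identifying
    attributes; the token -> identity mapping is held in a separate store, so
    losing the pseudonymised data set on its own does not re-identify anyone."""
    token = secrets.token_hex(16)
    identity, pseudonymised = {"token": token}, {"subject_id": token}
    for key, value in record.items():
        if key in IDENTIFYING_FIELDS:
            identity[key] = value
        else:
            pseudonymised[key] = value
    return pseudonymised, identity

def reidentify(pseudonymised: dict, identity_store: dict) -> dict:
    """Re-link a record using the separately held mapping keyed by token;
    raises KeyError when that mapping is not available (the intended outcome
    for anyone holding only the pseudonymised data set)."""
    identity = identity_store[pseudonymised["subject_id"]]
    merged = {k: v for k, v in pseudonymised.items() if k != "subject_id"}
    merged.update({k: v for k, v in identity.items() if k != "token"})
    return merged
```

The identity store would in practice live in a different system with tighter access controls than the pseudonymised data set, which is what makes the separation meaningful under article 32.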
Another useful suggestion is for an organisation to put appropriate IT and security policies in place and ensure that employees understand the importance of handling personal data and adhering to cyber security best practices through education programmes.
Finally, it is vital to develop a plan for dealing with cyber incidents when they occur. This should cover off the technical and organisational response while also considering what the legal team will need to do if there is a cyber incident. For example:
- does the ICO need to be notified?
- what about notifications to any data subjects?
- who else might you need to notify (regulators, insurers, contractual counterparties)?
- how will you decide on what to tell the press?
- what sorts of liabilities could the organisation now face and how can they be mitigated?
- do we need to preserve evidence?
- should any investigation consider trying to preserve legal privilege?
- should we get external legal counsel involved?