2016 saw many high-profile data breaches, from Yahoo to Tesco Bank. Are companies taking data protection seriously enough? Data Protection Day is tasked with raising awareness of the subject and promoting best practices. 49 countries observe DPD, and some of the world’s largest organisations, such as Intel and Microsoft, have supported the initiative.
With those breaches and the upcoming changes to EU data protection law, the subject has never been more relevant. Over half a billion personal records were stolen or lost in 2015, and a number of organisations did not even report the full extent of their breaches. It is estimated that 46 records are stolen every second! So how can we make sure that we are neither exposed to a data breach nor failing to comply with EU data protection law?
The key areas of the Data Protection Act are:
Data collection – ensure that you either have unambiguous consent or that your need for the data meets one of the accepted lawful bases (legal obligation, contract, protection of vital or legitimate interests, etc.).
Data use – there must be no secret or creeping purposes and the data must not be abused: it can only be used for the purpose that was disclosed when it was collected, and organisations must be held to account for how they use it.
Protection practices – data must be processed fairly and lawfully, covering how it is obtained, managed and processed.
The General Data Protection Regulation (GDPR) entered into force eight months ago, but luckily there is a two-year transition period. If you are not adhering to the new rules by 25 May 2018, you will be liable for a large fine. These are the new rules you need to be aware of:
- You can’t use Brexit as an excuse! If you process the personal data of individuals within the EU, you have to adhere to this law regardless of where you are based.
- A single set of rules applies to all EU member states, so that the law is applied consistently and confusion is minimised.
- Responsibility and accountability: privacy settings must be set to the highest level by default, data protection must be designed into business processes, and automated individual decision-making must be contestable.
- Public authorities, and private-sector companies whose core activities involve regular and systematic monitoring of data subjects, must appoint a Data Protection Officer: a person with expert knowledge of data protection law who is involved in processing decisions to ensure internal compliance with the regulation.
- Data breaches must be notified to the Supervisory Authority (under the GDPR, within 72 hours of becoming aware of the breach where feasible); the Data Protection Officer is the point of contact for this.
- The following sanctions apply, escalating with the seriousness of the infringement:
- A written warning in cases of first and non-intentional non-compliance
- Regular periodic data protection audits
- A fine of up to 10,000,000 EUR or, for an enterprise, up to 2% of its annual worldwide turnover for the preceding financial year, whichever is greater
- A fine of up to 20,000,000 EUR or, for an enterprise, up to 4% of its annual worldwide turnover for the preceding financial year, whichever is greater
- The ‘right to erasure’ (the right to be forgotten) lets a data subject require that personal data relating to them be deleted.
- Data portability: a person must be able to transfer their personal data from one electronic processing system to another.
To minimise the risk of a data breach, implement the following steps:
- Encrypt the data – whether it is held on premises or in cloud storage, encryption protects sensitive data even if the storage itself is compromised (since 2013, only 4% of breaches involved data that had been encrypted).
- Store and manage keys – keep encryption keys separate from the encrypted data, restrict which people and systems can use them, and rotate them regularly.
- Control user access – grant access only to the people who need it, behind a strong (ideally multi-factor) authentication process.
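The three steps above fit together as envelope encryption: each record is encrypted under its own data key, that data key is wrapped by a key-encryption key held in a separate key store, and rotating the store's key only re-wraps the small data keys, never the bulk ciphertext. The Go program below is an added example written for this page, not code from the original article or from any vendor. Its KeyStore type is a stand-in for a real KMS or HSM, the `kek-…` ids and the customer record are constructed sample values, and the access control around the key store (who may ask it to wrap or unwrap) is assumed to be enforced by that external service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what gets stored beside the data: ciphertext, the per-record data
// key (DEK) wrapped under a key-encryption key (KEK), and that KEK's id.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
	KEKID      string
}

// KeyStore stands in for the separate key-management system (KMS or HSM) the
// text calls for; it is an assumption of this example, not any product's API.
type KeyStore struct {
	keks    map[string][]byte // KEKs still allowed to unwrap existing records
	current string            // KEK id used for all new wraps
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes, so neither call fails
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal returns nonce||ciphertext; aad is bound into the GCM authentication tag.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

// open rejects inputs too short to hold a nonce instead of panicking on them.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Rotate installs a fresh KEK for new wraps (call it once to create the first
// one). Older KEKs stay usable until every record has been re-wrapped, then Retire removes them.
func (ks *KeyStore) Rotate() string {
	if ks.keks == nil {
		ks.keks = map[string][]byte{}
	}
	ks.current = fmt.Sprintf("kek-%x", randomBytes(4)) // constructed id scheme
	ks.keks[ks.current] = randomBytes(32)
	return ks.current
}

func (ks *KeyStore) Retire(id string) { delete(ks.keks, id) }

func (ks *KeyStore) unwrap(r Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q is not available", r.KEKID)
	}
	return open(kek, r.WrappedDEK, []byte(r.KEKID))
}

// Encrypt is envelope encryption: a random DEK protects the data and only that DEK
// is wrapped by the KEK. The record id is AAD, so a ciphertext copied onto another record fails.
func (ks *KeyStore) Encrypt(recordID string, plaintext []byte) Record {
	dek := randomBytes(32)
	return Record{Ciphertext: seal(dek, plaintext, []byte(recordID)), WrappedDEK: seal(ks.keks[ks.current], dek, []byte(ks.current)), KEKID: ks.current}
}

func (ks *KeyStore) Decrypt(recordID string, r Record) ([]byte, error) {
	dek, err := ks.unwrap(r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}

// Rewrap moves a record onto the current KEK without touching the bulk ciphertext.
func (ks *KeyStore) Rewrap(r Record) (Record, error) {
	dek, err := ks.unwrap(r)
	if err == nil {
		r.WrappedDEK, r.KEKID = seal(ks.keks[ks.current], dek, []byte(ks.current)), ks.current
	}
	return r, err
}
```

Create a store with `var ks KeyStore; ks.Rotate()`, then call Encrypt and Decrypt with the record's id. A KEK is only retired once every record that references it has been passed through Rewrap; a Decrypt against a record whose KEK has already been retired fails closed rather than silently falling back to an old key, which is the behaviour you want when a key is withdrawn because it may have leaked.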
You can find more information on Data Protection here.