An Approach to GDPR

The Evolution of Data Protection

Data protection has been around for a long time – the initial laws on data protection were implemented just after WW2 to support human rights. These initial regulations were updated in the 50s to include the concept of privacy and then further amended in the 80s to ensure the safety of cross-border data flows.

Personal data protection was then addressed in 1981, which caused member states to create their own laws focussed on personal data; these were again updated in the 90s to include the rights of individuals. This was when organisations started to see the real impact on the way they had to operate, especially considering the online boom and the risks associated with the security of data.

Moving swiftly forward to 1998, Article 8 came into play, with the “right to privacy” protecting the interests of the person whose data was collected. This has now been developed further into where we are now: GDPR!

General Data Protection Regulation (GDPR)

GDPR does not override the laws currently in place – it coincides with them and works alongside them to ensure that the subject of the data being processed is protected. This is a Regulation that will impact all companies to some degree, but it aims to work in the public’s interest.

There are some organisations that this will impact more than others. For example, where an organisation transfers data between companies, particularly when transfers are made between different countries, there need to be appropriate controls in place to ensure that the rights of the data subject are protected. Organisations with insufficient data protection controls, or those located within certain countries, may find themselves at serious risk of being unable to process data from the EU.

It also changes where the responsibility for protecting the data lies. Previously it was the company acquiring and using the data that would be accountable. Now, any third parties holding or processing the data on the parent company’s behalf also have to be compliant. This has introduced organisational roles to differentiate between them, as follows:

Data Controller – the company responsible for the data being acquired or used.

Data Processor – the company, internal or external, that manages the processing of that data for the controller.

Each role has clear and distinct responsibilities – there are many sources out there that distinguish between them; however, I have found the key questions for telling them apart to be:

Does the company initiate the collection of personal data? In which case this organisation would be considered a Controller.

Does the company carry out analysis or provide a solution used by an organisation to obtain personal data? In which case the organisation will be a Processor.

More detailed information on this comes directly from the ICO at the following link: https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf

So, to that end, EVERYONE now has to think about the whereabouts of their data and how it is protected – not only from a business perspective, but from a supplier’s perspective, along with the customer’s and the user’s.

GDPR and IT

Thinking about the security of our data is not a new concept in IT. The risk of exposure is generally high on our list of priorities in supporting the organisation as much as possible. With GDPR coming into force imminently, it should potentially be our highest priority! Not only does IT have to ensure the protection of the data being obtained or processed, we now need to prove that this is so, whilst ensuring and maintaining easy navigation of the data in our repositories.

Think of a library with no automation – there is a reason that Google is the most popular search engine and why Amazon is bigger than the high street: it is the organisation of the product and the automation of the contents. It is as EASY to take something off the shelf, sell it and send it as it is to return it and prove that this has been done. This is what IT needs to ensure happens with people’s data.

The business has a responsibility to be compliant – it needs to ensure that:

  • The user knows their rights
  • The organisation knows the timescales for responding to a complaint and what resultant action may ensue
  • The user knows how to protect themselves and remove / withhold their data

IT MUST accommodate and work to this. It needs to ensure that personal data is properly categorised so that it is easy to find, highlight and, if necessary, remove as and when needed. This also has to be backed up by an auditable trail proving that this is happening.

IT also needs to consider all associated third parties and the security settings needed to ensure that data is not vulnerable. One way to address this is to model your services against ISO27001. This standard is the basis of the security requirements needed to pass an audit surrounding GDPR. Work can then be done to consider the utilisation of solutions already in place, or new solutions needed, to aid organisations in navigating, and in some cases deleting, information.

Like any initiative, this is not something to be taken lightly. The above is a snapshot of considerations; however, if you are looking to create touchpoints during your implementation, please do contact us for advice or resource options, or stay tuned for my upcoming GDPR Webinar and GDPR Masterclass next month!

By Helen Windle