The EU General Data Protection Regulations (GDPR) – From the General to the Particular

Why should anyone be concerned with the EU GDPR that comes into force on May 25, 2018? In brief, failure to do so could be a costly and career limiting mistake.

Organisations proven guilty of a data breach can face fines of up to €20 million or 4% of the annual worldwide turnover – whichever is greater. Non-compliance risks fines of up to €10 million and 2% of global turnover. And, individuals can sue for compensation.

The GDPR is replacing the EU Data Protection Directive 1995, drafted when data was stored on on-site servers in physically secured facilities, and now showing its age. Facebook and online social networking didn’t exist. There was no online banking or online shopping. Hacking was in its infancy. Another reason for change is that the number of data breaches is growing – and the number of ‘victims’ is increasing. Stories of data breaches are all too common.

2000 – A hard disk from UK bank Morgan Grenfell Asset Management, containing banking data of Beatle Sir Paul McCartney and dozens of other customers, was sold at a computer parts stall in London. [1]
2007 – An unencrypted UK Nationwide Building Society laptop holding accessible details of 11 million customers was stolen by a burglar. The company was fined nearly $2 million. [2]
2013 – US retailer Target had credit card details of more than 70 million customers stolen in a hack. [3]
2016 – YAHOO, the internet service provider, was hacked and lost personal data of more than one billion people. [4]

Costs of remedying a data breach have been estimated at an average of $4 million per breach in 2016. The research is publicly available in the IBM Ponemon 2016 annual cost of a data breach study.

A victim of data breaches writes … my personal experience
In 2007, I received an unexpected and unwelcome letter from the Nationwide Building Society that held a mortgage on my family home advising me to change passwords on my accounts due to a data breach. In 2015, my broadband provider, Talk Talk, had customer records hacked – more than once. I am now regularly contacted by callers using withheld telephone numbers purporting to be from Talk Talk asking me to give them remote access to my computer, claiming a need to check router problems. I’m not gullible enough to allow access to people who may counterfeit my identity, access my bank details or link my PC to a Botnet. Sadly, not everyone is alert to such scams.

GDPR – What’s New
1. One Law for Europe – EU Regulations are prescriptive legislation applicable in all member states with no national variation, whereas an EU Directive is umbrella legislation that member states adopt in their own way.
2. One Stop Shop for businesses – registration with a Data Protection Authority in any EU member state covers all.
3. Data Protection by Design and Default – The high financial costs of failure are an incentive to design data protection into systems, forcing business and government to take data protection very seriously.
4. Right To Be Forgotten – EU citizens can ask to have their data erased once its purpose has been served.
5. Parental Consent for Children before data can be collected.
6. Joint Liability – Whereas the Data Protection Directive applies to those organisations that create data, the GDPR expands liability to any organisations that handle, store and treat data on EU residents and businesses.
7. Global Protection – Compliance will be required of any organisation that stores data of EU citizens not just within the EU but also anywhere in the world.

How to Securely Treat Data for the GDPR
The GDPR states that whether security measures are appropriate in each instance, will depend on “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” This clause provides flexibility allowing for changes in technology and data policies and allowance for smaller businesses to avoid undue costs of compliance.

Downstream recycling
It is recommended to track all data-bearing media transferred for secure recycling to third-party recyclers. For example, in 2006 the BBC Real Story current affairs television programme bought data-bearing hard disk drives from a ‘Computer Supermarket’ in Lagos, Nigeria. The BBC paid premium prices for drives known to contain data – data-free drives were cheaper! [5]

How Can You Securely Destroy Data?
In the absence of clear guidance in the GDPR, I recommend using the policies and procedures such as those adopted by Arrow to comply with US and other government security agencies on what “secure destruction” of data requires. The following are options for the secure destruction of data.

Data Sanitization
Software overwriting of every byte of data held on computer data media can be achieved – or failure notices are produced if a technical fault prevents sanitization of the whole drive. National security services have standards against which sanitizing software can be tested and approved, such as the US NIST SP 800-88 and the UK confidential standard, CESG IAS 5.
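As an added illustration (not Arrow's procedure and not a certified sanitization tool), the following Python models the overwrite-and-verify pass described above on a file standing in for a drive image: the block size, the constructed image and the planted "faulty sector" that kept its data are all assumptions. The point it shows is that the read-back step is what turns a fault into a failure notice instead of a silent partial wipe.

```python
import os
import tempfile

BLOCK_SIZE = 4096  # assumed sector/block size for the simulated drive image

def overwrite_image(path, byte=b"\x00", block_size=BLOCK_SIZE):
    """Write the pattern byte over every block; return offsets that failed to write."""
    size, failed = os.path.getsize(path), []
    with open(path, "r+b") as f:
        for off in range(0, size, block_size):
            try:
                f.seek(off)
                f.write(byte * min(block_size, size - off))
            except OSError:  # unwritable sector: record it as a failure notice
                failed.append(off)
    return failed

def verify_image(path, byte=b"\x00", block_size=BLOCK_SIZE):
    """Read back every block; return offsets that do not hold the pattern or cannot be read."""
    size, bad = os.path.getsize(path), []
    with open(path, "rb") as f:
        for off in range(0, size, block_size):
            n = min(block_size, size - off)
            try:
                f.seek(off)
                if f.read(n) != byte * n:
                    bad.append(off)
            except OSError:  # unreadable sector: cannot prove it was wiped
                bad.append(off)
    return bad

def sanitize(path, byte=b"\x00"):
    """Overwrite, then verify by read-back; any failed block fails the whole device."""
    write_fail, verify_fail = overwrite_image(path, byte), verify_image(path, byte)
    status = "SANITIZED" if not (write_fail or verify_fail) else "FAILED"
    return {"status": status, "write_failures": write_fail, "verify_failures": verify_fail}

def demo():
    """Constructed image of 2.5 random blocks: sanitize it, then plant a block that
    kept its data (a simulated faulty sector) so the read-back step reports it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(BLOCK_SIZE * 2 + 1000))
    try:
        first = sanitize(path)["status"]
        with open(path, "r+b") as f:
            f.seek(BLOCK_SIZE)
            f.write(b"\xaa" * BLOCK_SIZE)
        return first, verify_image(path)
    finally:
        os.unlink(path)
```

The same structure applies to a real block device, where the write and read errors arrive as OSError from the device rather than from a file; a report with any non-empty failure list should be treated as "not sanitized" and the media routed to physical destruction.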

Data Purge – Degaussing
This addresses the degaussing of data held on magnetic media by a powerful electromagnetic field. This method is used for tape media, floppy discs and magnetic hard disc drives (HDDs) but not Solid State Drives (SSDs), which are a non-magnetic technology. See the US National Security Agency approved equipment list.

Data Destruction
Drilling / Punching / Folding – For HDDs, data may be recoverable using specialist tools so this should be regarded as an interim, disabling measure pending further destruction.
Shredding – The term used for fragmenting devices to prevent access to data and facilitate materials separation and recycling. However, fragment sizes are of concern as data may be recoverable using electron microscopes. Hence, the following standards set fragment sizes:
EN15713 European Information Destruction Standard for data bearing media including HDDs, etc.
Centre for the Protection of the National Infrastructure CPNI – a UK Government agency recommends 20mm maximum fragment size shredding in any one direction for data bearing media containing commercially sensitive material; 6mm for security protectively marked material.
Incineration – incineration to ash is the simple definition used to describe this method.

Looking for Help to Erase or Destroy Data?
Businesses and public sector organizations can engage with IT asset disposition service providers who utilize approved technology to erase and destroy data. Look for a service provider who is certified by accredited standards bodies to international standards for security (ISO 27001), environmental (ISO 14001), and safety management (OHSAS 18001). Achievement of certification requires the demonstration of compliance with all applicable laws and regulations, including the GDPR! They also have documented management systems and procedures that you can audit and request to see in action.

Preparing For the EU GDPR – A Checklist of What You Need to Do
1. Awareness – Check if your management is aware of and has started making plans to comply with GDPR.
2. Appoint a Data Protection Officer – Required for organisations with >250 employees and process >5,000 records a year; the DPO is responsible for data security policies, procedures and practices.
3. Identify what data you use – What data is collected? How is it processed? How is it stored? Any sensitive data? What measures are in place to prevent loss or disclosure? To permit access? Is encryption used?
4. Internationally – Check any data processing of EU citizens done by your organisation anywhere in the world.
5. Communicate Privacy Information – Do you have a Privacy Notice identifying who your organisation is and how the data will be used?
6. Individual Rights – Give individuals access to their data, correct inaccuracies, erase information at end of agreed time, prevent direct marketing, offer portability of data – the right to transfer to other service providers.
7. Subject Access – Update procedures and processes to handle requests for access to personal data within one month, at no charge (with provision to charge for excessive requests).
8. Legal Basis – Review the legal basis for holding data – What is the data? Any sensitive data? Does the data affect children? How long to be held and then disposed? Who has access? Transfer to third parties?
9. Consent – Must be freely given for the specific, named and unambiguous purposes stated for collection. You may need to re-engage with all data subjects to renew consent!
10. Children – Parental consent must be recorded for persons under 16 or 13 (country variance permitted) and any Privacy Notice must be written in language children can understand.
11. Data Breach Plan – Prepare a contingency plan on how to report any data breach within 72 hours to your Data Protection Authority and plans to remedy the effects of the breach.
12. Data Protection by Design – Proactively design hardware and systems to protect data – conduct Privacy Impact Assessments for high risk situations – check the UK ICO guidance.

Sources:
[1] http://www.futureintelligence.co.uk/2000/02/paul-mccartneys-bank-account-details-on-hard-drive/
[2] http://news.bbc.co.uk/2/hi/business/6360715.stm
[3] https://www.washingtonpost.com/business/economy/target-says-70-million-customers-were-hit-by-dec-data-breach-more-than-first-reported/2014/01/10/0ada1026-79fe-11e3-8963-b4b654bcc9b2_story.html?utm_term=.2e0dbabfa5e1
[4] https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html?_r=0
[5] http://news.bbc.co.uk/1/hi/business/4790293.stm

About Gary Griffiths

Gary Griffiths is the Global Compliance Manager for Arrow Electronics