Telephone +44(0)1524 64544
Email: info(at)shadowcat.co.uk

Introduction

Tue Nov 21 13:45:20 2017

The GDPR, the General Data Protection Regulation, is enforceable from 25th May 2018, the law was passed into effect in 2016 and was then moved to a transitionary phase to allow businesses and organisations to adapt. I will be discussing some of the aspects of the GDPR as I navigate helping businesses and organisations I am involved with change to reflect the new legislation.

In this article I am going to focus on the notion of Cyber Essentials and why it is time to start looking at how you look after the data and services that you provide.

The Legislation

The GDPR takes the existing framework for security legislation that is available under EU law and significantly adds to it. The most important change is that it sets standards for how we process, store, manage and protect an individual’s data. It takes into account not just the collection of the data, but the storage of the data, the security of the machine, the age of software and the analysing of threats and monitoring of systems.

What this means is that companies will be solely responsible for protecting the data from all sides of this process. The actual legislation is summarised here:

“the GDPR provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Controllers and processors that adhere to either an approved code of conduct or an approved certification mechanism”(1)

What you need to do

This puts the responsibility on you, so that you will have to provide:

  • A secure method of collection;
  • A secure method of storing data, including the use of encryption and anonymisation(2);
  • A method by which an individual can view, change or remove data you have stored about them;
  • A way to analyse connections to your network:
  • Monitoring inbound and out-bound connections;
  • Analytics of who connected and when and what they accessed;
  • Rules to control access and retrieval;
  • A firewall and/or private network access;
  • Up-to-date virus and malware software;
  • Up-to-date operating system and programs - patched with the latest versions;

Failure to provide these will be expensive and the existing mechanisms for costs and fines are already being used for those people in breach.(3)

There are a number of immediate steps that you can take to help with your compliance to the changes in legislation. In the UK you can consider using the Government’s Cyber Essentials Scheme which will likely act as a Code of Conduct for implementation as defined in Article 42 of the Regulations. But there are other bodies and you should check your regional local government.

A quick list to start with would look like the following. Remember, dependent on the size of your organisation, network and how much data you store, will depend on how relevant each item and your response:

  • Turn on firewall and any disk backup software in your OS;
  • Turn on any security to its highest level;
  • Install good virus checking software and malware removal software and run frequently;
  • Make sure all your software is up to date and patched;
  • Install network monitoring tools (or purchase support);
  • Install analytical software - often comes with monitoring tools;
  • Ensure your disks are encrypted and login to systems are complex and secure;
  • Try removing unnecessary identifiable data about people;
  • Encrypt data that is stored that identifies people;

You might want to consider using high level encryption and login using secure key access. (Over on his Blog, Tom Bloor is discussing how this is done on Windows.) We will be looking at consent and how we store personal data in a future blog, it is the next great step after securing the data for you to consider.

[Don't forget that you can join in this conversation by using the comments form at the bottom of the page or by tweeting at @shadowcat_mdk]


Notes

(1): There are very thorough wrtings on this site to cover the GDPR: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-1-data-security-and-breach-notification/

(2): You must use anonymisation of data to protect individuals. The easiest rule of thumb is ‘do you need to know?’ if not then don’t store it. So if you have collected age, height, weight, home address, etc. for their buying preferences perhaps, but a part of the system just needs them to log in and pay a bill then the other data is not needed then it shouldn’t associate with it. You can also consider whether it is right to store it and whether it should be removed or deleted, we will cover consent and storing data at a later point. Don’t store data unencrypted or easy to identify data, such as biometric data, next to real names. The use of strings as key values will work to help anonymise data.

(3): ICO fines Sun Alliance: https://www.itgovernance.co.uk/blog/eu-gdpr-security-of-personal-data/