Data Protection by Design – Protecting privacy in each step
The General Data Protection Regulation (GDPR) places a great deal of emphasis on protecting the data you hold about your customers, members and supporters. For the lifetime of the data you hold, you need to carefully consider the risks associated with processing it.
Article 5 of the GDPR, “Principles relating to processing of personal data”, specifically discusses security, appropriate measures, robust procedures to prevent loss and damage, and restricted access to data and the equipment used to process it. However, there are many other sections that emphasise the need for a thorough and granular review of security.
The dictionary definition of protection is: “A legal or other formal measure intended to preserve civil liberties and rights.”
Your security policies should include the means to prevent attempted cyber-attacks on your data, but, just as importantly, you need to review how you protect data accessed by staff and shared with your data processors. Human error accounts for most breaches of data security. For example, more than 50% of all instances published by the Information Commissioner’s Office (ICO) are ‘Disclosure Errors’, that is, sharing data with an unauthorised third party. On top of this, we humans do like to break the rules; ignoring procedures and finding ways around corporate guidelines are so common that the workarounds can become indistinguishable from the actual rules and part of the office culture.
This isn’t the staff’s fault. This is a management issue and, most likely, the tip of the iceberg. Regular minor data breaches are often an indication of a far greater underlying issue. It is essential to make sure the GDPR compliance policies enable full operational functionality, are best practice and essentially preventative, not remedial.
The GDPR recommends pseudonymisation as a way of protecting data and enhancing security. This is a process that ensures personal data cannot be attributed to a specific data subject without additional information; it effectively fictionalises any subject identifiers and reduces the risk that sharing the data amounts to a breach. Only the data controller holds the necessary ‘key’ to re-identify people.
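As an added illustration, not code from the original article, the Python below pseudonymises the direct identifiers in a constructed membership list with a keyed HMAC, so a processor receives consistent but meaningless tokens while only the controller, holding the key and the lookup table, can re-identify anyone. The field names and records are invented for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; no real people are represented.
RECORDS = [
    {"id": "M-1001", "email": "alice@example.org", "donation": 50},
    {"id": "M-1002", "email": "bob@example.org", "donation": 20},
    {"id": "M-1003", "email": "alice@example.org", "donation": 75},
]

# Fields that directly identify a data subject (assumed for this example).
IDENTIFIERS = ("id", "email")


def generate_controller_key() -> bytes:
    """The controller's secret; it never leaves the controller's systems."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed hash: the same input always maps to the same token under one key,
    but without the key the token cannot be reversed or recomputed."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (records safe to share, re-identification table kept by the controller)."""
    shared, lookup = [], {}
    for rec in records:
        out = {}
        for field, value in rec.items():
            if field in IDENTIFIERS:
                token = pseudonym(key, field, str(value))
                lookup[token] = (field, value)   # retained only by the controller
                out[field] = token
            else:
                out[field] = value               # non-identifying data passes through
        shared.append(out)
    return shared, lookup


def reidentify(shared, lookup):
    """Controller-side reversal using the retained lookup table."""
    return [
        {f: (lookup[v][1] if f in IDENTIFIERS else v) for f, v in rec.items()}
        for rec in shared
    ]
```

The lookup table is as sensitive as the original data and must be stored and access-controlled accordingly; pseudonymised records remain personal data under the GDPR because re-identification is still possible.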
When sharing data with a processor or third party, the GDPR recommends clear processes, contractual agreements and a well-thought-out procedure. Remember, you need to make sure that processors have a data protection policy equivalent in scale to yours. This will include data processor agreements which explain the mutual understanding of the security measures required, and the responsibilities and liabilities if things go wrong. Importantly, this also includes who might have access to the data, the way it will be transferred and how it will be deleted once the task is complete. The recommendation is to audit every data processor regularly to ensure compliance. It isn’t only the loss of data that might constitute a breach, it could be the accidental alteration or destruction too. Therefore, your processors will play a vital role in the down-stream data processing journey.
Staff will also need to be regularly reminded why data security is so important to the organisation and to the data that is held. GDPR awareness training is vital to ensure policies, procedures and guidelines are fully understood. There is no point in having a well-thought-out policy framework if the staff do not know what it means and how to apply it; without training the organisation is probably already in breach of data protection and the GDPR.
Another key issue is remote, out-of-office working arrangements and the use of personal devices. Data is at a heightened risk of being shared inappropriately or lost while it is off-site. If you aren’t issuing corporate equipment, including phones and laptops, you’ll need to have procedures that are rock solid and written into user agreements or contracts of employment. Encryption of these devices will be paramount. You’ll need a password policy to ensure staff aren’t, for example, reusing the password from their Facebook account; your vulnerability to a data breach is greatest at the weakest link.
There is always risk when storing and processing data, but especially so when a new project is undertaken. This could be the implementation of a new CRM system, the launch of a new product or service that involves the collection of data, or the processing of data for a new purpose. In all of these examples you should undertake a risk assessment or, as the GDPR explains it, a Privacy Impact Assessment (PIA). This will effectively be an interrogation of current processes, the procedures used, how people access the data, the impact on potential data subjects and the likelihood of failure. This really is an essential exercise that will reveal potential threats, the vulnerabilities of your organisation and the risks it faces. Importantly, it isn’t just about data protection. This assessment should also seek to measure risk to privacy in general; this is about common sense. As well as upholding the rules, we need to carefully consider the privacy of data subjects and how our project impacts on their lives.
In 2014, the Samaritans launched an App called Samaritans Radar. It was a project to help identify individuals who might be vulnerable or potentially suicidal by allowing other people to register them without their knowledge. The system allowed the third party to monitor tweets that might indicate a heightened level of depression or desperation. The App was taken down after just one week because many people had complained. The intrusion and breach of privacy, with the benefit of hindsight, was so very clear. If a thorough PIA had been completed, if the project had been considered from all points of view and common sense had been applied, the App would never have seen the light of day. This is a good example of where a risk assessment is of enormous value.
The GDPR would also like organisations to identify particular individuals to ensure security is upheld. A Senior Information Rights Owner (SIRO) will assume responsibility for security at the highest level. This person is usually a member of the Senior Management Team or a Trustee of the charity. Having a focal point for risk will help to develop a culture of protecting data, ensuring it’s always on the agenda and guaranteeing that incidents are properly investigated to improve security in the future. The SIRO will have full knowledge and oversight of the Information Asset Register, which is a comprehensive inventory of all data assets processed by the organisation. The SIRO will have appointed one or more Information Access Owners (IAO) to assist them in protecting each asset. The IAO is the champion for that particular asset, keeping it up-to-date and sharing it with care. This hierarchy helps to ensure that data protection has a foothold in every department and throughout the fabric of the organisation.
These appointments and the development of proper processes will help organisations to fully implement Data Protection by Design. To achieve this, you will need to unravel every process involving data and install appropriate technical and organisational measures. Aside from secure handling, processing and transfer of data, this will also include making sure the processing is always fair and transparent, limited to what is necessary, accurate and appropriate. Ensuring data protection by design and by default ultimately means the organisation will uphold the rights and freedoms of every data subject.