By Andy Bridges, Data Quality & Governance Manager, REaD Group
More than 18 months after GDPR came into effect, “52% of businesses are not fully compliant with the regulation,” according to a recent survey of UK GDPR decision-makers (Egress, GDPR Compliance Survey 2019).
Is GDPR still on the agenda?
The greatest focus on GDPR compliance was in the run-up to May 2018, and since then it appears to have slipped down the priority list. But companies are still being caught out: more than 10,000 data breaches have been reported in the UK since May 2018 (DLA Piper, 2019). And according to research commissioned by IBM, the average cost of a data breach to a large UK business is estimated at £2.7 million (IBM Data Breach Calculator, 2019).
It is often assumed that breaches are largely the result of orchestrated attacks by criminal masterminds; the reality is far less dramatic, and far more preventable: they are frequently the result of human error. According to ICO data, over 70% of security-related personal data breach incidents reported in the first six months of 2019 were caused by human error, such as misplacing hard drives, poor password management, careless file sharing or a lack of vigilance towards increasingly prevalent phishing emails. All of these can be prevented.
What is data protection by design?
Although it has not had the same level of coverage and furore as other elements of the GDPR, one of the most important principles at the heart of the regulation is data protection by design and default, previously known as privacy by design.
Data protection by design and default (Article 25 of the GDPR) requires companies to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. It means that businesses must consider and ‘bake in’ privacy at the initial design stage and throughout the development of any new product, process or service that involves processing personal data, so that personal data is processed in a fair, transparent and lawful manner from the outset rather than retrofitted later.
The purpose of data protection by design is to embed responsible data management and information security into day-to-day business practice and to mitigate the risk of damaging data breaches. The nature, scope, context and purposes of the processing, and the risks it poses to individuals, must always be considered.
To reduce the risk of costly and damaging breaches, businesses must apply data protection by design principles and make responsible data management and accountability for information security part of office culture. Protecting the information held by a business is no longer the sole responsibility of IT and compliance teams: data security is a company-wide responsibility. There are four ways to build this level of responsibility: auditing, education, vigilance and impact assessment.
Auditing
In order to better protect their information estate, companies first need to understand what information they hold: a record setting out each processing activity, the categories of personal data involved, and the purpose of the processing. As well as ensuring that data is clean and accurate, that all relevant permissions are held and that the processing is lawful, organisations must also ensure that appropriate data protection and information security practices are in place around that data.
Appropriate technical and organisational measures (often abbreviated to TOMs) must be implemented so that, by default, only the personal data necessary for each specific purpose is processed, and that purpose must be set out before processing begins. This applies to the amount of personal data collected, the extent of the processing, the period of storage and retention, and who is able to access it. Data collection techniques should also be reviewed and revised to avoid collecting more than is needed.
Education
Businesses should create educational programmes so that all staff understand the importance of data protection and its principles, and should reinforce that privacy obligations and accountability sit with ALL employees, not just the IT or compliance teams.
As a first step, staff should be trained regularly to ensure that everyone is aware of best practice and understands how to apply it. Company policies should also be written to reflect the fact that every individual has a responsibility for protecting the information held by the business.
Vigilance and self-policing
Employees should be on the lookout for everyday lapses that put information at risk, such as computer screens left unlocked and confidential paperwork left unattended, as well as the online threat of phishing emails, which grow more sophisticated by the day.
Implementing a clean desk policy is an achievable and very visible first step towards safeguarding confidential information. Literature such as information security handbooks, and visual reminders such as wall posters around the office, can reinforce it.
One approach that helps to reinforce adherence is to encourage self-policing and to ensure that all incidents, however minor they might seem, are recorded. This allows the organisation to retrospectively analyse recurring threats and to align future training around them. Confiscating laptops or paperwork that have been left unattended and demanding a (non-monetary) ransom for their return can also work wonders.
Impact assessment
Conduct a Privacy Impact Assessment (PIA), known under the GDPR as a Data Protection Impact Assessment (DPIA). A PIA is an analysis of how personal data is collected, used, shared and retained within the organisation. It is a tool for identifying and assessing privacy risks and for checking that those practices comply with legal and regulatory requirements.
Best practice is to create a PIA template which is then completed for each new system, product or service. The ICO provides a sample DPIA template that can be used or adapted.
Creating actionable guidelines
Ultimately, the goal should be to have a set of practical, actionable guidelines in place that will achieve certain results, including:
- Data protection issues are an integral part of the design and implementation of systems, services, products and business practices and their core functionality
- Only personal data needed in relation to the business’s purpose(s) is processed
- Personal data is protected automatically by the company’s IT system, service, product and/or business practice
- Privacy defaults are strong, options and controls are user-friendly, and user preferences are respected.
One company currently setting a good example in this area is Apple which, after a bumpy start to the year, has launched a new, fully disclosed opt-in process for human review (“grading”) of Siri recordings as part of iOS 13.2, as well as a new privacy website and white papers.
These set out, in plain language, what Apple is doing across its software and services to make privacy visible to users. They include new measures such as the ‘Sign in with Apple’ platform, which allows users to sign up to third-party apps and be contacted by them without handing over their real email address.
These are all positive steps forward, and ones we hope to see replicated across organisations of all sizes, from the tech behemoths and large enterprises who hold our personal data to the mid-size and smaller companies who are equally responsible for ensuring that data privacy by design IS the default, not an option.
Egress, GDPR Compliance Survey 2019, https://www.egress.com/news/gdpr-compliance-survey-2019
ICO, Data security incident trends, https://ico.org.uk/action-weve-taken/data-security-incident-trends/
About the author
Andy Bridges joined REaD Group as Data Quality and Governance Manager in 2016 and has over 20 years’ experience in the data arena, having started his career as Data Quality Manager at the data-driven analytics company Loyalty Management Group (now AIMIA).
A key part of Andy’s remit is ensuring REaD Group remains at the forefront of the EU regulatory landscape. Andy also holds the position of Vice-Chair of the DMA Privacy Working Group, is a Governance Board Member for the Data Protection Network and is a member of the DMA Third Party Data Working Group and the DMA GDPR Taskforce.