It’s Data Privacy Day on Jan 28th and there’s never been a better time to think about how to keep your company data safe. Ken Holmes, CertiKit’s managing director, is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E) accreditation. Here he gives you ten tips that will give you better protection and help you to comply with privacy laws in the countries in which you operate.
The EU GDPR (General Data Protection Regulation) has had a lot of press over the last few years and quite rightly. But it’s not the only privacy game in town. Many other countries have their own privacy laws and if you target their consumers with your goods and services, you’ll need to be compliant. So the first step is to understand which countries’ laws you need to keep in step with. Now that Brexit has happened, the UK’s privacy laws are (theoretically at least) different to those of the EU; Canada has had a law called PIPEDA for many years and the USA is gradually moving towards a federal law, state by state (starting with California’s CCPA). Even China now has one and the list just gets longer as time goes on. To save time, use the free resources available from some of the more established international law firms – see DLA Piper as a very respectable example.
Once you have your list, try to get familiar with the main points. As a general rule of thumb, the EU GDPR is the strongest of the laws around, so if you need to comply with that (or the UK version which is virtually the same) then your efforts should be sufficient for most others too.
It can be very tempting to collect lots of information about people just in case you might need it someday. The trouble is, all that unnecessary information represents a much bigger risk to your compliance (not to mention the data subject) if it gets compromised. So avoid trouble in the future by being prudent today and sticking to the point of the processing.
If you’re not sure what data you’re collecting, you can’t say you’re complying with the legislation. In every business area, whether it’s employee details, customer information or some other type of personal data, you need to know what’s needed and how it is processed. This means following the trail of how the data is collected, where it is stored, what it is used for and when and how it is deleted.
Following the letter of the law can be hard. Studying the finer details of legislation is few people’s idea of fun, so a lot of time can be saved by embracing the general principles of privacy and acting accordingly. By doing this, you may find that you are automatically staying compliant without the effort of doing things just because the law says so. For example, the GDPR has a long list of information that must be provided to a data subject at the point of collection of personal data. By thinking “what would I want to know if it were my personal data” you can get pretty close to that list without reading the relevant article.
If you’ve ever had a data subject access request you’ll know that they can be pretty time-consuming. Tracking down every reference to the person involved is often not a trivial task. So putting some thought into how you may be able to give the data subject direct access to their data (perhaps via a portal or online account) is a worthwhile way to spend your time. Similarly, the process of obtaining and potentially withdrawing consent for some processing can be onerous if it’s not been thought through. Making this feature available online or through an app can save the organization a heap of admin time.
Cloud computing’s great. In ten minutes, I can sign up to a service and upload all my data and start processing immediately. But is it legal? Without conducting at least a minimum of due diligence (i.e. asking the right questions) you really have no way to know. Where is the data stored? How well will it be protected? Does the contract include the necessary clauses to satisfy the applicable laws? Do some checks (and make sure you keep records) or you may face the consequences later.
If there’s one thing that laws like the GDPR are pretty clear about, it’s the fact that contracts between controllers and processors (and other relationships too) must contain the right terms, otherwise you’re just not legal. Checking now may save a lot of embarrassment later on. Fortunately, for the GDPR at least, the EU can help. They have published some standard contractual clauses (SCCs) that anyone can use. Particularly if you’re a controller agreeing terms with a processor, these will save you time.
And so we get to the techie side of the tips. There’s obviously a lot you should do to keep your personal data safe, but for me, two items stand out. The first is the thorny problem of passwords. People are generally terrible at them, and this is a boon for the bad guys. The classic mistakes of too-simple passwords and reusing the same password over and over again still cause more problems than ever, and this is sad because it’s so easily resolved. Use a password manager and all these problems (mostly) go away. And while you’re at it, enable MFA (Multi-Factor Authentication) everywhere you can too.
The worst has happened: one of your senior managers has left her laptop on the train (before the pandemic, when we used to use trains). It’s full of personal data about millions of people. Surely we will need to tell the regulators about this and hang our collective heads in shame? Well, maybe not if the laptop was encrypted (as long as the encryption key wasn’t written on a sticky note attached to the screen). If the data is unreadable then its loss may not represent “a risk to the rights and freedoms of the data subject” (GDPR-speak for “bad”) and so there may be no need to tell anyone. Effective encryption protects your data like nothing else. Use it wherever it’s available (including cloud systems) and guard the keys with your life.
If something does happen that means that personal data has been compromised then by law you must do the decent thing and tell the relevant authority (for example the Information Commissioner’s Office in the UK). The clock starts ticking as soon as you become aware of the issue so don’t delay; tell them what you know as soon as you know it. The details can be fleshed out as the situation unfolds. Be open and honest with any resulting investigation and fix the issues found in good faith. A read through the details of the prosecutions made under privacy legislation will show you that trying to hide things and then not doing anything about the problem is a recipe for a much bigger fine.
Privacy is a serious business and needn’t be hard if the right attitude is taken. Hopefully these ten tips will help you to stay compliant and avoid becoming tomorrow’s breach story.
CertiKit is a provider of document toolkits and has helped more than 4000 organizations worldwide with their compliance.
For more guidance on complying to the EU GDPR, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.