Implication of GDPR on data processors

Steve Mellings, COO of Data Protection Governance and founder of Asset Disposal and Information Security Alliance (ADISA), looks at the implications of Brexit on data protection in the UK, and what local authorities should be aware of, in terms of legislation and how it affects them

There can be no doubt that we are living through very challenging times, leading to calls for increased monitoring from the security services but being met with equally compelling arguments for increased privacy from intrusion. In this environment, the way in which we as individuals happily share data is at an unprecedented level and, conversely, the appetite for businesses to capture and use data is critical for competitive advantage.

The question of how to regulate this increasingly complex situation is challenging and is one which the European Union has sought to resolve through the EU General Data Protection Regulation 2016/679. This law was passed in May 2016 with an objective to give far greater protection to the individual in terms of their rights about how to control what happens to their data. With each member state being obligated to enshrine this into their own regulatory framework by 25 May 2018, those with a data remit are now fully aware that this new piece of regulation is on its way. The challenge of what to do has seen a marketing frenzy with social media forums awash with ‘GDPR compliance tool kits’ and suppliers who claim to be able to help you comply with the regulation without understanding your business or the law itself.

So, what is different about this?
The first point to note is that when the current data protection act was introduced such elements as cloud computing and social media were not considerations and how business was done was not as varied and dynamic as today. So not only is this re-write of law necessary, it should be welcomed to reflect the different business environment in which we operate. GDPR (all 99 articles of it), is a very reasonable document. Given that you’re meant to be compliant with DPA 1998, many of the requirements are carried through to the new law but are enhanced to reflect the aforementioned changes. A fundamental change however, is to provide the data subject with far greater controls over their data and, in return, requiring the data controllers to be able to evidence how their processing activities meet these controls.

There are many who still think that Brexit will mean that they no longer must comply with any European Directives but that’s not the case with this one. As the UK will still legally be a member of the EU at the time of the deadline, we have no choice but to follow this regulation, as confirmed by Karen Bradley, Secretary of State for Culture, Media and Sport, and Elizabeth Denham, Information Commissioner.

Those peddling FUD (fear, uncertainty and doubt) about GDPR focus on ‘four per cent of global turnover’ record fines and ‘mandatory breach notification’ as being the key changes. Whilst these are headline grabbers, I’m unconvinced that it is the right tone to take. I think most practitioners will acknowledge that for many organisations data protection has not had the right level of focus. Security countermeasures are often seen as business inhibitors and with historic fines relatively small, many have viewed the risk as being acceptable. So, whilst the FUD may not be helpful it may at least help to start to build the business case to change.

Where do companies go?
A good starting place is to undertake a root and branches exercise like the DPG Pathfinder which provides a holistic assessment of operational and technical vulnerabilities and GDPR requirements across your business. Failing that you should start breaking down the requirements into smaller projects and focus on each.

One such area is that of data processors, a company which performs a set of operations on (sets of) personal data on behalf of a data controller. For this article, I’m going to focus on one type of data processing and suggest a path of remediation which shows how simply moving from a non-compliant position to a compliant one can be - ICT asset disposal.

This is the process whereby organisations release old, broken or in some other way retired IT infrastructure into an industry which provides data sanitisation services and then brokerage/recycling. This may seem a relatively benign process but under existing legislation government entities have already been fined over £500,000 by the ICO for data breach as a result. More still, freedom of information projects undertaken by ADISA showed that over 66 per cent of police forces are breaking the current DPA and members continue to feedback transactional difficulties which mean they are not able to meet the requirements of their certification due to customer inaction or inappropriate action.

At ADISA, we’ve performed over 500 audits of this process and can easily see why companies get this wrong leading to exposure to data breach but also, obvious non-conformance to current and incoming regulation. Due to restriction of article length, I can only propose two simple steps for you to take before GDPR is enshrined into law to help you within the process of ICT Asset Disposal.

Internal Control
Before we look downstream we must look internally. Currently assets which are marked for disposal become very low priority. Too much attention is placed on the physical asset (often an old or damage device) and not enough on the data which still resides on the media within such devices. ITAM must continue to own the chain of custody after decommissioning and into the downstream. Under GDPR it will be critical to have accurate inventory control at point of release into your downstream. Unless this is the case such release might be considered as breach and requiring notification to the regulator.

Vendor Selection and Management
There is an entire Chapter (4) on the relationship between the controller and processor which indicates the structured approach which the appointment of data processors will have to follow. For asset disposal, you will no longer be able to just have a man in a van arrive and remove your equipment without having a formal assessment process in place wrapped up in a formal contract. Already under Data Protection Act 1998 there is a requirement for data controllers to have a contract in place with Data Processors but ADISA members frequently claim customers don’t want contracts and just want ‘us to collect their stuff’.

A moot point here is that of notification. Should an asset disposal collection take place without a contract in place then that would be breaking the law. If this is the case then under Article 4 – definitions a ‘data breach’ will have taken place. As per Article 33, this will then require you by law to notify the supervisory body within 72 hours of being made aware.

Do you really want to self-inform every time you dispose of ICT equipment?
Within this small part of GDPR the good news is that to move from a non-compliant or unsure position to a compliant position is relatively straight forward as the ADISA Standard and certification programme has been amended to reflect the changes in law. (And will be amended as required as each member state enshrines it into their own regulatory framework).

This means that ADISA members who offer data processing services to you, are well versed in what is coming down the line. Simple things such as the need for a proper contract to be in place are clear within module 3.1. Inventory management from point of collection through to point of data safe are included within both module 2 and 3 within the Standard. Furthermore, some of the additional services offered to you such as copies of the Audit Summary Reports and free monitoring service are all ways which you can comply with Articles 24 and 28.

Of course, I’m biased so I should point out that there is no mandate to use an ADISA certified company, just that we feel there is a significant business benefit in you doing so and as the Standard is formally recognised by DIPCOG and listed on the NCSC website as a certification scheme - the question should really be why not!

If you’re still unsure, read our white paper or contact your ADISA Certified company and ask how they can help.