Data Protection: How to Prepare for GDPR by Creating a Culture of Stewardship
It seems to be a weekly occurrence that an organisation suffers some form of hack or data breach. A government survey published in May 2016 revealed that two-thirds of large UK businesses had been hit by a cyber breach or attack in the previous 12 months. Regular penetration testing, bug bounty systems, and getting to know your local “white hat” ethical hacker can all help, but one of the best defences is, I believe, to develop a culture of stewardship across your organisation.
To prepare for the forthcoming GDPR (I’ve written more about the GDPR’s impact separately) I’ve become my company’s data protection officer (DPO). Part of this role involves training in data protection and passing on this training to colleagues. Our team has found this training useful so I’m sharing the main points below in the hope you will find it useful too.
As I mentioned in the GDPR article I believe a product person is the best placed to help a business implement a strong data protection policy – as you’ll have an understanding of how the data is used, and you’ll need to make sure any new features you roll out are compliant.
If you’re in any doubt about the importance of all of this then ask yourself: could my company survive the loss of credibility and reputation if I lost all my customer data and then this data was leaked online? Could my company afford to pay fines of up to 4% of global turnover? Could anyone in my team afford a personal fine for a “deliberate” loss of data?
Understanding Data Protection
For data protection purposes, there are three types of data: data subjects, controllers and processors.
A data subject is the individual whom particular personal data is about. Put another way, the data subject may contain variables made up of personal data. These variables may include data like name and address, or sensitive variables like sexual orientation or political beliefs. These data subjects could be customers, partners, and employees.
- Personal data is any information relating to a living person (the data subject) which could be used to identify them. While it includes obvious information like names, addresses, and phone numbers, physical descriptions and CCTV video clips where individuals can be easily recognised are also personal data. And Rob Pomeroy, information security officer for Sykes Cottages, who has helped me with this post, points out that the “GDPR specifically mentions cookies, IP addresses and RFID tags as types of personal data.”
- Less direct information like a unique reference number or personal salary information could be used to identify someone – so this should be treated as personal data too.
- You must be extra careful with certain sensitive data, namely information regarding race or ethnic origin, political opinions, religious or other beliefs, trade union membership, criminal proceedings or convictions, physical or mental health and sexual orientation. If you store any of this data in your systems it should be encrypted as leaks of criminal convictions or mental health issues could be very damaging to all concerned. Ask your team if you really need to store this kind of data?
A data controller is likely to be you. If you ask a customer to sign up to your service then you become the data controller. The data controller can be a person or an organisation, they determine how personal data is captured, stored and processed.
A third-party tool like Mailchimp is a data processor. It sends emails to your customers – but it is not the data controller, so you still have responsibility for the data. You will need to implement effective measures for data control and be able to demonstrate the compliance of the processor’s activities – i.e. are they going to adhere to GDPR guidelines.
Rob Pomeroy adds: “A processor is any person or organisation who handles data on behalf of a controller. The controller remains ultimately responsible for the data and for the actions of the processor. Therefore the contract with the processor should include adequate guarantees from the processor that the processor will abide by GDPR/DPA and take full responsibility for any breach or neglect on the part of the processor.”
So first of all you should work out what type of entity you are – a data controller or a data processor. A data controller would be Tesla or Apple – when you buy a product from them they then control your data. A data processor would be someone like Amazon AWS or Mailchimp – so the controller owns the data and the processor processes it on their behalf. A data subject would be any users on your website – and of course you are also a data subject, as the company you work for will hold data about you (salary information, address details etc).
Earlier I mentioned personal fines for deliberate data breaches. The “deliberate” wording in the current UK legislation is ambiguous, as the following example shows. A lawyer was recently fined £1,000 for a data breach. Her husband had access to her machine and backed up some files in the cloud while he ran software updates. These files, which related to 250 people, including court cases relating to vulnerable adults and children, were then indexed by a search engine. Not a great set of data to be indexed and found online.
As a product person you surely have a duty to create a culture of stewardship across the company to help protect customer and client data. The above example clearly shows how a simple mistake can have serious consequences. If you were to look at your work machine and run a search for xls files – would you find that any of these files contain email addresses and customer addresses? What about your marketing team – do they have any exports of mailing lists on their desktops? They really shouldn’t. As a rule, if you must have these types of files available I recommend storing them on Google Drive behind two-factor authentication. Then if your laptop or phone gets stolen you can log in to a new machine and use the “sign out of all other web sessions” link in Gmail. Encrypting the data on your hard drive is also a good solution. Even adding a password to the file as a basic step helps.
It is worth taking a risk-based approach and categorising your data into high, medium and low risk, because it will help to inform the type of protection and control you place around the data. So if you’re working on internal products such as CRMs, CMS systems or other business operations, I would include such a classification structure. If you need to capture date or birth or card details and have already tagged them as high risk, them you can make sure these fields are obfuscated in your CMS unless the admin has sufficient rights to view the content.
Additionally Rob Pomeroy suggests “categorising all data according to sensitivity. For example. proprietary, confidential, sensitive, personal, public. Use whatever categories suit you.”
Any data you think may be high or medium risk should not be taken out of the office without being password protected or encrypted. That means you, developers – those people who take home a dump of the user table without cleansing all the email and address fields. And it means you, account managers – with an export of your Pipedrive CRM list stored on your machines. And you, managing directors, with your sensitive share-offer contracts on your laptops.
Examples of high-risk data could be:
- A data set containing more than 1,000 identifiable individuals (i.e. a mailing list, an export of last week’s user signups).
- A fuller data set containing records of more than 50 individuals which could be used for fraud or identity theft. This could include things like bank account or credit card details, date of birth, and salary.
- A data set containing health information, disability, ethnicity, sexual orientation, political or religious affiliations or criminal records. The guidance I’ve seen is that this data set should be classified as high risk if it has over 10 people – but it would be serious even one of these data sets was leaked. Are your HR people storing this information on employees securely?
- If your office has a door access code this is obviously a high-risk item. Is the door code changed when a staff member leaves the company? Network passwords and wifi passwords should also be classed as high risk.
- Contracts with partners and clients. This isn’t so much of an issue with GDPR (which focuses on personal data) but if a contract showing how much a client has paid you for a job got leaked this would be embarrassing to both parties – these contracts should be securely stored.
Medium-risk items would be things like a tender for a new contract (before the work is awarded), company restructure proposals affecting more than 10 people, or a smaller data set of personally identifiable data.
Low-risk items would be things like PSD files relating to designs that are already live or copy decks for work already in the public domain. It’s anything that doesn’t contain sensitive data, and was going to be released publicly anyway (or is already public).
If you need more examples, then universities are generally very strong on data protection. Stanford University has some excellent guidance.
Simple Steps to Keep Your Data Safe
To help keep your data safe I would add something like the following into all employee contracts (or at least get employees to reply via via email, saying they comply with these basic steps):
- Use a password lock screen on your laptop after it has been idle for longer than 5 mins. Also, lock your screen when not at your desk. (In order to enforce this rule, if I see an unlocked machine in the office I log on and add strange pictures as desktop backgrounds. Very immature, I know, but it gets the point across).
- Use Enpass (or similar) to securely store passwords.
- Don’t send sensitive URLs via email (i.e. URLs of your CMS). If you send them via Slack or Skype then delete them afterwards.
- Use http://passwordsgenerator.net/ (or similar) to generate passwords for sensitive websites and email accounts.
- Use Google Authenticator to access any CMS or any payment gateways (if applicable).
- Make sure not to log in to any sensitive systems on public wifi.
- Use a virus checker on your laptop (for example Avast or Avira) and ensure you manually run a full scan every month at a minimum.
- Set up two-step authentication on your email accounts, set them to require re-authentication every 30 days.
- Don’t keep sensitive high-risk data on your laptop (or at least add password protection or encryption if you really need to store files).
- Keep a clean desk policy in the office (i.e. no client contracts sitting in view, have a safe or secure locker to store these instead).
- Make sure you’ve got a good firewall in the office. We have the Watchguard system installed – it’s linked to a central database taking feeds from all the other Watchguard systems around the world. When the Wannacry virus was detected on a Watchguard system all the other Watchguard systems were able to block it. If you’re on a Mac then make sure the inbuilt firewall is switched on so you are protected at home. If you’re on a PC then Windows has an inbuilt firewall, and there are free tools like Zonealarm which can give you basic protection.
It’s also worth making sure any USB-enabled devices have “autorun” turned off (you don’t want a Stuxnet situation). Ideally you shouldn’t let people have free rein to install software on their machines either.
Principles of Personal Data
In 2016 UK telecoms company TalkTalk was fined a record £400,000 for breaching the fifth and seventh principles of the current UK Data Protection Act. I say current, as when taken the upcoming GDPR it will strengthen some of the rights of individuals and creates some new rights for individuals too. At the moment the principles are:
- Data should be processed fairly and lawfully – with consent given, the user should be informed how and why data is being used
- The data should be used only for one purpose
- The data should be adequate
- The data should kept up to date and accurate
- The data should not be kept for longer than needed. Bookkeeping records must be kept for six years. There is no minimum or maximum time for holding data
- Personal data must be processed in accordance with the rights of the individual
- The data must be kept secure
- The data should not be transferred outside Europe unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects
In TalkTalk’s case it had purchased Tiscali, a company whose infrastructure included old web pages that were still available online. This also gave access to a database containing over 150,000 names and the bank details of over 15,000 people. This database was out of date and had not been patched with security updates (and had been hacked into multiple times). So you can see why TalkTalk was in breach of two of the principles. The data was kept longer than was needed and was not kept secure.
As for the eighth point, in a non-EU company, or one where data moves around outside the EU, the data processor (i.e. the company moving the data around) must have a strong policy. Online payment provider Stripe, for example, has an excellent policy which covers this.
With the upcoming GDPR these eight rules will change to the following six rules:
1. Lawful, fair and transparent
You need to have legitimate grounds for collecting the data, and it must not have a negative effect on the individual or be used in a way that they would not expect. So for example, rather than just saying “subscribe to our newsletter”, consider a more transparent statement like “From time to time we would like to send you special offers relating to your purchase, you can opt out of these emails at any time”.
2. Limited for its purpose
You should collect the data for a specified and explicit purpose, and not use it in a way the individual would not expect. So this would include capturing someone’s email address and then giving this data to other similar companies who will to market their goods to that individual.
3. Adequate and necessary
It has to be clear why you are collecting the data and what you are going to do with it. You should not collect any unnecessary data or information without a clear purpose. For example if you are selling clothes online do you really need to capture someone’s date of birth?
You should take reasonable steps to keep the information up to date and change it if the data is inaccurate. For example letting individuals change their name or address themselves.
5. Not kept longer than needed
You should not keep the data for longer than needed, and when it is no longer used or out of date you should properly destroy the data. A lot of companies are now reaching out to their databases and asking them if they still want to be sent marketing materials.
6. Integrity and confidentiality
You should make sure data is processed in a way that ensures appropriate security. So this would make sure the data is kept safe and secure – including protection against any unauthorised or unlawful processing, loss, damage or destruction.
You may have noticed that these six principles do not include individuals’ rights or overseas transfers, these are covered but elsewhere in the GDPR (I cover the new rights of the individual here). Again with GDPR you need to show how you comply with these principles, and not just that you have policies stored on an Intranet.
If you are transferring data in the EU then with the upcoming GDPR you may need to show you have the right policies and procedures in place – and how you enforce them. I recommend that you:
- Write an internal data protection policy
- Write a policy for taking data out of the office
- Have a written policy for dealing with a data breach
- Define your High, Medium and Low data risks – then write a risk register and a ‘Data Protection Impact Assessment’ using the GDPR best practise
- Give data protection training to your whole team
- Appoint a data protection officer in your company
If you Lose Personal Data
First you should review what data was breached and lost. If it was high-risk data you should inform the customers whose data was lost (without undue delay), in inform the appropriate regulator in your territory. With GDPR, Rob Pomeroy points out: “It’s not a case of whether the data is high, medium or low risk. If there’s ANY risk that someone’s rights will be infringed, you need to tell the ICO.”
You should also be prepared with a strategy for what your company would do if it had a data breach. The strategy should consist of:
- A recovery plan, including damage limitation
- A reassessment of the risks related to the breach (i.e. could it happen again)
- You should inform the appropriate people and organisations to which the breach has occurred. In the UK this would be the ICO for example. Under the new GDPR ruling you have 72 hours from when the breach is first noticed to notify serious breaches to the regulators
- You should perform a review of your response and add an update to your information security policies
The ICO website has some great guidance on this matter if you want to read more.
Faced with the above, I would take the following next steps:
- If your country has a government-backed cyber security assessment or accreditation, then take it.
- Carry out a risk assessment to minimise the risk of a data breach. Make sure your management team has a formal incident response plan, knows how to deal with a data breach and has disseminated this information to their teams.
- Make sure your data protection policies are up to date and in line with GDPR.
- Have key members of your team carry out anti-money laundering, anti-bribery and full data protection training. I would have customer support and finance teams do this training as a minimum.
- Make sure everyone in your company is following the basic security steps I mention above (using Enpass, two-step authentication on email/CMS access etc)
Thanks for your time, I hope this guidance has proved useful. If there is appetite I’ll add some sample policies and risk registers to the Mind the Product Slack channels.
A special mention to Rob Pomeroy (@robpomeroy) for his advice and guidance in creating this article.