What internal auditors need to know ahead of new EU data protection rules.
Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.
Setting the scene
PwC reported in its 2015 Information Security Breaches Survey that 90% of large companies had suffered a data breach over the previous year, with 74% of SMEs suffering the same fate. In addition, IBM and the Ponemon Institute recorded in their 2015 Cost of Data Breach Study that the average loss from a data breach was $3.79m. The Online Trust Alliance found that 90% of data breaches could have been prevented using critical security best practices, as 29% were the result of employee error (intentional or accidental) due to a deficiency in internal controls.
The rapid pace of technological change and globalisation have profoundly transformed the scale of, and the way in which, personal data is collected, accessed, used and transferred. Social networks, data sharing websites, cloud computing and new portable devices (including tablets and smart phones) pose new challenges not only for data controllers but also for internal auditors, as we leave digital traces with every move we make. With more and more individuals worrying about their own personal data in light of recent data breach headlines, there has never been a better time to introduce new controls and procedures to protect our data.
Reform is coming and after more than three years the EU data protection framework has finally been agreed with May 2018 being quoted as the implementation date. Despite being two years away there is no time for complacency as there are so many areas an organisation should start thinking about including a review of their obligations under the current DPA.
Overview of DPA
The Data Protection Act 1998 (DPA) defines UK law on the processing of data on identifiable living people and brought the UK into line with the EU Data Protection Directive of 1995.
The purpose of the DPA is to protect an individual's right to privacy with respect to the processing of personal data and includes the legal right for individuals to control information about themselves. The DPA applies to firms holding information about individuals in electronic format and on paper and requires that they follow the eight DPA principles of good information handling as follows:
- fairly and lawfully processed
- processed for specified purposes
- adequate, relevant and not excessive
- accurate and, where necessary, kept up to date
- not kept for longer than is necessary
- processed in line with the rights of the individual
- kept secure
- not transferred to countries outside the European Economic Area unless the information is adequately protected.
The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Anyone holding personal data for other than domestic use is legally obliged to notify the ICO, unless they are exempt. Failure to notify is a criminal offence, and the ICO can issue fines of up to £500,000 for serious breaches of the DPA. For full details of the DPA principles refer to the ICO website.
Future changes - the GDPR
"The EU data protection reforms promise to be the biggest shake up for consumers' data protection rights for three decades." - Christopher Graham, ICO
Viviane Reding, vice-president of the European Commission, introduced a Draft General Data Protection Regulation (the ‘Draft Regulation’) on 25 January 2012 which will now replace Directive 95/46/EC (the ‘Data Protection Directive’). Political agreement has now been reached via the trialogue discussions between representatives of the European Commission, Council and Parliament, with a date of May 2018 having been set. The GDPR will apply to any organisation that holds or uses personal data of EU citizens. Companies are now directly responsible for data protection compliance wherever they are based (and not just their EU based offices) if they are processing EU citizen personal data.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR. However, there are new elements that need to be addressed, and many have commented on how best to prepare for the new GDPR. The following observations come from the ICO, which recently produced a comprehensive guide called Preparing for the General Data Protection Regulation (GDPR) that looks at the key steps organisations should take now.
What internal auditors need to know
Document what personal data is held by the organisation, where it came from and who you share it with. The ICO suggest that you may need to organise an information audit across the organisation, or within particular business areas. This will assist in compliance and the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
Review current privacy notices and ensure you are transparent with the data subjects. The new regulation will require you to additionally explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the regulator (ICO) if they think there is a problem with the way their data is being handled. The GDPR requires the information to be provided in a concise, easy to understand and clear language.
Data subjects must give consent (freely given, specific, informed and unambiguous) to allow for the processing of their personal data. Consent must be ‘explicit’ for sensitive data, thus requiring the data controller to be able to demonstrate that consent was given. Internal auditors should review the systems the organisation has for recording consent to ensure they have an effective audit trail. In addition, the GDPR will require systems to be in place to verify individuals’ ages and to gather parental or guardian consent before processing the data of anyone under the age of 16.
Accountability and privacy by design
The GDPR places accountability obligations on the data controller to demonstrate compliance. Internal auditors should therefore ensure that certain documentation is maintained, that Privacy Impact Assessments are conducted (ensuring that lists are kept of what is caught) and that privacy by design continues (minimising the risks).
Data breach notification
Data controllers will be required to report data breaches to the ICO (note not all breaches need to be reported). This must be done without delay and where feasible within 72 hours. The threshold for notification to data subjects is that ‘there is likely to be high risk’ to their rights and freedoms. Internal auditors should start now to make sure they have the right procedures in place to detect, report and investigate a personal data breach.
Subject access requests
The GDPR has forced a change to the current SAR. Existing principles permitting access to personal data are largely retained but the time period for dealing with subject access requests has (from a UK perspective) been reduced to one month from 40 days and there is no longer the ability to charge a fee. Internal auditors should therefore review and update current procedures and plan how data controllers will handle requests within the new timescales and provide any additional information.
Data protection officers
In certain circumstances there will be the requirement to appoint a data protection officer or a person responsible for data protection compliance. The data protection officer should have sufficient knowledge, support and authority to carry out this role.
The above points cover some of the key areas that need to be addressed by those responsible. In addition, attention should be given to areas including: the legal basis for processing data, the rights of the data subject (including the ‘right to be forgotten’), training and awareness, and the international transfer of data.
To conclude, it is fair to say that the changes centre on the fundamental principles of data protection in a more technologically advanced world, which for most are already embedded into existing systems and controls. Whilst 2018 seems a way off, organisations need to take action now and review or implement the changes required to ensure compliance. Acting now, for example by carrying out an audit of practices and reviewing policies, will keep you on the right track and ensure you don’t panic come 2018.
The new sanctions - under which, in the worst case, the regulator could impose a penalty payment of up to 4% of annual turnover or €20m - will certainly attract the attention of board level executives and ensure they support and promote good data protection governance within the organisation.
Dr Stephen Hill - director, Snowdrop Consulting Ltd (now part of Absolute Partnership)
Additional information to assist internal audit
Principle seven - kept secure (internal audit focus)
The DPA requires that ‘appropriate technical and organisational measures’ are taken against unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data. The ICO considers that the level of security should be appropriate to the level of damage which would be caused by any misuse or loss of the data. Failures to keep personal data secure are well publicised and have an adverse effect upon an organisation’s reputation. Some examples of high profile incidents and ICO penalties are:
As can be seen, the failure to keep personal data safe primarily arises as a result of human error combined with:
- poor physical security
- social engineering and web 2.0 exploitation (social networks)
- loss or theft of laptops, tablets, USB, portable hard drive, DVD/CD
- hardware or password abuse (internet and email)
- remote access (wireless) or cloud exposure
- poor internal controls.
When considering the measures that can be put in place to prevent security breaches or limit the damage it is important to first establish what level of security is right for your business and also understand all of the processes involved as you collect, store, use and dispose of personal data. Whilst no single product can provide a 100% guarantee the most effective security is created through a layered approach, combining a number of different tools and techniques.
In an office environment we can take measures to protect personal data such as ensuring computer screens are not visible to visitors, closing down unattended computer systems, securing paper records out of hours and placing waste paper in secure bins prior to secure disposal. When working remotely and/or undertaking site inspections there is a need to take greater care by: not leaving papers on view (either at home, in a vehicle or on public transport), working in a dedicated (and if possible secure) area and shredding all documentation prior to secure disposal. Be vigilant about protecting any portable devices, do not allow access to other people and adhere to IT security policies.
You can reduce the effects by ensuring that personal data is only transferred to mobile devices if you actually need it and removing it when you have finished. Encryption is a means of ensuring that data can only be accessed by authorised users with a password:
- full disk encryption means that all the data on the computer is encrypted
- file encryption means that individual files can be encrypted.
Anti-virus or anti-malware products regularly scan your network to prevent or detect threats. Make sure they are kept up-to-date. Restrict access to your system to users and sources you trust. Each user must have their own username and password. A brute force password attack is a common method of attack when trying to access Wi-Fi so use strong passwords, limit the number of failed login attempts and make regular password changes.