The old cliche runs that failing to prepare is preparing to fail. While many businesses may feel comfortable with their level of data protection compliance more than a year after GDPR, the reality is far more nuanced.
Different parts of the regulation are designed to work together like cogs in a machine that keep data patterns concise, secure and relevant. Two of the most interlinked aspects of GDPR are Article 30 and Article 32: records of processing and security of processing respectively. A firm grasp of how these two sections of the legislation compliment each other will help business owners manage risks related to processing data within their companies.
It may be the case that only one subset of data, biometric information for example, requires investing in added security, such as 256-bit encryption, while the rest of the information collected need only be password protected.
Or by understanding exactly what data is being collected pursuant to Article 30, a small business can, in some cases, dispense with unnecessary overheards completely.
Under Article 30, businesses acting as data controllers who are processing the personal information of any EU individual must document the following:
- The name and contact details of your organisation.
- If applicable, the name and address of your data protection officer.
- If applicable, the name and contact details of any joint controllers.
- If you are based outside of the EU and if applicable, the name and contact details of your representative inside the Union.
- The purposes of your processing.
- The categories of individuals, whether that’s customers, employees or organisation members.
- The categories of personal data you process, which may include financial information or health data.
- The categories of recipients of personal data, which means anyone you share the information with, such as a credit agency or insurance company.
- If applicable, the name of any third countries or international organisations outside the EU you share data with.
- If applicable, the safeguards in place for these external transfers listed above.
- If possible, retention schedules for different categories of the data.
- If possible, a general description of your technical and organisational security measures – basically, the safeguards you have in place.
Keeping the above points (which will still apply after Brexit as per the UK’s DPA 2018) in mind, Article 32 requires your business to consider: “The state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
Stakeholders need to apply the first half of that statement to the business’ current situation and the second half to the relevant Article 30 points listed above. From there, they can “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Once you understand which data you hold, where it’s stored, how it’s processed and where it goes, you can determine how much risk there is to each stage and deploy the relevant technical and non-technical information security measures.
For example, you may be processing different financial data for employees as you are for customers. The former is collected when you create an employee record while the latter is created when you receive a sign-up for a loyalty scheme. What if staff in both Finance and HR have access to those two differing sets of data? A security configuration can be installed to make Finance only privy to the customer data and HR only privy to the employee data. That is a relatively affordable technical security measure that will instantly reduce a potential security risk of cross-contamination.
In the above situation, by applying Article 30 and Article 32 together, a business owner can manage risk in their organisation and cut down on both the chance of a data breach or an imposing fine from the Information Commissioner’s Office (ICO) for not employing relevant organisational measures.
One of the key features in the Flowz product is that once you’ve created and defined the data asset (e.g. bank records for employees) the software adds the facility to give attributes risk indicator values so the information risk can be clearly identified and proportional controls can be added.
These aren’t just box-ticking exercises either. Having a clearly mapped record of data and the appropriate security applied in each case will make the aforementioned cogs run significantly smoother. In August 2019, the Belgian data protection watchdog began investigating Mastercard’s European unit for a data breach detected on August 19. It believes several thousand customers signed up to Mastercard’s loyalty programme have had their data leaked onto the internet after it was captured from an unsecure database.
Because a “significant portion” of the affected customers are believed to be German, the German data protection authority is also getting involved.
Early media reports suggest that as many as 90,000 customers may have had personal information including names, payment card numbers, e-mail addresses, home addresses, phone numbers, gender, and dates of birth available on the internet “for a certain period of time.”
David Stevens, the chairman of the Belgian Data Protection Authority said: “We have received a lot of questions and complaints since the announcement of this incident, we want to reassure users: we have contacted MasterCard in order to get additional information, and are following this case closely.”
Mastercard responded with a statement that the incident has “no connection to Mastercard’s payment transaction network” and that “there was an event involving the Specials loyalty platform in Germany managed by a third-party vendor, which resulted in the unauthorized distribution of certain information.”
It remains to be seen what the outcome of the investigation will be and if any fines will be levelled against the company for not applying Article 32 to a sufficient degree. But it stands as a contemporaneous example of how failing to prepare sufficient risk strategies against a properly mapped data flow can lead to financial consequences.
Mastercard is, of course, a gigantic financial powerhouse and the repercussions will take that into account. Nevertheless, smaller businesses are still held to account when it comes to managing risk and making sure they have an interlocked approach to compliance with Articles 30 and 32.
References:
- GDPR, Article 30: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX%3A32016R0679#d1e3033-1-1
- Dataprotectionauthority.be, 23rd August 2019: https://www.dataprotectionauthority.be/news/belgian-and-german-data-protection-authorities-collaborate-mastercard-data-breach
- MasterCard: https://newsroom.mastercard.com/eu/de/press-releases/statement-priceless-specials-plattform/
Written by David Stone, Flowz