Rights and responsibilities of managers under new legislation

The rights and responsibilities of individuals, employers and employees when the new General Data Protection Regulation (GDPR) comes into effect on May 25 next, and the costs of getting it wrong, were spelled out by Mr. Urban Schrott, IT Security and Cybercrime Analyst, ESET Ireland, at a meeting of the HMI Dublin/Mid Leinster in Dublin Dental University Hospital. Maureen Browne reports.

Urban Schrott

The General Data Protection Regulation is a new single data protection law covering all businesses that process the personal data of Europeans.
Mr. Schrott said that, basically, GDPR applied to anyone who handled any sort of ‘personally identifiable data.’ A name, phone number and address were considered ‘personally identifiable data.’ Current fines for breaches of the GDPR were up to €100,000, depending on the member state involved.
More than half of Irish companies said that they had suffered a data breach in the previous 12 months, according to the National Data Protection Survey as reported by The Society for Chartered IT Professionals in Ireland. The results also showed that data breaches, hacking attacks and employee negligence had all risen in the last year in Irish organisations. External attacks had also increased.
In July of this year, the Irish Independent reported that a total of 55 per cent of Irish organisations said they had seen company data stolen, hacked or otherwise compromised over the last year, largely due to “negligent employees.”
In May 2017 the Irish Times reported that, according to the HSE, one Irish hospital had fended off 5,000 cyber attacks.

Mr. Schrott said the 2017 Ponemon Institute study in the United States revealed at least 5,000 confirmed breaches, exposing close to 900 million records. Of the corporate workers surveyed, 59% stated they would have no qualms about leaving with sensitive company data upon layoff or departure, 79% of these respondents admitted their company did not permit them to leave with company data, and approximately 68% were planning to use email lists, customer contact lists and employee records for their own business.

Fines under GDPR were up to €10 million or 2% of annual turnover in the preceding financial year for violations of the obligations on internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default. Up to €20 million or 4% of annual turnover in the preceding financial year applied for violations of the data protection principles, the conditions for consent, customers’ or employees’ rights and the rules on international data transfers.

The GDPR provided that National Data Protection Authorities would be able to impose fines, carry out audits, require businesses to provide information and obtain access to company premises.

Before May 2018, ordinary consent was necessary for non-sensitive personal data and explicit consent for sensitive personal data.

Mr. Schrott said the burden of proof was with businesses. Data subjects must be able to withdraw consent easily at any time, and businesses could not require consent in exchange for their service. He said appropriate measures which companies could take to protect themselves included minimisation of data processing, encrypting or pseudonymising data, and transparency enabling data subjects to monitor the handling of their data.

A privacy impact assessment was necessary prior to any data processing and for any systematic and extensive evaluation by automated processing with legal effects concerning data subjects, such as profiling.

He said data processors were required to be GDPR compliant and to keep records of the categories of activities they carried out on behalf of data controllers. A review of contracts with data controllers might be needed, since processors were themselves subject to fines under GDPR. Businesses needed to create a data breach response plan, designate specific roles and responsibilities within the company, train employees and prepare notification templates.

If personal data was unintelligible, data subjects did not need to be notified about a breach, and encryption was named by GDPR as an appropriate means of achieving this. Encryption was powerful, widely available and relatively low cost. It was embraced even by national authorities.

The regulations provided new rights for individuals. These included the right to be forgotten, where data was no longer necessary or the subject withdrew consent. There was also the right to object to profiling, to object to personal data being processed, and to obtain a copy of personal data from the controlling company. Businesses must reply within one month of receipt of the request and provide more information than was required by the regulations in force before GDPR.

Mr. Schrott said an organisation could protect its data by using data classification, implementing a data loss prevention solution and data encryption, defining data responsibility in contracts, organising regular awareness training, motivating and appreciating employees, and doing detailed background checks on jobseekers.

The “good” news about GDPR was that it provided one common set of rules, there were fewer national variations, and the National Data Protection Authority was a one-stop shop.

The “bad” news was the need for new technical and organisational measures, more responsibility on the shoulders of organisations, a possible need to redesign systems and renegotiate contracts and higher fines.

ESET, which was established in 1987, could help. Its antimalware now protected over 100 million users worldwide, including endpoints, servers, networks, mobile devices, email and services.