Any successful GDPR compliance programme must address both data privacy and security. The two terms are often used interchangeably, but in practice, they’re quite different. Data privacy governs how your customers’ data is collected, shared and used. Security focuses on protecting that data from theft and breaches. Put simply, data can’t be private if it’s not secure. On the flip side, there’s no point securing data if you lose your right to it because you’ve lost your customers’ trust or breached privacy laws.
We recently spoke with three industry experts to get their take on how New Zealand companies are balancing these twin imperatives.
ON THE PANEL
Jason Wild, Information Security Consultant at Origin Security
Anthony Naulls, Head of Technology at Les Mills International
Guy Smith, Commercial and Technology Associate at Duncan Cotterill
There has been a massive amount of media coverage of GDPR in the eighteen months leading up to the 25th of May. Many of the headlines have been around the potentially massive fines for non-compliance in the face of a breach, so it’s not surprising that companies around the world have been scrambling to get their houses in order. New Zealand is no exception. We’ve been having conversations with a number of our clients around what GDPR means for them, to what extent they need to comply, and how they might go about doing this.
What’s it all about?
GDPR is aimed at putting control of personal data back in the hands of the individual; at ensuring that companies only hold data that they have a genuine business need to hold; and that they do the best they can to keep this data secure. This focus on individuals’ rights is apparent in the scope of the regulation – it applies to any company that holds or handles European citizens’ data, regardless of where that company, or the individual, is based. I’m a British citizen who resides in New Zealand, so if you think about it, any New Zealand company that holds any of my information is subject to GDPR – at least until Brexit happens! So as a business owner, director or other stakeholder within a firm, the first thing you should do when you start considering what GDPR means to you, is to seek legal advice around how it applies and what the legal implications to your business are.
Where to start?
So, assuming that you’ve spoken to your legal counsel and have determined that GDPR is something that you need to be concerned about, where do you start in your efforts to become GDPR compliant? This probably seems like a daunting question, so my advice would be to take a step back and consider this from two perspectives. Firstly, think about what data you store or handle, and for what purpose – this is the privacy perspective. Then think about how you protect this data – the security perspective. It’s important that you approach it in this order, otherwise you run the risk of putting a lot of effort into securing data you don’t need, or missing data that you didn’t realise you had.
Know what you’ve got (and why you’ve got it)
It may seem a bit strange to suggest that companies may not know what data they hold or for what purpose, but you may be surprised at how many have exactly this problem. Part of the issue is that very few have ‘one source of the truth’ – information is typically held in multiple systems, and different departments will have different reasons for maintaining that data. Some of this may be for genuine business reasons, whereas some may be the result of legacy requirements or old systems, or it may simply be that data was collected ‘just in case’, or was intended to be transient, but was never deleted or cleaned. Given that GDPR is all about what you hold and why, your first step should be to audit what you have, understand why you have it and then get rid of anything that you don’t have a genuine business need for. This will help in two ways – you’ll reduce your exposure in terms of the data you hold, and you’ll reduce the scope of data that you have to protect. It will also help you to design business processes that will allow you to respond to data disclosure requests and to delete data, should someone invoke their ‘right to be forgotten’.
Keep it safe
Once you understand what you’ve got, you need to take reasonable steps to keep it safe. ‘Reasonable steps’ will vary from business to business, depending on a number of things including: the type of data you hold, where the data is held, how much money and resource you can invest in security, risk assessments, and your corporate appetite for risk. My advice would be to begin with the basics – CERT NZ’s critical controls 2018, or the Australian Signals Directorate Essential 8, are a good place to start. And remember, focus your efforts around the data you really need to keep safe - if you have information that is already in the public domain, or is not sensitive, why spend time and money trying to secure it?
Don’t be afraid to get help
In New Zealand, the main challenges around security are lack of investment, lack of skilled resource, and lack of awareness. This last point is starting to change, but there are still too many people out there who think that geographic isolation offers some protection (it doesn’t) or that ‘she’ll be right’ (she won’t). If you don’t have the luxury of in-house information security expertise, there are a growing number of consultancies and service providers who can help. This is still a maturing market in New Zealand, but there are several providers who are well established with good credentials, covering firms of all sizes, from small to medium to enterprise organisations.
On the face of it, GDPR seems scary, but if you approach it in a systematic way it becomes easier to identify what work you need to do in order to become compliant. And even if you’re not subject to GDPR, the steps I’ve outlined above can help ensure that you’re following best practice when it comes to handling personal data and make it easier to comply with local privacy regulations.
GDPR boils down to your duty to protect personal information. When we began our journey towards GDPR readiness at Les Mills, our initial assessment was that our cyber security posture was already strong, but that we needed to make some changes to how we handled customer data.
A business-wide steering group
With the fine for non-compliance set at 4% of total global profit, or 20 million Euros (whichever is highest), GDPR compliance was treated as a priority business risk. Our first step was to set up a GDPR steering group including all departments: legal, IT, marketing, and people and culture. This is critical for any organisation doing business in Europe. Should the worst happen and your customers’ data is compromised, the governing bodies considering potential fines will want to see that there is at the very least oversight of data policies and processes.
Choose a master
It’s critical to have shared responsibility and buy-in across all functions, but in our business, marketing has the most touchpoints with our customers. That’s why we chose our marketing platform as the master for customer contact preferences, and mapped our systems and processes around it. We looked closely at how data was being passed, how we were managing permissions and unsubscribes, requests for information, and how we were managing the deletion of records at an appropriate time of inactivity. We did this at both a local and a global level.
A global preference centre
Our analysis led us to conclude we needed a single view ‘preference centre’ to centralise and manage our data at a global level. If people say ‘give me all the data you have on me’, there has to be an easy way to action their request. We ended up deciding to begin custom-building our preference centre to manage contact lists that suited our suite of applications and products. While we’d love to have one overarching application and marketing platform, the reality is that no such thing exists - so it’s important to centralise the management of opt in and outs for different products.
One rule to rule them all
When making decisions on data rules we took a pragmatic approach to keep it simple. For example, any record that has had no activity or a valid business reason to retain it for two years is to be disposed of - no exceptions. Rather than have varying classifications of personal data, we opted to treat all data as sensitive, as the risk of complacency is very high. One rule means one set of procedures and policy, removing potential confusion or the risk of following the wrong process for a certain set of data.
Continuing the focus on security
No matter how well you collect and handle data, it’s pointless if you’re not doing everything you can to protect it from being stolen. We’ve always treated information security as a business risk, not just an ‘IT issue’, so our security posture was already strong. However, with GDPR approaching, we doubled down on our commitment. We reviewed our security governance framework and created additional policies to fill gaps under the new laws. We implemented user awareness security training and stepped up our email phishing testing programme. And finally, we reviewed our file sharing policy. We ended the use of free and non-centralised, uncontrolled applications, so that we now have certainty around where files with customer data are stored and what they contain.
It’s an ongoing programme of work
There will never be a date that we can just stop and say ‘we’re compliant now’. GDPR and security compliance is an ongoing programme of work that requires consistent training and education. We’ve run many webinars in the past few months to educate our global markets on policy and process for passing of data, and will continue to do so. It’s all about awareness, education and process.
Be smart about how you resource
Though we have an information security specialist in-house, we opted to outsource our security policy creation. This is a no-brainer: starting from scratch makes no sense when we can tap into experts who live and breathe it. We can then use our in-house specialist to adjust outsourced policies to our unique environment on an ongoing basis. We also outsource security testing services for applications and external infrastructure penetration testing to keep us on top of our cyber security measures. Our efforts can then stay focused on getting data privacy processes right and making the business decisions that allow us to deliver on our security roadmap.
For Kiwi businesses, there’s no need to go bananas, but it is still an opportune time to consider the GDPR and what it’s telling you about the way that privacy law, as a reflection of society’s privacy expectations, is trending.
If there was a big flashing neon sign summarising the GDPR and the trend in privacy law worldwide it would say something about clear disclosure and informed decision making. For businesses, that means actually knowing what data you’re collecting about people, how you’re using it, how you’re sharing it, and with whom. It means taking a customer-first look at those things. Because the GDPR wants you to understand your own handling of data, tell your customers about it clearly, and give them more control. The days of privacy policies in broad brush strokes are numbered.
Also numbered are the days of sweeping poor privacy practice under the carpet. We’ve seen the fallout of this in spectacular fashion, with Facebook being hauled in front of Congress and $35bn shaved off their share price (which, it has to be noted, they’ve now recovered). Both the GDPR and the Privacy Bill here in New Zealand contain mandatory breach notification provisions. If I was a consumer-facing privacy officer without my house in order I’d be much more worried about having to announce my own company’s bad privacy behaviour than I would be the huge monetary penalties looming in Europe. Public shame, and the damage to reputation, should be a powerful motivator.
More of the same?
Back to the “don’t panic” point. If your business is doing a good job of complying with the Privacy Act 1993, you’re probably well on your way to complying with the GDPR. If you’re a privacy officer or CTO you should understand how your business collects, stores, uses and discloses information about individuals. Remember, if you get that information aggregated, it doesn’t mean it’s anonymised. If you have clocked that personal information doesn’t have to contain directly identifying details but just be capable of identifying someone, then you’re in good shape.
There are relatively few new elements in the GDPR and all signs are that European regulators are nowhere near ready to enforce the GDPR domestically, let alone abroad. The Privacy Bill which is currently in front of our Parliament is far from a step change either. I suspect that it will swing toward the GDPR before it is enacted, but even if it does it’s unlikely to get all the way there.
The message to take away is that society’s expectations of you as the holder of information about its citizens are becoming more rigorous. Keep on top of your information management and security practices, be transparent, and take a consumer-first viewpoint and you won’t go far wrong.