Ready for GDPR? 5 Simple Steps!

According to Kroll Ontrack & Blancco, 4 in 5 IT managers are unaware of the upcoming changes to Data Protection regulations: the EU General Data Protection Regulation (GDPR). This certainly means they can’t be preparing for it either… and, unlike under the Data Protection Act 1998 which it will supersede, the penalties can be huge – 5% of global turnover or €100,000,000 (whichever is greater!).

What is GDPR?

The GDPR will be a common set of data protection rules across the European Union. Technically it will be an EU Regulation which will be implemented in law in all member states – the purpose being to harmonise data protection across the EU and (potentially) centralise policing for international companies.

At the moment it is still in draft form, but the expectation is that, although some changes have been made over its course through the European Parliament, it will be adopted in late 2014 or early 2015 and come into force in 2017 – allowing at least 2 years for companies to transition.

What’s different?

There are 5 main differences from the Data Protection Act in the UK:

  1. Three New Rights For Data Subjects:  The Right To Be Forgotten, The Right To Data Portability, and The Right To Data Erasure.
  2. Mandatory Breach Notification. It becomes mandatory to report data breaches to the regulator within 72 hours, and data subjects must be notified if harm will occur.
  3. Explicit Consent. You must obtain explicit consent to hold the data from the data subject – opting in will become the norm.
  4. Penalties. As mentioned, the penalties rise significantly for negligent data breaches – rising to 5% of global turnover or €100m for more serious breaches.
  5. The Data Protection Officer.  Public sector bodies and organisations processing over 5,000 subjects’ data in 12 months must appoint a Data Protection Officer whose responsibility it will be to conduct risk assessments and analysis and to safeguard the data.

Don’t Panic – We’ve Got 2 Years!

Don’t Wait Either.

With such huge changes proposed there are the usual elements of the IT industry who are either professing impending doom or suggesting that it won’t happen.  Neither seems likely to me – GDPR will happen in some form, likely close to the current drafts; and there is no impending doom.

There are at least two years until you have to be compliant, so there is plenty of time to start integrating the new principles now so that the change can be almost seamless by the time it becomes mandatory.  Data security is becoming a large differentiating factor for consumers, so make sure you’re ahead of the game – I’ve got 5 simple steps you can start with now to make sure you’re ready come 2017:

5 Simple Steps to GDPR Compliance.

1.  Understand Where You Are.

Before you can start to think about how you’ll comply with GDPR you need to know what data you have now, where it is and how it is protected.  Undertake an audit of what you hold today, and what you’re likely to take on in the next few years.  Once you have this, assess how relevant it is – do you need to keep it?  Does it have value?   Of course you should be destroying data when it becomes unneeded under the DPA’s Principle 5… but check and delete.  If you don’t have it, you can’t lose it!

2.  Obtain Consent & Engage.

Now you know whose data you’ve got, remember that you’ll need their consent to hold it in a post-GDPR world.  You can use the next two years to obtain that consent when customers and data subjects contact you naturally.  Develop the processes for obtaining consent now – a simple ‘Do you mind if we hold your details?’ in a contact centre conversation will suffice.  Don’t try to obtain it surreptitiously, in small print or otherwise: people won’t take kindly to it and it’s not in the spirit of the regulations.  Would you want your data held like this?

If you start asking now, by 2017 a huge proportion of the relevant data you hold (remember to destroy ageing data!) will be opted in and you won’t be one of the organisations embarrassingly seeking retrospective consent.

3.  Update Your Policies.

As the GDPR will enshrine a right for data subjects to see your privacy policy, this is a great opportunity to update it and make it obviously available – put it on your website.  You can use the results of your audit from step 1 to make sure it’s accurate too.  Ensure it is written in plain English and is easy to understand.

Update your Breach Policy & Detection.  With stiff penalties for failing to report breaches, and a much shorter timescale than you might be used to working to, it’s important that your internal process means any breach, no matter how small, gets to your Data Protection Officer (or equivalent in smaller companies) promptly, and that you have a plan for how to react.  Ensure that everyone in the business knows the importance of reporting data loss promptly – include it in your recurrent data protection training from now onwards.

4.  Identify Responsible Person.

If you’re a public body, or process data on more than 5,000 subjects, then you’ll need someone to fulfil the mandatory role of ‘Data Protection Officer’, but even if you’re smaller you’ll want to identify one person in your organisation who can ensure you’re compliant.  Someone with experience of data protection principles and a good view of the company will be ideally placed.  Resist the temptation to appoint someone from the Finance or Legal teams unless they’ve genuinely got a good understanding of the data identified in step 1.

Use the time between now and implementation to make sure that they have conducted relevant Data Risk Assessments and mitigated risk wherever possible.

Then, importantly, empower this person – get senior management or the board involved to ensure that everyone knows about the changes and the importance of them (there’s €100m at stake here!).

5. ‘Change-In’ The GDPR now.

Come 2017, most companies won’t be operating exactly the same systems, in the same state, as they are today. This means the natural business changes which keep driving them forward can be used to ensure you’re designing in GDPR principles from today onwards.  Simple ideas and some best practice:

  • Select a data protection framework now (COBIT, NIST or ISO) and judge all new changes against it.
  • Build in monitoring and reporting tools which report loss.
  • Obfuscate and encrypt data wherever possible, especially on test systems.
  • Adopt ‘Opt In,’ ‘Data Portability’ and ‘Data Erasure’ functions in new software, now.
  • Audit your systems – consider getting external auditors to both probe your defences and your processes.
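As an added example (not code from the original post) of designing the ‘Opt In’, ‘Data Portability’ and ‘Data Erasure’ functions in from the start, here is a small Python store that refuses to hold personal data without a recorded opt-in, exports a subject’s data in a portable format, erases it on request, and computes the 72-hour breach notification deadline; the class and function names and the sample record are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

BREACH_NOTIFY_WINDOW = timedelta(hours=72)  # regulator notification window from the post

class ConsentRequired(Exception):
    """Raised when personal data would be held without explicit opt-in."""

class SubjectStore:
    def __init__(self):
        self._records = {}  # subject_id -> {"consent_at": datetime, "data": dict}

    def record_consent(self, subject_id, when):
        # Explicit opt-in is time-stamped so it can be evidenced later.
        self._records[subject_id] = {"consent_at": when, "data": {}}

    def store(self, subject_id, field, value):
        # Opt-in gate: no consent record on file, no data held.
        if subject_id not in self._records:
            raise ConsentRequired(f"no explicit consent on file for {subject_id}")
        self._records[subject_id]["data"][field] = value

    def export(self, subject_id):
        # Data portability: everything held on the subject, machine-readable.
        rec = self._records[subject_id]
        return json.dumps({"subject": subject_id,
                           "consent_at": rec["consent_at"].isoformat(),
                           "data": rec["data"]}, sort_keys=True)

    def erase(self, subject_id):
        # Data erasure: drop the record itself, not just a 'deleted' flag.
        return self._records.pop(subject_id, None) is not None

def breach_notification_deadline(discovered_at):
    """Latest time the regulator must be told, counted from discovery."""
    return discovered_at + BREACH_NOTIFY_WINDOW

def demo():
    store = SubjectStore()
    t0 = datetime(2017, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    refused = False
    try:
        store.store("alice", "email", "alice@example.com")  # no consent yet
    except ConsentRequired:
        refused = True
    store.record_consent("alice", t0)
    store.store("alice", "email", "alice@example.com")
    exported = json.loads(store.export("alice"))
    return refused, exported["data"]["email"], store.erase("alice"), store.erase("alice")
```

The second erase returns False because nothing is left to erase, which is the behaviour an erasure request should be able to prove.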

A series of small changes over the next two-to-three years will mean you’re ready for GDPR when it becomes law.

If you’re in doubt at any point, ask yourself:

Would I want my data held and processed like this?  Does this seem fair?

Manufacturing, The Internet Of Things, and Security.

During the SAP Radio ‘Future Of Business’ podcast this week a healthy debate emerged on how manufacturing is adopting, will adopt and should adopt Internet Of Things technologies.  The conclusion seems to have been that European and North American manufacturers aren’t ready for this leap, but that consumer adoption will drive it.  Computer Weekly best summarises the podcast in its article ‘Manufacturing Industry ‘Not ready for IoT’ says SAP’.

I agree – manufacturing isn’t ready for The Internet Of Things.

But not for the reasons highlighted in the podcast or the article – and I agree that the benefits of IoT adoption for manufacturers (especially larger scale) are potentially enormous, perhaps nothing short of a second industrial revolution if implemented properly.

Age of Plant.

The article and podcast highlight that the average age of industrial machinery has lately risen to its highest since 1938 (in itself a scary statistic), and with investment running at only 3% per annum it will take considerable time to replace this ageing kit.  The problem with this argument is that it is predicated on older equipment not being compatible with the IoT – which isn’t always true.

Older plant and machinery can generally be retrofitted with interfaces to allow it to be part of the IoT, and a good industrial integrator will do this relatively cheaply; so while old plant makes things more complicated, it’s not the biggest barrier to manufacturing adoption of IoT.  Proving benefit and proving security are.

Benefit.

Manufacturers, by virtue of what they do, tend to work in a very pragmatic, demonstrable way: they measure everything they can to look for improvements. Quick, easy, big wins are rare in manufacturing these days – it’s minor, incremental (often CI or Lean driven) changes which, when repeated, make gains for manufacturers.  Plant Managers want to see real benefit for deploying a technology, and plant maintenance teams are often skeptical of ‘high brow’ IT concepts; it’s simply not a world they operate comfortably in.

Talking about “the interconnection of uniquely identifiable embedded computing devices within the existing internet infrastructure” is likely to garner an awful lot of blank faces from manufacturing managers… but if you talk about the ability to monitor, control and report on plant from anywhere on the planet, then they are interested.  If you can talk of predicting plant failure by combining data from two devices across a plant, or of automatically or remotely controlling equipment based on trends and analysis, then you’re demonstrating benefit. It comes down to money.

As an IT industry we need to stop talking our own language, and talk that of the target audience if we want to ‘sell’ our vision and allow business to benefit from the huge possibilities the IoT offers.

Security.

The biggest problem though will be similar to that faced by the now almost ubiquitous ‘cloud computing’ in its infancy: Security.  The cloud had to overcome both security and privacy concerns to gain trust before people would start allowing their data to be held and processed on servers they didn’t own and couldn’t physically touch. In many regards there is a similarity here to how SAP see IoT being driven into manufacturing: consumers did cloud first!

Manufacturers guard their plant as closely as they do personal data.  It’s their bread and butter… without it nothing leaves the door and cash doesn’t come in.  Worse still, if the production lines stop then you have the mounting costs of an idle workforce and supply chain problems further down the line.  This is why manufacturers protect their plant (and it’s probably a reason a lot of it is old – it works and the risks are known!).

I know of major manufacturers who separate all plant floor manufacturing equipment entirely, some physically and some logically, from their main office LAN to ensure that production continues, having been bitten by IT problems stopping production before. Convincing them to allow devices to talk directly to the internet is going to be a tough ask, especially with the recent vulnerability exploits in SCADA fresh in their minds.

What happens if an IoT connected PLC or device loses connectivity?
How do we ensure only authorised access to the data and control of an IoT-enabled plant?
Can we ‘pull the plug’ and continue operating if something bad happens?
Where is the redundancy?

These are all questions manufacturers will ask before they allow IoT devices into their day to day world, and as an industry we need to have convincing answers to all of them.

We’ll have to demonstrate that those devices are safe, secure and will deliver real benefit… we should concentrate on finding a way of doing this (perhaps something like the Cloud Security Alliance?) rather than berate the age of the kit manufacturers are using to make their living, because the benefits to manufacturing are huge.