We’re now 18 months into the brave new world of GDPR. Like many data protection professionals, I found the new legislation acted as a magic word with executives. It helped open up the resources to review information management practices that had not been looked at in many years, if ever.
While progress has been made across industry both in the run up to and after 25th May 2018, the question being increasingly asked is “How do I keep data protection on the Board’s agenda and get them asking me the right questions about it?”
Last spring saw the National Cyber Security Centre (NCSC) publish its Cyber Security Board Toolkit. While the tool is designed with cyber security in mind, it also provides a handy framework for starting meaningful conversations with your board across the wider Information Assurance and Data Protection piece.
The toolkit acknowledges that board members will not be expected to be experts in all aspects of security. However, they will need to have a base of knowledge to make risk decisions on behalf of the business and provide leadership.
“We all make security decisions every day (whether to put the alarm on, for example) without necessarily knowing how the alarm works. Boards regularly make financial or risk decisions without needing to know the details of every account or invoice.”
The below steps help the experts in the business provide insight so that the Board can make informed decisions. Let’s have a look at how the actions the NCSC highlight can also be used in the context of data protection compliance.
1. Embedding data protection into your culture and objectives
When done well, good practice in data protection should be adding value to the organisation rather than hindering progress.
- Data protection impacts all areas of the business that have any involvement with personal data. It should therefore be integrated into organisational risk management and decision making
- Article 32 of GDPR obliges organisations to “Implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data.” It is only by assessing the risks that processing activities involve, that an informed decision on measures can be made. Steps 4, 5 and 6 below provide further details on how this can be done.
- A good place to start is to consider communication between experts and members of the Board. If you have a Data Protection Officer, it is vital that this individual is of a grade within the business that their guidance will be taken seriously. The communication does require effort from both sides
- Boards need a good enough understanding of Data Protection that they can understand how it supports their overall organisational objectives
- The DPO needs to appreciate that communication of data protection risk is a core component of their job, and ensure they understand their role in contributing to the organisation's objectives
2. Growing data protection expertise
The NCSC toolkit highlights the shortage of cyber security professionals available, with a predicted shortfall of 350,000 individuals across Europe by 2022. A similar situation can be seen within the area of data protection, where many companies have scrambled to get the right people in post over the last 18 months.
As mentioned above, the DPO is key to ensuring that risks can be communicated to the Board. However, in larger organisations they will often need the support of a whole team of individuals. With a shortfall of expertise, where should these people be coming from?
- Build your best workforce: Equal, diverse, inclusive. Companies should be imaginative when designing job roles and ideal candidate profiles. Are there broader skill sets within the business that could be transferred to data protection? Businesses that already work in regulated environments are likely to have individuals experienced in audit and compliance who could move into data protection roles. Communicating the importance of data protection also requires soft skills, are there roles or individuals in the business that have proven themselves adept at doing this in another context. This is an area that has always fascinated me, as I was a Learning and Development professional before moving into data protection.
- Training existing staff. There are plenty of training packages available to help skilled staff transition into a data protection role. It can also be helpful to get an external data protection expert in for a short period who can help people learn the ropes. In terms of Board engagement, it’s beneficial to bring in a non-executive director who has experience in the area and can aid discussions and decision making.
3. Developing a positive data protection culture
The emphasis here is on the Board being able to lead by example. If senior leaders are seen to bypass controls or expect “special treatment” then it gives the impression to the rest of the company that such behaviour is acceptable. The principle of Accountability in GDPR emphasises that it is not enough to simply have policies and processes in place, they need to be demonstrably followed by everybody.
Putting people at the heart of data protection. A common trope for many years has been to refer to a company’s staff as being the “weak link” in data protection. However, this isn’t a helpful way of communicating and switches off the very people you need to engage in order to implement data protection measures. Identify if staff are using insecure work arounds to bypass processes you’ve put in place. It could be that it’s the process that needs changing rather than the staff.
A well-trained workforce should also act as an early warning system for non-compliance. For example, identifying where retention standards are not in place, new data processors are being engaged without appropriate oversight or areas where breaches aren’t being properly reported. Staff should be encouraged to speak up and report concerns, assigning blame or taking disciplinary action should be avoided in all but cases of extreme negligence. This allows staff to focus on bringing the most benefit to the organisation rather than focusing on protecting themselves.
4. Establishing your baseline and identifying what you care about most
This section of the toolkit is very much approached from the point of view of business continuity and identifying components critical to organisational objectives. If the Board were to look at this from the point of view of data protection, then it is about identifying the processing activities that carry the highest risk should a breach of GDPR occur.
- Identify your crown jewels. Where is the business processing large amounts of personal data? Where is Special Category data being used? What innovative uses of technology is the business employing that may carry higher risk?
- All organisations of over 250 staff are required to produce a Record of Processing, covering all the activities where the business handles personal data. While not mandatory for all organisations, this record is invaluable in identifying where those crown jewels might be. The first step is to create this record, documenting the processes as they currently are. This will then allow you to identify activities that need to be escalated to the top of the company for decisions around risk controls, as we will see in the next step.
5. Understand the threats
In the context of GDPR compliance, this is about having a good understanding of the activities your organisation undertakes and understanding where risks of breaches could arise.
- A gap analysis such as the RADAR assessment will give the business a good overall view of where it currently stands with GDPR compliance. This can be used to produce a dashboard for the Board to monitor progress against.
- Where “crown jewels” have been identified a more in-depth Data Protection Impact Assessment (DPIA) should be undertaken. This will allow you to identify not only the level of likelihood of a breach occurring, but also the impact it would have on the organisation and the data subjects were an incident to occur. Identifying where these assessments need to take place can be a good way of determining which decisions need to be escalated to ensure an appropriate level of accountability. The European Data Protection Board have drawn up screening questions that can be used to determine where a DPIA may be required.
6. Manage the risks
Once the board are aware of their “crown jewels” and the potential risks associated with them, they are in a much better position to discuss what their risk appetite is and what controls may need to be put in place. All activities will carry an element of risk, and the aim of this step is not to remove risk entirely. If a breach occurs and the ICO investigate, they will want to see that the risks involved in an activity were considered and an informed decision about them was made based on compliance with GDPR.
- Data protection risk should be integrated within the wider organisational approach to risk management. Many organisational risks will be linked back to personal data processing and so have data protection element to them. The role of data protection professionals is to support the business in identifying areas of non-compliance and ways in which practices could be changed to stay within the regulations without slowing things down unnecessarily.
- With GDPR still in its early stages, it can sometimes be difficult to determine exactly what the impact of certain types of breaches could be. Keeping up to date with rulings and guidance from supervisory authorities such as the ICO will help inform you whether risk metrics need to be updated.
- Alongside developments from the supervisory authorities, it is important that the Board make informed decisions on developments in technology that can improve an organisation’s data protection.
“A good example of this is cloud security. The NCSC see many organisations hesitant to use cloud services because they intuitively assume it is high risk, informed mainly by the belief that storing something valuable with a third party is more risky. In reality, the third party may have better security measures within their data centres than your own on-site storage. So the overall risk may actually be lower. A decision to adopt recent technologies - like cloud storage - would need to be based on a comprehensive understanding of all the risks, rather than an intuitive assessment.”
Which brings us nicely on to…
7. Collaborating with partners and suppliers
The big difference here between the guidance from the NCSC and requirements under GDPR is that GDPR clearly defines what needs to be in place before a business engages with a data processor. All existing contracts with suppliers need to be updated to provide assurances that the processor can meet Article 28. In the future data protection should be built into every supply chain decision and a process should be put in place to ensure that agreements with processors are GDPR compliant.
- Identify your full range of processors and communicate what you require from them clearly. In many cases, larger suppliers will have had this discussion with many of their customers and will have GDPR compliant contracts that can be used. Risks will often arise where a processor is a smaller organisation or where your business are their only customer. In these cases, more dialogue will be needed to ensure that they can meet the legal requirements to process your data.
- Boards should be informed where this supplier is processing “crown jewel” data. The data protection experts will need to be able to keep them sufficiently informed to allow the Board to decide if a supplier can meet their obligations, and where not recommend ending the relationship and reviewing alternative suppliers.
8. Planning your response to incidents
While avoiding data breaches should always be the goal, it has to be accepted that incidents are likely to occur from time to time. By preparing for these beforehand, the business can have a robust process in place for managing them rather than trying to develop a response in a live situation.
- Have a consistent reporting mechanism. Set up a standard process for staff to report a data breach and make sure that they are aware of what this is. If this is done well, then you may see a spike in breaches being reported after the mechanism is implemented. This shows that you’re picking up breaches that you weren’t seeing previously.
- Create a severity index. Decide what constitutes different levels of severity for a breach and what level the response needs to be escalated to. Make sure that the Board are aware at what stage they may need to be involved in a breach
- Communications. In severe incidents or those that are likely to draw media attention, ensure that Board members have been nominated who would be expected to provide a response. Make sure they know who to go to in the business for a more in-depth briefing should it be required.
- Test exercises. Thankfully very severe breaches are comparatively rare. However, this means that it is worthwhile to run an exercise with senior managers and the Board to go through what would happen. This way they are more prepared should one occur.
- Build a dashboard. Lower level breaches should always be recorded and tracked. These can be summarised to show breach trends within the business to the Board and identify areas where additional controls may need to be implemented.
Boards will always play a key role in making risk decisions within any organisation. The ICO and the NCSC work closely together to make the UK a safer place to do business and ensure individuals data is handled responsibly by organisations. The discussion points and good practice highlighted in the NCSC Board Toolkit are also valuable for raising board awareness of data protection requirements. Using them can help start conversations and equip the Board with the required knowledge to ensure they can meet their accountability obligations under GDPR.