GDPR: UK Privacy Regulator Open to Self-CertificationFocus on Continuous Compliance and Breach Response, Experts Say
Organizations in Europe may eventually be able to self-certify that they are compliant with the EU's General Data Protection Regulation, an official at the U.K.'s independent privacy watchdog said.
But for now, "if anyone tries to tell you they're GDPR-certified - they're lying," Nigel Houlden, head of technology policy for the U.K. Information Commissioner's Office, said on Wednesday at the Infosecurity Europe conference in London during a panel discussion on GDPR (see 10 Hot Sessions: Infosecurity Europe in London).
"There is no such thing as GDPR certification; there is only compliance that you can work toward," Houlden said. But he noted that the ICO is exploring how organizations might eventually be able to self-certify compliance with a list of GDPR requirements to help prove that they have been trying to comply with GDPR, especially if they should later suffer a breach or be reported to the ICO for some reason.
The panel discussion, moderated by Brian Honan, head of Dublin-based BH Consulting, focused on how organizations can maintain compliance with GDPR, which became EU law in 2016. But many organizations appear to have been left scrambling to attempt to do something about GDPR since May 25, which is when each EU member state's privacy watchdog began enforcing GDPR compliance (see GDPR Enforcement Deadline: If You Blew It, What's Next?).
Houlden emphasized that May 25 wasn't a hard and fast deadline like Y2K, when systems that rendered dates as two digits needed to be updated to work with four digits or otherwise mitigated. With GDPR, "you need to keep this up now, it's a continuous process," Houlden said. "You have to keep on top of your security policies, your education, your security training."
GDPR requires organizations to be transparent and accountable with how they handle European residents' personal data. Larger organizations must have a designated data protection officer. And among other requirements, the law mandates that any organization that suffers a breach must alert relevant authorities within 72 hours. All of that is backed by strong new enforcement powers, which give privacy regulators the ability to impose fines of up to £17 million ($23 million) or 4 percent of an organization's annual revenue - whichever is greater.
Fellow panelists talked about how they have been putting those requirements into practice, and a constant theme was the need to make GDPR compliance constant.
"The phrase we've coined in my organization is, privacy is the new normal," said Vivienne Artz, chief privacy officer of Thomson Reuters, a Toronto-based multinational mass media and information firm. She said GDPR had given her firm "the opportunity now to streamline what's been a very manual process" when it came to handling customer data. "Going forward ... it needs to be much more automated."
Maintaining compliance won't necessarily be easy.
"We have very dynamic environments in which to try and maintain these privacy objectives," said Johnnie Konstantas, senior director of the enterprise cybersecurity group at Microsoft.
Privacy by Design
One of the tenants of GDPR is that organizations must practice "privacy by design." Artz likened this to using feng shui to organize one's house - finding color harmony and orienting all furniture in a prescribed manner. Of course, environments evolve, but the underlying approach - seeking harmony by imposing order on one's environment - must continue.
"You don't just bring in a pink couch," she said.
Any organization that isn't yet complying with GDPR, despite the May 25 enforcement deadline, needs to get moving, because compliance isn't a one-step process, said panelist Mieke Kooji, security director of Trainline, an independent digital rail platform based in London,.
"It really is about understanding what you've got," she said. "You need to know what data you've got and why you've got it before you start checking if the right security controls are in place."
Mielke said that for ensuring that the various parts of her organization are complying with GDPR, she's looking for more than just assurances.
"I've very big on 'show me,'" she said.
The ICO's Houlden said that in the event of a breach - which under GDPR is a broad term that refers to any loss of control of data - ICO investigators will want to know what data the breached organization was storing and why.
"You really need a good legal basis as to why you've got that data," he said, "because if there is a breach ... one of the first questions we're going to ask you is: 'Under what legal basis do you have that data?'"
Houlden said the ICO had hired 60 new recruits in recent months and plans to hire another 170 in upcoming months to help with investigations. He emphasized, however, that the ICO does not have a "target list" of organizations that it has been planning to investigate once its GDPR enforcement powers came into effect.
Mandatory Data Breach Notifications
Previously, Europe has not had a broad, mandatory data breach notification rule. With GDPR, however, security experts expect to see data breach reports - and Europe's collective awareness of how common breaches are - skyrocket (see Europe: Data Breach Problem Unknown).
"We now have 72 hours of being aware of a breach before reporting," said Honan, who's also a cybersecurity adviser to Europol, the EU's law enforcement intelligence agency.
For all organizations that must comply with GDPR, "if you don't have a breach notification policy, you're fried," said Artz of Thomson Reuters. She recommends that all organizations not only create such a policy, but regularly run fake scenarios to practice and ensure it works.
"It's really important to have a practice, because the theory is lovely, but the reality is really quite scary when it does happen," she said.
"We now have 72 hours of being aware of a breach before reporting," says Europol adviser Brian Honan.
Houlden said that in the event of a breach, the ICO's first role is to assist.
"Notifying us within 72 hours isn't so we can come after you with a big stick; it's so we can help," he said. For example, after reviewing the situation, the ICO might recommend that the breached organization work with the U.K. National Cyber Security Center, which is the government's public-facing incident response center. Or the ICO might recommend that the breached business issue a public breach notification to help victims protect themselves.
"It's talking to experts who can help you as quickly as possible, it's not a case of going to the teacher to snitch," he said.
Houlden also recommended that organizations not obsess over the maximum fine the ICO can now impose. Instead, he noted that the ICO has the ability to revoke an organization's right to process - or handle - Europeans' personal information.
"Forget the £17 million fine," he said. "If we can stop you processing, that's pretty much the end of your company."
Post-Brexit GDPR in the UK
At the end of the panel discussion, an audience member asked what would likely happen with GDPR in Britain, given the results of the country's 2016 "Brexit" referendum, in which a majority of voters said that the country should exit the EU (see Data Privacy After Brexit: Keep Calm and GDPR On).
Artz noted that she hoped that whatever the U.K. requires will meet the adequacy requirements of GDPR, meaning that what the U.K. mandates will be equivalent to or better than what GDPR requires.
But she and Houlden noted that such discussions are the responsibility of U.K. and EU negotiators who are trying to hammer out what the U.K.'s post-Brexit relationship with the EU looks like.
"We're an independent regulator; we'll see what deal the government get and run with that," the ICO's Houlden said.
All photos: Mathew Schwartz