Insider threat management company, ObserveIT, recently carried out a survey to gauge the understanding of privacy laws among 1000 US and UK employees. The results come a year after the launch of GDPR, which affects EU nations and global companies with EU customers. The findings are revealing.
According to the poll, 35% of UK employees are handling data the same way they did before GDPR. As GDPR made companies far more accountable for the way they manage data, this doesn’t bode well for a third of UK companies.
Of note, are 38% of British employees who felt their organisation wasn’t doing enough to protect personal data. This figure seems to align with the third who experienced no change. Maybe that’s a coincidence.
The UK versus the US
The only solace for the UK is that things are even worse in the US. That’s unsurprising, given that the States is outside the GDPR epicentre. Still, it’s alarming that 15% of US employees don’t know what GDPR is when you think that 58% of them handle sensitive data every day.
Two-thirds of UK workers felt they had received enough training in protecting customer data to comply with regulations, while less than half of their US equals felt the same. Encouragingly, 84% of the British say they know their data compliance obligations at work.
Only 55% of US employees and 62% of UK employees felt their own personal data was being adequately protected by their employer. This, too, is worrying for firms and organisations. Employees have the same legal privacy rights as everyone else.
These numbers from either side of the North Atlantic confirm what we already know. Many companies are either unready or unable to comply with GDPR or today’s privacy laws. The US will toughen up on data handling, too; not least with the California Consumer Privacy Act due in 2020.
So, what must UK companies do to fall in line with GDPR?
To comply with GDPR, you must know what sensitive data is. In essence, it’s data which might harm the data subject if leaked. Examples are as follows:
- Racial or ethnic origin
- Political opinions or allegiances
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data
- Health records
- Sexual activity or orientation
The above is all personal data which should be classified as sensitive. Under GDPR, the purpose of data processing must be taken into account, together with the impact it is likely to have on the subject. Risk assessment is an inherent part of collecting and storing data.
Data classification is part of the data mapping process; hence, the need to understand data and its possible consequences. By locating and classifying all stored data, it can be managed effectively. The classification should make data easy to find, protect and retrieve.
One way small to mid-sized companies can map and manage their data is through GDPR compliance software. This often makes businesses compliant within weeks. It also enables them to prove their effort toward compliance quickly. That’s important to GDPR enforcers such as the ICO (Information Commissioner’s Office).
A basic three-level data classification model, which sorts data according to sensitivity, looks like this:
- Restricted data; sensitive data which, if leaked, would harm the organisation or individual to whom it relates. This type of data should be accessible on a need-to-know basis. Examples include data of a personal nature, payroll details or financial records.
- Medium sensitivity; this type of data could be accessed internally or departmentally. It includes emails, letters or documents that have been sent or created privately but contain no harmful or confidential information.
- Public; this is low-sensitivity data that might include content created for public consumption. Examples include press releases or marketing materials. Such data would be openly accessible and not controlled or encrypted.
Data classification must suit each company’s needs, so there’s no single solution. However, data discovery and classification are vital elements of any attempt at GDPR compliance. Companies must be able to identify sensitive data and create protocols for handling it. They must take technical steps to secure it (e.g. encryption). Staff should know what not to do when handling data.
Data Security and the Cloud
An essential area where some companies fail lies in their lack of data protection. They haven’t taken measures to ensure data is secure. An example of this is storing data in the cloud.
Under GDPR, a cloud provider is usually a data processor or sub-processor. The company owner using that service is the data controller. The latter carries a more significant burden of responsibility under the law. Before sending data to the cloud, anything sensitive should be encrypted. This gives it an extra layer of security on top of any affected by the provider.
Sensitive data should always be safe before it reaches any exposure point. No-one should share it over unsecured networks or by email without encryption.
Endpoint security encompasses data classification, loss prevention and encryption, data access control, insider threat protection and more. It is a system which ensures end-user devices such as phones, laptops, desktop PCs and servers are secure. You can think of it as “tying up loose ends”.
All the above is achievable by processes such as monitoring traffic in real-time, monitoring user activity (e.g. cut, copy, paste, print, print screen actions), applying security policies to data-handling activities and limiting data access to privileged users. It’s done through endpoint security software.
Bringing it all Together
What can we learn from the ObserveIT survey, and how can more than one-third of British companies comply with GDPR? Here are some salient points:
- Map data through a process of discovery and classification using GDPR compliance software to help if you’re an SMB.
- Understand data and recognise its sensitivity. Perform a Data Protection Impact Assessment (DPIA) just before processing data which might cause harm to subjects. Perform a DPIA when embarking on any significant project involving personal data.
- Ensure data is secure where it rests and in transit. Use protective layers of encryption, SSL and hashed passwords. There are several types of encryption. They include the Advanced Encryption Standard (AES), 3DES, RSA, Blowfish and Twofish.
- Be aware of all vulnerabilities and points of attack. Social engineering, insider threats, lack of staff training, inadequate security software, network security risks and uncontrolled endpoints are all areas of concern.
If your company is trusting to luck as far as GDPR compliance goes, now’s the time to act!