What Every Board Member Should Know about Cybersecurity and the GDPR (But Are Afraid to Ask)

Cyber Security and the General Data Protection Regulation

Directors are specifically mandated to manage data protection risk under the General Data Protection Regulation (Regulation (EU) 2016/679), which takes hold in the UK and throughout the EU on May 25, 2018 – Brexit will not change this. Boards must ensure that risk assessment is complete for the entire organisation, and that appropriate security is provided for each type of data in use. The Data Protection Officer, a board-level position required by the regulation, must also see that the correct technology for data security is in place.


Background on Cyber Security in the UK

The first UK Cyber Security Strategy was produced by the government in June 2009. It stressed the need for “a coherent approach to cyber security”, with the government, industry, the public and international partners sharing responsibility. Two new bodies were formed with responsibility for developing a coordinated approach to tackling cyber security: The Office of Cyber Security was formed in 2009 and became the Office of Cyber Security and Information Assurance (OCSIA) in 2010. OCSIA is located in the Cabinet Office and coordinates cyber security programmes run by the UK government including allocation of the National Cyber Security Programme funding. The Cyber Security Operations Centre was created in 2009; housed with Government Communications Headquarters, it is responsible for providing analysis and overarching situational awareness of cyber threats.

Between 2011 and 2016, the Government funded a National Cyber Security Programme of £860 million to deliver the 2011 National Cyber Security Strategy. The Programme aimed to make the UK one of the most secure places in the world to do business online. Its objectives included:

• Tackling cybercrime by making the UK more resilient to cyber-attack and better able to protect its interests in cyberspace.
• Helping shape an open, vibrant and stable cyberspace that supports open societies.
• Building the UK’s cyber security knowledge, skills and capability.

But the government cyber security programmes did not address data protection, which was taken up in the 1998 Data Protection Act and amendments.

GDPR addresses data security

The GDPR, on the other hand, is focused on the protection of personal data, and defense against breach. Complying with the protection mandate requires a sweeping reorganisation led by the board, and a higher degree of proactive effort by organisations that control or process personal data.

There are three key terms in the GDPR that have a direct reference to its view on security: Data subjects, data controllers, and data processors. For example, a company is a data controller with respect to the customers or employees about whom it has personal information. The customers and employees are the data subjects in this context: Real people, whose personal data is being processed by the data controller. An example of a data processor would be a company to whom payroll operations are outsourced by the employer in its capacity as a data controller.

Section 83 of the GDPR puts responsibility on the controller or processor to take measures to reduce the risk of data breach. Pseudonymisation and encryption are specifically recommended as the means to render data useless if it is taken in a breach.

The GDPR effectively mandates the use of encryption by data controllers and processors, as it reduces the potential impacts of a data breach, because the data is rendered useless – meaning that data subjects cannot be identified – without the encryption key. For complete protection in all use cases, encryption should protect data at rest and while being used in applications to ensure that if a breach occurs on any system, the information remains confidential and does not trigger the GDPR penalties.

Then the GDPR introduces a new concept in European data protection law – “pseudonymisation” – for a process rendering data neither anonymous nor directly identifying. Pseudonymisation is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. To pseudonymise a data set, the “additional information” must be kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.

“Pseudonymisation, therefore, may significantly reduce the risks associated with data processing, while also maintaining the data’s utility. For this reason, the GDPR encourages controllers to pseudonymise the data that they collect.”
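The following is an added illustration of the pseudonymisation described above; it is not code from the original article or from any regulator. It replaces the direct identifiers in each record with a keyed token (an HMAC over the e-mail address, under a key that is an assumption of this example) and returns the token-to-identity mapping as a separate object, which is the “additional information” the regulation says must be held apart from the data set. The sample records are constructed and describe no real person.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "department": "Sales", "salary": 52000},
    {"name": "Bob Example", "email": "bob@example.com", "department": "Ops", "salary": 61000},
    {"name": "Alice Example", "email": "alice@example.com", "department": "Sales", "salary": 53000},
]

# Fields that directly identify a data subject and must leave the working data set.
DIRECT_IDENTIFIERS = ("name", "email")


def make_token(key: bytes, identifier: str) -> str:
    """Derive a stable pseudonym for one subject.

    An HMAC is used rather than a bare hash: a plain SHA-256 of an e-mail
    address can be reversed by hashing candidate addresses, so the secret key
    is what makes the token non-attributable to anyone who lacks the
    separately held information.
    """
    digest = hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:20]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, lookup_table).

    The lookup table maps token -> direct identifiers and is the "additional
    information" that must be stored and protected separately from the
    pseudonymised records.
    """
    pseudonymised = []
    lookup = {}
    for rec in records:
        token = make_token(key, rec["email"])
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        stripped = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = token
        pseudonymised.append(stripped)
    return pseudonymised, lookup


def reidentify(record, lookup):
    """Recover the identity behind a record; only possible with the lookup table."""
    return lookup.get(record["subject_token"])


def has_direct_identifiers(records) -> bool:
    """Check used before releasing a data set to analysts or processors."""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # In practice the key lives in a key store, not beside the data (assumption: generated here for the demo).
    key = secrets.token_bytes(32)
    data, lookup = pseudonymise(RECORDS, key)
    print("direct identifiers left in data set:", has_direct_identifiers(data))
    print("records 0 and 2 belong to the same subject:",
          data[0]["subject_token"] == data[2]["subject_token"])
    print("identity via lookup table:", reidentify(data[0], lookup))
    print("identity without lookup table:", reidentify(data[0], {}))
```

The design preserves utility: records for the same person still carry the same token, so per-subject analysis (here, salary history) remains possible, while the working data set alone no longer identifies anyone. The lookup table and the HMAC key are the two items that need the stricter technical and organisational controls, and rotating the key produces an entirely different token set.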

Risk assessment is also mandated by the GDPR. The regulation clearly states the risks that need to be considered.

“In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”

The regulation makes a distinction for what it calls “high risk” data. These are processing activities that rely on new technologies and are “likely to result in a high risk for the rights and freedoms of individuals,” according to the regulation. There is an obligation for the Data Protection Officer to notify the UK Information Commissioner’s Office if high risk technology is being used with personal data.

A similar duty of notification exists for security breaches. The Data Protection Officer again must notify the Information Commissioner’s Office within 72 hours of a breach occurring – in fact, as soon as that executive learns of the security issue. The Data Protection Officer must also communicate a personal data breach to the data subject, “without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.”

To ease the considerable burden that GDPR places on the board and the Data Protection Officer in particular, the regulation endorses the use of codes of conduct and certifications to provide guidance on the GDPR’s requirements, signal to data subjects and regulators that an organization is in compliance with the regulation, and offer third-party oversight as another check on controllers’ and processors’ data handling practices.

For companies that are likely to be involved with cross-border data transfers, i.e. those that are outside the EU but that are using data from the region or taking it to different geographies, codes of conduct and certifications will help to provide a basis to manage the risk of audit. Should they prove effective, moreover, they may become a standard part of global data transfer mechanisms – consistent with systems already used in the U.S. and under the Asia Pacific Economic Cooperative.