Author Alan Calder
ISBN No 9781849288316
Review date 24/06/2019
No of pages 89
Publisher IT Governance
Publisher URL http://www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx
Year of publication 16/12/2016
The EU General Data Protection Regulation will unify data protection law to ease flow of personal data across the EU when it comes into force in May 2018, superseding national data protection laws like the UK’s Data Protection Act 1998 (DPA).
At the very start, let us leave politics, and Brexit, out of this - for one thing because, whether you voted leave or remain in June 2016 (or indeed did not vote at all), if you do business with the European Union, from May 2018 you will have to work to the European Union's General Data Protection Regulation (GDPR). We will have to wait and see what the UK does about its own law in this field, the Data Protection Act, which dates from 1998. Given the vast changes in technology since then ('cookies' on websites, for instance), that law was due a revision, which is indeed why the European Union (eventually) brought in the GDPR.
Not for the first time the author in particular and his publishing arm in general have explained an IT security or related subject - what can so often be dry and forbidding - concisely and authoritatively (and the two do not easily go together).
Alan Calder opens with a few pages of history - you can never go wrong by doing that - then sensibly takes us through definitions and terms, before going through the nuts and bolts of the regulation. Some parts we may have come across in the mainstream media already, such as 'the right to be forgotten' - strictly speaking, the right to erasure of your data. Other parts we may be on nodding terms with from complying with data protection law already, such as processing and retention of data, the rights of the data subject, and the data controller. Having done that, he takes us to the part that businesses, and indeed anyone handling data, need to know about: complying with the regulation.
Calder notes that after the dismantling of the 'Safe Harbor Framework' between the EU and the United States in 2015, we are in 'something of a vacuum', as the new agreement between those blocs, the EU-US Privacy Shield, has not come into effect yet.
Remember, the author points out, that you must be compliant by the time the regulation comes into force, in May 2018; as he puts it, it would be a real shame if you were one of the first organisations hit with an 'administrative penalty' under the regulation, and that fine could be up to 20 million euros or 4 per cent of your global annual turnover, whichever is greater. Understand your obligations and exposure, the guide advises; and if you have concerns, consult a legal expert. Nor should you forget PCI DSS, which covers data security for credit card information, if you are a retailer or otherwise handle such data.
You should understand, for instance, what constitutes personal data - photographs, if they can identify someone, are personal data. And where is that data, physically? You may say, the cloud, but where is your cloud supplier based? As the book advises, review your contracts with third parties, your procurement, and your outsourcing. To leave the book for a moment, Professional Security in its January 2017 print issue featured Microsoft, which is hosting, through its Azure service, body camera data from the Metropolitan Police's thousands of body cams in UK data centres; the IT firm is making much of its UK bases, no doubt with this upcoming regulation in mind.
To return to the book. It reminds you that 'the regulation requires quite a bit of documentation'; as so often, it's one thing to comply, and another to show that you comply (and not having the records, or rather not being able to find them, has led at least one UK organisation to come a cropper big time with the UK's data protection regulator, the ICO). Calder suggests that an information security management system on ISO 27001 lines should be the starting point: a risk-based approach. Identify risk, then implement appropriate controls (whether technical, physical, or in the set-up of your organisation). The point there is that 27001, like related ISO standards, is a process that you test and review; which is handy, because as the risks and cyber-threats evolve, so can your assessment and your controls, keeping you compliant.
About the author
Alan Calder, the founder and executive chairman of IT Governance Ltd, is an author of many books on information security and IT governance issues. For example, he co-wrote the compliance guide IT Governance: An International Guide to Data Security and ISO27001/ISO27002, which is the basis for the Open University’s postgraduate course on information security.