

have to have Cyber Essentials certification and come July this year those assurance requirements would be increasing with the introduction of the MOD’s Cyber Security Model.”


“What will happen in our hyper-connected world, with its ever-increasing concern about risk within supply chains, is that SMEs and MMBs will be required to provide some level of independent assurance to their data security posture through a recognised body.”


The necessary data protection changes will be contractually implemented downwards through supply chains, and the onus will be on those smaller companies to show they remain competitive within supply tenders by being compliant.


And, if anyone wants redress they can go to the supervisory body, the data controller or processor, or go through the courts, added Hickley.


What about free and publicly available data put onto sites such as LinkedIn or Facebook etc, by the data subject, questioned Morrin. “What’s the data protection risk there?”


Hickley: “It’s all about how much damage can be done in terms of GDPR fines, but the real question is if a person puts their data on a site like LinkedIn, are they expecting a business to mine their data and then contact them for a commercial business reason? Is that contact deemed ‘a legitimate interest’?


“Under the GDPR, article 14, it explicitly states that if you don’t obtain data direct from the data subject, you have to write to them within a month, explain with a Data Protection Notice what you are going to use the data for, and how long you plan to store it, before you can actually process it.”


And, for those accessing and processing any EU data without GDPR compliance, from anywhere globally, Hickley warned: “You will be caught.”


Martin Hickley


Evans suggested placing that onus on small suppliers, who would have to bear the cost of GDPR compliance, would lead to them putting up prices or cutting corners inappropriately. “How will you monitor all these small companies who may be taking on more risk?”


Hickley pointed out that the GDPR penalties covered data processors as ‘jointly and severally liable’ so all the links in a supply chain needed to be demonstrably compliant.


“Procurement departments may have to change and audit their contracts in order to manage the risks of outsourced data, and therefore may need to learn new skills.”


Who ‘owns’ the data protection risk?


Ian Morrin of Clarify queried the use of shared data, where the data was clearly owned by one party that specified how it was to be used, but worked upon by a third party. “Who holds that risk, who is liable?”


Brett confirmed that under GDPR they will both have a direct statutory obligation, one as data controller and the other as data processor. This is different to the current regime where only the data controller has had those direct statutory responsibilities.


THE BUSINESS MAGAZINE – THAMES VALLEY – JUNE 2016

Debbie Brett


Evans suggested compiling a privacy impact assessment of data that a company intends to use, and verifying the PIA through the ICO before usage. “Demonstrate that you have attempted to identify the risks, have mitigated them and will be screening the data properly.”


Brett: “The GDPR is designed to catch screen-scraping of data, even from a publicly available website.” Data that is obtained in this indirect way will still trigger requirements for you to provide information to the data subject about how you intend to use their data. Certain websites (in particular social media sites) may have to change their terms and conditions of use, she added.


Simon Pasco


Simon Pasco of Thomas International wondered how big CRM businesses such as Salesforce.com or MINT, and their contracted cloud business users, would be impacted by GDPR. “People pay an awful lot of money to these third parties to hold data that businesses input for them to process. What happens if they don’t comply?”


Hickley suggested a quick check of the business contract between the parties concerned, thinking about how data consent is currently collected by your business and then amending operations while adopting GDPR compliant procedures, and talking everything through with the CRM provider.


Clarke noted that these public cloud organisations and platforms were already aware of GDPR and its threat to their business operations, so would be eager to comply. “They will be doing an awful lot to toe the line, so put your initial question back to them and find out what they are currently doing.”


He cited the example of Amazon Web Services, which had steadily enhanced and proved its compliance and security to levels at which government departments were now happy to employ its cloud computing services. “They have moved a long way to provide the levels of security assurance to the Crown that they are looking for in relation to the personally identifiable information (PII) that they hold.”


There was a pause as Roundtable participants wondered how certain business sectors orientated towards online-focused research or consumer marketing might be impacted by the new GDPR measures. Where personal data is processed for direct marketing, for example, the data subject will now have a right to object.


“So, how does anyone do any business ever again?” said one Roundtabler half-jokingly.

