It’s only a few short months until May 25th, when the European Union’s GDPR (General Data Protection Regulation) becomes law. After many years of bureaucratic deliberation, the official text of the General Data Protection Regulation was finally published in May 2016. Although the entire document is 261 pages long, the principal subject of the GDPR is stated clearly on the front page. It is for
…the protection of natural persons with regard to the processing of personal data…
That opening sentence contains two key points. The first is that it is for the protection of natural persons. The phrase ‘natural persons’ makes it clear that this regulation is not for the protection of companies or organisations, but for the protection of people, or data subjects in the jargon of the GDPR. The second is that it is about the ‘processing of personal data’. Each of these words needs to be carefully defined, which is essentially what the remaining 260 pages of the document attempt to do.
New regulations have become necessary because the landscape of data processing has changed dramatically since the Data Protection Directive (95/46/EC) was introduced back in 1995. In those days data storage was too expensive to keep anything but essential data, and the internet was mostly just a few academic or special-interest websites. Then the corporate world woke up to the potential value of piping advertising and shopping directly into people’s homes, and the internet exploded into a vast shopping centre and an ocean of general knowledge. Behind all that surfing is also an ocean of data about what people like and dislike, their health, what they eat, their habits, what they spend and where they are doing that spending. That data, your data, is gold dust for corporations trying to predict how to persuade you to spend more, but it is also invaluable for fraudsters or criminals looking for ways to steal your identity or your money, or to do you harm. That is why European regulators are now trying to put a stop to the rapidly escalating problem of data breaches by threatening extremely high penalties for companies that suffer them. For the worst offenders, fines of up to €20 mn or 4% of global annual turnover can be imposed. There is no doubt that a great many companies and government agencies are extremely poor at data protection, but the GDPR tries to make it clear what all organisations need to do to become compliant. Compliance comes from following what are known as the 7 Principles relating to the processing of personal data, which I’ve paraphrased below:
- Only process personal data for a lawful and fair purpose
- Only collect and process data for an explicitly specified purpose
- Ensure personal data is relevant and necessary for the specified purpose
- Ensure personal data is kept accurate
- Keep data in a form that allows for identification of individuals for no longer than is necessary
- Keep personal data hidden in a secure environment
- Keep track of everything, and be prepared to show regulators what steps have been taken to protect personal data
To do this, companies should first perform an audit to know what personal data they hold, where it comes from, where it’s stored, who can see it and how it’s disposed of.
The main challenge is really in deciding how to keep data hidden and how to secure the environment. Ideally all personal data should be encrypted in a data store that is completely isolated from the internet and from physical intrusion. Access to the data should be tightly controlled and only given to authorised individuals where necessary. All access to systems that can display personal data should be logged, and the logs reviewed on a regular basis. From an organisational standpoint, all the processes for storing, handling and disposing of personal data should be documented and audited on a regular basis.
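The access-control and log-review controls described above, as an added example that is not part of the original post or of any Subex product: a role-based read function that writes one audit line per attempt (granted or denied), and a review routine that flags the patterns a regular log review would look for. The role-to-field table, the fictional records, the thresholds and the user names are all constructed for illustration; encryption of the store at rest is assumed to be handled separately and is not shown.

```python
"""Role-based access to personal data with an audit log, plus a simple review
of that log. Everything below (roles, records, thresholds) is constructed for
illustration; the store is assumed to be encrypted at rest by other means."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authorisation table: which fields of a record each role may read.
AUTHORISED_FIELDS = {
    "billing": {"name", "address"},
    "support": {"name", "email"},
    "analytics": set(),  # no direct access to identifying fields
}

# Constructed, fictional data-subject records standing in for the real store.
RECORDS = {
    "S001": {"name": "A. Example", "email": "a@example.invalid", "address": "1 Test Lane"},
    "S002": {"name": "B. Example", "email": "b@example.invalid", "address": "2 Test Lane"},
    "S003": {"name": "C. Example", "email": "c@example.invalid", "address": "3 Test Lane"},
}


class AccessDenied(PermissionError):
    pass


def read_personal_data(store, audit_log, user, role, subject_id, fields, purpose, now=None):
    """Return the requested fields if the role permits them.

    Every attempt, granted or denied, is appended to audit_log as one JSON line
    so that the log can be reviewed later."""
    now = now or datetime.now(timezone.utc)
    requested = set(fields)
    denied = requested - AUTHORISED_FIELDS.get(role, set())
    entry = {
        "ts": now.isoformat(),
        "user": user,
        "role": role,
        "subject": subject_id,
        "fields": sorted(requested),
        "purpose": purpose,
        "granted": not denied and subject_id in store,
    }
    audit_log.append(json.dumps(entry))
    if denied:
        raise AccessDenied(f"{user} ({role}) may not read {sorted(denied)}")
    if subject_id not in store:
        raise KeyError(subject_id)
    return {f: store[subject_id][f] for f in requested}


def review_audit_log(audit_log, max_denials=2, max_subjects=2):
    """Scan JSON-line audit entries and return findings for a human reviewer:
    repeated denials per user, one user touching unusually many distinct
    subjects, and accesses recorded without a stated purpose."""
    denials = defaultdict(int)
    subjects = defaultdict(set)
    no_purpose = []
    for line in audit_log:
        e = json.loads(line)
        if e["granted"]:
            subjects[e["user"]].add(e["subject"])
        else:
            denials[e["user"]] += 1
        if not e["purpose"]:
            no_purpose.append((e["user"], e["subject"]))
    findings = []
    for user, n in sorted(denials.items()):
        if n >= max_denials:
            findings.append({"type": "repeated_denials", "user": user, "count": n})
    for user, subs in sorted(subjects.items()):
        if len(subs) > max_subjects:
            findings.append({"type": "bulk_access", "user": user, "subjects": len(subs)})
    for user, subject in no_purpose:
        findings.append({"type": "missing_purpose", "user": user, "subject": subject})
    return findings


def demo():
    """Run a constructed sequence of accesses and return the review findings."""
    log = []
    t = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    read_personal_data(RECORDS, log, "alice", "billing", "S001", ["name", "address"], "invoice", t)
    for sid in ("S001", "S002", "S003"):  # bob reads every record in the table
        read_personal_data(RECORDS, log, "bob", "support", sid, ["name", "email"], "ticket", t)
    for _ in range(2):  # carol repeatedly requests a field her role does not permit
        try:
            read_personal_data(RECORDS, log, "carol", "analytics", "S002", ["email"], "report", t)
        except AccessDenied:
            pass
    read_personal_data(RECORDS, log, "dave", "support", "S003", ["name"], "", t)
    return review_audit_log(log)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The thresholds in `review_audit_log` are deliberately low so the constructed run produces findings; in practice they would be tuned to the normal workload of each role, and the review output would feed the documented, regularly audited process the paragraph above calls for.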
GDPR is intended to protect all of us from misuse of our data. We at Subex are dedicated to helping operators comply with these new regulations, which will ultimately lead to a safer and more secure future for us all.
Watch this space for more updates.
Mark Jenkins has worked in the IT industry for over 15 years as a BI and Analytics consultant, and more recently as ROC Product Manager for Subex Ltd. He has designed and deployed solutions for global companies in many sectors including insurance, utilities and telecommunications. Mark holds a BSc (Hons) in Computer Science from Manchester University (UK).