
What are the Organization’s DPO Responsibilities Under GDPR?


The most essential requirement is that the DPO must be allowed to perform their tasks in an independent manner. They need to report to the highest management level in the organization and cannot be dismissed or penalized for doing their job (i.e. giving advice). This requires a robust governance and reporting structure within which the DPO can function, together with evidence that their advice has been accepted or rejected.

GDPR Article 38 requires the organization to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’. The WP29 Guidance adds that, depending on the nature of the processing operations and the activities and size of the organization, the following resources should be provided to the DPO:

  • Active support of the DPO’s function by senior management (such as at board level).
  • Sufficient time for DPOs to fulfil their duties.
  • Adequate support.
  • Official communication of the designation of the DPO to all staff.
  • Necessary access to other services.
  • Continuous training.

Given the size and structure of the organization, it may be necessary to set up a DPO team (a DPO and his/her staff). Similarly, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client. [10]

Failure to appoint a DPO where required can lead to significant ramifications. Administrative fines can be as high as the equivalent of €10m (almost £9m at time of writing) or 2% of the organization’s turnover, whichever is higher. The appointment of a DPO is not only a legal requirement, it must also be seen as an efficient way to ensure Data Protection compliance, something that is especially true when it comes to sophisticated Data Processing activities and cross-border data flows.

Discovering Data – 8 Ways to Identify Personal Data


GDPR was a tsunami for businesses across the globe. And now that it has crashed upon the shore, the search to locate and secure personal data has become paramount. Since many businesses are not quite up to the task, here are eight strategies that can assist in the identification of personal data:


1) Looking for documentation. This might seem intuitive, and it is; the problem is that only the most basic systems can rely on documentation alone to find consumers’ personal data.

2) Manual Investigation. Again, smaller systems will be able to do this; however, the larger the system, the more labor-intensive this becomes.

3) Turning to Application or Technical Specialists. Since the application and underlying data model are no doubt more technical than a manual investigation would allow, seeking out a specialist is the right move.

4) Hiring External Consultants. Similar to technical specialists, you are outsourcing expertise. However, there can be a drawback: often, there is a cost associated with a consultant getting up to speed on your particular data landscape.

5) Metadata-Driven Software Approach. An intriguing approach is to use analytics to find the metadata associated with the personal data in order to locate it. This approach is often much quicker than others.

6) Intranet or Internal System Search. Performing basic searches using existing tools in applications that house customer/consumer data.

7) Best Guess and Hypothesis Testing. While it sounds like statistical testing, this approach is predicated on observations and insights, and is frequently inaccurate as a result.

8) Turning to Software Vendors. Using new GDPR and privacy compliance tools for data mapping and data inventorying.
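As an added illustration of the metadata-driven approach (5) and the internal system search (6), the script below, which is not from the original article, combines column-name hints with value-pattern checks over a small constructed set of tables; every table name, column name and row value is made up for the example.

```python
import re

# Constructed sample tables (made-up names and values): column names plus a few
# sampled rows each, standing in for what an internal system search returns.
SAMPLE_TABLES = {
    "crm.contacts": {
        "columns": ["contact_id", "full_name", "email_addr", "signup_ts"],
        "rows": [("1001", "Alice Example", "alice@example.com", "2018-05-25"),
                 ("1002", "Bob Sample", "bob@example.org", "2018-06-01")],
    },
    "billing.invoices": {
        "columns": ["invoice_no", "amount", "cust_phone"],
        "rows": [("INV-1", "19.99", "+44 20 7946 0018"),
                 ("INV-2", "5.00", "+44 161 496 0123")],
    },
    "ops.metrics": {"columns": ["metric", "value"],
                    "rows": [("cpu_pct", "42"), ("mem_pct", "71")]},
}

# Metadata heuristics: column-name fragments that commonly denote personal data.
NAME_HINTS = {
    "email": ("email", "e_mail", "mail"),
    "name": ("name", "surname", "forename"),
    "phone": ("phone", "mobile", "tel"),
}
# Value heuristics applied to the sampled rows; a date such as 2018-05-25 has
# only eight digits, so it does not trip the nine-digit phone check.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "phone": re.compile(r"^\+?(?:\d[\s\-()]*){9,}$"),
}

def classify_column(column, values):
    """Return the set of personal-data categories suggested for one column."""
    found = {cat for cat, hints in NAME_HINTS.items()
             if any(h in column.lower() for h in hints)}
    found |= {cat for cat, pat in VALUE_PATTERNS.items()
              if values and all(pat.match(v) for v in values)}
    return found

def discover_personal_data(tables):
    """Map 'table.column' -> sorted categories for every column that looks personal."""
    findings = {}
    for table, spec in tables.items():
        for idx, column in enumerate(spec["columns"]):
            sample = [row[idx] for row in spec["rows"]]
            categories = classify_column(column, sample)
            if categories:
                findings[f"{table}.{column}"] = sorted(categories)
    return findings
```

Name hints alone produce false positives (a column called `hostname` matches the `name` hint), which is why the value check is layered on top and why findings should feed a human-reviewed data inventory rather than replace one.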

Security Awareness Training – a Quick Win


One of the quick wins that an Information Governance (IG) program can bring to an organization is the implementation of a Security Awareness Training program. Information Governance programs are implemented to reduce risk and maximize information value. Security Awareness Training programs are an excellent way to reduce risk and they are easy to implement. Employees have many bad habits that can leave a company vulnerable to data breach scenarios.

In response to the ever-increasing cybersecurity threat faced by business, a new sub-segment of the Information Security market has emerged and matured in the last five years. The Security Awareness Training market grew 54% from 2015 to 2017. Projected revenues for 2018 top $400 million.

Cybersecurity threats are constantly evolving. One of the important things to understand when evaluating Security Awareness Training programs is the vendor’s cycle for new content development and deployment in the training platform. Some of the features to look for and evaluate when selecting a Security Awareness Training product are:

  • Interactive content in varied formats designed to keep learners engaged
  • Training designed to teach resistance to multiple forms of social engineering
  • Optimization for smart phone and tablet usage
  • Gamification and other methods to engage employees and increase participation
  • Pre-structured campaigns for different types/levels of employees
  • Role-based training with optional customization based on corporate environment

Implementing GDPR And The Need For Data Protection Officers


The European Union General Data Protection Regulation (GDPR) is being subsumed into British domestic legislation, and is now the basis for a new Data Protection Act, replacing the old 1998 Act, itself based on a 1995 EU Directive. For this reason, until the new Act receives Royal Assent, this piece continues to refer to the GDPR. The pending legislation is, overall, causing much generalised debate regarding its implications and where Data Protection practice in the UK is destined.

There has been substantial specific debate and concern about who should be appointed as the Data Protection Officer (DPO) under the GDPR within healthcare organizations. In this section we will attempt to inject some order into the confusion. Our analysis has concentrated on the GDPR itself, along with guidance from the Article 29 Working Group (WP29) and the UK Information Commissioner’s Office (ICO), and on significant discussion between the authors, both interpersonally and online, with Information Governance (IG) and Data Protection professionals.

The perspective here is mostly applicable to Acute trusts within the National Health Service (NHS), although its message is likely to be applicable more broadly across the UK healthcare sector.


Is a DPO Required?

GDPR Article 37 states that a DPO is needed in any case where:

  • The processing is carried out by a public authority or body, except for courts; or
  • The core activities of the Data Controller or the Data Processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • The core activities of the Data Controller or the Data Processor consist of processing large volumes of Special Categories of Data or information about criminal convictions and offences.[1]

Whereas it is common understanding that the NHS is a public body, the term “public authority or body” is, rather unhelpfully, not defined in the GDPR. For the sake of clarity, however, it is apparent by extrapolation from the definition in Schedule 1 of the Freedom of Information Act 2000 that the NHS is indeed included.

Who Should Be the DPO?

It is perfectly acceptable for public bodies to appoint a single DPO to be shared between authorities.[2] It may be beneficial that the DPO is shared between healthcare organizations working in close partnership with each other, or perhaps across several organizations within a localized partnership.

GDPR Article 38 is clear about the position of the DPO, in that the Data Controller and Data Processor shall:

  • Ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
  • Support the DPO in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain their expert knowledge.
  • Ensure that the DPO does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the Data Controller or the Data Processor for performing their tasks. The DPO shall report to the highest management level. [3]

DPO Tasks & Duties


The DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks. The Data Controller or Data Processor shall ensure that any such tasks and duties do not result in a conflict of interests.[4]

With regard to the last point, WP29 clarifies that:
As a rule of thumb, conflicting positions within the organization may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues. [5]

DPOs do not have to be lawyers, but need expert knowledge of Data Protection law and practices. From a practical perspective, they must also have an excellent understanding of the organization’s governance structure and be familiar with its IT infrastructure and technology.

The DPO role may be employed (“internal DPO”), or there may be circumstances where they may act under a service contract (“external DPO”). In both cases, they must be given the necessary resources to fulfill the relevant job functions and be granted a certain level of independence, to be able to act in the necessary “independent manner.”

The DPO does not have to be a standalone role, and may have other tasks within the organization, so long as they do not interfere with the DPO role. WP29 has made it clear that the DPO “cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data.”[6]

Many healthcare organizations already have staff in place who oversee most issues relating to Data Protection. These roles generally have titles such as Head of IG, IG Lead, IG Manager or Privacy Officer. It is anticipated that these roles will be the most appropriate to undertake the DPO role within healthcare organizations with mature IG models.


What are the Qualifications to be a DPO?

GDPR Article 37 does not absolutely define the credentials for a DPO beyond “expert knowledge of data protection law and practices.”[7] The GDPR’s Recitals add that this should be “determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”[8]

Realistically, this is a member of staff with detailed expert knowledge and experience of applying IG and Data Protection principles within a healthcare environment.

The WP29 guidance clarifies this further:
Although Article 37(5) does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.

DPO Qualifications & Experience

Knowledge of the business sector and of the organization of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller. In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization.[9]


PCI-DSS Compliance


PCI-DSS is a term used in circles where personal and customer data is stored as a part of the business process. The acronym PCI-DSS abbreviates quite a mouthful: Payment Card Industry Data Security Standard. Developed by the PCI Security Standards Council, it was intended to assist in decreasing fraud in the payments industry. While it is a global standard, it is by no means law here in the United States; each state has its own regulations in regards to cardholder data and associated fines for non-compliance. Compliance is validated through a:

  • Qualified security assessor (QSA)
  • Internal security assessor (ISA)
  • Self-assessment questionnaire (SAQ)

Compliance is of vital importance to any organization that stores cardholder data or personal data, as these items are susceptible to theft and fraud. With the regularity of data breaches and cyber-attacks, being compliant means protecting yourself from the loss of customer trust, revenue, reputation, and customers.

Achieving compliance is an involved process that should be undertaken by an individual in the organization who understands everything involved. At its core, this “standard requires merchants and member service providers (MSPs) involved with storing, processing, or transmitting cardholder data to”:

  • Build and maintain a secure IT network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Twelve more detailed requirements address what an organization needs to do in order to be compliant:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data. This includes all policies, procedures, and processes used in the storage of data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs. Since new malware is being used all the time for system attacks, protecting systems means regularly updating anti-virus programs to reflect new threats.
  6. Develop and maintain secure systems and applications. Software updates help to safeguard against the latest vulnerabilities.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes. Penetration testing is integral to security; it should be carried out at regular intervals and after changes to the network.
  12. Maintain a policy that addresses information security for employees and contractors. This policy should be reviewed and updated based on new risks to your organization.