Even the best intentions and clear strategy won’t give organisations peace of mind on GDPR compliance without the means to identify and repair system breaches.
For those of us whose business owes its existence to the digital age and the proliferation of shared data, I think there’s overwhelming acceptance of the need to update the previous regulation, the DPD (Data Protection Directive). This was introduced into European Union legislation in 1995, followed by the Data Protection Act 1998: not even a generation away in human terms, but, so far as digital technology and the onset of the internet era are concerned, we’re talking about aeons!
The two-year lead-in period we’ve had seems to me to be about right, but, as always when we’re given an end date that’s not even in the current year, never mind next week or next month, there’s a tendency to kick the preparation can down the street. What’s really needed, however, is a clear route to compliance, together with an opportunity to go beyond agreed procedures into methods and implementation.
Many businesses won’t need reminding that the best-laid plans can come apart at the seams when theory turns into practice. Systems failures and hardware shortcomings may be avoided by judicious testing and trialling but nothing accurately replicates full implementation, where volumes of work, staff absences and the need to accommodate additional unplanned tasks can all affect outcomes.
In the business of digital forensics, the UK is among the world’s very top performers, both in the development and in the application of the latest techniques. From security issues connected with individuals up to matters of state, the UK notched up some £4.3 billion of trade in 2016.
So when you’re investigating systems, training and equipment to help with compliance under the new GDPR legislation, by all means shop around, but there’s little need to ‘travel’ beyond these shores.
Just to review the main responsibilities GDPR will impose:
- Anyone whose information you hold must give their consent for their data to be retained.
- People also have more power to withdraw their consent – the ‘right to be forgotten’.
- You should appoint a Data Protection Officer to ensure compliance.
What’s more, businesses are being threatened by cyber-attacks and data theft more than ever before. This is especially true in areas of work that involve the need to gather sensitive data covering health, sexual orientation, race, gender and so on. Indeed, evidence gathered via the dark web suggests that personal information like this – such as a stolen care record – is now more valuable to cybercriminals than financial information like credit card details.
Clearly then this is not only about compliance, it is about the whole area of accountability and the public good. For someone like myself, whose business is based around the science of digital forensics and its applications, the magic word is ‘evidence’.
Using an inexpensive and application-friendly forensic intelligence solution enables frontline staff to probe for breaches in the resilience of your data security. Crucially, it will help them identify the source or sources of such a data leak, will enable them to verify that data has been properly cleansed (‘forgotten’) and can be used to produce evidence-quality material should negligent or illegal activity be identified.
In the former type of event, involving negligence, the cause might be something as simple as a user connecting a mobile phone to a computer to charge it. This is a proven route for malware to enter the system and perhaps perform a back-up of all the data and images. Accidental transfer of information into the system means potential damage to all files, and this is a threat to the resilience of your GDPR protocols. Put simply, if you can’t be sure that you know what data is going where, you have little hope of guaranteeing compliance.
Adding digital forensics tools into your incident response ‘grab bag’ offers you a means of auditing such activities with instant results. Speed is of the essence, as any organisation is obliged to notify a breach to its supervisory authority – in the case of the UK, the ICO (Information Commissioner’s Office) – within 72 hours of discovery. Organisations which intentionally or negligently fail to observe the law may be liable to a fine of up to €20 million or 4% of turnover, whichever is the greater.
Faced with such sanctions, it makes good sense to exercise the maximum control over the personal data you hold, and this control can only be delivered by effective monitoring, audit and reporting – in other words, by knowledge.
Some systems are readily available as a complete kit, a bootable USB stick or a Mac expansion card, which means their deployment can be highly flexible. In the case of a loss of data, it is imperative that the source is found and that you can identify whether personal data has been stolen or lost. A sensible option is to agree a proper response plan that includes appropriate tools. Not only will this help you deal with incidents in a responsible, effective manner, it will create a more confident operating environment. With the right digital forensics tools and only minimal training, non-specialist staff can find out rapidly what has happened and who is responsible. Such evidence-gathering capability is a powerful weapon against wilful breaches and provides the intelligence to help you prevent recurrence. As the Information Commissioner rightly observed, we need “innovative and technically agile ways of protecting privacy” to drive the government’s strategy forward. Digital forensics offers organisations exactly that option.
Andrew Sheldon, CTO Evidence Talks