This article was first published on Lexis®PSL Public Law on 27 January 2016.
What are the new security rules?
One of the significant changes introduced by the GDPR is an emphasis on two fundamental concepts of data security—‘privacy by design’ and ‘privacy by default’. These in essence mean that security must be at the centre of planning for data storage, not something that is bolted on afterwards, and not merely a shell wrapped around the outside of the data repository. By way of example, it is unlikely under the new regime that utilisation of a firewall, however sophisticated, will in itself amount to the taking of appropriate technological and organisational measures to safeguard the data. The GDPR encourages organisations to adopt a variety of techniques in relation to the data itself, such as encryption of the data at rest, anonymisation of the data whenever it is not necessary for personal information to be retained with it, and pseudonymisation (ie associating the data with a unique identifier, rather than with a real world name, e-mail address or National Insurance Number) wherever practical.
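The contrast drawn above between anonymisation (removing the personal information) and pseudonymisation (keeping a unique identifier in place of the name, e-mail address or National Insurance Number) is shown below as an added Python example; it is not part of the article. The record is a constructed placeholder, and the pseudonymisation key is assumed to be held by a separate key service rather than stored with the data, since a keyed pseudonym only protects the data repository on its own if the key is kept elsewhere.

```python
import hashlib
import hmac
import secrets

# Fields the article lists as real-world identifiers; removed or replaced below.
DIRECT_IDENTIFIERS = ("name", "email", "ni_number")

# Constructed sample record (placeholder values, not real personal data).
SAMPLE_RECORD = {
    "name": "A. Example",
    "email": "a.example@example.org",
    "ni_number": "qq 12 34 56 c",
    "postcode": "SW1A 1AA",
    "case_notes": "eligibility assessment complete",
}


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for a real-world identifier.

    Deterministic for whoever holds the key (so records about the same person
    still link), but without the key an attacker holding only the repository
    cannot confirm a guessed NI number by hashing it, as they could with an
    unkeyed hash. Normalising case and spacing keeps the mapping stable.
    """
    normalised = "".join(identifier.split()).upper().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the direct identifiers with one opaque subject id."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym(record["ni_number"], key)
    return out


def anonymise(record: dict) -> dict:
    """Drop direct identifiers entirely and coarsen the postcode to its area,
    for copies where the personal information need not be retained."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["postcode_area"] = out.pop("postcode").split()[0]
    return out


if __name__ == "__main__":
    # Hypothetical: the key lives with a separate key service, never beside the data.
    key = secrets.token_bytes(32)
    print(pseudonymise(SAMPLE_RECORD, key))
    print(anonymise(SAMPLE_RECORD))
```

The pseudonymised copy can still be joined back to the person by whoever holds the key, which is why it remains personal data; the anonymised copy cannot.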
What are the new rules on breach notification?
The key change here is that for the first time it will become mandatory for a data processor to notify a data subject whenever there has been a ‘high risk’ data breach. Although the definition of high risk will undoubtedly evolve, it seems clear that more or less any breach which represents a possibility of ID theft or misappropriation of funds will be included. In addition, where the breach puts individuals at risk, the principal data authority (ie the Information Commissioner’s Office (ICO) in this country) must be notified. For public sector bodies, that may be most likely to be engaged in relation to their work with vulnerable service users, ie those who are children or who have mental health issues, but there may be any number of other circumstances where this obligation could arise.
How does this differ from the current regime?
While the ICO has always encouraged significant breaches to be notified to data subjects as part of the process of remediation following a breach, the rules in this regard will become significantly more stringent. The timelines and the positive obligation to notify referred to above are both departures from the existing position and will have practical implications for how organisations respond to breaches in the early days following discovery. It will also undoubtedly start to have a bearing on the cyber insurance market, as there will be better information not only about the scale of such breaches across the market generally, but also about a specific organisation’s own history of breaches.
What impact will these new rules have on public sector organisations?
As can be seen, these changes are going to have a very dramatic effect on all organisations, and this will be equally true of the public as the private sector. Indeed, public sector bodies, which can potentially be the repositories of very substantial amounts of highly sensitive data about vulnerable data subjects, are likely to be particularly affected by the new breach reporting requirements, since more or less any breach in this area would tend to give rise to notification obligations. In addition, like every other organisation of any scale, public sector bodies will need to reconsider their arrangements for data storage and security from the ground up, with the concepts of privacy by design and by default at the core of the measures they put in place. This applies to the data held on their own personnel, just as much as it does to the data held on service users and stakeholders. Combine these considerations with the significantly enhanced levels of potential fines which may be levied for significant breaches and it can be seen that the impact is going to be dramatic.
What steps should public sector organisations take now?
There is a two-year window from the formal adoption of the GDPR before it comes into direct effect. Public sector organisations should be using those two years to review their existing systems, and to put in place the range of measures referred to above which will enable them to discharge the new duties which will fall on them under the regulation when it comes into effect. In particular they may need to examine measures to ensure the anonymisation/pseudonymisation of the data they hold in a way that still enables them to discharge their statutory duties to service users quickly and effectively, and to update their systems to enable data to be held at rest in an encrypted form while still allowing it to be processed by their systems. These are going to be substantial challenges for some organisations and, in that context, two years does not afford a great deal of time to put all such arrangements in place.