This webinar today, just to quickly cover that, we’ll be recording this and at the end of this session, we’ll be sending that out. So, if you lose audio or anything like that, we will offer another way that you’d be able to get that. So, let’s just talk about who we are, CIPHR. We are a UK-based HR software company that creates, delivers and implements cost-effective HR systems that help to attract, retain and engage their workforce more effectively.
This webinar today, we will be covering the General Data Protection Regulation and talking about how it affects you and your business, what CIPHR has done internally to ready itself for GDPR and also just looking at what CIPHR has been working on with its products and services that it’s going to be offering to its current and future customers.
So, just a bit before that about CIPHR and the customers that we have here. So, we have a number of government bodies such as the Ministry of Justice and also the Equality and Human Rights Commission. We have a number of charities such as Crisis and Age UK and a few other big names like Volkswagen UK, NHS 24 and a load of other ones that you can see on the screen there.
So, back to the matter at hand, what is the GDPR? So, it’s a common data protection law for all of the countries in Europe. It’s been designed to help tackle data protection challenges of the 21st century and give individuals greater power over their personal details. So, I’m just going to very briefly cover some data protection history.
So, in 1995, the EU produced the Data Protection Directive, so nothing to do with the GDPR that’s happening next year. This is something that happened back then and then shortly afterwards the Data Protection Act was brought out by the UK. So, the directive was brought out. And the difference between a directive and a regulation is that a directive is a law that requires a particular result, but it doesn’t dictate to each member state how they have to achieve it as long as they get there, and they draft their own laws and can achieve that goal. A regulation is a complete written law that must be complied with exactly. So, it’s already been written by the EU and then just handed to each country to be passed into their law.
And the supervisory authority for the UK is the Information Commissioner’s Office, the ICO, and they’re the ones responsible for ensuring compliance with the GDPR and they’ll also be the ones handing out the fines for non-compliance. So, something that’s raised quite a lot is the question about Brexit, is that going to affect it? Does it mean, actually, we only need to worry about this for a little while? And that’s not the case because we’re all still intending to do business with Europe or people in Europe and the UK will stay aligned with this and has brought this regulation in.
So, when is this actually happening? So, it actually was adopted by the UK on the 25th of May 2016 but we’re currently in a grace period and that grace period ends two years after that, so the 25th of May next year and that’s when compliance and the fines will come in. So, I’m just going to cover some bits about data protection in general, just some of the terminology just in case you’re not sure, apologies for people who are well up to speed on this. So, data subject. The data subject is an individual to whom the personal data relates. And the GDPR is all about giving power to those individuals about the data that is about them, which I think is quite right.
I’m going to talk about some of those rights that the GDPR gives those individuals. This isn’t an exhaustive list, but these are some of the main ones that are to do with the industries that we’re involved with. So, the right to be informed, this is all about clear messaging about what data is being collected. So an example would be if you have a website and you’re collecting data from individuals there, they go onto a website and type in their details and then you’re storing it, it’s giving very explicit reasons about how and why that data is being processed, advising how long you intend to keep the data for and also advising how they can withdraw consent, because they may consent to you having it today but in 6 months, 12 months, making a very easy way for them to withdraw their consent so that you no longer have the data, which brings me right along to the right to be forgotten.
So, this is about the subject telling the data controller, the person who holds data to delete their data and that’s a right they will now have and they have to comply with that as long as there’s no legitimate interest for the continuing processing that overrides the data subject’s rights. So, if you have a legitimate interest which is higher than that person’s rights over their data, then you can keep doing it, otherwise, it has to go.
The right to erasure currently exists under the Data Protection Act, but it’s limited to processing that causes unwarranted or substantial damage or distress. So that narrow criterion reveals that then there’s a legitimate argument for it to be deleted. The right to access. So, the right to access exists at the moment under the Data Protection Act but there is the ability to charge a £10 admin fee.
I think this is actually going to be a huge change because the fee is going to disappear under the GDPR in most cases. There are still some cases where it can still be charged. But the biggest difference there is it’s now the cost of an email to find out what data people have about you as an individual whereas £10, although it’s not much money, it’s enough to put off a lot of requests that would come through.
There’s a change in how long you have to comply as a data controller now as well. You now have one month; previously, or currently under the Data Protection Act, it’s 40 days. And a right to data portability. So back to that example about the website where someone has entered their own details into the website and you’re storing that data, that individual has a right to take that data with them to another service or somewhere else or just for their own personal uses.
But you need to provide it in an appropriate format. So, an open format I think is how it’s specifically referred to, and that’s things along the lines of CSV files. So, things that can easily be opened and viewed or manipulated by other systems. So, data controllers and data processors. Just to briefly cover that. A controller says how and why the personal data is being processed, the processor simply carries out that processing on behalf of the controller exactly to the letter that they’re given.
So, under the DPA, Data Protection Act, it’s the controller currently who takes on the fines and the liability but after May next year, the fines will be shared with the processor as well. And that kind of gets to the heart of GDPR which is just about, it doesn’t matter who holds the data, whether you’re a processor or a controller, you are responsible for that data and you should be putting things in place to prevent any malicious access or any accidental access, actually.
So, that’s all about putting in technical controls in place to make sure that the data you’re looking after has an appropriate level of security and it’s applied to the data regardless of who is storing it. One of the more straightforward ways of doing this is to apply a security standard like ISO 27001. One of the other things that you need to do is maintain written records.
So, a large bulk of the work that needs to be done as part of preparing for GDPR is just about auditing what data you have because you can’t take any action on what you should do if you don’t know what you’ve got today. And it’s all about saying, right, so what data do we have? How did it get there? Where does it go to? How long do you keep it? When do you delete it? Once it’s moving about or being stored how is it protected and who has access to it? And you need to have documented answers to all of those questions for all of the data that’s there, all of the personal data.
So, data protection officers, so that’s a thing that’s now mandatory in certain circumstances. So, if you are a public authority, then you need to have one. If you carry out large scale systematic monitoring of individuals, then you need to have one and also if you carry out lots of processing of special categories of data. So special categories of data are health, ethnic origin, political opinions, religious beliefs, trade union memberships, that type of thing.
Data protection impact assessments, DPIAs. So this is you’ve documented all the data, you know where it’s going to, where it’s coming from and it’s just doing a risk analysis of how it’s moving about, of what the data is and working out are the risks appropriately low for that data, appropriate for you and for the data itself and then working out does more need to be done to secure its processing.
So, as you go through this process as a business, you will find things that need to happen, need to be actioned and you need to have documented evidence that you’ve done this risk analysis. And so if you’ve done nothing, that you’ve said, right, I believe the technical controls are appropriate as it stands. Another very important one is that breaches must now be reported in 72 hours to the Information Commissioner’s Office, to the ICO.
The reason this is a very big change is because at the moment there’s no legal obligation to report breaches under GDPR. Once they’re reported to the ICO, the ICO may decide to investigate further and then decide whether they need to issue fines based on what they find from that investigation. And that brings me right along to the fine. So, if you’ve only just heard of GDPR, the thing you’ve definitely heard is the maximum fines are now 4% of the annual turnover of your organisation or €20 million, whichever is greater.
At the moment, fines are limited to £500,000 by the ICO, they don’t do it a lot. When I say they don’t do it a lot, they don’t do the larger fines a lot. But in 2016, they imposed a fine of £400,000 on a telecoms company for not implementing appropriate technical security, so it was vulnerable if you like. Under the GDPR, so if that happened at the end of next year, scaling that up to the same threshold it could have been £59 million, so that’s enough to make anyone in the business stand up and take notice.
So, what has CIPHR done? So, what have we been doing internally as a business? One of the most important things and that I’m a huge advocate of is just communicating out to all employees of the business and making sure they have a good awareness of GDPR and they know what’s going on. So if anyone speaks to them, like a partner, other employees, prospects, whoever, they have an awareness of what’s going on and the things that need to happen and also the things that CIPHR is doing.
Implementing encryption of customer databases. So, this isn’t something that we did for GDPR, it’s something that we’d already started doing prior to having any of these discussions, but it’s just a very good example of what a company can do to offer control over the data that’s there. So even if a company has data turn up where it shouldn’t, if it’s encrypted then that person who has it can’t read it, so it’s still safe.
We have conducted audits to confirm the data that we have today. So that process that I was talking about, about looking at your business and all the data you have, how it’s getting there, where it’s going to, we run through that process and we have a clear picture that we’re still working on as things are still changing in parts of legislation but we need to keep up to date on it. We have a clear picture of what’s going on today with our business and where the data is coming from, how it gets there, that we’re putting in appropriate notification and controls to all of those parts of that journey of data of where it goes to.
So, I’ve talked about ISO 27001 briefly, there’s more information you can find online but it’s a global standard. We’ve implemented that in our business, again, not as part of GDPR. It’s something that we felt there was huge value in doing. We did that back in 2013 and there is a lot of value in doing it. If only for the peace of mind that you know you’ve gone through every part of your business and you understand how it’s working and the technical controls that you put in place.
Another very important thing, which I believe a lot of people don’t have at the moment is we’ve implemented protective monitoring. So that’s a piece of software that looks at everything that’s happening within your environment and all of the information that’s moving about and knows what normal activity is and also can identify abnormal activity. So if there’s any suspicious activity happening at any point in the day an alert will be sent out to the maintenance admins so that someone reacts appropriately, even if there’s nothing that needs to be done there’s a log that something happened and we can investigate that and understand what’s going on and just have a clear picture of what’s happening.
We’ve also actively renewed policies and procedures just to measure their compliance against GDPR. So, it’s all very well just making people aware of what’s going on but you need to have something to back that up so that you can refer to it and say, “Look, here is clear guidance on what you should be doing.” If there are any grey areas that they’re not sure about, it’s just something that everyone complies with and then you can do further audits to measure compliance against those things that you’ve changed.
I will talk a bit more about pen testing in a second just to explain it a bit further. But we have used multiple CREST accredited pen testing companies. They are people who are ethical hackers and spend all of their time trying to find vulnerabilities in websites or services. And we’ve used multiple ones and we use them on a regular basis, have very good relationships with them to test the services that we have and the infrastructure that we have to make sure that it’s as safe as it can be.
We’re also a huge advocate of training to make sure people are up to speed on any of the things that are currently happening within our sphere. And we have multiple GDPR practitioners who are within the organisation. So, when we’re doing all of this rollout, we have people who have the knowledge to back up what we’re doing and just in different areas of the business that they have a very good awareness of what’s going on and what needs to happen. So, we just have that complete picture on people there just speaking up for the GDPR effectively.
So, onto the important stuff of how we can help you. Our business, we create a lot of tools that assist people with actually complying with whichever legislation or whichever thing that they’re trying to do. So, one of the things that we’re doing for GDPR is setting up a data retention view. So, we talked about the records that you will have and how long you are going to keep them for.
I should say, there’s no clear amount of time that you need to keep a record for, it depends on what the data is, the reason that you’re processing it, the reason you’ve got to, and then how long you decide that you need to keep it for. But we have a very easy method that you will be able to define your retention period. It might be five years, [inaudible 00:14:59] as an example. And then just being able to see all of the records that are approaching that five-year period and need to be dealt with.
And then on top of that, we then have the easy ability to deal with those records that need something done, too. So, the software we have at the moment obviously allows you to delete data but be able to do it in a more efficient way. So should you get a lot of requests to remove data that you need to comply with or just have a lot of records that have reached that retention period and you want to get rid of them, there’ll be a very simple way to do that, just taking the pain out of that.
Also right to access. So, we have a vast array of exports and reports that can be done today and we’re just going to be offering more focused ones on GDPR related matters. So, we already comply with all the legislation for the Data Protection Act and we have exports that can fill that but we’ll be enhancing that so that we can offer things that allow you to comply with the GDPR.
So, here are some screenshots of the things that we’re working on. So, something that, actually, quite a few people are surprised when I mentioned it, in terms of the emergency contact details that you have within your system or your services, these are typically entered by employees and sometimes they won’t be vetted by anyone in HR. It might be something that they can put in themselves, which is perfectly fine, but there needs to be consent for these details to go in there.
So, we have the ability to record consent but more importantly, to be able to define a period that you want to reconfirm consent or just to manually be able to send out an email to all of the records that are in the system that are in there as contact details just to confirm with them via the email address that they’re still fine for that to be in there.
There’s going to be much clearer guidance on this as we get close to the time and we finalise things and start engaging with customers more, but it’s a very important thing that we’re working on at the moment. The other thing is the thing I just mentioned a moment ago about the data retention view. So don’t look too closely at the actual words they use on here. They’re likely to change as more guidance comes out from the ICO. But effectively, if you look at the top left-hand side, we have a number of records there. We can see the detail of records that are approaching the end of that retention period and require something to happen with them.
And then just below that, so bottom left, you have a visual representation of the record. So, if we look on the left-hand side, we have Birmingham there, that’s an office that’s based in Birmingham and then we have the different departments within that office. So, the size of the square that’s on there represents how many records are in that period that need action. So, you can see from a very clear instant view, “Right, okay, we need to do something about distribution in Birmingham.” And then you have the other more granular views that allow you to do something about those.
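The retention sweep described above (a defined retention period, the records approaching or past it, and the per-office, per-department counts behind the visual view) as an added worked example; this is illustrative code written for this page, not CIPHR’s product code, and the record layout, the five-year period, the 90-day warning window and the sample records are all constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample records, not real data. "retained_from" is the date the
# retention clock for that record started (assumed field name).
SAMPLE_RECORDS = [
    {"id": 1, "office": "Birmingham", "department": "Distribution", "retained_from": date(2013, 3, 1)},
    {"id": 2, "office": "Birmingham", "department": "Distribution", "retained_from": date(2013, 7, 1)},
    {"id": 3, "office": "Birmingham", "department": "Finance",      "retained_from": date(2013, 8, 30)},
    {"id": 4, "office": "London",     "department": "Sales",        "retained_from": date(2012, 2, 29)},
    {"id": 5, "office": "London",     "department": "Sales",        "retained_from": date(2013, 6, 1)},
]


def add_years(d, years):
    """Add whole years to a date; a 29 Feb start lands on 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_status(record, today, retention_years=5, warn_days=90):
    """Classify one record: 'expired' (past its retention end), 'approaching'
    (within warn_days of it) or 'ok'. Period and window are assumed defaults."""
    end = add_years(record["retained_from"], retention_years)
    if today >= end:
        return "expired"
    if today >= end - timedelta(days=warn_days):
        return "approaching"
    return "ok"


def records_needing_action(records, today, retention_years=5, warn_days=90):
    """Return (record, status) pairs for every record that needs attention,
    preserving input order so the list can drive a work queue."""
    due = []
    for record in records:
        status = retention_status(record, today, retention_years, warn_days)
        if status != "ok":
            due.append((record, status))
    return due


def action_counts(records, today, retention_years=5, warn_days=90):
    """Counts per (office, department): the numbers a treemap-style view would size
    its squares by, so the busiest area (e.g. Birmingham/Distribution) stands out."""
    due = records_needing_action(records, today, retention_years, warn_days)
    return Counter((r["office"], r["department"]) for r, _ in due)


if __name__ == "__main__":
    # Constructed reference date: the day the GDPR grace period ends.
    today = date(2018, 5, 25)
    for record, status in records_needing_action(SAMPLE_RECORDS, today):
        print(record["id"], record["office"], record["department"], status)
    for (office, dept), n in action_counts(SAMPLE_RECORDS, today).most_common():
        print(f"{office}/{dept}: {n} record(s) need action")
```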
So, how else can we help you? So, when you use our service, you would be storing your data with us, we would be your data processor. And there’s a lot of things that we do with our services that you can then document when you’re doing your documentation of all the things that you’re doing within the business. These are the controls that are applied to that data that you’re storing with us.
So, an extremely good example of that is internal penetration testing. So, we have certified ethical hackers within the business. We have people who are very strong on risk analysis and they will be looking on pretty much a minimum of a weekly basis on all of the services we offer out to our customers, and we’ll be running tests and viewing the results of those tests and then acting appropriately.
But on top of that, because everyone is spinning a lot of plates just to make sure the right focus is there, we then double up on that by having an external penetration testing company that’s CREST-accredited. So, the CREST accreditation part, I can’t remember if I’ve mentioned this, but it just certifies that they are a very, very high standard of being able to hack into things, for want of a better word.
And they run through that on a regular basis where they will attempt to access some of the services that we have there and they will give us remediation plans and be able to go through all the things that we should be doing to stay up to date with all the current security controls that are available in the market.
As previously mentioned, so we’re already encrypting databases. So, any database that has got to stay within the environment is already encrypted but everything’s kept within there so it can only be read within the environment. So, it’s just about having multiple layers of security and being sure that it’s not just one lock to get through everything, there are several stages, almost like an onion, I guess.
So, the 24/7 protective monitoring, so that is software that’s in there alerting about the things that are going on in the system. So, anything that requires action that’s there all of the time, so weekends, during the evenings, things will be coming through and that’s to protect your data that’s in there. But obviously to go along with that, we carry out extensive training and awareness in those individuals who are reacting to those alerts and things that are happening just in the security world so keeping up to date on everything that’s happening, just any vulnerabilities that come out from Microsoft or whoever, we’re already up to speed with them and know what we should be doing.
So, to go along with that protective monitoring, we also have the response team around that, so the people there to react. We have people permanently on call eagerly waiting for anything that might come in and just who have the technical awareness and ability to actually respond to those. So again, it’s just about layers, about covering up your data with as many protective layers as we can. So, I hope that’s been useful. We welcome any questions to be directed to firstname.lastname@example.org. I’m sure there’ll be lots and we will do our best to answer them.
I think I mentioned at the start, this is recorded and it will be sent out as an option that everyone can download. Should the audio cut out or any part of it go missing, you can catch up on any bits that may not come across quite correctly. But I hope that’s been useful. Okay. Thank you very much.