As of 1 January this year, UK law concerned with the security of personal data (and with what happens when things go wrong) is contained in the UK General Data Protection Regulation ('UK GDPR') and the Data Protection Act 2018. The law is concerned with personal data: any information that relates to an identified or identifiable living individual.
If a Data Controller (someone who determines what is done with personal data and how it is handled) or a Data Processor (someone who processes personal data on behalf of a Controller) fails to comply with the law (and there are many compliance obligations), the Information Commissioner's Office ('ICO') may take enforcement action against them. In the most serious cases this can result in a fine.
Affected individuals (known as 'data subjects') can also seek compensation for any harm they suffer. There will also likely be reputational damage if a failure to comply with the law becomes public knowledge, as well as lost organisational time spent dealing with the issue and putting matters right.
However, information is a wider term than personal data alone. It includes personal data but also things such as intellectual property, corporate financial information, business plans and research.
Information security seeks to ensure that all information that actually needs securing, whether in electronic or hard copy form, is protected.
Data protection, on the other hand, is about handling personal data in accordance with the data protection laws, i.e. how to lawfully process personal data, how to obtain valid consent, the data protection rights of individuals, when contracts are needed, when to undertake a Data Protection Impact Assessment, how to transfer personal data overseas, and so on.
The disciplines overlap because the UK GDPR places an obligation on every Data Controller (which covers anyone who employs staff or has individuals as customers, including schools, membership organisations and so on) to process personal data in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (the 'integrity and confidentiality' principle in Article 5(1)(f), given effect by Article 32). A Data Controller must provide that protection using appropriate technical or organisational measures.
The UK GDPR does not tell a Data Controller which technical (or organisational) measures are appropriate. This is because security is not a 'one size fits all' exercise. Every organisation that processes personal data is different, and it is for the organisation to assess its risk and decide what is appropriate.
Deciding what is appropriate requires an assessment of which types of personal data the organisation processes and how sensitive they are, both to the individuals concerned and to the organisation. Regard should be had to how the personal data is processed and what could 'go wrong'. Existing vulnerabilities and threats to the personal data should be identified, together with the likelihood of each threat materialising and, if it did, the impact upon the individuals concerned. The cost of implementation also plays a part: the UK GDPR expressly allows the state of the art and the cost of a measure to be weighed against the risk.
Weighing all of the above up, the organisation can then determine what is appropriate to protect the personal data (and to restore availability of, and access to, it in the event of an incident).
For technical measures, a cyber security specialist can assist. Organisational measures include staff training, policies, procedures and guidance as to what to do and what not to do.
A failure to have appropriate information security affects data protection because the law is concerned with the privacy of individuals. If personal data is accessed or disclosed without authorisation, or is lost or damaged in some way, this affects privacy and may cause harm to the individuals concerned.
The following specific UK GDPR obligations also have a bearing on information (personal data) security:
1) the data protection principles in Article 5: collecting only the personal data that is needed (and therefore securing less), collecting accurate data, not keeping it for longer than needed and, of course, maintaining its Confidentiality, Integrity and Availability;
2) data protection by design and by default (Article 25), i.e. considering security and how it ensures privacy at the design stage, before any processing gets under way;
3) undertaking a Data Protection Impact Assessment in certain circumstances (Article 35); a DPIA can be used to identify risks to personal data and to select appropriate control measures;
4) documented arrangements where two or more controllers jointly determine the purposes and means of processing (Article 26), which focus the parties' minds on their respective obligations, including security;
5) security due diligence on data processors, a written contract with each of them and the right to audit or inspect them (Article 28);
6) when things go wrong: assessing the risk of harm to individuals, notifying the ICO where required (and, where the breach is notifiable, doing so without undue delay and within 72 hours of becoming aware of it), communicating with affected individuals where the risk to them is high, and dealing with any investigation by the ICO (Articles 33 and 34).