Explore the insights into data protection and how you can protect your business from data breaches

Tales From the CyberLab: Episode 2

Data Protection Explained

As cyber threats rise globally, data protection compliance is more crucial than ever. However, most data breaches reported to the ICO stem from non-cyber incidents, often due to human error.

In episode 2 of “Tales from the CyberLab: Data Protection Explained,” join Adam Gleeson of CyberLab and Emma Loveday-Hill of Prettys Solicitors, as they discuss:

  • What qualifies as personal data
  • The 72-hour breach reporting rule
  • Human error as the leading cause of breaches
  • How to protect your reputation after a breach

Meet Our Guest

Emma Loveday Hill

Head of Data Protection & Privacy, Prettys Solicitors

Emma serves as the Head of Data Protection & Privacy at Prettys Solicitors, where she leads on all matters related to data protection and privacy. Her expertise encompasses legislative compliance, policy development, data subject rights, data breaches, and more. Emma is a trusted advisor to both public and private sector clients across diverse industries.

With a robust background in employment law, Emma also offers strategic counsel on a wide range of employment and human resources issues. Her areas of expertise include organizational restructures, performance management, disciplinary actions, and grievance procedures.

Episode Transcript

Adam: Hello and welcome to the next episode of Tales from the Cyber Lab. In this episode, we’re going to be talking about data protection and compliance. In the last episode, we were talking about, from an insurance perspective, what the first things are that we should be doing when we have a data incident or a cyber incident.

One of the messages that came across very clear from Eric in the last episode, was that contacting your legal representation is the first thing you should be doing before you start doing anything else, so that they can guide you on what needs to be done and what doesn’t need to be done. To that end, with us today, I’ve got Emma Loveday Hill from Prettys Solicitors.

Emma, welcome to the podcast! Would you like to just introduce yourself and tell the good people a little bit about what you do?

Emma: Adam, thanks for having me today. So, I’m Emma and I’m partner and head of the Data Protection and Privacy Team at Prettys Solicitors.

Adam: Excellent, thank you very much. The format of these podcasts is that first, we’ll talk about the what, then the why, and then how we actually go about doing data protection compliance in the right way.

So, let’s start off with what data protection compliance actually means. It’s about ensuring that personal data that must be protected is being adequately protected. Can you elaborate a little bit more about that? What’s the first step in doing that?

Emma: So, that’s a really good question, because I think the first thing that we’ve got to think about is what actually are we talking about when we say personal data, because it’s easy to think that we’re talking about all data, but what we’re actually worried about from a UK GDPR perspective and a Data Protection Act perspective, is what’s defined as ‘personal data’. Personal data is data that means that we can identify a living individual. And so, it’s data that relates to them. We’re not talking about commercial data, financial data, trade secrets or anything that might be commercially sensitive, in this context, what we’re talking about is personal data.

Adam: So, it’s about individuals and about humans, not about anything else.

Emma: Yes, exactly that. So, we’re talking about the data and the information that relates to a person, and that data or information has to be able to identify that person as well. So, if it’s anonymous data, then even though it might have related to a person once upon a time, it’s different, it’s not got to be protected in the same way.

Adam: That was a really good definition of it, but it’s often left me scratching my head thinking, what? What does that actually mean? Can you give examples of the sorts of data that would allow someone to be identified? So, I guess a name is an obvious example.

Emma: Yeah, that’s right. So, you’ve got name, address, job title. That’s another common one, because obviously if you’ve got a job title and you know it’s the CEO of CyberLab, then that person can be identified.

Adam: Yeah, you could tie it in with LinkedIn, for example.

Emma: Exactly. But it’s also data that’s kind of less obvious. So, even an IP address, that can be personal data because it can identify a person from that data. See it in terms of names, that kind of obvious data, but of course, you’ve still got to look more widely at what it could be.

Adam: So, a big part of this is understanding: one, how you identify that data, and then, I guess, really appreciating why it needs to be protected, which ties into fraud and all these other things. I don’t think we’ve got time here to list all the possible scenarios that that data could be misused, but hopefully the audience has got enough awareness to understand that there’s a reason for this stuff to be protected.

And that is the reason in essence, we’re talking about data and that the advice is always that in any cyber incident, you should be talking to your legal firms first, just to understand and double check whether or not something has been breached from a data perspective.

But a lot of cyber incidents could be down to anything. I mean, we’ve got the CrowdStrike one, that’s a cyber incident and it was actually involving no third parties whatsoever. It was unfortunately just a mismanagement of how software was being tested and deployed. So, let’s talk around what is a data breach. At what point does a data breach become an actual breach so that something has to be done about it?

Emma: So, I’ve already mentioned the UK GDPR and the Data Protection Act 2018. Those are the two main pieces of legislation that we’re always thinking about when we’re working with data protection and privacy. So, the UK GDPR, just to be clear, is essentially the same as the EU GDPR that was introduced in 2018, it’s just changed to UK GDPR following Brexit. Under GDPR, the definition is that there has to be a breach of security relating to personal data, essentially leading to a loss of inaccessibility or something that happens to data that shouldn’t. It’s about a security incident that relates to personal data.

In terms of what that can look like, it doesn’t always have to be obvious, such as a cyber-attack. It’s not always just about losing the data. People often refer to old examples, like leaving a USB stick on a bus. But now, it can be even more straightforward than that.

It can even be emailing the wrong person. That could be a data breach. It will depend on the context of things.

Adam: Which we’ve all done that. I’ve certainly done it! It’s embarrassing and you cringe as soon as you realize what you’ve done, but it does happen, unfortunately.

So, we’ve talked around what a data breach is and what that means. Now, what are the obligations on us as the organization that thinks that we’ve suffered some kind of data breach? Who needs to be notified and how quickly must that be done?

Emma: So, in the UK, the regulator is the Information Commissioner’s Office, who we call the ICO. Now, the ICO are who would need to be notified when there has been a reportable data breach. Whether a breach is going to be reportable will depend on whether there is a risk to the people’s rights and freedoms. So, whether there is a risk to those data subjects whose data is involved in that breach or not. So, that’s when the ICO needs to be notified. In addition to that, the individual data subjects involved may also need to be informed about the data breach and given certain information to help them mitigate the risks to their data and be made aware that what’s happened is a high risk to them.

So that’s a slightly higher threshold than reporting to the ICO. Essentially, if a client came to me, what we would do is we’d say, “has there been a personal data breach?”. If the answer to that is yes, then we would help them then assess whether the Information Commissioner needs to be notified, and then if they do, then we’d help them fill in those forms and report the breach. At the same time, we’d be assessing whether the individual data subjects also need to be told or not, because if there’s a high risk to them and to their rights, that’s when they would need to be notified.

So, we would look at that at the same time. And we would also be working out if they do need to be notified and informed what that is going to look like. So, we’d work through every step of the process. There might also be other organizations that need to be notified, for example, the police, if there’s been any criminal activity involved, or there might be other regulatory requirements, and actually, depending on the type of organization, then there can be other requirements under the legislation, under the privacy and electronic communication regulations, for example. So, there are other obligations that we must look at.

So, we start looking at the whole picture with the client from, hopefully, the very earliest stage and work them through to that end-stage. And then, if it is reportable, then we would help with that.

Adam: Interesting for me, as someone that’s got no sort of legal background whatsoever. I’ve moved away from being a technical specialist now to a certain extent, but I still consider myself a techie. And this is potentially a real minefield.

There’s lots of different regulatory bodies that could be involved. There’s the Financial Conduct Authority; I would imagine that they’re going to have stipulations and things like that. So, the fact that you guys have got this specialist knowledge, that we can leverage that and lean on you guys to guide us.

I think that’s invaluable really. And I said this in the last podcast, that my go to is not to contact legal when we’ve got a problem. I will start trying to work out the problem and start trying to get things under control. And this just reiterates to me that the need to make sure that you’re doing it properly, you’re contacting legal and you’re then getting your ducks lined up to make sure that you’re telling everyone that needs to be notified and limit the damage that potentially could be done to your organization is crucial.

Emma: The other thing, just to add into what you were just saying, is the time limits. They are so short in terms of making sure that if you have to report it, then you have to report becoming aware of that breach, and that includes on weekends, bank holidays and overnight.

So, 72 hours starts, okay. It’s what be reported to the ICO.

Adam: What about Christmas? Do we get some leniency around Christmas?

Emma: No, unfortunately not.

Adam: Oh, okay. Fair enough.

Emma: If you find something on Christmas Eve, then you’re going to have to work over Christmas to resolve it…

Adam: So, data breaches will ruin your Christmas? Great. That’s lovely. So, I’ve just talked about how quickly you’ve got to do it. What if you don’t do it? Well, what could happen then?

Emma: If we don’t report to the ICO in time within that 72-hour period, then the first thing to do is actually make sure you report it as soon as possible after that, give reasons why you’ve delayed and not given them all the information. If there has been an issue and it hasn’t been reported to the ICO in time, then the ICO can actually issue a fine of up to 2 percent of annual global turnover up to 8.7 million pounds. And so, the financial implications could be rather severe. Of course, on top of that, the ICO can also issue a fine for actually what’s caused the breach itself for the non-compliance, or the breach that’s happened as well.

And that can be up to 4 percent of annual global turnover, or 17.5 million. So, we are talking about big numbers here. I think the thing to remember is that we, so far, haven’t seen fines of that level issued by the ICO and they will take what measures you’ve taken into account. And that’s only going to be in the most extreme cases. It’s not automatically a 2% or a 4% fine, it’s looking at what’s appropriate.

Adam: But still potentially very expensive consequences, you know, significant consequences for not adhering to that 72 hour notification window.

We’ve talked around what data protection compliance means, and I feel like I’ve got a much better understanding of that now more than I did have at the start of the podcast. So, now let’s put some context around this and talk about why this is so important. When I looked at some of the figures from the ICO, I noticed that 27% of the reported breaches in Q1 this year were cyber-related.

So, that means that it was cyber threat related; it was either down to phishing or malware attacks. And does that by and large make up most of what you deal with?

Emma: To be honest, most of the breaches that we deal with are actually down to human error, or issues that happen because of people sending things to the wrong place. Information being accessed that shouldn’t be accessed and that kind of thing, rather than the cyber side of things. I think that’s probably reflected in the figures, because the most common type of breach reported to the ICO actually relates to emails being sent to the wrong person.

Adam: I knew you were going to say email, because everyone uses it. We’re busy, we rush, it’s so easy to make a mistake.

Emma: It is. And the thing is, even though every breach won’t be reportable, it’s really important that you keep records of those breaches, because if you can see a pattern emerging, then you might want to look at putting something in place to stop that pattern happening and continuing. So, if for every 10 breaches, 9 of your breaches within an organization are email related, then actually you might need to put something in place to stop that.

It’s really helpful to keep a record, because that can be assessed, looked at and reviewed, because at least then you’ve identified that there’s a gap or a need for something else. Under the GDPR, you have to take reasonable measures to keep safe and secure. And so, that’s really helpful. That’s the kind of thing that we’d be looking at, and when you’ve got your personal data, how, where it is and how is it being kept secure, how are you preventing it being used inappropriately or in a way that it shouldn’t be used?

Adam: But looking at the cyber-related incidents, these are targeted attacks that the attackers are trying to get this personal identity and personal data. It really comes down to the old adage that information is power, isn’t it?

Emma: Yeah, that’s completely true, you’ve got to look at this in a wider context than just personal data. Because, if you are subject to a cyber-attack, then what data are they going to get? What’s going to be able to be accessed, because we’ve been talking about personal data, but there’s also commercially sensitive data or financial data that could have a massive impact on your business, as well as the personal data implications and obligations being breached under the GDPR. So, you’ve got to look at it from a whole commercial perspective, and that’s why it’s really important to protect it. The thing is, we talked about the levels of the fines that the ICO can issue, but actually, it’s wider than that.

You’ve got to think about the wider financial implications in terms of downtime, time to take to investigate, the costs of doing forensic investigations into what’s happened, all of those kinds of things. And actually, tied into that is perhaps one of the more important things: loss of reputation. You think of the CrowdStrike stuff that happened; it’s had a massive impact on their reputation. But, any organization that’s subject to a data breach is going to be in the spotlight, and that means that not only are the ICO going to be looking at them more closely, but the wider public will be looking at them more closely, because they potentially lost trust in that organization and their ability to protect their data.

Adam: Yeah, and this is one of the things that I’m quite passionate about and trying to raise awareness and make sure that the understanding is there. For customers, colleagues and peers that I talk to, it’s around the wider picture, about the damage that can be done by having a cyber incident.

I mean, CrowdStrike is a perfect example. There was no ransomware or anything. Typically, when we’re talking about these things, you know, we’re talking about people hacking or a ransomware incident, people being breached initially by a phishing email and stuff like that.

But the CrowdStrike instance was really a perfect example of a big cyber incident that’s caused widespread disruption. I think there is 8.5 million Windows endpoints, and that’s actually less than 1 percent of the Windows endpoints across the world, which kind of terrifies me a little bit, but what if something wider happened, what would be the global effect of that?

But, let’s not talk about doom and gloom in that regard. It is really about the reputational damage and about the fact that people just won’t want to work with you. There are companies that I’ve been looking at in my role as a vendor manager. When I’m also looking at onboarding new vendors, I have to look at their history. Now, there are some vendors that I’m quite happy to onboard, even though they’ve had a breach in the past. The reason for that is because I’ve looked at how they conducted themselves in the immediate wake of that breach. One of these companies, I was a personal customer of them. I’ve used them for a long time and their communication was really, really good. And when I look at the model of how that management of the incident and the data protection, when I look at the framework of how they’re supposed to do it, this particular vendor did it impeccably. They were then really up front and open about explaining to their customers and to the sort of the wider world about how it actually happened and how they’ve remediated what action they’ve taken, but also what protective measures they’ve now put in place. It’s actually made me think that as much as reputational damage can be a cause for concern, if you’ve had a data breach and you’ve conducted yourself really well, I think that that’s actually a good indication.

The reason I say this is that initially, when companies had data breaches, people would think, ‘Oh, that company has really dropped the ball.’ The way that cyber security is today, and the way that the threat landscape is, the way that it’s commoditized and that it’s all financially motivated, certainly when we’re talking about the cyber-attack elements of it.

I think it’s only a matter of time until most organizations have suffered something like this. That’s what’s brought me around to saying “well I won’t disregard someone purely because they’ve had one data breach or they’ve had a significant incident”. If, however, there’s an example in the last couple of months where they’ve had multiple incidents, that kind of signifies to me that they’re not taking it seriously and they’re not doing what they need to be doing to protect themselves against this.

Emma: It does. But equally, as you said, how a company handles itself is really important, because actually, if you know that they’re handling it correctly and doing everything that they should do, then that mitigates the other impacts on a data subject or on the relationship.

I think this highlights how important it is for companies to have data-breach notification policies in place and make sure that staff know what to do if there is a data breach. It could be somebody really junior who identifies the data breach, but they might not know that it is a data breach or know what to do with it. So, training is going to be really important. That’s actually one of the things that the Information Commissioner’s Office expects staff to be trained on: data protection generally. And, it helps to demonstrate that you have mitigating factors and steps in place.

Adam: Yeah, I know exactly what you mean. So, this actually comes back to something I touched upon at the start of the last episode, and it’s around cybersecurity not just being the responsibility or the realm of one particular area of the business, and everyone else can just carry on regardless.

It’s something now that very much needs to be endemic within the entire organization. You touched upon the need of having processes and policies in place. This again, having a cyber incident plan and having it so that you’ve got all stakeholders of the business, you can pull them together quickly. You can assess what’s going on.

Which area of the business has been affected and what are the next steps? Is data involved straight away? We need to contact legal, so it’s having that stuff in place, but it’s not easy to do it. It’s not something that will happen quickly either, because of this mentality, for example, someone that manages the stock cupboard or something like that. In cybersecurity, they don’t necessarily understand what it’s all about. They know that it’s important, but they might not really appreciate what their role in it is, even though their role is potentially just as vital as senior people in the business that are making these decisions.

Emma: Yeah, that’s exactly right. And it has to be through the organization, throughout the business, that everybody understands what they’re looking for and what their obligations are in terms of data protection. When we look at how short the timeframes are for reporting a breach, if it’s a reportable breach, you don’t have very long, so you don’t want somebody to sit on it. And this is that common thing where somebody hasn’t quite known what to do with it. I’ve seen this so many times, where somebody hasn’t known that there’s a data breach, or hasn’t known exactly that it is a data breach, and they’ve sat on it until the end of the week. Then it gets to a Friday afternoon when they’ve suddenly thought, oh, you know, I’m on holiday next week. I need to email this to my manager so that they can be aware of it.

Adam: It’s also reducing the stigma. Everyone makes mistakes and no one is completely infallible. It’s not about blaming people when things like this happen, it’s management’s responsibility to ensure they’ve gone above and beyond making sure that their staff are completely clued up on this stuff.

Maybe there’s a bit of a case to answer there, but most of the time, it’s just these things, unfortunately, accidents happen, people make mistakes. It’s very easy when you’re busy and you’ve got a lot of things going on. And because you’ve made the mistake, the business needs to know about it, the sooner they know about it, the sooner they can do something about it.

Emma: So, no blame culture is really important, and even the ICO has a lot of guidance about breaches and lots of helpful information on their website. But, even they make it clear that as long as it’s not done maliciously, there’s no blame going to be apportioned to that person.

It’s the data controller as a whole, rather than the person involved in the breach. We don’t want people to be worried about coming forward about something. It might be that it’s a disciplinary matter, or a performance issue, or something else that needs to be addressed, but we need, ultimately, for people to come forward and say, “Look, I’ve discovered this or this has happened. What do I do next?” Here’s all the information you need to carry out the assessment. Businesses might have template forms in place so that, as soon as something happens, employees can fill in a form that provides all the required information, allowing the data controller to assess whether the ICO needs to be notified, but at least they’ve then got all the facts in front of them.

Adam: So, that kind of brings us to the last area about where we talk about how do we actually do that? So, how do we ensure data protection compliance is where it needs to be in our organization? I guess the first part of that is controlling your personal data, or the data that holds personally identifiable information, isn’t it?

Emma: Yeah, it is. It’s really important to understand what personal data you have within the organization, and then knowing where it is and what security measures are in place to protect that data.

Adam: I think that’s a really good point, because it’s so easy now, especially for organizations that have been around, there’s been such a transition from our traditional on-prem way of storing data in file servers, to now cloud. I mean, we had Dropbox and there were other file sharing systems as well, they’ve been around for quite a while, but the real danger is that our data has become so scattered and distributed across all of these different areas, that it then becomes incredibly difficult once we even understand what data we have, let alone actually put in some kind of effective protection in it.

Emma: Exactly. And the other thing to add into that, is think about data retention policies, because data shouldn’t be kept for any longer than it needs to be to serve the purpose as to why you’ve got it. And having data retention policies means that you are deleting data after a certain amount of time, which reduces the amount of personal data that you hold, which helps in a situation like this, because of course, then there’s less data involved.

Adam: So, just following on from when you were talking about data retention… I think it’s also appropriate and important that you put suitable security measures in place to protect that personal data and prevent it from being potentially mishandled.

I mentioned this before that you can manage data loss prevention. So, that can be as simple as preventing passport or credit card numbers being sent out through email. Most people’s firewalls will have that capability built into it, but the way to really do it, to my mind anyway, is to be doing the full data categorization piece.

So, categorize all your data that will allow you to identify which data is sensitive, whether it’s financially sensitive, commercially sensitive or personal. Identify sensitive information and then you can enforce controls around that, so that if someone does try to email it by accident, or they send it to the wrong person, it really gives you peace of mind that the chances of this then happening and you becoming one of those statistics is less. The vast majority of data breaches is because of email, where your data has been exfiltrated. It reduces that significantly.

So, the next bit is understanding the standards that you are expected to adhere to and the level of compliance that you’re expected to meet. So, I guess you must need to know what to do, when to do it and how to do it.

Emma: So, it touches on stuff that we’ve already spoken about a little today. It’s really important to understand what personal data you hold, why you hold it, where it’s stored and how it’s being protected under the UK GDPR. The obligation is to make sure that there’s appropriate technical and organizational security measures in place to protect that data. What that looks like is going to vary on a case-by-case basis. There’s no one set standard and it doesn’t always come down to how much it costs financially. It’s what’s going to be appropriate in that case, and that’s going to depend on what data it is and how sensitive it is, or what you’re doing with it and that kind of thing.

Adam: Okay. So, it’s records, policies, and template forms. How do we go about using those things to make this easier to do then?

Emma: So, the starting point is always to make sure that you have a record of processing activities. That’s a requirement under the GDPR law anyway, to have a document in place that sets out the information about the personal data. And then, because you know where everything is, and it’s department by department, every bit of personal data should be covered.

On top of that, you should have a data protection policy in place that sets out your general attitude to data protection. In terms of data breaches specifically, I’d say it’s really important to make sure that you have got a data breach notification policy, which sets out what a data breach is, what to do in the event of a breach and the contact details for who it meets.

Having that in place means that any member of staff can then find out the information they need. If something happens, they can look and decide whether there might have been a personal data breach and what to do with it next. That ties into then making sure that there are template assessment forms in place. So, we would recommend two. There’s one for notifying the Information Commissioner’s Office, and there’s also one to assess whether the individual data subjects also need to be notified. The final thing I think is important to have, is a record of your data breaches.

That doesn’t have to be anything complicated. It’s just making sure that you are tracking your data breaches that occur. Also, if you’re then not reporting any to the Information Commissioner’s Office, you’re then making sure that you’re keeping a record of them so that you can say that there have been breaches, but this hasn’t been needed to be notified because of this reason. And that can be really important, particularly if there’s a subsequent data breach that does need to be notified to the ICO, because then, you’ve got a breadcrumb trail to follow, haven’t you? It’s all about showing it, being able to demonstrate your accountability.

Adam: So, I think really that the final step is around making sure that you’re prepared. And we talked about this previously, around how prepared people are to deal with data breaches and knowing what they need to do and when they need to do it.

I think this is the same approach that I would suggest around business continuity or disaster recovery. Anything like running tabletop exercises and run simulations of how this has happened. How is the business going to respond to this so that you can test the processes and procedures that you’ve put in place?

Then finally, record keeping. I think this is the one that’s common sense, but you may not instantly think about it, especially if it’s something that you don’t need to report, but it then becomes very relevant when you’re doing that sort of forensic audit trail, or you’re having to backtrack and provide evidence to say, well, look, this is how we approach breaches: We’re recording everything, we’ve investigated everything, but these ones have not needed to be notified to the ICO.

I think really that sums it up. Well, that’s all we’ve got time for. For anyone who’s watching, if you have concerns around data protection compliance and you want to make sure that you’re doing it better, please reach out to CyberLab: there’s contact details on the web page below this video.

We offer a cyber-posture assessment that can look at your data compliance, as well as everything else across the field of cyber security in your organization. There’s also a free trial of a really useful tool that we use.

I find it really good for categorizing data, so it will help you to hunt down and categorize your data much easier using AI machine learning, than you would do on your own having to do it manually through some of the other solutions that are out there. That’s delivered by Forcepoint and is known as the data security posture management tool. It’s a free trial where you can get to use that and see how easy it could be to categorize your data, and then start to put some controls around it.

That’s all for this episode! Hopefully next time, I’ll be back in the office and not doing it from my garden in the lovely Forest of Dean. I hope you’ve taken something away from that! It’s an area that is a little bit of a black art to me, and hopefully this has shed some light on the area of data protection for your business.

If you want any further information, please reach out to CyberLab or you can reach out to me via LinkedIn.

So that’s it for this time.

Stay secure.