Q&A

GDPR And Retail: How To Secure And Manage Data, Implement Infrastructure, And More

A conversation with Dr. Alfred Rolington and Piers Clayden of The GDPR Advisory Board


As we move through the digital age and into the Fourth Industrial Revolution, people have realized vital information about their life, work, and activities is being stored online by governments, commercial companies, and organizations. This means individuals now need to have some faith in the security of these systems.

But the number of cyber-security breaches in the past few years has made much of the global population far more aware of the problems of data protection security and of how often it falls short. The number and extent of cyber-attacks has made a growing audience question the strength of an organization's website security and how its broader cyber-security is working. This pressure can now affect whether or not a customer chooses to do business with a company in the first place.

As a result, the European Commission announced an agreement to finalize the General Data Protection Regulation (GDPR), which will take effect this May. The primary objective of the GDPR is to give citizens back control of their personal data. Once GDPR takes effect it will harmonize previous and other data protection regulations throughout the EU.

The Retail Solutions network spoke with Dr. Alfred Rolington, GDPR Advisory Board senior cyber security academic, and Piers Clayden, legal expert on the GDPR Advisory Board and founder of Clayden Law, about this regulation and what impact it will have on retail.

For additional information, visit The GDPR Advisory Board website. To find out more about accessible online GDPR training, visit www.melearning.co.uk.

Q: What should retailers do to secure their sites and data?

Rolington: Ensure you have effective endpoint, network, and email protection that filters out spam, malware, and dangerous file types.

It is very important to continue to train employees to be wary of emails, especially those that contain attachments, and to report any unusual emails or attachments to IT and security employees. These malware hacks will differ between attackers and will become more sophisticated. On-going training for employees and management is very necessary. Additionally:

  • Segregate your networks with next-generation firewalls so your internal departments are separated. Install endpoint protection software that can identify and block infections in and going to your systems.
  • Implement full disk protection and encrypt sensitive data stored on servers or removable media, particularly those used for sharing with business partners.
  • Make your clients aware of your cyber-security efforts and the training you give to employees as this will give them more confidence in their commercial relationship with your business.
  • If you move to the cloud make sure the ability to encrypt the data, both in the cloud and also while being transferred, is properly dealt with.

Q: How can retailers implement technical infrastructure to ensure optimal governance of client data?

Rolington: No matter how large or small your company is, you need to have a strategy and tactical plan to ensure the security of your information and data assets — particularly client data. The process of creating a security program will make you think more broadly about your organization’s security and particularly about your data protection effectiveness.

A security program is very necessary and provides the agenda for keeping your company at a sensible security level by assessing the risks you face. The strategy and planning should decide how you will mitigate and alleviate them, and there should be planning for how you keep the program and your security practices up to date if you are attacked so you can ensure client data security and protect your company’s reputation. Your company’s press and publishing relationships are exceedingly important as a hack that gets negative comments in the news has a devastating effect on business.

If your data management practices are not already covered by regulations, consider the value of the following areas of data security:

  • Customer data, including any confidential information you hold on behalf of clients and customers.
  • Product and service data, including charters, patents, copyrights, designs, source code, submissions, and applications.
  • Your business financial information, market knowledge, and analysis. If a hack takes place inside your accounting records and changes the data in your business security, then the systems need to be able to inform you immediately.

A secure program and data audit review should be irregularly undertaken so that even staff do not know when it will take place. This helps ensure your organization has a far more secure cyber system and process in place. Make certain you have workable steps to mitigate the risk of losing data or having data externally changed.

Your security program defines what data is covered and what is not. It assesses the risks your company faces and how you plan to mitigate them if you are successfully attacked.

Q: How can my business uphold these new regulations and define client data collection and storage?

Rolington: GDPR requires categorizing types of information by value and confidentiality, and companies should prioritize what data they should secure and protect first. Document and plan what types of personal data your company processes, where it came from, and who you share it with to improve documentation.

For example, if you have inaccurate personal data and you have shared it with another organization, you won't be able to identify the inaccuracy and report it to your business partner unless you know precisely what personal data you hold. Therefore, begin with a thorough review of your existing database.

Client data information systems are an excellent place to begin because only a few specific systems typically own the ability to update that information. Securing unstructured information such as contracts, financial releases, and customer correspondence is important and should be reviewed on a departmental basis.

It's essential to understand current workflows, both procedurally and in practice, to see how confidential information flows around an organization. Identifying the major business processes that involve confidential information is a straightforward exercise, but determining the risk of seepage requires a more in-depth examination. Organizations need to ask themselves the following questions of each major business process:

  • Which employees or services handle these information assets?
  • How are these assets created, modified, processed, or distributed by these participants?
  • What is the chain of events?
  • Is there a gap between stated policies/procedures and actual behavior?

By analyzing information flows with these questions in mind, companies can quickly identify vulnerabilities in their handling of sensitive information.

Based on the risk assessment, an organization can quickly craft distribution policies for various types of confidential information. These policies should address exactly who can access, use, or receive which type of content and when, as well as oversee implementation, enforcement, and prosecution actions for violations of those policies. Review the following:

  • executive and management communications
  • customer information
  • intellectual property
  • employee records

Once distribution and sharing policies are defined, it's essential to implement monitoring of the communication streams.

Jurisdiction positions should be established to monitor information usage and traffic, authenticating compliance with dispersal policies and performing enforcement when policies are broken. Due to the immense amount of digital information in modern organizational workflows, these monitoring systems should have powerful identification abilities to avoid false alarms and have the ability to stop unauthorized traffic. A variety of software products can provide the means to monitor electronic communication channels for sensitive information. In addition, systems should be reviewed extensively in the event of a breach to analyze system failures and to identify suspicious activity.

External systems audits are very useful for checking vulnerabilities and threats. Companies often implement security systems but fail to review events and any incident reports that occur. Protecting confidential information assets throughout an enterprise is an on-going process rather than a one-time event. It fundamentally requires a systematic way to identify sensitive data, understand current business processes, and review the improving systems software that might help in future.

Q: How can my business handle different types of data streams?

Rolington: Data is rapidly becoming the lifeblood and nervous system of the global economy. In the connected world of data, IoT and Artificial Intelligence (AI), data represents a new type of economic asset.

Data can offer companies a decisive competitive advantage, as well as damage the reputation and bottom line of those that remain unsuccessful at ensuring the security and confidentiality of critical corporate and customer data. Despite the severe repercussions of compromised data security, until recently the fines for breach of data protection regulations were limited and enforcement actions infrequent. However, the introduction of a potentially revolutionary European General Data Protection Regulation (GDPR) is likely to transform the way data-driven companies handle customer data by exposing them to the risk of hefty fines and severe penalties in the event of non-compliance and data breach.

  • Data Protection by Design and Default — Up until now, businesses were required to take technical and organizational measures to protect personal data. But implementation of the GDPR will require companies to demonstrate that the data protection measures are continuously reviewed and updated. To avoid the huge fines and severe penalties, businesses need to have complete and mature data governance in place, from reviewing the existing contracts to getting the key people in organizations trained for effective actions. Businesses are now required to review and to analyze their data process management in order to become GDPR compliant and to mitigate PR, reputational, and severe commercial risks.
  • Data Protection Impact Assessment (DPIA) — DPIAs are used by organizations to identify, understand, and mitigate any risks that might arise when developing new solutions or undertaking new activities that involve the processing of customer data. This includes data analytics and data-driven systems, including Business Intelligence, data-basing, data lakes, and marketing applications. GDPR makes it a necessary requirement for all organizations to conduct a DPIA and consult with a Data Protection supervisory authority if the review identifies any inherent issues and risks.

Taking the following measures can help you ensure your compliance to the new data protection legislation. Strategically create a roadmap and understand your sources of data input, processing tools, practices, and the methodologies that you use, and when and how your data is shared with other organizations. In addition:

  • Designate a Data Protection Officer — Appoint a Data Protection Officer who has the skills, support, and authority to assess and mitigate non-compliance issues.
  • Fast and Effective Response to Withdrawal Requests — Respond to the customers’ requests for withdrawal in an effective and efficient fashion and update the system to flag that the user has withdrawn consent to prevent further direct marketing.

To ensure their compliance to the GDPR and avoid the severe consequences of non-compliance, businesses are not only required to ensure optimal control and privacy of static batch data, but also develop means to collect, categorize, and process data provided by high-speed data streams. Data stream management software is a viable solution to this challenge. A data stream manager allows businesses to:

  • collect and distribute data in a private and compliant way
  • reduce costs and complexity in data life cycle management
  • have real-time access to all structured and unstructured data via the cloud or on premise
  • centralize all data sources for improved visibility and control
  • develop a controlled environment for data-driven operations

With a data stream manager, Data Protection Officers can define privacy levels, manage user rights, get an insight into how their info is being collected or used, and more.
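As an added example, not code from the interview or from the GDPR Advisory Board, the following Python sketches a minimal register of the kind the two answers above call for: it records what personal data is held, where it came from and which partners received it (so an inaccuracy can be reported to them), orders categories by confidentiality so the most sensitive are secured first, and records consent withdrawals so that direct marketing is refused afterwards. All class names, purposes and sample records are constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

PRIORITY = {"high": 0, "medium": 1, "low": 2}  # confidentiality rating -> securing order

@dataclass
class ProcessingRecord:
    category: str              # type of personal data, e.g. "contact_details"
    confidentiality: str       # "high", "medium" or "low"
    source: str                # where the data came from
    recipients: set = field(default_factory=set)  # partners it has been shared with

class DataRegister:
    def __init__(self):
        self.records = {}  # category -> ProcessingRecord
        self.consent = {}  # customer_id -> {purpose: (granted, recorded_at)}

    def register(self, rec):
        self.records[rec.category] = rec

    def record_share(self, category, partner):
        self.records[category].recipients.add(partner)  # KeyError if never registered

    def partners_to_notify(self, category):
        """Partners who must be told when data of this category proves inaccurate."""
        return sorted(self.records[category].recipients)

    def secure_first(self):
        """Categories in the order they should be secured: most confidential first."""
        ranked = sorted(self.records.values(), key=lambda r: PRIORITY[r.confidentiality])
        return [r.category for r in ranked]

    def record_consent(self, customer_id, purpose, granted):
        """Record a consent choice; a withdrawal request is recorded with granted=False."""
        self.consent.setdefault(customer_id, {})[purpose] = (granted, datetime.now(timezone.utc))

    def may_process(self, customer_id, purpose="direct_marketing"):
        # No recorded consent is treated as no consent: the default is to refuse.
        return self.consent.get(customer_id, {}).get(purpose, (False, None))[0]

def build_sample_register():
    """Constructed sample data for this example (not real customers or partners)."""
    reg = DataRegister()
    reg.register(ProcessingRecord("contact_details", "medium", "web_signup"))
    reg.register(ProcessingRecord("payment_cards", "high", "checkout"))
    reg.register(ProcessingRecord("newsletter_prefs", "low", "web_signup"))
    reg.record_share("contact_details", "delivery_partner")
    reg.record_share("contact_details", "mailing_house")
    reg.record_consent("cust-1001", "direct_marketing", True)
    return reg
```

A real register would persist the consent timestamps and share log so that an audit can show when each choice was recorded and which partners held a given category at the time an inaccuracy was found.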

Q: How will GDPR impact cloud cyber-security?

Rolington: Recently a new file-encrypting virus was detected on Google and Microsoft Cloud services. Often organizations that use the cloud have malware infections.

Companies that use cloud Software as a Service (SaaS) solutions are facing new challenges with the introduction of the EU regulations. There is a responsibility to comply with GDPR and how it applies to a SaaS solution when it is an EU website visitor. Choosing a SaaS vendor has never been an easy task, especially when GDPR compliance is a factor. Adding the additional privacy constraints to the equation, multiplies the complexity.

Here are areas to focus on when choosing a vendor. Verify whether your users' private information leaves any tracks in the data path when it passes through and is processed by a third party. If this happens, the first question to ask is, "Where is your data?" This means the physical location. It is important to trace and follow/record the path of the data during the lifecycle of the process to ensure it is secure at every point.

Understand how the supplier handles your data and what methods they use to guarantee that it is safely managed, processed, and stored. The supplier must prove to you how your data is secured by explaining the controls and security management processes in place.

By focusing on your specific requirements, you can comprehend if the supplier has secure applicable security standards in place. Confirm that the supplier has a precise access control policy that is well audited. Understand who can view and access your data, under what circumstances, and if this access is being monitored.

Finally, comprehend and question how much your supplier is involved in information security and clear data protection.

Some SaaS and IaaS companies may have a great product and are considered leaders in their space but sometimes security is not a clear issue they completely engage with and comprehend for their clients.

Q: How will GDPR affect data-driven organizations?

Clayden: GDPR will affect organizations big and small to a greater or lesser extent if they handle any personal data — even if it is just employee data. But for organizations that use personal data for marketing purposes, particularly targeting and profiling, the GDPR is going to pose some particular challenges. This is because the use of that data (processing) has to be lawful and to be lawful has to be done on one of the legal grounds for processing.

Historically, organizations have taken the view that, so long as it is dealt with in the privacy policy, it is ok to do it (without ever really bothering to consider the actual legal basis). However, under GDPR, organizations have to be much more transparent in their privacy notices on how they use personal data. This means spelling it out in the privacy policy — if relying on “legitimate interests” then you have to say what those interests are and why the processing is necessary for those interests.

For some of the more sophisticated profiling, the legitimate interest ground is less likely to be satisfied since it may be outside of an individual’s reasonable expectation. And organizations are less likely to be able to get consent for this sort of activity, since the hurdles for a valid consent have increased.