Interview: Compliance with the GDPR requires more than just IT solutions

Compliance with the GDPR requires more than just IT solutions


Despite the imminent deadline, many organizations are not yet ready to comply with the GDPR, says Mathijs Wijbenga, managing director of IT distributor Contec. "This is because of the fact that compliance not only requires technical measures, but also, and above all, organizational changes. Many IT suppliers claim that their products ensure compliance with the rules, but nobody can guarantee that. It is all about awareness, policy and behavioral change within organizations. That is still a blind spot in many companies and this is where we want to be of service to our partners and their customers as well. "


From May 25, 2018 companies and government institutions must comply with the stricter and new rules of the General Data Protection Regulation (GDPR). From that date, organizations must demonstrate that they comply with the rules for protecting the privacy of everyone whose data is being processed. Those who can not or do not do so are subject to a fine of 20 million euros, or 4% of the total turnover.


To comply with the GDPR it is important to know that all forms of data processing are prohibited, unless the citizen or customer explicitly gives permission for this. There are a few exceptions, for example when there is a general interest (such as data processed by the Child Protection Service) or legal obligation (employers must have a copy of the ID of their employees). The law interprets the term 'data processing' in the broadest sense and the protection must therefore be guaranteed when collecting, exchanging, storing, analyzing and archiving all data that can be traced back to a person. Because it is often IT systems and applications that process data, it is soon thought that compliance with the GDPR can only be achieved with IT resources. "IT is only part of the puzzle," says Wijbenga. "The GDPR consists of 99 articles and 173 explanations and a large part of this is not about technology, but about policy and behavior. We are therefore very pleased with the efforts of our trainee Bram Nijenhuis from the Business IT & Management - IT Service Management education. He dived into the subject matter for us and is now a real expert in the GDPR. He helps us to implement the necessary measures to comply with the law, but thanks to his research we can also advise our partners and their clients on compliance with the GDPR. "


Why does the EU tighten privacy legislation?


"The current privacy legislation was drawn up around 1995," says Wijbenga. "At that time, only a small part of the population had a computer. Now almost everyone is constantly connected to the Internet, often with multiple devices per person. As a result, the old legislation was no longer sufficient. "

People exchange personal data with each other, with apps and with companies. This creates a number of privacy problems, according to Nijenhuis. "First, people are worried about the large number of data leaks that have occurred in recent years. A good example of this is the data breach at the American credit agency Equifax, where hackers gained access to financial and personal data of nearly 150 million Americans. That is about half of the entire population. That is very worrying, especially because the incident was not isolated. In the Netherlands, since 1 January 2016, the reporting obligation of data leaks applies.This states that organizations must report data leaks to the Dutch Data Protection Authority straight away. This authority recently announced the figures for the third quarter of 2017. During that period, as in the previous quarters, more than 2,500 data leaks were reported. If that trend continues, it will involve more than 10,000 data leaks per year. That people are worried about is,   therefore more than justified, "adds Wijbenga. "No matter how good the reporting obligation is, a notification always means that it is too late for the protection of the personal data."


What is also addressed by the new law is 'profiling'. Bram Nijenhuis: "For example, you search online for a certain product and then you see ads appearing on the internet for that product. That is a result of profiling. Many companies collect this data by offering something for free, such as a downloadable file or a nice price. People take the profiling for granted, because they can then use that 'free' app and also get relevant advertisements. But  the word 'free' is misleading in this, because you pay with your data. "


That is not so bad is it? After all, you also get something in return. Wijbenga: "What people often do not realize is that the profiling carried out in the background can result in a digital profile of the online behavior of a person. If this information becomes accessible to hackers,this can give a lot of problems."

In order to comply with the GDPR, organizations must completely reverse the internal processes and activities, and also external ones such as marketing, Nijenhuis expects. "The way people do that now no longer works. The ePrivacy regulation, also known as the EU Cookie Act, is now a legislative proposal. This is expected to be approved and adopted before 25 May. This regulation gives more specific interpretation to the compliance with the GDPR, for electronic communication data that are seen as personal data. Internet users then note in their browser whether they accept or refuse privacy-sensitive tracking cookies. "


Another reason for the GDPR is that the Internet does not forget anything. That is becoming a bigger problem, especially now that the generations that have grown up with the internet have entered the labor market. "Suppose you put something naughty or upsetting on the internet in your youth, this could even damage your chances on the job market many years later," says Wijbenga. "But also negative news items, for example about bankruptcy, continue to haunt you long after the situation is barred or resolved. At the very least, you always have to answer or defend yourself. The GDPR therefore determines that people have the right to be forgotten. This means that internet companies, especially search engines, are obliged to remove all information about a person on request. "


The above developments contributed to the EU's desire to establish stricter rules for the protection of personal data within all forms of data processing. To comply with the GDPR, people must explicitly give permission for data processing, unless it concerns, for example, the general interest or legal obligation. "This is only possible if the organization clearly tells which data they collect, for which purpose they do this and how they are secured," says Wijbenga. "You also have to make clear what you do with that data. Then the citizen or customer must unambiguously agree. "


Nijenhuis: "From the 25th of May you should not only deal differently with the data you receive, but also with the data you already have. It is therefore not the case that you can continue to use a file with e-mail addresses that you have been using for years to send newsletters. It must also be demonstrable that, if none of the exceptions apply, the recipient has specifically given permission to receive that newsletter. "


In practice, it will mean that companies have to prove that they have "made reasonable efforts" to get this permission or to get this permission again. But what is 'reasonable effort'? Nijenhuis: "The Dutch GDPR Implementation Act must clarify this. The GDPR gives Member States the possibility to deviate from the rules nationally. In the Netherlands, the GDPR Implementation Act indicates this. However, this proposal still has to be approved by the Dutch Senate and the Senate. This can still lead to changes in the GDPR that Dutch companies will also deal with after 25 May 2018. It is therefore possible that some measures taken must be revised or adjusted later. Jurisprudence also plays a role in determining what 'reasonable effort' is. "


How does Contec help to become compliant with the GDPR?


"Data and system security are important focal points of the GDPR," says Wijbenga. "This involves protection against both burglary and outbreak. Because you can build a strong wall around a network, but that does not help if employees deliberately or accidentally leave the office with data. Contec offers a number of solutions that help to comply with a few articles of the GDPR, but we do not pretend that we help companies to comply with the full GDPR. Many suppliers seem to create that impression, for example by publishing 'GDPR Checklists'. What they mean is that their products help to comply with certain articles. There is no independent checklist for complying with all 99 articles and 173 explanations of the law. "


Nijenhuis: "The Dutch Data Protection Authority has a 10-step plan with which organizations can prepare themselves for the GDPR. That is very practical and if companies do this they are certainly doing well. But a common blind spot is the documentation of the activities. Companies must map the current data and the data processing thereof. This includes, for example, recording what personal data they have, where they come from, how they are processed and with whom they are shared and why. In addition, it is important to evaluate how people request, receive and register permission. These analyzes reveal the risks that companies run in compliance with the GDPR and which measures can be taken against them. Creating and maintaining a register of processing activities is very important. GDPR compliance depends on the documentation.


"The Dutch Data Protection Authority also requires that the entire organization is aware of the basic principles of the GDPR  in a timely manner, so that they are taken into account in all processes and behavior. Employees must be trained so that they know why and how policies and processes change.


"If companies have branches or activities in several countries, it must first be determined which country is the leading supervisor. As mentioned above, Member States can adapt the GDPR, for example the minimum age to allow data processing. According to the GDPR, that is 16 years, but a country can lower or increase it. This way,  every country has dozens of exceptions. The lead supervisor should be asked for advice as to whether a 'responsible person' should comply with 'only' the requirements of the relevant implementing legislation, or whether additional measures are required for the situation. '


IT solutions to be compliant with the GDPR


One of the issues that Contec can help with is the security of the equipment with which data is processed. Wijbenga: "Even if you only have a list of contacts in Outlook or in Salesforce, these data are actually already subjected to the GDPR. However, it is not practical to ask everyone in your contact list for permission to keep in touch. How should you do that at all if you can not use the data you have without permission? It is therefore important that you can demonstrate that the devices you use to process this data are properly secured. Webroot makes that possible with a light and fast application for endpoint security. This not only keeps viruses out, but also hackers and other unauthorized people. Webroot furthermore confirms compliance with the GDPR by preventing users from accessing unwanted and unreliable websites.


"With Mojo Networks, we secure wireless networks and control who has access to which part of the wireless network. You can also separate business and guest traffic by offering guests a separate wireless network. Mojo secures the data both in transit and at rest with data encryption, which guarantees the privacy of users. The Hillstone firewalls protect the data streams and are thus actually the first check on the checklist for compliance with the GDPR. In addition, the firewalls control who gets access to what data and what happens to it. So even if data flows from the inside out, the Hillstone firewalls see that. The firewalls also warn in good time if strange things occur in the network traffic.


"FileCap is the right solution for the exchange of data. Many companies send files, offers or invoices via e-mail. To comply with the GDPR it is important that you do not send documents with sensitive or confidential data as a public attachment to an e-mail. This data should not be accessible to unauthorized persons. With FileCap you encrypt files that you exchange and you are obliged to put a password on these files. Without the right key, nobody can access the data. Moreover, the files are not stored by FileCap, but on your own secure server. You can also set how long the data is stored on this server. With FileCap you can therefore demonstrate that the data is processed securely and according to the guidelines of the GDPR.


"It is important for our partners to know that complying with the GDPR also has consequences for service providers. Many companies outsource data processing, for example payroll administration or IT management. The service provider must then follow the guidelines of the organization about what they are allowed to do with personal data.


"We can therefore advise on FileCap, Hillstone, Webroot and Mojo. But also about how you handle files and how you create awareness among employees and partners about how to deal with files. With FileCap you can tick off an article from the GDPR and Hillstone, Webroot and Mojo can also provide a check mark. For example, you have to complete the entire list of 99 articles and 173 provisions, and that has to be done again when the GDPR Implementing Act enters into force in the Netherlands. "


All these solutions help to comply with the GDPR, but that is not enough, emphasizes Nijenhuis. "Companies are GDPR compliant by designing policy at process, employee and board level. That is not a matter of products or IT alone. Yet too many organizations are still staring blindly at what needs to be done and they forget to record why and how they did things so far. While this reporting is essential for the accountability with regard to compliance with the GDPR. The Authority for Personal Data can also carry out checks without any reason. You have to be ready for that. "