As part of Assent’s mission to champion the consulting industry, Jess from Assent Risk Management has been interviewing experts from all sectors of the consulting profession. In this interview, Jess talks to Andrew Penteny, a lead consultant and auditor in ISO 27001, ISO 9001 and GDPR, specialising in cyber and information security. Andrew discusses data protection since GDPR: how GDPR has affected data protection, which ISO standard supports GDPR, and the biggest mistakes companies make when it comes to data protection.
What is GDPR and how has it affected data protection?
The General Data Protection Regulation for [the] UK, as it’s now known, came into force in its original form in 2018 and really acts as an update to the existing data protection legislation, largely in reaction to the way that information is being used, shared and provided. What it does, I think, is it puts things very simply. It means that information that you provide to an organisation, the information you provide to purchase something, to receive a service or to contract with a supplier if you’re a business, is treated in a manner to which you would agree to [and] you think is appropriate. In other words, as an individual you are not being mistreated, your information is not being used in a way which would harm you or cause you problems in the future.
What are the key themes and points of GDPR?
So, in essence, if you provide your information to another party, that party must treat it in a fair manner, be transparent about what use they’re going to put the information to and they must ask, if it’s appropriate, for you to consent to that use. And whilst they have that information, you’ve given the consent, they treat it, they process it, they use it in a manner that’s in accordance with what you’ve agreed to.
For example, if they use your information to collect some money and send you a product, that’s what they do. What they don’t do is then reuse or reprocess information, with their third parties and partners, to send you adverts about things that are in no way related to what your initial relationship was for. So if you bought a washing machine, do you necessarily want to hear about lawnmowers or hedge trimmers? No. And if you receive that, I think it’s only fair that you would think that’s slightly wrong.
And that, in a nutshell, is what it’s all about. It’s making organisations understand and be fair about how they treat and process information. Organisations need to think, should I have it? If I have got it, what can I do?
What has changed since GDPR came in in 2018? What was data protection before GDPR?
I think we could all, if we so wish, go back into news items for 2016/2015 and you could see the news is full of instances where information has been processed [on a] large scale without permission.
[For example] marketing phone calls: we’ve all sat at home, the phone will ring and we’d go, ‘Why are you calling?’. The marketing calls, unsolicited marketing calls; and for a lot of people, that’s what they think GDPR is about, marketing. It’s about saying, ‘Why are you contacting me? I’ve not spoken to you’.
Now I think it has delivered on that. But legislation cannot stand still, because only recently I’ve been talking to a number of my clients and they’re saying that in the offices next to them, a company will arrive in the afternoon, they’ll set up, and in the morning they’re gone. Now, the reason they’ve done that is because they’re using the premises to use the phone number, making a large amount of calls, and then they’re going somewhere else.
So regulations, legislation and law must keep track of this and be able to enforce it because, at the end of the day, you might not be able to trace the company who’s made the calls, but the impact is on the individual and the unfair use and practice of their information. And it extends beyond that to fraudulent activity, et cetera, et cetera.
What ISO supports GDPR?
So if we look at GDPR, what it actually is, if you strip back all of the packaging and get to the crux of what it’s all about, it’s about protecting information. Protecting information from the moment you receive it and asking that bold question, ‘should I have it?’ All the way through to ‘should I still have it?’ And if not, how do I remove or exit information from the business in a way that continues to protect the identity and the details of the individual’s information? Security management is governed through a standard, ISO 27001. So the practice of implementing a management system such as that will enable a business to understand, implement and operate controls around the securing of information.
[To] put it in a nutshell, it ensures that only people with a business, legitimate or legal reason can access that information, whether they’re in the business or within the supply chain. It’s a basic question: why do you need access, what level of access do you need? And if you have got access, do you still need it? Now, that gives you the groundwork of it. But then the additional controls or management strategies that you will need in order to work towards and maintain a level of compliance to the UK GDPR are then in a separate, as I describe it, bolt-on to ISO 27001.
There are a small number of them; a good example is ISO 27701. By implementing that [standard], you are a large way towards compliance. Now, compliance is not just about having documents in a folder [or] SharePoint or your chosen file system. It is actually doing it. And there are a lot of times I see some quite good management systems and forms of documentation, but when you open the book and go to page seven and say, ‘Okay, so let’s have a look at the information retention matrix. Not the policy, the matrix. What have you got, where is it?’ Sometimes it’s a very short conversation, and they will think [that] just having a document [is enough]. No, do it; it’s the doing. And if you ask me, as I suggest you may, what are some of the common sorts of mistakes that you may see in thinking that your job is done when the ink on the document is dry? Okay, the job is never done, but part of it is the document and then part of it is implementing that document in the business and having the evidence that you’ve done it. So for example, if you have an information retention policy, which in plain language [sets out]: what information you’ve got, where it is, who accesses it, how long you keep it for, and what action needs to be completed at the end of that retention?
Then I would expect to see a spreadsheet subscription with information on it.
And there’s no business that can say we haven’t got much personal information. If you’ve got staff, if you employ anyone, you’ve got personal information. You may not have a lot, but you will have personal information.
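To make the retention matrix Andrew describes concrete, here is an added example (not from the interview or from Assent) of a register with his five columns, what, where, who, how long and end-of-retention action, plus a last-review date as the evidence that it is actually being worked. The rows, dates and review window are constructed assumptions; the check flags records whose retention has expired or that lack evidence of review.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class RetentionRecord:
    what: str                    # category of personal information
    where: str                   # system or location holding it
    who: str                     # roles with access
    collected: date              # start of the retention clock
    keep_days: int               # agreed retention period in days
    end_action: str              # "delete", "anonymise" or "review"
    last_review: Optional[date]  # evidence the record was checked; None = no evidence

# Constructed sample register (assumed values, not real data).
REGISTER: List[RetentionRecord] = [
    RetentionRecord("Staff CVs", "HR SharePoint", "HR team",
                    date(2019, 3, 1), 365 * 2, "delete", date(2022, 1, 10)),
    RetentionRecord("Right-to-work evidence", "HR system", "HR team",
                    date(2021, 6, 15), 365 * 2, "delete", None),
    RetentionRecord("Customer orders", "ERP", "Sales, Finance",
                    date(2023, 9, 1), 365 * 6, "anonymise", date(2024, 1, 5)),
]

def retention_findings(register: List[RetentionRecord], today: date,
                       review_window_days: int = 365) -> List[Tuple[str, str]]:
    """Return (what, reason) pairs that need action as of `today`.

    A record is flagged when its retention period has expired (the end
    action is overdue), when it has never been reviewed, or when the last
    review is older than the review window (assumed to be one year).
    """
    findings = []
    for rec in register:
        expiry = rec.collected + timedelta(days=rec.keep_days)
        if today > expiry:
            findings.append((rec.what, f"past retention: {rec.end_action} due since {expiry.isoformat()}"))
        if rec.last_review is None:
            findings.append((rec.what, "no evidence of review"))
        elif (today - rec.last_review).days > review_window_days:
            findings.append((rec.what, f"last reviewed {rec.last_review.isoformat()}, outside review window"))
    return findings

if __name__ == "__main__":
    for what, reason in retention_findings(REGISTER, date(2024, 6, 1)):
        print(f"{what}: {reason}")
```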
What’s the biggest mistake companies make when it comes to GDPR and ISO 27001?
The biggest mistake that businesses make is actually thinking that they’ve done it just by having the ink on the paper but not actually implementing and keeping it consistent.
If we look at the ICO website, in the section ‘Actions Taken’, you will see some instances where action has been taken against companies because they have not followed the essence of the regulation, the UK GDPR. There was also action taken not because they didn’t follow it, but because they didn’t take appropriate levels of control of the information.
So for example, you may have a system where you store all of your staff information such as CVs, job descriptions, evidence for [the] right to work, perhaps next of kin information and so forth. Now, you could argue that that is very sensitive information, in which case you should protect that appropriately. So you might need to enforce two-factor [or] multi-factor authentication. [If] we didn’t do that and some of the information was taken, [which] caused harm or distress to an individual, then action could be taken in that example. [I’m] not saying it would be, but it could be, because you may not have been deemed to take an appropriate level of control. Now, that goes back to what we said previously about using ISO 27001 to enforce your capabilities; then you can use another one of these ‘bolt-ons’, which would then set out when you would use that, how, and how you would record it.
How can people start implementing ISO 27001?
So anyone who’s experienced implementing one of the management standards, ISO 27001, for example, will understand what I’m about to say. I’m about to tell you that it’s a journey: it has a start and it has a middle, but it doesn’t necessarily have an end. And that’s because once you’ve implemented it, which is a process of implementing, or if you liken [it] to growing a number of policies and procedures, then you have to do it. Now, the ‘doing’ goes on, and [the] essence in that really means that when you come to do it, it’s got to work. If it doesn’t work, then what will happen? If it’s not effective, what will happen? Well, they’re one and the same, really. And that will mean that information may be accessed when it shouldn’t be. You may call that a breach.
So [the] great thing about the management standard is you implement it, so a consultant will work with you to implement the documents. If you haven’t got any documents, we’ll start you off. We’ll get the business to agree to those documents, we’ll sign them off. And then what will happen is you’ll begin to operate. And once you begin to operate, that’s when the audit process will start and the auditors will come in and certify you against the standard. So you pass and you’ve got the certificate on the wall. That’s the start. So you’re now on the journey and you will begin now to be able to demonstrate that you continuously evolve that management system in its operation to ensure that as your business changes, as the environment in which you operate changes, you continue to build that management system accordingly. So it is definitely a journey. So you start and you have a look. What have you got? And the consultant will work with you to say, right, this is what we need, this is what you’ve got. Now, this is where we need to get to, if you like, a gap analysis, and for that journey they’ll support you in getting to the first initial objective, which is to get certification.
But then they’ll also support you in making sure that for the next three years you’re able to demonstrate that. And once you start, it will begin to make sense. Your consultant, well, a good consultant, will make sure you understand where you’re at, why you’re doing it and what the end objective is.
Remember that if a supplier comes to you and tells you about GDPR, think about where they sit. If you want to know about the UK GDPR, go to the ICO and just spend a few minutes with a cup of coffee and I’ll suggest a little bit of chocolate and just read it.
Because you will find that not only is it a great source of information, but there are also some free resources. I like free, especially if it comes from one of the lead authorities. Look at that and start at the beginning. Don’t think ‘I’ll tell you what, I’m going to go right to the end and I’m going to demonstrate my compliance today’. Start at the beginning of that journey. What have you got? And the ‘what have you got’ is: what personal information have we got? Start the journey, understand what you’ve got, then say, I know what I’ve got. Where is it? [The] ‘where is it’ is the location: where is the supplier, what do they do with it then? Where do you process information and what purpose do you do it for? And then the big question: why do I do that?
If you go through that, then you can start to do it, because you understand. People try [to] jump [ahead] here [but] need to start [at] the beginning.
Thank you Andrew for taking the time to take part in this interview. If you want to learn more about GDPR or ISO 27001, contact our expert Data Protection Consultants today.