The General Data Protection Regulation (GDPR) is one of the most anticipated pieces of legislation in Europe’s history. Affecting industries, sectors and organisations across the EU, it’s a topic few haven’t heard of and many are preparing for.
For the EMS sector, we’re ready and waiting to support our customers with a sector-leading approach to understanding and implementing the data protection elements required to secure your elections. But how?
Understanding data protection
Going back to GDPR basics, there seems to be a degree of confusion between Information Security and Data Protection. Good information security is an essential precursor of good data protection, but it’s not the same thing. In fact, GDPR recognises this by including, in Articles 24 and 32, requirements which would normally be met by an ISMS (Information Security Management System).
Our understanding of our client base – both in the UK and across Europe – tells us that the state of their information security is generally adequate, good, or in a few cases excellent, with huge steps already made over the last few years, driven in part by the PSN CoCo. So while information security is generally well understood, data protection, and how it differs from information security, is less well understood.
And, make no mistake – Data Protection is 20% technology and 80% organisation.
The challenge facing most data controllers is being able to adapt the organisation so they can build data protection into a multitude of daily operational routines. After all, we live in an increasingly data-driven world that has changed drastically in technology, privacy and information manipulation since the previous Data Protection Directive was established in 1995.
A spotlight on EMS
GDPR’s attempts to harmonise and reshape data privacy laws across Europe have brought into play a number of new considerations for those with an electoral remit. From changes to Breach Notification and Consent to the Right to Access and Right to be Forgotten, previously unwritten rules are now clearly stipulated in black and white, and must be deliberated on ahead of the May 2018 enforcement.
Looking internally, we do not fall into any of the GDPR categories that require a data controller to appoint a Data Protection Officer (DPO), and our level of personal data use is typical of any SME. Our information security and data protection requirements (in DPA98 form) are already in place, so our customers can rest assured that we have only needed to do a relatively small amount of tweaking to internal processes to ensure compliance – for instance, changing our breach notification process to meet the 72-hour rule.
But we aren’t stopping there. The Idox Elections ethos is to understand and support our customers with a reliability and transparency that sets us apart from the rest. Considering GDPR from a client perspective, we’ve assessed our services and systems against the needs of customers – the ‘data controllers’ – in line with our role as a ‘data processor’.
We have also been proactive in assisting our customers to meet their GDPR responsibilities working towards ‘Data protection by design and by default’. We are building this concept into our product development processes so that they already meet the obligations placed on our clients by Article 25 of GDPR.
The recent release of the Cloud Connector is a prime example. From the way in which the data is encrypted and anonymised by the Eros Service before it traverses the customer’s internal network, through multiple stages of encryption up to report building, data protection has been part of every fundamental design decision. The technology is powerful but transparent, as techniques such as OAuth2, HTTPS, TLS 1.2, Azure Encryption and BitLocker-encrypted drives ensure the confidentiality and integrity of the data at every stage.
Covering all data bases
A large proportion of our GDPR work has focused on observing daily operational processes from a client’s perspective. The aim has been to advise how systems can be adapted effectively, understanding business processes and technology in parallel with the new data privacy laws to suit all. For example, the Eros EMS usually runs as a client/server service inside the enterprise security perimeter where we only look on from a distance.
Looking at areas such as this from a neutral standpoint, we can judge where the product meets the needs of GDPR and where something extra needs to be done. That might be something:
- technical – like using encryption of the SQL Server backups, or replication for availability;
- functional – like reviewing data content to remove aged Eros data records;
- operational – like only installing systems on machines where there is a real need for access and which are part of the core network (inside the security perimeter or connected by a secure VPN); or
- organisational – like instructing the call centre on how to verify a caller’s identity before providing WebEros details. Who needs training? Is that one-time or ongoing?
We have made risk assessments by reviewing each product and its business processes against the actual legislation, finding the risks and then coming up with practical measures to mitigate or eradicate them. These can’t always be detailed because they will vary for each organisation depending on what measures are already in place and what importance is attached to each risk. But knowing what the potential risks are, and what can be done to alleviate them, is a good start.
This knowledge is documented in what we call our ‘reverse DPIAs’. A DPIA (Data Protection Impact Assessment) is the preferred (i.e. recommended by the Information Commissioner’s Office) method for assessing how a new system will affect the existing data protection regime. Ours are reversed because they consider how a new regime will illuminate shortcomings in existing products and processes.
Evolving with confidence
GDPR is built on the principles of protecting and empowering and this holds potential benefits for all.
Our recent GDPR assessments have ensured we’ve taken the appropriate measures to support our findings and, where necessary, taken action to ensure that we have systems and processes in place.
To date, we’ve implemented documentation and/or process improvements that are ready or nearing completion across several notable areas. These include, but are not limited to:
- Review of current ISMS to verify suitability for GDPR support
- Review of privacy notices on public websites
- Revised ‘Data Breach Management’, ‘Information Systems Development Security’, ‘Security Incident Management’ and ‘Supplier Management’ policies within ISMS
- Internal and external engagement including staff training sessions and a customer survey on GDPR readiness
- Reverse DPIAs for Eros, WebEros, AVantGuard and Perses
We can also offer an easy method of scrambling ‘non-Live’ Eros databases, to minimise the presence of real elector data in your environments. This solution can be run by IT departments, or as a fully managed service should you wish.
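To make the data-minimisation idea behind scrambling a non-live copy concrete, here is an added example of how such a scrambler can be built and, just as importantly, verified. This is illustrative code written for this article, not Idox’s scrambling tool, and it assumes a constructed single-table elector schema (forename, surname, address, postcode, email) rather than the real Eros schema. Each real value is replaced by a keyed HMAC-derived token, so the same person always scrambles to the same placeholder (duplicates and joins in the test copy still line up) while the key, discarded after the run, is the only route back to the original.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample rows standing in for a restored 'non-Live' copy of the register.
# This is NOT the Eros schema; it is just the shape of data an electoral register holds.
SAMPLE_ROWS = [
    (1, "Ada", "Lovelace", "12 Analytical Row", "E16 2AB", "ada@example.org"),
    (2, "Charles", "Babbage", "1 Difference Street", "E16 2AB", "charles@example.org"),
    (3, "Ada", "Lovelace", "12 Analytical Row", "E16 2AB", "ada@example.org"),  # same person twice
]


def _mac(key: bytes, field: str, value: str) -> bytes:
    """HMAC-SHA256 over field name + value: deterministic per key, unrecoverable without it.
    The field name is mixed in so an identical string in two columns gets two different tokens."""
    return hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256).digest()


def token_letters(key: bytes, field: str, value: str, n: int) -> str:
    """n uppercase letters derived from the HMAC; letters only, so the token can never
    collide with real values that contain digits (house numbers, postcode inward codes)."""
    return "".join(chr(ord("A") + b % 26) for b in _mac(key, field, value)[:n])


def scramble_row(key: bytes, forename: str, surname: str, address: str,
                 postcode: str, email: str) -> tuple:
    """Replace every PII field with a token that still has the right shape for testing."""
    outward, _, inward = postcode.partition(" ")
    return (
        token_letters(key, "forename", forename, 6).capitalize(),
        token_letters(key, "surname", surname, 8).capitalize(),
        f"{1 + _mac(key, 'address', address)[0] % 99} "
        f"{token_letters(key, 'street', address, 8).capitalize()} Street",
        # keep the outward code (postcode district) so area-level statistics still work;
        # a real inward code starts with a digit, so three letters never equal a real one
        f"{outward} {token_letters(key, 'postcode', inward, 3)}",
        # .invalid is a reserved TLD: a scrambled address can never reach a real mailbox
        f"{token_letters(key, 'email', email, 10).lower()}@example.invalid",
    )


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the non-live database copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE elector (id INTEGER PRIMARY KEY, forename TEXT, surname TEXT, "
        "address TEXT, postcode TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO elector VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def scramble_electors(conn: sqlite3.Connection, key: bytes) -> int:
    """Rewrite every elector row in place; returns the number of rows scrambled."""
    rows = conn.execute(
        "SELECT id, forename, surname, address, postcode, email FROM elector"
    ).fetchall()
    for row in rows:
        conn.execute(
            "UPDATE elector SET forename=?, surname=?, address=?, postcode=?, email=? WHERE id=?",
            scramble_row(key, *row[1:]) + (row[0],),
        )
    conn.commit()
    return len(rows)


def residual_real_values(conn: sqlite3.Connection, original_rows) -> list:
    """The control a DPIA asks for: evidence that no original PII value survives in the copy."""
    real = {value for row in original_rows for value in row[1:]}
    scrambled = conn.execute(
        "SELECT forename, surname, address, postcode, email FROM elector"
    ).fetchall()
    return sorted({v for row in scrambled for v in row if v in real})


def demo() -> dict:
    """Scramble the constructed copy and report the checks a reviewer would want to see."""
    key = secrets.token_bytes(32)  # per-run key; never stored alongside the scrambled copy
    conn = build_sample_db()
    count = scramble_electors(conn, key)
    rows = conn.execute(
        "SELECT forename, surname, address, postcode, email FROM elector ORDER BY id"
    ).fetchall()
    return {
        "rows": count,
        "leaked": residual_real_values(conn, SAMPLE_ROWS),   # expected: []
        "duplicates_consistent": rows[0] == rows[2],         # same person -> same tokens
        "distinct_people_differ": rows[0][1] != rows[1][1],
        "district_kept": all(r[3].startswith("E16 ") for r in rows),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the token format. First, keyed pseudonymisation rather than random replacement keeps the test copy internally consistent without creating a lookup table that itself becomes personal data; once the key is gone, the copy is no longer linkable to real electors. Second, the residual check turns “we scrambled it” into evidence: run it after every refresh of a non-live environment and keep the result, because that is what an auditor or a reverse DPIA will ask for.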
We understand that our customers have their own assessments to undertake – and measures to implement – given local authorities have the ongoing task of delivering frontline services for citizens and engaging with them on a daily, increasingly digital, basis. Our role as both a service and system partner puts us in the right position to offer that helping, supportive hand when it comes to securing elections. After all, innovation and evolution are always at the heart of our culture to ensure we meet the changing needs of the electoral services market – whether that be product development, customer training or providing the means for ensuring data privacy compliance.
Elections success is paramount to retaining public trust and we’re here to help both with GDPR and beyond. The proof is simply in the preparation.
Want to find out more or ask a question about our GDPR product offerings? Get in touch today – we’re always happy to discuss your requirements in more detail.