Personal data carries significant value in today’s global economy, and international treaties such as Europe’s “Convention 108” exist to govern the flow of information across borders. In 2016, Mauritius ratified “Convention 108”, which carries the risk of a 20 million Euro fine in the event of a data breach related to EU citizen personal data. With the fast approaching deadline of the European General Data Protection Regulation (EU GDPR), many Mauritian companies dealing with EU data subjects, urgently need to implement privacy controls. The importance of the EU GDPR was highlighted by the Mauritius Chamber of Commerce and Industry in April 2016, and more recently a multi-billion Euro turnover, Geneva-based organisation, has been urging its local representative to address information security as top priority. Even more worrying, claiming insurance for loss of business in the aftermath of a disastrous data breach, may be invalidated by the insurer if internal controls were to be found lacking.
Common examples involving personal data include scanned passport copies, medical claims, payroll administration, financial information, or accessing personal information on a remote server in the EU.
In June 2016, The Republic of Mauritius ratified the Convention for the protection of individuals with regard to Automatic Processing of Personal Data, also known as “Convention 108”. The European General Data Protection Regulation (EU GDPR) impacts every entity that holds or uses European personal data and shall be enforced on the 25th May 2018. This is the date that Mauritian organisations need to be ready by, not the day in which they should start preparing.
The EU GDPR regulation introduces a set of rules that require organisations to implement controls to protect personal data. Non-compliance may incur administrative fines up to EUR20 million, or up to 4 percent of total worldwide revenue (whichever is the greater). Companies must also demonstrate that considerable security measures are in place to protect private data.
In layman terms, compliance with the EU regulations is enforced with the threat of ceasing to do business with non-compliant organisations, the threat of a substantial impact on the bottom line, and a substantial demand on security and IT operations. Fortunately, these threats can be mitigated by implementing an information security management system (ISMS) as well as supporting technology.
An information security management system (ISMS) is a set of policies and procedures for systematically managing an organisation's sensitive data. The goal of an ISMS is to minimise risk and ensure business continuity by pro-actively limiting the impact of a security breach.
Technology alone is not enough to defend against the evolving nature of information security threats. There is much more to information security than antivirus or firewalls. Technology is required in order to be compliant, and can help to achieve compliance, but the overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated, and cross-referenced to ensure overall effectiveness.
To cut short, information security strategy must be driven by executive management, and not by the IT department.
From a compliance perspective, implementation of an ISMS promotes a culture and awareness about security in organisations. The ISMS can assist with risk assessments, management of information security incidents, classification of information (personal data), identification of applicable legislation, contractual requirements, asset management and privacy by design. For software development companies, privacy by design ensures that information security forms an integral part across the entire development lifecycle.
In a nutshell, once the ISMS implemented, the organisation is halfway towards ensuring the protection of personal data, and minimising the risk of a leak, from which the impact could be catastrophic. Organisations should thereafter conduct an EU GDPR Gap Analysis to determine what remains to be done to meet their EU GDPR requirements.