My network and GDPR
So what specifically does this mean for IT personnel managing networks and what steps should senior staff members be taking to ensure compliance?
Expanding on the ICO's guide "12 steps to take now", you may find this guide helpful to get you started, but we do not recommend using it as a definitive guide on how you should begin your compliance policies.
12 steps to take now
Who are the decision makers within your organisation?
Produce a RACI table (Responsible, Accountable, Consulted, Informed) for your network policies at a high level, listing the decision makers who need to be involved in or informed of the updated networking policies.
What personal data does your network collect or store?
Begin by mind mapping and documenting all the potential personal data you hold or touch. Where has the data come from? Is the data shared with third parties? Are you a processor or a controller of this data? Unfortunately this step will be time consuming for most organisations, as every piece of data that may contain personally identifiable information will need to be considered.
For a wireless MSP, considerations will include:
- Where is my cloud infrastructure? Does the data centre have policies specific to GDPR? Am I hosting my own metal in my office, and what policies do I have for ensuring the protection, security and backing up of my data?
- Security of network users - What security policies do you have in place to secure and keep network data safe? Are you supplying pre-shared keys to guests or even staff? A pre-shared key can be installed on a rogue device, or on an ex-employee's device, whether personal or company-owned. Essentially we are confirming that pre-shared keys are a huge vulnerability to the security of your network, and you need to reconsider how you manage the on-boarding of users in a secure manner. As an organisation we promote and use Ruckus CloudPath - a secure on-boarding and user security suite that uses certificates which can be managed centrally, allowing devices to be removed on the fly.
- CRM - Likely to be the biggest area of concern, as this will hold personal data. Even in B2B environments you are likely to be storing some form of personal information, whether it is a customer who made a transaction on their personal credit card, had a delivery to their home address, or supplied you with drop-shipping address details for their consumer. Do not think that because you operate in a B2B marketplace you are immune to GDPR.
- Guest access - If you are using a third-party guest solution such as Purple WiFi (who have updated their solution to be GDPR compliant), ask them for their GDPR compliance statements and/or certifications.
- Up to date and relevant data - Have you got processes in place to periodically check that the data you hold on individuals is accurate and up to date, and to remove old data? This falls under the Data Protection Act (DPA) 1998, so it is likely to already be part of your policies.
- Marketing communications require opt-in consent - For networks with captive portals collecting personal data, users must be presented with the option to opt in to receive communications or to have their data shared with third parties. These options cannot be "accepted" or checked by default. A user must be able to remove themselves from marketing lists as easily as they can add themselves, which means portals should grant users full access to their data and the ability to adjust their marketing preferences.
- Controller vs Processor - Are you a controller or a processor of data for your customers? If you are providing guest access via a captive portal that collects data on guest users of the network, and this data is stored within your cloud where the customer can directly access it, then you are a processor of the data. If, however, you are providing free guest access to your customers on the basis that you collect and intend to use the data for your own marketing activities or other reporting, then you are acting as a controller.
Essentially you will want to audit all the information you hold, where it comes from, what you are doing with it and where you send it, and create a policy and process for each of the personally identifiable or sensitive data areas.
Update your network privacy policies for your users and guests
Paying attention to any terms presented when signing up to a network, specifically for guests, ensure your privacy statement is up to date and informs users of what you collect, why you collect it and how you plan to use it.
Checking procedures for individual rights
GDPR covers the rights of individuals to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to automated decision-making, including profiling. Again, you might not need to do anything new if you already have good procedures in place; however, paying attention to automated decision-making and profiling may be more relevant to your procedures if you are capturing guests' details and using them inside a marketing suite.
Be prepared for subject access requests
The only big change here is that you might not realise that you cannot charge for a subject access request, and you now only have 30 days to comply; this was previously 40 days. It is worth having a meeting to explore subject access request scenarios and to create a model for deciding on the feasibility of any adjustments to systems you may wish to implement to ease the subject access request process. Using a product like CloudPath you are collecting user details of network access, websites visited and applications used. Using a product like iBoss you can go as far as automatically taking screenshots on a user's device when they perform certain actions, such as visiting a blocklisted website. iBoss has some of the best reporting we've seen for networks to date. But even if you just use SmartCell Insights or SmartZone, you are still collecting a lot of data that you may need to consider for subject access requests.
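As an added illustration of what "easing the subject access request process" can look like in practice, the script below collates everything a network holds on one person across the kinds of sources just mentioned (on-boarding registrations, authentication logs, web-filter logs) and stamps the reply with its 30-day due date. This is example code written for this article, not DigitalAir's, CloudPath's or iBoss's; the three data sources, their line formats and every record in them are constructed for illustration, and a real run would read the exports of your on-boarding system, RADIUS server and web filter in whatever format they produce.

```python
"""Collate the data a network holds on one person for a subject access
request (SAR). Added example; all sources and records are constructed."""
import json
import re
from datetime import date, timedelta

SAR_DAYS = 30  # response window stated in the article

# Constructed: captive-portal registrations link a person to their devices.
REGISTRATIONS = [
    {"email": "jane@example.com", "mac": "aa:bb:cc:00:00:01", "registered": "2018-05-02"},
    {"email": "jane@example.com", "mac": "aa:bb:cc:00:00:02", "registered": "2018-05-10"},
    {"email": "bob@example.com", "mac": "aa:bb:cc:00:00:09", "registered": "2018-05-03"},
]

# Constructed RADIUS-style lines: "timestamp user mac access-point result".
AUTH_LOG = """\
2018-05-02T08:01:10Z jane@example.com aa:bb:cc:00:00:01 ap-lobby-1 Access-Accept
2018-05-02T08:05:44Z bob@example.com aa:bb:cc:00:00:09 ap-lobby-1 Access-Accept
2018-05-10T12:30:02Z jane@example.com aa:bb:cc:00:00:02 ap-floor2-3 Access-Accept
2018-05-11T09:00:00Z jane@example.com aa:bb:cc:00:00:02 ap-floor2-3 Access-Reject
"""

# Constructed web-filter lines: "timestamp mac category url".
PROXY_LOG = """\
2018-05-02T08:02:00Z aa:bb:cc:00:00:01 news https://news.example.org/
2018-05-02T08:06:10Z aa:bb:cc:00:00:09 shopping https://shop.example.net/
2018-05-10T12:31:00Z aa:bb:cc:00:00:02 blocked https://blocked.example.test/
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<mac>\S+) (?P<ap>\S+) (?P<result>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<mac>\S+) (?P<category>\S+) (?P<url>\S+)$")


def _parse(log, pattern):
    """Turn each log line into a dict; lines that do not match the expected
    format are skipped so one malformed line cannot abort the whole export."""
    rows = []
    for line in log.splitlines():
        m = pattern.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def collate_sar(email, requested_on):
    """Return everything held on `email` plus the date the reply is due.

    The subject is matched by e-mail address; every device they registered
    then becomes a key into the MAC-addressed logs. Rows belonging to other
    people are never included, even when they share an AP or a day.
    `requested_on` is an ISO date string such as "2018-05-25".
    """
    email = email.lower()
    registrations = [r for r in REGISTRATIONS if r["email"].lower() == email]
    macs = {r["mac"].lower() for r in registrations}

    auths = [a for a in _parse(AUTH_LOG, AUTH_RE)
             if a["user"].lower() == email or a["mac"].lower() in macs]
    web = [w for w in _parse(PROXY_LOG, PROXY_RE) if w["mac"].lower() in macs]

    received = date.fromisoformat(requested_on)
    return {
        "subject": email,
        "requested_on": received.isoformat(),
        "due_by": (received + timedelta(days=SAR_DAYS)).isoformat(),
        "devices": sorted(macs),
        "registrations": registrations,
        "authentications": auths,
        "web_activity": web,
        "sources": ["captive-portal", "radius", "web-filter"],
    }


if __name__ == "__main__":
    print(json.dumps(collate_sar("jane@example.com", "2018-05-25"), indent=2))
```

Two points the script makes concrete: MAC-keyed logs only become personal data you can answer for once something (here the portal registration) ties the MAC to a person, so that linkage table is itself part of the audit; and a shared or spoofed device means MAC-keyed rows may include someone else's activity, so the export should be reviewed before release rather than sent automatically.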
Lawful basis for processing personal data
If you explain your lawful basis for processing personal data in your privacy notices and when answering subject access requests, and that basis is lawful, you should comply with the GDPR's "accountability" requirements.
Remember that consent will need to be given by an individual for processing any personal data relating to him or her. Staff accessing the company network could have consent added to their contract of employment. Guest or BYOD devices can be presented with consent terms and conditions to accept before joining a network, so long as you confirm what you are going to collect and what you will do with the data.
For education organisations such as schools, and for hospitality networks providing guest access to visitors, you should put a system in place to verify an individual's age and seek parental/guardian consent. This is a little more involved for guest access, and for many guest network operators the decision may well be to disable access for anyone who verifies that they are under 16. The captive portal might then be smart enough to place a cookie on the child's device to stop them re-attempting to gain access to the Internet for a period of time, so they cannot simply adjust their age; however, that has user experience implications: what if the child was using their parent's phone to watch the latest episode of Paw Patrol on Netflix? A more suitable approach might be to have additional text fields appear during the user journey to confirm the guardian's/parent's name, with a check box confirming that they give consent for the child and that they themselves are over the age of 16. This can be achieved using PacketFence or CloudPath. For education, a school network may prefer the on-boarding journey to send an email to the parents/guardians to confirm access for their child to the network when they first register for the school, on-boarding both the child and their devices before their first day. Many guest systems will implement a slightly different user journey, and CloudPath or PacketFence can create different user journeys depending on your situation.
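The two captive-portal requirements above, opt-in boxes that are never pre-ticked and can be undone as easily as they were set, and an extra guardian step for anyone under 16, come together in the sign-up handler below. It is example code written for this article, not DigitalAir's, CloudPath's or PacketFence's; the form field names, the consent-text version identifier and the stored record layout are assumptions made for illustration, while the 16-year threshold and the guardian name/consent fields are the ones described here.

```python
"""Captive-portal sign-up with explicit opt-in and an under-16 guardian step.
Added example; field names and the record layout are assumed."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

CONSENT_TEXT_VERSION = "guest-privacy-notice-v1"  # assumed identifier for the text shown
GUARDIAN_REQUIRED_UNDER = 16                       # threshold used in the article


class RegistrationError(ValueError):
    """The submitted form cannot be accepted as valid consent."""


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    age: int
    marketing_opt_in: bool
    third_party_sharing: bool
    guardian_name: Optional[str]
    guardian_confirmed: bool
    consent_version: str   # which wording the person agreed to
    recorded_at: str       # ISO-8601 UTC: when they agreed (or changed it)


def _ticked(form: dict, name: str) -> bool:
    """Browsers leave unchecked boxes out of the POST body entirely, so a
    missing field means 'no'. Only the literal 'on' a ticked checkbox sends
    counts, so a pre-checked default can never be stored as consent by accident
    (assumed: the portal's checkboxes post 'on', not '1' or 'true')."""
    return form.get(name) == "on"


def register(form: dict, now: Optional[datetime] = None) -> ConsentRecord:
    """Validate one sign-up form and return the record to store with it."""
    now = now or datetime.now(timezone.utc)
    email = form.get("email", "").strip()
    if not email:
        raise RegistrationError("email is required")
    try:
        age = int(form.get("age", ""))
    except ValueError:
        raise RegistrationError("age must be a whole number")
    if not _ticked(form, "accept_terms"):
        raise RegistrationError("the terms and privacy notice must be accepted")

    guardian_name = None
    guardian_confirmed = False
    if age < GUARDIAN_REQUIRED_UNDER:
        # Extra journey step from the article: a named parent/guardian ticks
        # that they consent for the child and that they are themselves over 16.
        guardian_name = form.get("guardian_name", "").strip() or None
        guardian_confirmed = (_ticked(form, "guardian_consents")
                              and _ticked(form, "guardian_over_16"))
        if guardian_name is None or not guardian_confirmed:
            raise RegistrationError(
                "under-16 users need a named guardian who confirms consent "
                "and that they are over 16 themselves")

    return ConsentRecord(
        email=email,
        age=age,
        marketing_opt_in=_ticked(form, "marketing_opt_in"),
        third_party_sharing=_ticked(form, "share_with_partners"),
        guardian_name=guardian_name,
        guardian_confirmed=guardian_confirmed,
        consent_version=CONSENT_TEXT_VERSION,
        recorded_at=now.isoformat(),
    )


def update_preferences(record: ConsentRecord, *, marketing_opt_in=None,
                       third_party_sharing=None,
                       now: Optional[datetime] = None) -> ConsentRecord:
    """Changing or withdrawing a preference is one call with no extra hurdles;
    the new record is timestamped so the audit trail shows when it changed."""
    now = now or datetime.now(timezone.utc)
    changes = {"recorded_at": now.isoformat()}
    if marketing_opt_in is not None:
        changes["marketing_opt_in"] = marketing_opt_in
    if third_party_sharing is not None:
        changes["third_party_sharing"] = third_party_sharing
    return replace(record, **changes)
```

Because `ConsentRecord` is a plain dataclass, `dataclasses.asdict(record)` gives the "full access to their data" view a portal can show the user, and the stored `consent_version` plus `recorded_at` are what you would produce if asked to evidence that consent was actually given and for which wording.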
Knowing your network and having procedures in place to detect, report and investigate data breaches will already be in practice unless you are a small start-up yet to implement any such procedures. For the purposes of GDPR specifically, the big change now is that as an organisation you will need to proactively notify individuals if their personal data has been involved in a data breach. This could happen if you detect a rogue access point on your network that has sneakily been attracting users and performing a man-in-the-middle attack while they attempt to log into the network, capturing their password, which in this instance could be one they also use on their other accounts. It doesn't take a pro hacker to put a script together to try to log into an email account using details entered on a captured form. You might even have a more severe breach, where someone has physically plugged their device into a port on your network, accessed a server running your e-commerce website and adjusted one file that now sends every customer's card details to somewhere they can capture them, all without showing any sign of a breach or problem to the user. The store still processes the order, the organisation sends the products to the customer and nothing strange happens for several weeks or months, until this same hacker, now with hundreds, possibly thousands of card details, starts to sell them or use them to make a lot of purchases. Either way, in any such circumstance the organisation is now obliged to contact every possibly affected customer and visitor and inform them of the severity of the breach. You can imagine how damaging this bad PR could be for an organisation having to publicly recommend that thousands of customers cancel their credit cards! The moral of the story is to take your networks, whether in your building, co-located in a data centre or in the cloud, very seriously!
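The rogue access point scenario above is the one a wireless operator can actually detect from the air, by comparing what the APs' scanning radios hear against what the controller says should be broadcasting. The check below is an added example written for this article, not DigitalAir's or Ruckus's code: the authorised AP inventory and the scan results are constructed (the BSSIDs are made up), and the security labels are assumed names. It flags three situations: our SSID coming from a radio we do not own (an evil twin), a lookalike SSID from an unknown radio, and one of our own BSSIDs seen with weaker security than it is configured for.

```python
"""Spot an evil twin, lookalike SSID or misconfigured AP in Wi-Fi scan results.
Added example; inventory and scan are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Beacon:
    bssid: str      # radio MAC the beacon was sent from
    ssid: str
    channel: int
    security: str   # assumed labels: "open", "wpa2-psk", "wpa2-enterprise"
    rssi: int       # signal at the scanning radio in dBm (0 = not applicable)


# Constructed inventory: what the controller says each authorised radio broadcasts.
AUTHORISED: Dict[str, Beacon] = {b.bssid: b for b in [
    Beacon("00:11:22:aa:bb:01", "Corp-Staff", 36, "wpa2-enterprise", 0),
    Beacon("00:11:22:aa:bb:02", "Corp-Guest", 36, "open", 0),
    Beacon("00:11:22:aa:bb:11", "Corp-Staff", 1, "wpa2-enterprise", 0),
]}


def _normalise(ssid: str) -> str:
    """Collapse case and punctuation so 'Corp_Staff' and 'corp staff' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_rogues(scan: List[Beacon],
                authorised: Dict[str, Beacon] = AUTHORISED) -> List[dict]:
    """Return one finding per suspicious beacon; neighbours' own SSIDs are ignored."""
    managed = {b.ssid for b in authorised.values()}
    lookalike_keys = {_normalise(s) for s in managed}
    findings = []
    for seen in scan:
        known = authorised.get(seen.bssid.lower())
        where = f"channel {seen.channel}, {seen.security}, {seen.rssi} dBm"
        if known is None:
            if seen.ssid in managed:
                findings.append({"kind": "evil-twin", "bssid": seen.bssid, "ssid": seen.ssid,
                                 "detail": f"our SSID from an unknown radio ({where})"})
            elif _normalise(seen.ssid) in lookalike_keys:
                findings.append({"kind": "lookalike-ssid", "bssid": seen.bssid, "ssid": seen.ssid,
                                 "detail": f"resembles a managed SSID ({where})"})
            # Anything else is an unrelated neighbouring network.
        elif seen.security != known.security:
            findings.append({"kind": "security-mismatch", "bssid": seen.bssid, "ssid": seen.ssid,
                             "detail": f"expected {known.security}, saw {seen.security} ({where})"})
    return findings


# Constructed scan: one genuine AP, an evil twin, a lookalike, a neighbour,
# and one of our own BSSIDs advertising no security at all.
SAMPLE_SCAN = [
    Beacon("00:11:22:aa:bb:01", "Corp-Staff", 36, "wpa2-enterprise", -48),
    Beacon("de:ad:be:ef:00:01", "Corp-Staff", 6, "open", -40),
    Beacon("de:ad:be:ef:00:02", "Corp_Staff", 11, "wpa2-psk", -55),
    Beacon("66:77:88:99:aa:bb", "CoffeeShop-Free", 1, "open", -70),
    Beacon("00:11:22:aa:bb:11", "Corp-Staff", 1, "open", -50),
]

if __name__ == "__main__":
    for f in find_rogues(SAMPLE_SCAN):
        print(f"{f['kind']:18} {f['bssid']}  {f['ssid']!r}: {f['detail']}")
```

This covers only the over-the-air case; the wired scenario in the paragraph (a device plugged into a switch port) needs port security or 802.1X on the switches and change monitoring on the web server, neither of which a Wi-Fi scan can see. Each finding is also the trigger for the breach procedure the paragraph describes: working out which users associated with the rogue radio and when, so they can be told.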
Data protection by design and data protection impact assessments
Traditionally falling under good practice, this is now a legal requirement under the term "data protection by design and by default". Any situation where data processing results in risk to individuals, such as upgrading systems, profiling and transferring data, needs a data protection impact assessment (DPIA). There are many DPIA templates available if you simply Google the phrase to get you started.
Data protection officers - do you actually need one?
Does your organisation need to designate someone to take responsibility for data protection compliance? A DPO is only legally required if you are a public authority (excluding courts), an organisation that carries out regular and systematic monitoring of individuals on a large scale, or an organisation that carries out large-scale processing of special categories of data such as health records or information about criminal convictions. There is certainly ambiguity over what is classified as "large scale"; a network managing hundreds of access points serving thousands of users is, in our opinion, "large scale". An organisation using Ruckus SPoT technology, for instance, gathers lots of information on visitor locations, but that data is thankfully normalised, so it would not fall under this. Ruckus SmartCell Insights, however, is in theory individually identifiable and would fall under "regular and systematic monitoring". iBoss, which has very detailed user reporting, could also cause your organisation to be considered as carrying out regular and systematic monitoring. The point here is that your audit should determine which tools actually fall under the GDPR that you might not think of as gathering personally identifiable information when in fact they do. You do not need to employ a full-time member of staff; as a smaller organisation you could take the approach of obtaining an external data protection advisor.
Whether your organisation is inside Europe or outside it, dealing with any data from individuals in the EU is covered by the GDPR. If your organisation is located in more than one EU member state you should identify a lead data protection supervisory authority and document this. The lead authority will be in the state where your head office / main establishment is.
Our technical account managers have been briefed and are regularly trained to understand legal and security requirements surrounding wired and wireless networks to aid our customers in meeting their legal obligations.
For further information on GDPR we recommend you visit the ICO (Information Commissioner's Office).
To get in touch with a DigitalAir representative to discuss your network, how CloudPath, iBoss, SmartZone, SPoT or even our security audit service can be of use, or how to have these configured for GDPR compliance, please call 01202 612 400.