The purpose of the EU General Data Protection Regulation (GDPR) is to update and modernise the principles already enshrined in the 1995 Data Protection Directive in order to guarantee privacy rights. 7Safe’s Michael Shuff asks: after Brexit, will the GDPR affect UK organisations, and what will the ICO recommend to the UK Government?
EU data protection reform is intended to strengthen citizens' rights and “build trust”. In the words of the European Commission, the GDPR focuses on: reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards. The new rules are designed to make sure that people's personal information is protected no matter where it is sent, processed or stored, even outside the EU, as may often be the case on the internet.
The evidence presented by the European Commission states that nine out of ten Europeans have expressed concern about mobile apps collecting their data without their consent, and seven out of ten worry about the potential use that companies may make of the information disclosed. [Source: Questions and Answers - Data protection reform, European Commission].
With social networking sites, cloud computing, location-based services and smart cards, processing of personal data has grown exponentially. The EU has recognised a need to put in place a robust set of rules to make sure people's right to personal data protection – recognised by Article 8 of the EU's Charter of Fundamental Rights – remains effective in the digital age. The Commission claims that “This will at the same time be beneficial for the development of the digital economy”.
Should UK organisations continue preparations for the GDPR?
The ICO’s EU referendum result response published on 24th of June (see below) clarifies the Information Commissioner’s position regarding Brexit and GDPR. PA Consulting’s GDPR lead consultant, Mark Pearce, commented that: “There is little change in the positioning of GDPR and the necessity of UK organisations having to respond to the requirements. The new incoming Information Commissioner will influence the debate, but the clock remains ticking on the longer lead IT-related items, such as Privacy by Design, right of erasure, breach notification and unambiguous consent.” One of the few certainties at this historic juncture is that the timetable for transposing the GDPR into the laws of European member states will not be affected by Brexit.
As previously reported in 7Safe’s blog, the EU expects organisations to take a positive approach to the full data lifecycle, from the point personal data is collected or created through to its destruction. Knowing what data needs to be collected is important as it will form the basis for many of the changes that organisations need to make in order to comply with the Regulation. Procuring large systems, or changing them, can take a long time and businesses should plan now to identify any changes or new requirements to ensure that they will be compliant by Q2 2018 when the GDPR comes into force. [Source: EU Data Protection Regulation: Approval expected soon].
No ‘GDPR Exit’ for organisations doing business within the European Union
Those opposed to EU regulation may see Brexit as an opportunity to simplify or water down the GDPR, but a separate UK path would carry its own costs. As lawyers Toni Vitale and Rhoda Elise Bryans of Addleshaw Goddard said in The Register (24 Jun 2016): “It will become more difficult to export data to and from the EU and UK (without putting in place EU model clause contracts or binding corporate rules). Implementing model clause agreements between every legal entity in a complex corporate structure is at the very least an administrative headache.”
If the UK wants to trade with the Single Market on equal terms, it will have to prove 'adequacy'. In other words, UK data protection law will have to be equivalent in key aspects to the EU's General Data Protection Regulation framework, starting in 2018.
ICO to consult UK Government on new – and much tougher – DPA legislation
The ICO points out on its website that, given the growing digital economy, having clear laws with safeguards in place is more important than ever, and that such laws are also central to the sharing of data that international trade relies on. The ICO's position that the UK will continue to need effective data protection laws addressing the need for digital trust is likely to lead to a significant updating and strengthening of the UK Data Protection Act 1998.
There is already a precedent for following the EU model. As Mark Pearce says: “The UK Data Protection Act 1984 was updated in 1998 to respond to the 1995 EU Data Protection Directive. The UK did not need to update its own Data Protection laws because it was only an EU directive and consequently not mandatory. However, the UK did respond, as the EU directive was stronger legislation and to comply in business terms with EU entities. The strong probability is that the same will happen now for the same reasons, even though the UK will no longer be part of the EU.”
Addressing both Cyber Security and Data Protection essential for Digital Trust
Since 2010 or thereabouts, there has been a dramatic climb in advanced threats and malware, more sophisticated in nature than could reasonably be prevented or contained through the security practices of the type defined in the UK Government’s Cyber Essentials Scheme, or through the procedures driven by, for example, the widely adopted ISO, NIST and PCI DSS compliance regimes.
It is not that any of these control sets and standardised procedures are faulty; it is simply that powerful technology and global politics have disrupted our understanding of the ground rules of data security and data privacy. Simple measures for achieving cyber hygiene will prevent, as CESG states, 80% of known cyber-attacks. But this is of little comfort to large organisations that own personally identifiable data on millions of people, data that is often processed by third parties in complicated relationships. One data breach, malicious or accidental, could be ruinous.
The scale of the cyber security problem facing organisations today compared to 1998 cannot be overstated. For example, according to a recent ISACA and RSA survey, 13% of enterprise IT professionals surveyed cited nation-state attacks as a threat actor that had exploited their organisation in 2015. It isn’t just the ‘lone wolf’ illegal hackers who are willing to publish confidential data on the dark web. The need to protect data from malicious insiders and organised gangs of hackers and cyber criminals has become one of the top risks that the C-suite has to address in 2016.
[Source: State of Cybersecurity: Implications for 2016, An ISACA and RSA Conference Survey, 2016.]
Mitigating risks of owning & processing data requires training
Against rising threat levels and the sheer destructive power of some types of attack, there is a shortage of qualified skills in data protection and cyber security best practice at every level within almost every organisation, all the way up to the CISO.
Politicians and academics debate why this is the case and talk about improvements in the education system that, one day, will deliver a different mix of skills and meet the demand for cyber experience. Regardless of their efforts, though, the EU GDPR will require organisations to appoint a Data Protection Officer (DPO) and to demonstrate due diligence in applying the requirements of the Regulation in order to avoid severe penalties. But where are we all expected to find skilled data protection professionals in today's market? GDPR training course programmes that cover European data protection law and information/cyber security policies, processes and controls are needed soon.
In 2015, the number of zero-day vulnerabilities discovered more than doubled to 54, a 125 percent increase on the year before. Put another way, a new zero-day vulnerability was found every week (on average) in 2015. [Source: Symantec]. This finding suggests that the cyber hacking threat to data systems is escalating faster than many large organisations can staff their Security Operations Centres with trained people. At the same time, the risk of accidental disclosure of information by employees remains a fact of life, and prudence suggests it needs to be planned for before an incident becomes public knowledge.
The 1998 Data Protection Act says you should have security that is appropriate to:
- the nature of the information in question; and
- the harm that might result from its improper use, or from its accidental loss or destruction.
This principle is most likely to carry over into the new Act, whether or not that Act adopts the GDPR’s full set of requirements. For most organisations, determining what confidential information they, their data processors and their third parties hold, and seeking to mitigate the risks of owning and handling that data, has become a major priority. Brexit will only add a UK dimension to a debate which is largely settled in the EU and is set to make a big impact on organisations and global markets.
# # #
Are you planning a GDPR project and want to know what information your organisation needs to protect and how best to meet the requirements of the Regulation when it comes into force in 2018? You can talk to our expert consultants in complete confidence and find out about the services 7Safe and PA Consulting can offer to help you succeed.