The government announced its plans to write the EU General Data Protection Regulation into UK Law. The requirements of GDPR will be enforced in Britain under the new data protection bill, announced by Matt Hancock, the minister for digital in a statement of intent on 7th August 2017.
A quick background, in case you haven’t heard about GDPR (in which case: where have you been?) or seen our previous advice on the regulation (here and here): the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. The legislation itself has actually been completed since April 2016, but its complexity led to the EU allowing a 2-year grace period for countries and organisations to prepare and comply adjust.
We are nearing the end of that preparation timeline, and in 9 months GDPR will come into force, bringing enhanced powers over personal information for data subjects, and huge fines for those organisations and data processors that aren’t prepared.
By acting now, you can ensure you know exactly how the new data protection legislation could affect your organisation and be confident in your data protection processes and systems come the May 2018 deadline.
The government’s proposed Data Protection Bill goes a step further than the GDPR; in their official press release they highlight one of the areas the bill brings into scope is expanding the definition of ‘personal data’ to include IP addresses, internet cookies and DNA. Quite how they expect to enact this alongside the Investigatory Powers Act remains to be seen.
The bill is also touted to introduce new criminal offences to deter organisations from creating situations where anonymised data could be traced back to a real person – be it intentional or through reckless handling of data.
It’s not all doom and gloom though – the new bill will bring UK data protection laws in line with the EU in time for the UK’s exit from the union, allowing easier flow of data for organisations who operate across the continent.
Those criminal offences will work alongside increased fines to encourage organisations to toe the line. The maximum fine for breaches is set to increase to £17 million, or up to 4% of annual turnover, whichever is highest for the worst offenders – a huge jump from the ICO’s current max of £500,000. You can bet the ICO are sharpening their teeth as we speak, and following the introduction of the new regulation they and the media will no doubt be waiting to pounce and make an example of the first breaches after the bill becomes law.
Take steps to understand how the new data protection regime will impact your organisation and you can avoid panic come May next year. This means not only understanding what your organisation needs to do to achieve compliance with the regulation, but also concentrating efforts on security to ensure you don’t fall foul of breach penalties.
If breached, you may need to provide evidence that your organisation took appropriate steps to mitigate the risk of a breach to the ICO, so adopting a scheme like Cyber Essentials or the 10 Steps to Cyber Security can help with this. Both were developed by the government to ensure any organisation can protect themselves from common cyber-attacks, and are easily implemented for organisations of any size.
Regular testing of your defences can also prove beneficial, as this allows you to constantly remediate gaps in your security. Demonstration of a regular schedule of testing can also provide evidence that you are focusing on security, potentially helping you escape those dreaded fines.
Your staff are your front line against common threats like phishing, and simple steps like increasing their awareness of how they can be vigilant and defend against such threats can mitigate the risk of attacks impacting your organisation.
The Information Commissioner’s Office is producing resources to give organisations an idea of what to expect as part of their preparations. Though these form a good starting point, for most organisations preparation will require working with a specialist to ensure all data is accounted for and all practices, policies and controls are brought up to the new standard.
The main thing is that by taking preparatory steps to reduce your risk of breaches, you can equally reduce the risk of falling foul of those fines. Partnering with an expert who can provide you support and advice to meet the legislative and cybersecurity challenges of GDPR will provide the greatest return on investment, and the most effective increases in security. No one wants to suffer a breach, and so the arrival of GDPR and the new data protection bill in the UK should be seen as an opportunity to take stock of current security and improve upon it.