By Steve Iddon, Lead Security Consultant, Auriga
Along with other recent issues, Brexit will no doubt be blamed for future data breaches and the subsequent fines that organisations will be liable for. The fact is that, as it stands today, we just do not know what the de facto standard for the protection of personal information will be. Whilst the GDPR will be the EU regulation, there is also the recently published Privacy Shield, which replaces the now invalid Safe Harbour as the framework between US and EU organisations; on top of these there are also a couple of loosely adopted ISO standards for data privacy. What the world (and not just the UK) needs is a collaborative and agreed framework which ensures that appropriate and proportionate controls are in place to harmonise data protection regulations.
Whilst the GDPR is finalised as a regulation, the required implementation and scope are far from agreed. Member states of the EU can opt out of particular articles through a flexible model designed to meet the requirements of a member state and the organisations within it, which poses the question: how can regulation be achieved with so much flexibility?
The GDPR compliance requirements are very stringent in certain areas, in particular the reporting of incidents, which would have to be reported to the regulator within 72 hours of discovery. Past experience suggests this would be very onerous to enact, as this is the critical period when an organisation is responding to and mitigating an incident.
There is also the potential issue that organisations may reduce their incident detection capability for ease of compliance with the GDPR: if they loosen their incident detection capability, they will have fewer incidents to actually report.
Meeting the reporting and other GDPR requirements will take significant investment from organisations, which will most certainly be met with resistance from budget holders. It is more likely that the driver for compliance will be the huge financial sanctions that are proposed – 4 percent of an organisation’s worldwide turnover.
I believe there will be many multi-million pound/euro/dollar sanctions for data protection breaches within this decade alone, and whilst the standards and regulations are yet to be ratified, organisations need to start looking at a compliance strategy to work towards the intended 2018 mandate of the GDPR.
While we don’t yet know what form the data protection legislation will take (the UK may mirror the requirements, as it did back in 1998 with the Data Protection Act, which was drafted to comply with the 1995 EU Data Protection Directive, or it could see us simply adopt the same regulation under a different moniker), it’s in the interests of UK companies to start making moves towards compliance now. We don’t yet know whether the ‘right to be forgotten’ will be, well, forgotten, but we must assume that the bones of the regulation will apply.
Because of this uncertainty, organisations need to look at adopting a two-stage implementation: addressing the changes that are going to be activated immediately and leaving any issues that are expected to change. Points for immediate action include the appointment of a Data Protection Officer and the definition of that role’s responsibilities, the selection of Data Protection Agency/ies, adherence to the requirements for processing EU citizens’ data, educational programmes to raise awareness, and the training of personnel dealing with personal data to achieve compliance.
With Article 50 not yet triggered, it is not known for certain that Britain will leave the EU. But whatever the outcome, the country needs to harmonise with the GDPR in some manner, as we are both providers and consumers of services and systems containing personal information that span not just the EU but the rest of the world. In this respect, the effect of Brexit on data protection is largely immaterial because of the international nature of the data in question. What’s vital is that we address data sovereignty and the protection of that data to prevent future misuse. In my view, the GDPR doesn’t go far enough in that respect. So perhaps we should all regard the EU GDPR not as a definitive blueprint but as a starting point for better data protection.