by Ross Dyer
All over the UK people woke up this morning to something many thought would not happen: Britain voting to leave the European Union. It will take years and possibly even decades before we fully appreciate the repercussions. But from a data protection and privacy perspective, little in reality will change. The UK can’t afford to let its digital economy be locked out of Europe, which is why the government is likely to enforce laws on a par with the forthcoming European General Data Protection Regulation (GDPR).
The message is clear for UK IT security bosses: stay on the path towards GDPR compliance.
GDPR: the basics
We should all know by now that the GDPR will introduce the biggest shake-up of Europe’s patchwork of data protection laws in a generation. Specifically, it will introduce severe penalties for non-compliance and new concepts such as the right to be forgotten. Here’s a quick breakdown of some of the biggest changes it will bring about:
- Organisations which breach the GDPR will be fined 4% of annual global turnover or €20 million – whichever is higher
- Mandatory breach notifications within 72 hours
- Mandatory appointment of data protection officers for large firms
- Right to be forgotten
- Right to data portability
- Multinationals will only need to report to one national privacy regulator – in the country they’re headquartered
As you were
There are a few reasons why the Brexit vote won’t affect CISOs’ GDPR compliance efforts.
First, the two-year clock counting down to formal secession from the EU only starts once Article 50 is invoked by the government – and the signs are that this won’t happen for a few months yet. Many experts believe it could take even longer – three years or more – meaning UK firms are still bound by the GDPR when it comes in force on 25 May 2018.
Secondly, and perhaps more importantly, the UK government will absolutely have to enforce similar regulations to the GDPR in order to trade freely with the world’s largest single market. Failure to do so could irrevocably damage the country’s digital economy as firms move their data out of the UK and into adjacent European countries.
And finally, most of the elements of the new regulation are simply good data protection practice. The laws are a necessary response to advances in technology and are designed to protect consumer privacy, and customers will expect organisations to maintain these high levels of security going forward.
For those IT bosses still wondering where to start, here’s a handy checklist:
- Conduct a data audit to find out what data your organisation holds and how you are using it
- Classify data according to sensitivity and your organisation’s risk appetite
- Update DLP technologies to help prevent leaks
- Improve staff awareness and user education training programmes with a data protection focus
- Restrict the number of privileged accounts and roll out strong authentication (e.g. 2FA) for those accounts
- Roll out mobile device management to ensure mobile devices are covered by the new rules
- Run regular pen tests to check the resilience of systems
- Develop an incident response plan to ensure you can report a breach within 72 hours. Involve key stakeholders including legal, HR and PR teams, etc.
- Consider advanced server-side technologies like Deep Security to lock down risk across physical, virtual and cloud environments from a single console