Brexit or not, the UK will be adopting the EU General Data Protection Regulation ("EU GDPR") and plans to update our own Data Protection Act. What does it mean for UK citizens and UK-based businesses? What is going to change? And why is it happening?
Firstly, it's important to recognise that the original incarnation was created in 1998; a simpler time in a land without smartphones, online banking or smart homes. Much has changed since then; nothing more so than our relationship with companies and data.
The new regulation, which aligns the UK with the EU GDPR (directly applicable across the EU from 25th May 2018), should be music to consumers' ears. Better controls over how personal data is processed should help to reduce identity theft, and could even protect us from physical harm - imagine if someone hacked into your health records and changed your blood type. Yet for businesses, things may be more complex.
Under the new regulation, the definition of what constitutes Personal Data has been expanded. It now explicitly covers online identifiers such as IP addresses, as well as location data and genetic data - anything that could be used to single out an individual even if they are not named directly.
Consumers will also have enhanced privacy rights. They continue to have a right to request a copy of any data a company holds about them, and can also ask for their data to be rectified, for its processing to be restricted, or, in many circumstances, for it to be permanently erased.
Particularly daunting is the fact that companies acting as data controllers will, unless a breach is unlikely to result in a risk to individuals, have to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a personal data breach, giving detailed information including the categories and approximate number of records compromised, the likely consequences for individuals, and the remediation steps taken or proposed. This will be no mean feat.
Added to this, unlike planned annual audits, the regulation requires continuous compliance. This is not a one-time tick box exercise; people need to be on guard the whole year round.
If a company fails to comply - either by not having the proper controls in place, losing customer data or failing to make it available to customers within the statutory time limit - it may face fines of up to 4% of its annual global turnover or €20 million, whichever is higher. A sobering thought for any company.
GDPR needs to be seen as a friend and not foe
Taking the lead on GDPR will actually serve businesses well in the long-run. Being able to prove a commitment to transparency and demonstrating dedication to safeguarding customer data and privacy are not just admirable, they are profitable.
It could help businesses to increase customer loyalty, reduce churn and differentiate against competitors. Conversely, failures could negatively impact reputation, share price, valuations and bottom line revenues.
How to mitigate risk
However, there is no 'GDPR solution', no silver bullet and no quick technology fix; no matter what security vendors will try to tell you. The process burden will be acute, and compliance cannot be guaranteed.
But there are steps that businesses can take to help mitigate their risk:
1. Conduct a thorough GDPR compliance risk assessment/gap analysis: Identify what your most important personal and/or sensitive data is, where and how it is being stored and what your biggest areas of risk are.
2. Develop appropriate controls and processes: Manage personal and sensitive data throughout its lifecycle, from when it is collected, through to establishing consent, to processing and evidence of erasure.
3. Deploy security incident detection and response tooling: Have the ability to identify where and how a security breach has occurred, which data has been impacted and how you can reasonably mitigate the threat - fast. Without this capability, the 72-hour notification window is impossible to meet.
4. Have a privacy breach response plan: Have an operational plan that identifies key stakeholders, clearly defines the roles and responsibilities of the core incident response team, and sets out the communication and notification strategy for regulators and affected individuals.
5. Correlate to business context: Don't work in silos. Create a holistic GDPR compliance solution that helps you to join the dots and contextualise any incidents with business risk.
It is important to remember that GDPR is designed to protect individuals' rights to privacy. EU regulators know that you can do all the right things and still be the victim of a breach; it's just the way of the world we live in. What matters is that a company can demonstrate that it has thoughtfully considered its GDPR compliance requirements and has taken appropriate steps to meet them.