Now that the UK has finally had a referendum and is apparently on the path to exit the EU, UK businesses will want to know where they stand on the EU General Data Protection Regulation (GDPR).
For many, the GDPR was the culmination of a lot of hard work, forward thinking and a genuine desire for increased robustness in dealing with data breaches and in the quality of data handling. The vote to exit will have a lot of people scratching their heads and wondering, ‘what next?’ The UK has had its own Data Protection Act for a long time, and although we would have been set to take on all the requirements of GDPR, that doesn’t mean the guidance for best practice would not or should not be adopted. Indeed, the UK could seek an EU adequacy finding.
Regardless, the DPA (1998) will still be in force, and given the change of climate in consumer attitudes to data breaches, UK legislation could be changed to reflect the will of data subjects on how businesses should be penalised for mismanagement of the personal data they have been loaned in good faith. To confirm this, a recent poll from ICS indicated that 86% of consumers feel the Government should review data protection laws, with two thirds believing businesses should do more to safeguard personal information. Obviously, adoption of GDPR in 2018 would have helped support this consumer demand, but the fact that we are now on an exit course doesn’t mean we can’t use its guidance. We have the task of working out our cyber strategy and data protection obligations across countries as we move closer to actually leaving the EU anyway (see the ICO statement).
Looking realistically at data protection, the threat to personal information does not stand still, and business attitudes to data protection have historically been inconsistent, not just in the enterprise sector but in big business too. This was probably best summed up by Dido Harding when she explained, after their mega breach, that TalkTalk had encrypted everything they were legally required to encrypt… Business attitude to DP is still quite negative: it is viewed not as an opportunity to have top-drawer practices, policies and procedures, but more as an onerous obligation. GDPR was a way of legislating in the behaviour that we as security professionals wanted to grow as an embedded cultural change: forcing businesses to place customer data much higher on business agendas and to scrutinise how they handle and protect data, to bring about the massive improvements needed and indeed being demanded by UK consumers. Given that nearly a third of those polled by ICS said they are avoiding companies they know to have had a breach, the sooner the focus shifts toward improved DP behaviour, the better.
- Posted by Ellie Hurst
- On 28th June 2016