As the EU brings in tighter data controls and the UK passes the Investigatory Powers Bill, iStorage considers opportunities and risks around data protection
Data theft is definitely on the rise, and there are more and more reports daily of criminals taking advantage of unsecured data. Whilst the EU is placing tighter controls on data through the new General Data Protection Regulation, the UK government has on one side stated that the UK will meet the new EU regulations, but has also asserted its right to pry through the Investigatory Powers Bill – the so-called ‘Snoopers’ Charter’.
The Bill was passed into law in December 2016, giving the UK government unparalleled permission to track its citizens’ online behaviour. It will allow over 40 government bodies to access phone records and internet data. Many online services, such as Snapchat and WhatsApp, have already taken measures to provide encryption.
Encryption is more important than ever; hackers are getting better every day at taking small chunks of personal data and then, with the aid of social media profiles and the like, gathering more information to enable them to use that personal data for fraudulent activities. The kind of data that cybercriminals are targeting comes from your bank account, passport, insurance certificates or even driving licence. At this year’s Consumer Electronics Show there was a plethora of new smart/connected/Internet of Things devices for the home, creating even more opportunities for cybercriminals. Storing this information on encrypted devices massively reduces the risks.
Documentation and reporting requirements
Meanwhile, the EU’s General Data Protection Regulation (GDPR) comes into force in May 2018. The regulation is designed to protect an individual’s personal data, but its impact will be wide-ranging.
Many of the new regulation’s principles are similar to those of the current Data Protection Act. It is a primary premise of GDPR that organisations need to know exactly what personal data they hold. GDPR puts greater emphasis on the documentation that data controllers must keep and, of course, on where the data is stored. The data needs to be assessed for risk, and procedures need to be in place to detect, report and investigate a data breach. Any breach must be reported within 72 hours. In addition, Article 32 states that personal data needs to be stored with either encryption or pseudonymisation to ensure confidentiality and integrity.
Brexit doesn’t change the fact that organisations in the UK will still need to comply. GDPR will be enforced from 25 May 2018, and even if the UK government triggers Article 50 in spring 2017, it is anticipated that it will take two years for Brexit to happen. That gives businesses a full year to comply and ensure that they avoid a hefty fine of €20 million or 4% of global turnover (whichever is greater) for suffering a data breach.
Elizabeth Denham, UK Information Commissioner, recently acknowledged that legislative change brings nervousness but, she said, “It also brings opportunity”. Having stronger data protection laws and enforcement is aimed at “inspiring public trust and confidence”, and the GDPR is “an incentive to improve your practices, to sharpen things up, and encourage organisations to look at things afresh”.
She continued, “We believe that future data protection legislation, post-Brexit, should be developed on an evolutionary basis, to provide a degree of stability and clear regulatory messages for data controllers and the public”.
Data is the new gold
Minister of State for Digital and Culture Matt Hancock, who has previously hinted that GDPR would stay in place, upon the release of the report said:
“As part of building a country in which people have confidence to use and build digital technology, we are committed to making the UK the safest place in the world to go online. The responsibility for keeping the UK, its economy and its citizens safe is shared.
“Every business, charity and institution up and down the country must realise that cyber security is their job as much as it is Government’s. Only when the effort is concerted and persistent can we fully tackle this challenge.
“The Review notes that the upcoming General Data Protection Regulation (GDPR) will be key to ensuring strong organisational data protection regimes supported by strong cyber security.”
The definition of “personal data” is both nuanced and broad: it is any information relating to an ‘identified or identifiable natural person’, which is a minefield. Personal identifiers don’t just include name, location and online identity, but also mental, genetic, cultural or social identity.
If data is the new gold, then you are going to need a great bank!
Tel: 0208 991 6260
Please note: this is a commercial profile