Data Privacy, GDPR, UK Data Protection Bill & ICO – In Perspective


We’re all swamped by the F.U.D. (Fear, Uncertainty, Doubt) proclamations around the EU General Data Protection Regulation (GDPR). Your business is going to suffer massive fines, perhaps even go to the wall?

So they tell us.

This article from the BBC is another that paints the same worrying picture. It’s a good one nonetheless.

So, like every hype that’s gone before, there’s a mixture of myth and reality. Everyone is jumping on the bandwagon because it’s HOT (whether offering any value or not).

Important Point!

EVERY person or organisation holding ANY data on people is affected. This applies to data on internal staff, external parties, even business contacts. Should you panic? Well, if you’re not prepared, or haven’t thought about it, damned right you should!

The Background

Let’s put this all into perspective. There have been many examples of organisations failing in their duty of care. As a result, consumers have lost identities, money, privacy and much more. Businesses themselves have lost money, production, reputation and much more.

Even worse, many organisations have abused the trust consumers have placed in them. We’ve all had spam mail/email from organisations with whom we have never interacted. How did they get our data? From where did they get that data?

Currently our (UK) data privacy is governed by the UK Data Protection Act 1998. Every one of the 28 EU countries has its own version. Any data privacy issue has to go through the country in which that organisation is headquartered (HQ).

So, organisations choose an HQ that is most convenient for them – not for the consumer. For example, Facebook is bound by Ireland’s data protection laws. Irrespective of where you are in the EU, if you have a data protection issue with them, it’s Ireland’s law that is applied. Here’s a great video by Jan Philipp Albrecht MEP that explains all this in more detail.

As a result, the GDPR was created to:

  • better protect us
  • give us more control over our personal data
  • bring consistency to data protection and privacy laws across the EU
  • improve consumer trust in the emerging digital economy

So actually, it’s a GOOD thing for us all.

(BTW: We at EGOSECURE are already bound by the strictest of the EU’s data protection laws, which are close to those of the GDPR.)

The UK Data Protection Bill (and the GDPR)

Now this is where we get to the IMPORTANT point. The UK will implement the GDPR via the (218 page) UK Data Protection Bill (DPB), see here. So it is the DPB you particularly need to heed, especially since it contains some minor variations from the EU GDPR.

So, forget about Brexit saving the day – this is UK Law.

The UK Data Protection Bill is planned to be in place by February 2018. It will then be ENFORCED from 25th May 2018.

It is the Information Commissioner’s Office (ICO) that has responsibility for overseeing the implementation, management and monitoring of the DPB. Quoting from their website, “The ICO is the UK’s independent body set up to uphold information rights.” The ICO has lots of useful information and videos to help all of us become compliant.

EU GDPR-Busting Technology

It’s a myth!

We should not be lulled into complacency by some of the technology companies out there promising to fix your GDPR compliance. It’s not about the technology. It’s your processes, procedures and behaviours that are key – albeit supported by the ‘tech’.

If you want to read some real myth busting information, the ICO has some great myth-busting blogs here. They are building this out and I would suggest you keep up to date with them.

OK, after all I’ve said about ‘tech’ companies spouting their F.U.D. about this, I know what you are thinking. Why are we at EGOSECURE doing the same thing? Well, here’s why…

Just as our Insight solution works by identifying only the security ‘tech’ that you need, we approach the GDPR and DPB in the same way. We don’t claim our ‘tech’ can support everything. Of the 99 articles, six particularly relate to data protection and privacy technology: #5, #25, #30, #32, #33 and #34. The first one (#5) relates to the principles of processing personal data.

It’s the latter five articles that are of particular interest to us, because our security and encryption solutions help you address them.

How Will Businesses Fare With The New Regulations?

I envisage that larger organisations will be best positioned to ensure their compliance with the new regulations. They have massive resources and specialist personnel at their disposal to do so. SMEs or smaller public authorities, with limited skills, resources and specialised staff, will have the greatest challenge in becoming compliant within the time-frame.

Those who have got the message will already have engaged the necessary training, resources, tools and technology to meet the regulations. They will have reviewed their vulnerabilities and security gaps. As a result, they will have implemented data protection solutions that work simply and effectively with their systems and processes to help make them compliant.

The EU’s & ICO’s Pragmatic Approach to Data Protection

Finally, it’s important to counter the F.U.D. of my opening paragraph. Yes, the new regulations introduce tough penalties for non-compliance and breaches. However, we have to bear in mind that the EU wants to give you a simpler, clearer and more consistent legal environment in which to operate.

The objective is not to penalise business, but to ‘encourage’ behaviour that protects the consumer, i.e. all of us.

Here’s a great piece that reinforces the EU’s desire to protect, not unnecessarily penalise. The GDPR states that penalties will be “effective, proportionate and dissuasive.” The ICO takes into account the gravity, nature, scope, duration and type of infringement.

So, if an organisation has suffered a data breach and has taken the right steps to:

  • prepare itself
  • encrypt its customers’ data
  • have any breach immediately flagged
  • contact the ICO as appropriate
  • identify remediation
  • etc.

…then of course the penalties will be more limited. If, on the other hand, another organisation has taken no action in preparation for the GDPR/DPB, the penalties will be serious.

In Summary

If you have taken advice, are looking at where you currently stand in relation to the GDPR, have a plan and are executing it, then you are in good shape to mitigate any potential breach. So keep calm and comply.

If you find that you need simple and effective (encryption and security) technology to help you address your Data Protection and Privacy obligations, contact us:

Email: sales@egosecure.co.uk

Telephone: +44 (0) 203 876 8310

Website: www.egosecure.co.uk