UK Data Protection: a pre-Brexit GDPR bombshell for business
The General Data Protection Regulation (GDPR) ‘call for views’ consultation process has come to an end. Minister of State for Digital, Matt Hancock, has drafted a ‘statement of intent‘ to overhaul data protection legislation. If you thought that leaving the EU meant leaving behind the potential impact of GDPR, you thought wrong. The new legislation will simply bring GDPR wholesale into UK law.
“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account” Hancock insists, continuing “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
The Information Commissioner, Elizabeth Denham, seems happy enough with the plans. “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public,” she says.
IT Security Thing has been canvassing industry opinion to see if everyone is singing from the same hymn sheet. Here’s what we discovered:
Rashmi Knowles, RSA’s data protection and GDPR expert and Field CTO EMEA says:
“The current Data Protection Act came into force in 1998; so much has changed since then that we are long overdue an update. The new refresh will give consumers much more control over what data they are handing over to companies and how this will be used, which is a positive step not just for consumers but for companies too. Companies can now start afresh and have an opportunity to cleanse their data and engage customers. Yet this is not to say the changes will be easy to implement.
“Previously, the DPA only protected PII, and had a much narrower definition of what this constituted. Companies who are already complying with the DPA, or those who have already started on their GDPR journey, have a head start but there is a long road ahead. It is vital companies understand the changes and prepare accordingly to ensure they manage their business risk. For instance, under the new regulations PII will encompass areas like ethnic, genetic, and pseudonomised data – i.e. data that can be easily unscrambled to determine PII, such as an email address, IP addresses, or biometrics.
“The biggest challenge is going to be process; particularly around issues such as data availability and consent. This is not an annual audit that companies need to comply with, the audit can come at any time so businesses need to be focused on continuous compliance, which is a huge task – technology alone is not the answer. For anyone who was in doubt that GDPR will impact them come May 2018, this move by the government is a clear indication that it will – regardless of Brexit.”
Sarah Armstrong-Smith, Head Continuity & Resilience at Fujitsu UK & Ireland states that:
“This latest warning from the DCMS demonstrates the reality we now all live in, where cyber-attacks and data breaches are always going to be a threat. The worrying reality is that security is often an afterthought and security fundamentals are still not being followed such as changing default passwords. Hopefully the news of such fines will wake organisations up to the seriousness of the consequences from a financial stand point, never mind a reputational one.
“In security we talk about when, not if a security breach will occur, but that does not mean organisations should not be taking all the necessary precautions to limit the potential impact of a breach. In fact, the fast approaching implementation of GDPR will oblige organisations to carry out thorough preparations of their systems. Organisations should also use this as an opportunity to get all of their cyber measures in place, not just their data.
“Organisations need to focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with today’s advanced cyber threats. There must be a clear and well-rehearsed incident management plan for a breach, addressing internal and external communication in addition to containment and recovery activities. Now is the time for organisations to stop being hunted and instead become the hunter when it comes to cyber security. Ensuring a compliant business environment, that will help protect the services that we depend on as a nation.”
Iain Chidgey, VP and General Manager International at Delphix comments:
“The golden age of free data is over and the Data Protection Bill means the regulator finally has teeth. Data privacy is emerging as a basic human right. The introduction of punitive sanctions shows the UK is serious about protecting the public and enforcing data best practice. Companies that don’t do enough to protect consumers personally identifiable information (PII) face genuine penalties that will make them think twice. In fact, it is planning to go even further than the legislation put in place by the EU’s General Data Protection Regulation (GDPR).
“People’s demands for the data privacy have changed. With data breaches and criminal hacking an everyday part of modern society, the public expect their data to be protected. However, change won’t happen overnight. Current data protection laws were created in 1998, before the smartphones, social media, online banking and ecommerce rose to prominence. This means businesses and governments are scrambling to establish processes and technology so they can care for PII and be seen as taking data security seriously. However, it’s only achievable if organisations have clear guidelines to follow and adequate time to replace or amend systems to comply with it.
“With 90% of data held in test, reporting and analytics systems, UK companies must put in place the ability to mask personal data. Not only will this protect individuals, it will also remove the compliance requirements for these systems as the data will no longer be personally identifiable. This has the added benefit that companies will not need to invest time, money and resources on complying with a right to be forgotten in these secondary systems. In order to move fast and survive, global businesses need rapid and secure access to data. However, it can’t be at the expense of consumer privacy. In a data driven world, security and privacy issues will define the winners and losers.”
Mark James, Security Specialist at ESET says:
“Protecting peoples data seems to be one of the hardest jobs for some companies to do in this modern digital world. It’s always difficult to put measures in place for something that may or may not happen and in some cases it may have been cheaper to deal with the fines of data breaches than actually paying to protect against it in the first place. In May 2018 that’s all going to change but currently the ICO can fine up to £500,000 for serious breaches of the Data Protection Act although to date we have only seen a couple of fines up around the £400,000 figure.
“From May 2018 we could see fines of up to £17m or 4% of global turnover of the previous financial year. These fines are huge and definitely overdue but let’s put this in perspective – the fines are not necessarily for being breached, the fines are for not doing enough to protect your users data. These new measures are in place to stop companies doing little or nothing to protect the very data they often declare “is very important to them”, the new measures will also protect you as a user from having your data sold or used for other purposes that were not initially stated when your details were taken, something that happens so often these days.
“Encryption will be a big part of protecting our data, although it won’t protect you if an authenticated user is compromised, it will protect such failures as USB drives, laptops or DVDs left on trains, lost in the post or just lying around for anyone to view.”
Dr. Jamie Graves, CEO at ZoneFox comments:
“GDPR was spoken about extensively at its ‘one year to implementation’ as a game changer. NISD is no different and provides clear directives and repercussions for critical infrastructure – a vital area to secure in the fight against cyber crime. May’s WannaCry attack is a clear proof point for why the NISD is much needed. The way in which businesses need to secure themselves is no different from a phone shop to the National Grid. Data is the key piece of the puzzle, or more specifically, an awareness of data.
“Making sure that you have network visibility of information – and those accessing it – while it is stored, on the move or taken off the network is the first line of defence against any attack or potential attack. Coupling this with a reporting system that can alert the necessary authorities as quickly as possible and a robust backup will mean essential services are kept online and are in a much stronger position to protect themselves.”
Dan Sloshberg, cyber resilience expert at Mimecast responded:
“The new Data Protection Bill reinforces the expectation that the General Data Protection Regulation (GDPR) style compliance is a vital requirement for UK businesses even with Brexit pending. In fact post Brexit, demonstrating accountability around data protection may become a requirement to do business with Europe and its citizens. This is also a positive move for all individuals and citizens. The pressure is now on for organisations to be ready by May 2018.
“Understanding the data an organisation holds is key to becoming compliant. Identifying where personal information is held and the processes around its capture and management is a logical place to start. Afterwards adjusting processes and evaluating technology to help secure and find information effectively and efficiently is key. Businesses must also consider the importance of email in cyber security. Nearly all company information, be it employee, business or customer related passes through email at some point. Because of this, a compromised email server can leave an organisation in breach of new regulations. To ensure data is protected, businesses must implement a cyber security and resilience strategy and update outdated email archives that hold GDPR-governed data.”
David Emm, principal security researcher, Kaspersky Lab reckons:
“The drafting of a new Data Protection Bill would grant unprecedented rights for consumers to force social media websites and online companies to delete their data and take back control of their personal information. In combination with the incoming GDPR regulations being implemented by the European Union, there will be widespread changes in the coming years to the way organisations collect, store and process data.
“It is important that the general public embraces this new freedom and recognises the value of personal data – not just to ourselves but to would-be cybercriminals. New data protections laws are designed to make organisations more careful with our data, but regardless of this, it is important that we on an individual level know what information is being kept and how it’s being handled – which will also reduce the likelihood of it falling into the wrong hands. Being vigilant online – whether when using a work computer, home laptop, mobile or tablet device – should be second nature. Undertaking simple steps, like regularly changing passwords, reviewing default settings on social media and using anti-virus software across all devices can significantly help protect data.”
Matt Walmsley, EMEA director, Vectra thinks:
“The NHS, utilities and transport networks are a critical part of UK’s infrastructure, making them highly priced targets for cyber criminals. Similar to GDPR, these new proposals will help ensure organisations enforce robust security protection and data management systems. In Q1 2017, the healthcare sector has received the highest level of attack behaviours (164 detections per 1,000 hosts), compared to 42 incidents in the energy sector, according to our analysis. As seen in recent cases like the Kiev power grid hack, a single cyber breach can take down a whole organisation. Tighter controls on our national infrastructure providers are absolutely essential.
“It’s not the capabilities of cyber attacker we seek to control, rather the risk created by them. To stay ahead of the game, organisations constantly need to be monitoring inside and outside their enterprise to spot the early indicators of comprise. This will enable them to react and mitigate attacks before they become full blown breaches or service outages. That has to be done at scale and at speed to be effective, and artificial intelligence is emerging as a pragmatic solution in this regard. Sadly, not every critical service, particularly those of a distributed nature is equipped to detect and thwart such attacks – whether they’re initiated by cyber criminals or foreign invaders – as evidenced by their repeated failures to defend against run-of-the-mill cyber attacks launched by criminal adversaries.”
Spencer Young, RVP EMEA at Imperva said:
“While this is a welcome intervention from the UK’s government to attempt to provide severe financial consequences for not taking cybersecurity seriously, it could be said that this state intervention represents a little too much of the stick, and not enough of the carrot. By focusing on the severity of the fines, we lose sight of the fact that there are better reasons than fines to have a comprehensive cybersecurity policy in place. Cybercrime can have devastating effects on both individuals and businesses, and having a strategy in place to keep your applications and data safe should be a priority for any business. A culture of preventative cybersecurity measures should be fostered to protect the businesses and remove the pipeline that cybercrime creates for other criminal enterprises down the line.”
Adam Nash, EMEA Regional Manager, Webroot adds:
“I think this shows how seriously the government is taking cybercrime and the threat that this poses to infrastructure and critical services in the UK. We have started to see gangs of cybercriminals launching targeted attacks to businesses holding critical systems to ransom knowing that the companies cannot function without those systems. This is no longer about haphazardly encrypting machines but about taking specific resources offline as this gives a much better chance of a ransom being paid. With state sponsored cybercriminals also targeting critical assets like power and health services these legislations have come at the right time. You wouldn’t leave your car door unlocked and expect to keep the contents of your glove compartment, equally in the in the digital age you cannot afford to have lax security measures in place to protect your key assets.”
Kirill Kasavchenko, Principal Security Technologist, EMEA at Arbor Networks says:
“The world is becoming increasingly digitised, which means that personal data is often collected every single day. Whenever data is collected and stored, there is always a risk that it might be vulnerable to a cyber threat. So it’s great to see the UK getting ahead of the curve, with an ambition to legislate the most robust set of data laws in the world.
“Any responsible company will see measures that empower individuals to have agency over their own data as a good thing. Some companies might face a huge challenge getting internal policies up to speed in the short-term, but the long term protection these regulations will bring for clients, customers and prospects will be worth the initial efforts. The security industry have long advocated storing only essential data – organisations operating within the UK will now be compelled to review how data is gathered, stored, processed and shared. Doing so will make it that bit harder for cyber criminals to target UK companies.”
Lal Hussain, Director IT Applications at Insight UK responded with these comments:
“The Data Protection Bill comes at a time when many companies, large and small, are attempting to grapple with the gluttonous amount of data we’ve been generating. Transferring GDPR into UK law is a natural progression that will enforce compliance to a new understanding of how data should be handled, forcing organisations to come face to face with the dark data they’ve been carrying since the beginnings of the digital age.
“Veritas recently estimated that on average 52% of the data an organisation holds could be dark. That is to mean they don’t know what it is, where it sits or whether it is sufficiently protected. It also means they don’t know the value that data holds. While GDPR is a requirement for all organisations, it’s an opportunity to define how data can be use and drive real value from it, while also establishing cost-effective storage strategies.
“How you manage data privacy could become as important to customer retention as the overall buying experience. If organisations therefore have to develop a mature approach to data in this modern age, it’s vital they first recognise its protection, storage and assessment affects – and benefits – the entire business. Organisations must build teams that reflect this reality, drawing on expertise in IT, legal, sales, marketing, and more. This is a collective issue that must be addressed collaboratively.”
Ross Brewer, VP and MD EMEA at LogRhythm had the following comments:
“As we saw with WannaCry recently, the consequences of an attack on our critical national infrastructure are unthinkable. Cybercrime is no longer a game involving hackers manipulating people and computer systems to get their hands on valuable data or money. The stakes are now much higher, with criminals proving they are capable of disrupting services that can effectively cripple an economy, a country’s stability and, worryingly, our lives. This initiative is a bold, but much needed step in the fight against cybercrime. With fines as high as those that will be implemented under GDPR, businesses that manage our critical infrastructure will suffer significantly should they fail to implement an effective security strategy with the right people, technology and processes. One weak link in our critical national infrastructure makes us a very vulnerable country.
“If they haven’t already, organisations need to sit up and realise that hackers are motivated and persistent and will do everything and anything to successfully access – and cripple – our networks. Organisations relying heavily on prevention need to realise that this is no longer enough and that they need to invest in the right monitoring, detection and response technologies to help them effectively manage today’s sophisticated threats. As attacks on our infrastructure become more commonplace, businesses need to take these government proposals seriously. The fines are high, and are a reflection of how dangerous today’s cyber criminals are and the threat they pose to our country.
“Unlike traditional warfare, cyber-attacks are ‘invisible’ and often easy to forget until you become a victim, and they have the potential to be far more catastrophic. To avoid these fines and ensure their services are protected from modern-day and future threats, businesses must have intelligence that gives them deep, consistent visibility across their entire network so hackers can be stopped.”
Meanwhile, Justin Coker, Vice President EMEA at Skybox Security, says:
“Organisations are in the midst of GDPR compliancy work so the government restating the European legislation will be UK law is welcome. It also gives a clear signal that the UK government wants to set a high standard for cybersecurity and this should drive innovative approaches to protect and secure data. However, as consumers and citizens are given new powers to be forgotten, businesses do need to overhaul their own systems to keep pace with this change. Too often organisations have been caught out because they don’t have full visibility of where the threats and vulnerabilities are. And, they have been hamstrung by an overload of security management tasks. So, the bill should be a further catalyst to the use of smarter security analytics and automation.”
Oliver Pinson-Roxburgh, EMEA director at Alert Logic pitches in with:
“Essentially what the directive sets out to do is to drive security. In my experience a large proportion of organisations are not very good at responding to incidents and on average it’s 205 days before a breached entity is able to detect a breach, and they often do not detect even it themselves. The NIS directive sets out measures designed to ensure critical IT systems in critical sectors of the economy like banking, energy, health and transport are secure so its shocking that not more organisations are concerned about or talking about it over or in addition to GDPR.”
James Chappell, CTO and co-founder of Digital Shadows, insists:
“When the UK made its decision to leave the EU one of the concerns within the cyber security industry was that it would choose not to enact the regulatory commitments the country really needs to toughen up its cyber defences. In fact the opposite has been the case. The UK interpretation of the NIS Directive has put forward equivalent fines to those mandated by the General Data Protection Regulation. Today’s announcement pertaining to critical national infrastructure goes further than is required by the EU under the Network and Information Systems (NIS) Directive.
“Just last month we saw the havoc caused by the so-called NotPetya malware which took down the Ukrainian power grid. The UK’s critical national infrastructure is a mix of public and privately-owned assets. This diversity is a strength in that it would be tougher to take it down in its entirety but also a weakness as it’s fragmented and harder to enforce uniform standards across disparate systems and teams. We hope that the threat of large fines would never need to be enforced, however it does help coalesce thinking and ensure that CNI providers are answerable to their shareholders as well as the public at large when thinking about their cyber security measures. The proposed scale of fines demonstrates that UK government takes the cyber security of Critical National Infrastructure seriously.”
Darran Rolls, CTO and CISO, of identity company SailPoint, adds:
“Many changes and challenges will emerge due to the new legislation, which serves to further amplify the requirements of the GDPR coming into effect next year.
“Complex chains of data processing, storage and sharing between providers exists in most IT ecosystems. This all poses a significant challenge for those collecting and storing personally identifiable information and raises the bar on managing exactly who has access to what across the entire end-to-end system.
“These changes should not be viewed as solely punitive. In fact, 73 per cent of organisations view compliance as a key goal and driver behind identity governance programmes. While preparing for the new legislation to take effect, companies should seize the opportunity to clean up their data and refresh processes, adapting to our tech-driven society. It’s critical that any business subject to data protection laws takes steps to understand how to implement the relevant controls and support its obligations.
“Identity governance plays a large part in getting ready for those new controls. By ensuring consistent identity practices and implementing clear controls, compliance with data protection laws can be turned into a business benefit rather than a compliance nightmare.”
Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire said:
“These fines will act as a stark reminder that cyber security should be taken seriously. However, by implementing a defence system that focuses on the fundamentals; the people, the process and the technology, enterprises can already take the necessary steps to greatly reduce the risk of suffering a cyber attack and being fined, which could potentially put a company out of business. By educating the workforce, companies can reduce the risk of successful cyber-attacks which use methods like phishing and URL drive-by, which can also help users identify unusual system activity that may result from malicious action.
“Incident Response is just one example of where a well-defined and regularly practised process can make a huge difference to the outcome of an incident, possibly preventing that incident from becoming a breach. Technology, such as encryption and dual factor authentication, forms a large part of the Foundational Controls necessary to support a defence-in-depth security solution. Organisations also need to make sure that they have robust backup solutions and processes in place. Not running regular backup / restore tests could also leave them open to a single point of failure should there be any errors in the daily tasks. Only discovering these errors during a live failover could be classed as a major risk.
“On that note, all backup procedures should also factor in taking the backups offline during non-backup runs to avoid malware sneaking its way onto the backup sets to be reinstalled when a failover procedure is implemented. To stay one step ahead, organisations need to continuously implement risk assessments of the business, systems and data to uncover any unknown vulnerabilities.”
Paul Wilford, Cyber Security Architect at managed services provider (MSP) EACS, stated:
“This is a welcome piece of legislation and one that will make the UK a much more attractive place to do business with. However, organisations need to be savvy to certain elements that differ from GDPR. By way of example, an organisation could potentially be fined for a breach, or they could be fined for lack of compliance even if it hasn’t actually been breached. But there are also some new additions as well, such as a new offence for ‘intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data’. Offenders who knowingly handle such data will also be guilty of an offence and the maximum penalty will be an unlimited fine. Elements like this are beyond the original message of GDPR and suggest that the UK is actually bolstering the legislation.
“The UK government has put out a very bold statement in that its vision is ‘to make the UK the safest place to live and do business online’. In order for this goal to come to fruition, organisations must view these new laws as an opportunity to get ahead of the game, as opposed to a burden that will hold back their business. Essentially, every organisation is in the same boat and must demonstrate compliance. But forward thinking companies can actually embrace this as a USP by using this grace period to get their houses in order and to reassure both customers and partners that they are ahead of the game and that they are taking data protection seriously.”