
Equifax, AggregateIQ and what they say about the UK ICO

Data privacy in the UK has hardly been a quiet topic in recent months, but there have been two news stories from the last few weeks of particular note. They are each remarkable individually. Put side by side, they show a trend that is more thought-provoking than the sum of their parts.

It was announced in late September that Equifax was to be fined £500,000 by the UK ICO after attackers stole the personal details and records of up to 15 million UK citizens last year. The attackers exploited a known vulnerability for which a security patch was available but which Equifax’s IT team had failed to apply. More galling still, only a couple of months earlier the business had been warned by the US Department of Homeland Security that its infrastructure was not secure.

The £500,000 fine is the largest sum the ICO could impose under the pre-GDPR Data Protection Act 1998. And to think that this is the same ICO that only a few years ago was frequently criticised for being unwilling to impose serious fines for data breaches. Even after 2010, when it was first empowered to issue financial penalties, it rarely “went big”: in its first five years with that power it levied only £7m in fines.

Largely, and perhaps in fact admirably, this was due to a policy of preferring support and collaborative remediation over fines. After all, many feared that fines would be considered by the largest businesses – and the ones that could do the most damage to the public’s privacy – as an acceptable risk of doing business, leaving illicit or unethical processes unchanged. Proactively helping businesses to respect subjects’ privacy without damaging their own productivity, and without threats, was seen by the ICO as the better way to deliver on its core goal – effecting real change amongst UK businesses.

This ethos was widely reported as set to continue after the introduction of the GDPR. Before its arrival, the ICO took great pains to push a strong message that the GDPR was a catalyst for it to work even harder to protect UK citizens’ data by ensuring businesses used personal data legitimately, and not a weapon to be brandished except in the most serious circumstances.

This exception was reiterated by Emma Martins, the Data Protection Commissioner for Guernsey, who expressed exactly the same mentality in our GDPR Interview Series, published before the May 2018 GDPR date. In it, she was quoted as saying:

 “The vast majority of processors and controllers want to do the right thing, so if we help them do so, we will all benefit. Having said that, we are going to be ready to implement the legislation if and when we need to. We of course should be seen to correctly address the serious breaches and that is certainly what we will do where necessary and appropriate.”

And so we come to the formal notice from the ICO to AggregateIQ, issued the day after the Equifax penalty was reported.

Both organisations committed their key transgressions before May 2018. But while Equifax’s errors were confined to a point in time in 2017, AggregateIQ not only profiled and targeted voters on behalf of Vote Leave during the 2016 Brexit referendum campaign, it then continued to process the data after May this year. That brought the case under the GDPR and its far heavier penalties. AggregateIQ is appealing the notice, but industry speculation is that the largest possible fine, €20m or 4% of global annual turnover, whichever is higher, is being considered.

In years gone by, the ICO was considered relatively benign. For some, even the two-pronged message of preferring to support rather than fine, unless forced to, was taken as an opportunity to shirk difficult decisions: cases deemed serious enough for headline-grabbing fines would be few and far between, so the GDPR would remain little to worry about.

That no longer rings true. The Equifax incident has shown the ICO’s appetite, courage and determination to impose punitive measures. AggregateIQ will doubtless reinforce this. It is irrelevant whether the ICO is driven by its mission or by public pressure (and I personally think it is the former) – the net effect is that businesses will have to re-examine the legitimacy and ethics of their processing of UK citizens’ personal data.

The GDPR is only a law. It requires a body to enforce it, and the ICO is clearly up to the challenge.

Businesses must show how serious they are about data privacy

The prospect of legal action arising from failure to comply with the General Data Protection Regulation (GDPR) is now very real for many small-to-medium-sized businesses.

The European Union’s landmark regulation applies from 25 May next year, making it imperative that any organisation storing or processing customer data in the cloud can demonstrate what it has done to achieve compliance.

The alternative could leave an organisation exposed to EU citizens (and their lawyers) exercising their rights to see whether their personal data is being handled in compliance with the new regulation. Since so many organisations hoard data in the hope that one day some value can be extracted from it, the dangers are substantial.

It is easy to get it wrong

It is incredibly easy to fall foul of the new rules. Few realise, for example, that the CV of an unsuccessful job applicant should be deleted once the recruitment purpose has ended, unless the applicant’s consent to retain it (say, for future vacancies) is obtained. The GDPR’s storage limitation principle does not allow personal data to be kept for longer than is necessary for the purpose it was collected for.

Many businesses have also failed to put in place a suitable mechanism for answering subject access requests, in some cases sending out masses of data unnecessarily. And relying on cyber risk insurance for protection is likely to be futile, given the potentially immense costs of a GDPR breach, which include penalties of up to four per cent of global annual turnover (or €20m, whichever is higher), along with the financial drain of having to compensate affected individuals.

What an organization can do to comply

There are, however, some simple steps a business can take to protect itself, especially if it is entrusting substantial amounts of personally identifiable data to the cloud in order to run its applications.

For a start, organisations should insist on full compliance with the existing standards that cover the cloud, even if they are not specific to it. These include ISO 27001, PCI DSS and Sarbanes-Oxley Act (SOX) compliance. They should also insist on those specifically related to the cloud, such as CSA STAR.

Yet this is only a start, because full GDPR compliance requires considerably more. A cloud provider must, for example, be able to work to a written contract that sets out the obligations of the Data Controller and Data Processor, the key relationship concepts of the new regulation (Article 28 of the GDPR requires such a contract).

Unfortunately, many organisations enjoying the benefits of the cloud do not fully understand how much of it they are consuming, whether through SaaS solutions or through their gradual accumulation of IT and DevOps initiatives. In the age of the GDPR this is a reckless position to be in.

This is where the hands-on advice of experts such as Calligo is essential, establishing what is compliant so that processes and workflows can be adapted accordingly, using the applications and technologies that are available. For a mid-tier business, this is no small task, but it is perfectly achievable because Calligo has unmatched expertise in GDPR compliance and an understanding of how to apply best-practice standards in everyday contexts.

Greater urgency required over compliance

As more and more tech companies embrace subscription-style services in the cloud, the need to act in compliance with the regulation becomes ever more urgent. The GDPR demands that organisations have far better understanding and supervision of their cloud footprint (and indeed their private infrastructures and data-sets).

While there is no single, magic tool that will sort out compliance for an organisation, businesses must master data governance now and build in a privacy-by-design approach to their cloud use.

With Calligo’s guidance, a business will not have to worry about how to demonstrate to regulators that it has taken all reasonable steps and implemented the appropriate technical and organisational measures the GDPR requires.

It is not just a question of living in fear of hungry lawyers or super-vigilant regulators either. The cost and efficiency benefits of having better data stewardship enhance overall business effectiveness immensely. Actively taking steps to achieve GDPR compliance through the best data governance available gives any business a real competitive edge.

Businesses are worried about managing data in the lead up to GDPR

Concern about the strict new General Data Protection Regulation continues to focus on security at the expense of data privacy

93% of companies are worried about the storage of their data in the cloud after the General Data Protection Regulation (GDPR) and 91% are concerned about how the new rules will affect cloud services, according to new research from Calligo, a world-leading cloud solution provider.

69% of UK boards neglect GDPR compliance

IT decision-makers report inadequate levels of sponsorship from the C-suite despite the General Data Protection Regulation deadline next May

69% of board-level executives are neglecting to ensure the UK businesses they run will comply with the General Data Protection Regulation (GDPR), according to new research from Calligo, a world-leading cloud solution provider.

The figures were in a survey of 500 IT decision-makers in companies with more than 100 employees and £15 million turnover, examining how businesses are preparing for the new regulation.

Only 31% of respondents said they had governance sponsorship for GDPR at board level, while just 9% said their compliance departments were giving them full support. This lack of interest at the top level comes despite more than six out of ten (62%) respondents agreeing that the new regulation would affect the profitability of their business, including 19% who said the impact would be negative.

“It is worrying to see signs that GDPR governance does not have the full attention of so many C-level executives,” said Julian Box, CEO at Calligo. “Too many of those at the top think it is all about security, when that is only a part of it.”

“The deadline for compliance is May 25 next year and any company that subsequently fails to handle data in the correct manner risks the severe penalties stipulated in the regulation. The top people in every organisation need to get to grips with this challenge, ensuring that their data is being stored and handled in full compliance.”

The survey found that only 43% of companies have appointed and resourced a Data Protection Officer, despite the GDPR requiring one for public authorities and for any organisation whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data. In IT and telecoms, the figure is just 37%, while in manufacturing and utilities it is just 36%.

On average, organisations said they will employ 10 people on the task of achieving GDPR compliance, with the healthcare sector proving the most committed, devoting an average of 26 employees. This compares with averages of nine in IT and telecoms and four in arts and culture.

Calligo is an expert in the General Data Protection Regulation, which applies from May next year and will standardise the protection of the personal data of individuals in the EU.

What do Trump and Brexit mean for the EU GDPR?

Well, the last few months have been quite interesting to say the least on the political front, with the UK deciding married life no longer suits it and getting a divorce from its beloved European Union, whilst the US decided to “build that wall!” and elected Donald Trump.

Literally, as this blog is being written, a raft of Executive Orders are flying off the Oval Office desk with the ink still wet. We are witnessing a fundamental shift in superpower politics being initiated with unprecedented haste and vigour.

Yes, some of these decisions may have seemed fanciful at best, or downright ridiculous, some twelve months ago, but the reality is starting to dawn and a new world order is starting to take effect.

So as the dust settles on these monumental decisions, those of us involved in the wonderful world of regulation are being asked what it all means for the EU GDPR.

Now if this article seems to have taken a Tarantino-esque right turn and you are asking “What on earth is EU GDPR?”, then you have some catching up to do. Put simply, it is the biggest single change to data protection since the introduction of the Data Protection Act 1998, and its scope is global.

So in true streaming binge-viewing mode, here is what happened in series 1:

The vision of the EU GDPR was to create one digital economy for the then 28 member states of the European Union, with one set of rules for handling the personal data of 500 million-plus citizens. Its central premise is to better protect the rights of those whose data is powering the digital highway on which we now all navigate.

In October 2016 TalkTalk was fined a record £400,000 for the theft of 157,000 of its customers’ records. Under the new regulation that fine could have been in excess of £70 million.

So from a 10,000-foot view, the EU GDPR offers:

  • Rights for the EU citizen over how their personal data is used. Individuals must be told how their data will be used, and where processing relies on consent, that consent must be a clear affirmative act (explicit consent for special categories of data). This has significant repercussions for data traversing country borders, made all the more difficult by President Trump’s Executive Order that puts in question the long-term future of the Privacy Shield agreement.
  • Punitive penalties for those who do not protect this data (fines of up to 4% of global annual turnover or €20m, whichever is the greater, can be levied).
  • Citizens having the right to erasure, the “right to be forgotten”: no more holding on to personal data for no reason.
  • The requirement for organisations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, and to tell affected individuals without undue delay where the breach is likely to put them at high risk (bear in mind many security experts claim most breaches currently go undetected for months).
  • The responsibility of controllers and processors to implement security measures appropriate to the risk, taking into account the state of the art (aged systems and technologies will not be an excuse).
  • The creation of the Data Protection Officer role, mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special-category data. The DPO must understand both the regulation and how their organisation is complying with it and policing the data it holds.

It’s a significant regulation and the above only scratches the surface, but it at least gives some sense of the scale of the change. BUT, what does all of this mean with the UK about to exit the EU? Well, at first glance it is simple and falls into two distinct camps:

  • Organisations that will hold EU citizens’ personal data after we exit the EU.
  • Those that will not.

If you’re in the first camp and would potentially hold any personal data on an EU citizen (strictly, on any individual in the EU, whatever their citizenship), then you are absolutely still required to comply with the regulation. The regulation was always designed to apply globally to anyone handling that data, and it comes from the perspective of protecting the individual’s data wherever it may reside.

If you don’t, and never will, hold any such personal data, then you won’t need to comply. To get a sense of what personal data is, think of anything that could identify a person: IP address, credit card number, name, address, phone number and so on, and you start to see the footprint that personal data has.

However, as free movement and trade agreement negotiations continue, there will be conditions attached to the implementation of these agreements, and you can be confident that the flagship regulation on handling personal data could form part of them. Also, considering the Data Protection Act 1998 is so out of date, the UK needs a new standard: why would we begin the onerous task of writing one from scratch when the robust framework we contributed to is already sitting on the shelf and gives us parity with Europe?

So as I write this article nothing is certain. However, the regulation entered into force on 24 May 2016 and therefore predates Brexit, making it currently law. Equally, it is unlikely that down the line organisations will be able to avoid it. The regulation will be enforced from 25 May 2018, from which point each non-conformance is exposed to the new fines, and it’s highly unlikely that we will be out of the EU by that date anyway.

It’s time to embrace the change and get compliant. After all, isn’t a more secure and diligent digital realm something to be applauded? Personal data is literally pulsing around the world, traversing jurisdictional boundaries, and is potentially at risk if anyone in that chain of data handling isn’t aware of, or proficient in, the discipline of protecting it.

So if all the above has you thinking “OK, it sounds like I should be doing something about it”, your next thought should be “how do I start?” Well, you are probably best to identify an organisation that understands the regulation and, critically, can assist you in mapping out how to align your organisation to it.

A certification scheme is always a welcome sign of a maturing standard, and the GDPR is no exception: you can qualify as a Certified Practitioner for the regulation under a scheme accredited to ISO/IEC 17024, the standard for bodies that certify persons. This is an important step forward, as much of the action to date has centred around commentary and opinion on the regulation, as opposed to establishing actual frameworks to implement.

One of the biggest challenges an organisation will face is identifying all the locations that actually contain personal data. It will typically be dispersed over multiple systems and technologies, and locating these records will be a sizeable exercise in its own right. The data mapping exercise comes down to three questions:

  • Do we have this type of data?
  • If we do, where is it located?
  • What controls exist, and under what conditions is it kept?

A simple mantra is true, you cannot control what you cannot see. Therefore, you must build an accurate data map to even begin to implement the processes under which compliance can be achieved.
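As an added example (not part of the original article, and not Calligo’s tooling), here is a small Python pass that asks those three questions of a few constructed data sets: it classifies field values by the kinds of personal data named above (email address, IP address, UK phone number, and card number, with a Luhn check so that order references are not mistaken for card numbers), builds a map of which systems hold which categories, and lists the systems whose recorded controls fall short. The data sets, field names and the control names `encrypted_at_rest`, `retention_policy` and `owner` are invented for the example; a real scan would add further detectors (names, dates of birth, national insurance numbers) and read from the actual systems.

```python
"""Minimal personal-data discovery pass over constructed sample data sets.

Added example, not part of the original article. The records below are
constructed for illustration: the email addresses, phone numbers, IPs and
card numbers are invented (the card number is a standard Luhn-valid test
pattern). The three questions from the article drive it: do we have this
kind of data, where is it, and under what controls is it kept.
"""
import re
from collections import defaultdict

# Deliberately simple detectors; each must match the whole field value.
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "uk_phone": re.compile(r"^(?:\+44\s?|0)\d{2,4}\s?\d{3,4}\s?\d{3,4}$"),
    "card_number": re.compile(r"^\d{13,19}$"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; separates PANs from plain digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> set:
    """Return the personal-data categories a single field value appears to belong to."""
    if value is None:
        return set()
    text = str(value).strip()
    found = set()
    for name, pattern in PATTERNS.items():
        if not pattern.match(text):
            continue
        # Secondary checks to cut false positives from the loose regexes.
        if name == "ipv4" and any(int(octet) > 255 for octet in text.split(".")):
            continue
        if name == "card_number" and not luhn_ok(text):
            continue
        found.add(name)
    return found


def build_data_map(datasets: dict) -> dict:
    """Questions 1 and 2: which systems hold personal data, and in which fields.

    datasets: {system_name: {"records": [dict, ...], "controls": {...}}}
    Returns {system_name: {"fields": {field: [categories]}, "controls": {...}}}
    for the systems where at least one field looks like personal data.
    """
    data_map = {}
    for system, info in datasets.items():
        fields = defaultdict(set)
        for record in info["records"]:
            for field, value in record.items():
                fields[field] |= classify(value)
        hits = {f: sorted(cats) for f, cats in fields.items() if cats}
        if hits:
            data_map[system] = {"fields": hits, "controls": info.get("controls", {})}
    return data_map


def gaps(data_map: dict, required=("encrypted_at_rest", "retention_policy", "owner")) -> dict:
    """Question 3: systems holding personal data whose controls are missing or switched off."""
    result = {}
    for system, entry in data_map.items():
        missing = [c for c in required if not entry["controls"].get(c)]
        if missing:
            result[system] = missing
    return result


# Constructed sample: a CRM export, a web-server log table, a payments archive, a stock list.
SAMPLE_DATASETS = {
    "crm_export": {
        "records": [
            {"id": 1, "contact": "a.smith@example.com", "phone": "020 7946 0958"},
            {"id": 2, "contact": "b.jones@example.org", "phone": "+44 7700 900123"},
        ],
        "controls": {"encrypted_at_rest": True, "owner": "sales"},
    },
    "web_access_log": {
        "records": [
            {"client": "203.0.113.7", "path": "/checkout", "status": 200},
            {"client": "999.1.1.1", "path": "/", "status": 404},   # malformed, ignored
        ],
        "controls": {"encrypted_at_rest": False, "retention_policy": "30d", "owner": "ops"},
    },
    "payments_archive": {
        "records": [{"pan": "4111111111111111", "order": "1234567890123"}],
        "controls": {},
    },
    "stock_list": {
        "records": [{"sku": "AB-100", "qty": 12}],
        "controls": {"owner": "warehouse"},
    },
}

if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_DATASETS)
    for system, entry in data_map.items():
        print(system, entry["fields"])
    print("control gaps:", gaps(data_map))
```

Run as-is it reports personal data in the CRM export (email and phone), the access log (client IP) and the payments archive (card number, but not the order reference, which fails the Luhn check), and nothing in the stock list; the gap report then singles out the payments archive as holding card data with no recorded controls at all. The point is the shape of the exercise: a detector per data category, a map keyed by system and field, and the control check run only over the systems the map says matter.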

This article only scratches the surface of the impact of this Regulation. The noise generated by the dramatic political events of the last year is only serving to create more confusion. But one thing is certain: enforcement of the regulation begins in May 2018, and it’s safe to say that being one of the first organisations to fall foul of the new powers will be a very uncomfortable place to be.

It’s time to mobilise and get compliant, and that journey starts now.