“It's all about how you treat people whose data you are collecting,” explains Iain Bourne, group manager (policy delivery), at the Information Commissioner's Office, describing the underlying premise behind the new EU GDPR at InfoSec today during the panel discussion: Regulation, Risk & Privacy: Data Privacy, EU GDPR & the Global, Connected Enterprise.
The session kicked off with moderator Stewart Room, partner PwC Legal, Global Head of Cyber security and Data Protection, PwC, emphasising that the new regulation is the biggest piece of legislation affecting the UK, since it affects everyone, trumping Employment or Health and Safety legislation in its pervasiveness. The consensus on the panel was that the legislation will still affect us all even if the UK were to choose Brexit and quit the EU – though Eduardo Ustaran, partner, privacy and cyber security, Hogan Lovells insisted that this will not happen, while Bourne noted that if it did, there are more attractive data protection regulations around the world than EU GDPR to serve as a model, “So there are a lot of options.”
The demise of Safe Harbour was also referenced, with Nina Barakzai, group head of data protection & privacy, Sky noting how the free flow of data across borders is necessary for Sky, and needs to be done lawfully, complying with the law of various countries; hence something practical and pragmatic was needed to end the current uncertainty. Quentyn Taylor, director EMEA Information Security, Canon EMEA commented that he could envisage the UK in the dock over the issue, and that Privacy Shield doesn't protect data from government, thus data will continue to be unsafe. Barakzai agreed, calling for a set of standards that can be kept to.
Bourne noted that the EU had now voted on and accepted a set of standards, saying, “We'll make it work as well as we can.”
For Taylor, “If you do the right thing and keep an eye on the legal side [of compliance] you'll get through.” Barakzai agreed but sought greater clarity, saying: “We do assurance, we have a framework of principles – what we do, why, who we work with – and it has to be consistent with a known direction.” Room also supported the notion that doing the right thing will get us through – though he noted that the motivator was often the risk of consequences for not doing the right thing – and while ICO fines of up to £500,000 were considered manageable by some organisations, four percent of global turnover [under EU GDPR] was a greater incentive – or disincentive.
Bourne went on to describe how, in continental Europe, regulators often appear to act as privacy activists – therefore the risks of non-compliance (with the new EU GDPR) escalate – but agreed that seeking to do the right thing was the best way forward.
Ustaran suggested that the focus should be on what can be gained from good data protection, so that data protection is designed into the business processes, which then incorporate privacy principles.
Bourne offered the ICO's 12-step guide as a route to raise corporate awareness of security issues (dpreform.org.uk), adding that while this was not something that companies were required to do, those that had good data protection would have less to do to be EU GDPR compliant.
It was noted how, in Europe, people are encouraged to go to the regulator if they have a grievance, rather than seeking legal redress – with Max Schrems, the student who brought down Safe Harbour, also then holding the regulator to account, saying that the prevailing interpretation of data protection was not good enough – and that under EU GDPR citizens, consumer organisations and activists would more easily be able to take organisations to court, and the courts would be in a stronger position to affect outcomes. European data protection cases taken to court to date were already reported to have been resolved in favour of the individual in 100 percent of cases.
Another effect of EU GDPR, noted by Barakzai, is that companies will be expected to say sorry, doing what people who entrust their data to us expect us to do, as a result of the requirement to provide breach notification – though Sky, as a telco, is already required to report breaches. She also noted that under GDPR it is not clear when you have to report (very trivial events), and regulators need to nail down whether it is when you do harm, cause loss or cause embarrassment. Also, the need to notify within 24 hours will increase the visibility of security staff, allowing them to move faster on other issues that may deliver commercial benefits – and the time to restructure is now.
Ustaran suggested that the level of breach notification would likely move from about one in ten breaches currently being reported to a need to report six in ten – which he suggested will have a big effect on how companies view their cyber-security structure. Taylor added that we can expect to see expenditure go up tremendously and benefit information security as a whole. Bourne suggested that many will be surprised at the scale of breaches that get reported, which could also see a consumer backlash, demanding more action to protect their data.
Taylor said the changes will encourage companies to understand what data they have and where it is going, and which vendors and products they are allowed to use; there will be cloud providers who understand what customers want and benefit, plus those who fight it and become uncompetitive.
Bourne pointed out another effect – that currently if your cloud provider steals your data or messes up, there is nothing you can do about it, but under GDPR the regulator can go after the processor. Another issue not yet resolved is that the fines are specified in Euros, and currency exchange questions remain to be agreed. But everything is resolvable, and Bourne's parting message was that there is no need to panic; all that's required is prioritisation and planning.