UK companies, particularly SMEs, are not ready for the legal changes racing toward them
Data Protection (DP) keeps executives and legislators awake at night. The sharp end of ‘Cyber Security’ (properly ‘Information Security’, because DP encompasses much more than just ‘cyber’) is about to get tough, with stiff punishments for non-compliance that are meant to hurt. Companies must retain appropriate expertise on their Board – and police their supply chain’s compliance. Regulators are increasingly taking action against individual executives where negligence is a factor. Woe betide those who fail to ensure the safety of data in their care.
On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) will take effect. On that date, the UK will probably still be a member. If we’re not out, we’re still in. Grey areas will proliferate. There will be more opinions than lawyers. We could easily tie ourselves into legal Gordian Knots wondering what the Information Commissioner’s Office (ICO) stance will be on GDPR.
Whatever legal construct we end up with, the UK risks putting itself in a poor regulatory position if it doesn’t adopt or replicate GDPR. The least we can expect is an uprated Data Protection Act (DPA 2.0) to make sure we stay with the pack – otherwise we risk placing ourselves on a lower standard of governance than our counterparts in the EU, North America and the Antipodes.
GDPR codifies that data ‘belongs’ to the person to whom it refers. It requires companies to know their data footprint in detail: what they hold, where it is, why they hold it and what it is used for. They are also required to have explicit permission for the data they hold, effective purging and destruction procedures for when it is no longer needed, and they must be ready to respond to disclosure requests from individuals and regulators. Minefields around the ‘right to be forgotten’ and children’s data lurk. Most companies are a million miles from being able to do any of that right now.
More worrying is that most UK companies are blissfully unaware that this regulatory tsunami is heading toward them. There is much to do and time is tight. We worry that companies will be tempted to use the tried, tested and failed approach of parking this ‘technical’ problem in the IT department – which would be decidedly suboptimal. Cyber Security is an element of Information Security, which is an element of Risk Management. Risk Management must be supervised from the Board Room. If most breaches – 95% according to IBM – have their genesis in human errors and actions, not technology, then education and training are paramount.
The general thrust of GDPR is to force all companies to address the entirety of their ‘Information Security’ risk – physical, personnel, digital/cyber AND breach response preparations – as a single, homogeneous issue, so that they create a joined-up, functional and effective governance regime.
Most at risk are the smaller companies. Less sophisticated, less well funded and focused on making the company work, they are frequently poorly served by traditional cyber security vendors because they lack scale and deep pockets. We need to get to work preparing these companies, or they won’t be ready.
CEO of Bronzeye IBRM
Bronzeye IBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.