Official figures show that there were an estimated two million computer misuse offences in 2016 – that means once every 15 seconds there was a potential cyber security incident and a potential data breach.
When it comes to properly protecting the data they hold, the stakes are high for businesses, and they are getting higher. You have probably heard that next May, a new data protection law – the General Data Protection Regulation (GDPR) – will arrive with stricter controls and higher penalties for those who get it wrong.
GDPR builds on the previous Data Protection Act, but provides more protection for consumers and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data, and puts a responsibility on businesses to change their entire ethos towards data protection.
Consumers Control Their Data
The GDPR gives consumers more control over their data. Consumers and citizens have stronger rights to be informed about how organisations use their personal data. Consumers will have the right to request personal data be deleted or removed if there is no compelling reason for an organisation to carry on processing it. They will also have the brand new right to data portability: the right to obtain and port their personal data for their own purposes across different services.
The GDPR will include new obligations for organisations as well. Businesses will have to report data breaches that pose a risk to individuals to the ICO, and in some cases to the individuals affected. They will have to ensure that specific protections are in place for transferring data to countries that have not been listed by the European Commission as providing adequate protection, such as Japan and India. Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have obtained it if they rely on it for processing data. There are also obligations around appointing data protection officers.
The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It is about moving away from seeing the law as a box-ticking exercise and instead working on a framework that can be used to build a culture of privacy that pervades an entire organisation.
The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time – such as privacy impact assessments and privacy by design – are now legally required in certain circumstances.
It means a change to the culture of an organisation, and it is a crucial part of cyber security.
The Stakes Are High
The days when cyber security was purely an IT function are behind us. Just glancing over the National Cyber Security Centre guidance on preventing a cyber attack makes it clear that data security is as much about staff as it is about software. Sure, there are tips in there around malware protection and the importance of patching software. But advice around password policies, removing default user accounts, and restricting access to information to only staff who need it to do their jobs is about people, and about having a culture of privacy in place in your organisation.
The stakes are high. Getting it wrong not only risks enormous reputational damage, but for the most serious violations of the law the ICO will have the power to fine companies up to €20 million, or four per cent of a company’s total annual worldwide turnover for the preceding year. The GDPR gives regulators the power to penalise organisations for failing to put in place: data protection by design, a data protection impact assessment, data protection officers and documentation. If businesses cannot demonstrate that good data protection is a cornerstone of their practices, they are leaving themselves open to a fine or other enforcement action that could damage their bank balance and/or their reputation.
The ICO remains committed to helping organisations improve their practices and prepare for the GDPR. We have recently published an update setting out what guidance organisations can expect. It is essential reading and it will help you plan what areas to address over the next 12 months.
The central pillar of our guidance is the ‘Overview of the GDPR’. We are developing the Overview as a living document, adding content on different points as more guidance is produced by us and by the Article 29 Working Party.
If you want to stay updated on new guidance our e-newsletter is a good place to start. More information, help and advice is available on our website, or you can contact the ICO helpline on 0303 123 1113.