InfoSec 2017 ends today and, as expected, one of the hot topics of the three-day event was the forthcoming European Union General Data Protection Regulation (GDPR), which is due to come into force in May 2018. Because the new regulation affects any organisation in the world that processes the data of European Union citizens, it will also affect the UK after Brexit. This could be an issue, according to Cameron Craig, the group head of data at HSBC, because “without a data agreement, business would grind to a halt”.
“The big risk is that [post Brexit] the EU doesn’t recognise the UK as an adequate jurisdiction. Hopefully we’ll be whitelisted, and this is a key objective of the negotiation strategy. In the absence of that we’d have to create a treaty on data, like we do with the US. The bottom line is that we really do need to sort it out!”
In a wide-ranging discussion at InfoSec 2017, the panel, which comprised a number of information security and GDPR experts, identified several key challenges that will come with GDPR and discussed some existing and upcoming advice from the Information Commissioner’s Office (ICO). One of these challenges is the new format and the language that exists in and around the new regulation. Steve Wright, the group data and information security officer at John Lewis, said:
“Interpretation is the biggest challenge, we’ve been finding, very unlike an ISO or PCI standard. Another key challenge is around the vast amounts of data on legacy systems – regulation of this area, especially for us as a retailer is not something we’re used to dealing with.”
Whilst many organisations have not yet begun their preparations for GDPR, which is extremely worrying, some are falling foul of rumours that have no basis in fact. The Information Commissioner’s Office has put together a series of briefing documents, including information about appointing a Data Protection Officer (DPO). Many SMEs think that this does not apply to them. Peter Brown, senior technology officer at the ICO, said:
“I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case. Where should you be on GDPR? Well, that depends. It depends on your business, your readiness, and how you have been working under the DPA – which, without naming names, saw levels of compliance possibly not as high as they could have been – but in summary, you should be busy!”
Concerning GDPR fines, however, Peter Brown did offer some reassurance to organisations that are not fully compliant when the new regulation comes into force on May 25 2018.
“…we probably won’t be breaking down doors on May 25 2018 and demanding 4% of your annual turnover.”