If Brexit means Brexit, what does GDPR mean?
Politicians do tend to favour soundbites and Theresa May is no exception. So when she said that “Brexit means Brexit” some nodded their heads as if this simple statement explained everything. Others, and in particular Chief Information Security Officers (CISOs), may have found this statement inadequate when it comes to explaining exactly how the Brexit vote affects their responsibilities for data protection.
It’s not just soundbites which populate the post Brexit vote world, however; acronyms also feature heavily and the most important of them all is GDPR. The General Data Protection Regulation was drawn up pre-Brexit but is still on track to be adopted in the UK in May 2018 regardless of the timing of Britain’s exit from the EU.
The UK government will have the option to adopt it; but regardless of whether it does or not, GDPR will still apply to all organisations or businesses that hold or handle the data of any citizen within the European Economic Area (EEA). This means that any organisation handling EEA personal data and doing EEA business will be regulated under GDPR by a ‘supervisory authority’ in the EEA. This would be on top of any data protection laws in the UK.
If GDPR is enacted in the UK, which seems likely, it will replace the current Data Protection Act (DPA) 1998. If it is not then tighter privacy laws which reflect the rules contained within the GDPR are still going to come into effect, perhaps in the form of an enhanced DPA. So there really is no escaping the inevitable and it is important that organisations start the plan for the adoption of the GDPR or its equivalent from May 2018 onwards or face the consequences. Because in short, what GDPR means is business. It imposes mandatory high tempo reporting of breaches and also carries significant fines for those organisations who fail to fulfil their obligations. These can be up to 20m Euros or 4% of global turnover.
As a first step, organisations should review and update their current administrative and technical controls. Most importantly under GDPR’s accountability heading, organisations need to demonstrate information security compliance; and under GDPR’s mandatory breach reporting requirement, solid detective controls need to be implemented.
If you need help, SRM provides three types of service. Our Virtual CISO service (VirtualCISOTM) has been developed to provide a board level / SMT strategic advisory role and provides a cost effective route to accessing the full range of SRM professional services supporting, resourcing and advising on all practical and strategic aspects of Information Security including GDPR compliance. We also now provide VirtualISM to support and enhance the role of Information Security Manager and provides the umbrella under which we deliver our delivery consultants expertise, providing you with an experienced ‘active’ resource to effectively deliver your initiatives and projects.
Our portfolio of classic compliance, consultancy and incident response services are all available as single or multiple service offerings tailored to your specific requirements. The blend of a VirtualCISOTM and VirtualISM can provide a truly value add service to an organisation which perhaps cannot or does not wish to directly employ either role. In short, we can provide the strategic direction and support combined with experienced delivery consultants you need to help you seize the initiative in this Brexit world.