How does GDPR differ from the UK Data Protection Bill?

Discussions with clients in recent months have revealed that there is some confusion over the General Data Protection Regulation (GDPR) and the new UK Data Protection Bill (DPB) which are both due to come into effect in May 2018. Why should organisations focus on GDPR when the UK is also bringing in its own data protection legislation at the same time?

Firstly, it is important to note that in spite of the UK government triggering Article 50 of the Lisbon Treaty stating our intent to leave the European Union, Britain will still be a Member State when GDPR comes into effect on 25th May 2018. As such, all UK organisations will need to comply with GDPR until the exit process is complete. Those organisations which hold the personal data of even one single EU citizen after the UK’s exit will continue to need to adhere to the requirements of GDPR. For these reasons, GDPR compliance is the main focus for UK organisations.

The new DPB, which is due to come into effect in May 2018, is the UK’s updating of the existing data protection laws to bring them into line with the needs of today’s digital marketplace. The DPB contains all the main principles of GDPR and compliance with one will almost certainly ensure compliance with the other. The DPB also includes details of how GDPR will apply in the UK, specifically where Member States have been given some flexibility, otherwise known as derogations.

After Britain’s exit from the EU, the DPB (which will be known as the DPA 2018) will replace GDPR for organisations operating within the UK. It is, however, highly probable that the UK will continue to be able to trade with EU citizens. Because the DPB contains the essence of GDPR, it is expected that the UK will be awarded an adequacy decision from the European Commission. This would mean that data can flow freely between an EU member state and the UK while providing data subjects with the reassurance and confidence that an adequate level of data protection is in place.

Going forward, both the GDPR and DPA 2018 will apply to UK organisations depending on where they operate but a breach will be considered under the legal system of the country in which that breach occurs. In addition to the potential issues relating to Britain’s status when it comes to sharing data with EU partners post Brexit, there are the individual country’s derogations to consider so the best course of action is for companies that operate in several countries to ensure that they are compliant with each country’s data protection laws.

As this is a complex issue, it is advisable for organisations based in the UK to consult experts in data protection requirements. SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the DPB and GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.

For more information on our GDPR services visit our website.

To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.

For information on the testing requirements for GDPR register for our free webinar.

Or read our blog:

GDPR: the world will not stand still on 25th May 2018

GDPR: 10 key issues facing UK retailers

GDPR: 10 key issues facing UK retailers

The law regarding personal data will change on 25th May 2018 when the EU General Data Protection Regulation (GDPR) comes into effect. Replacing the UK Data Protection Act 1998, which was drafted long before the exponential growth of the internet, GDPR reflects the new data landscape and sets out to protect the fundamental rights and freedoms of individuals and their data. With fewer than 100 days until GDPR becomes law, the pressure is on to ensure compliance is achieved and maintained into the future.

SRM has operated in the information security environment for many years. Our GDPR consultants have undergone GCHQ certified training and gained GDPR Practitioner certification and are able to advise on the strategic management of GDPR compliance. While GDPR applies across all sectors and services, addressing the key issues of consent, security and access rights, there are a number of key issues which will directly affect retailers.

1. What is considered personal data?

In short: anything and everything, from mobile telephone numbers to individually named email addresses. Generic email addresses are not considered personal data because they could belong to multiple individuals.

GDPR also includes ‘sensitive personal data’ which includes information on, for example, biometric data, race, political opinion, physical or mental health conditions or sexual orientation. This may not be information commonly held on customers but may frequently be held on company employees by HR departments.

If personal data is unidentifiable, under the rules of GDPR retailers may keep that information for as long as they like. Anonymising data is not sufficient: pseudonymisation or encryption of personal data are the best security measures.
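As an added illustration that is not part of SRM’s article, the Python below shows the distinction the paragraph draws between simply hashing or anonymising an identifier and pseudonymising it: a keyed pseudonym (HMAC-SHA256 under a secret held apart from the data) keeps records linkable for analytics while the analytics set no longer contains the identifier itself, and a separate re-identification store stands in for the “additional information” that GDPR Article 4(5) requires to be kept separately. The sample record, field names and the `ReidentificationVault` class are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample loyalty-card record (hypothetical data, not from the article).
SAMPLE_RECORD = {
    "customer_id": 1042,
    "mobile": "+44 7700 900123",
    "email": "Jane.Doe@example.com",
}


def normalise(value: str) -> str:
    """Canonicalise an identifier (strip whitespace, lower-case) so that the
    same person always produces the same pseudonym."""
    return "".join(value.split()).lower()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the normalised identifier.

    The key is the 'additional information' of GDPR Art. 4(5): without it a
    pseudonym cannot be linked back to the person, even for low-entropy
    identifiers such as phone numbers, which an unkeyed hash would not protect.
    With the same key, equal identifiers give equal pseudonyms, so records can
    still be joined for analytics.
    """
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes, fields=("mobile", "email")) -> dict:
    """Return a copy of the record with the named direct identifiers replaced."""
    out = dict(record)
    for field in fields:
        out[field] = pseudonymise(record[field], key)
    return out


class ReidentificationVault:
    """Stands in for the separately held store that links pseudonyms back to
    identifiers. In practice this lives in a different system with its own
    access controls; the analytics data set never contains the originals."""

    def __init__(self, key: bytes):
        self._key = key
        self._table: dict[str, str] = {}

    def register(self, value: str) -> str:
        token = pseudonymise(value, self._key)
        self._table[token] = normalise(value)
        return token

    def reidentify(self, token: str):
        """Resolve a pseudonym; None if it was never registered under this key."""
        return self._table.get(token)


def demo() -> dict:
    """Pseudonymise the sample record and show that re-identification needs the vault."""
    key = secrets.token_bytes(32)  # per-deployment secret, stored apart from the data
    vault = ReidentificationVault(key)
    for field in ("mobile", "email"):
        vault.register(SAMPLE_RECORD[field])
    safe = pseudonymise_record(SAMPLE_RECORD, key)
    return {
        "pseudonymised": safe,
        "mobile_recovered": vault.reidentify(safe["mobile"]),
        "unknown_token_recovered": vault.reidentify("0" * 64),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the key is that a phone number or email address has a small enough input space that an unkeyed hash offers little protection; the secret, held in a separate system, is what makes the pseudonym unlinkable to anyone who holds only the analytics data. Losing the key also loses the ability to honour an access or erasure request for the pseudonymised rows, so its custody needs the same care as the data itself.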

2. Consent

When any form of personal data is collected – from customers and employees – the legal basis of its processing must be considered. In the vast majority of cases where customer data is collected, consent must be given.

Customers: many retailers ask their customers for their email addresses at the point of purchase. This data is then used for marketing purposes but under GDPR retailers will need to ensure an individual’s consent is fully informed, actively and freely given. That is, they must positively affirm their willingness to be contacted. Pre-ticked boxes are not allowed.

Employees: the issue of consent also relates to the people who work for you. GDPR has made clear that the same rules of consent apply to employees and customers. Retailers should update their employee consent procedure to be fully compliant when it comes to the processing of their personal data for which consent is required.

3. Profiling

Retailers profile customers in a number of ways. Data can be collected through automated forms, loyalty cards or through the use of Cookies. While this information is a valuable tool when targeting online advertising, if it includes ‘legal effects’ – perhaps deals are restricted to certain behavioural types – then the customer must have the right to object.

Note that the profiling requirements of GDPR are separate from the current e-privacy rules (Privacy and Electronic Communications Regulations – PECR) which still require consent to place Cookies on an individual’s device. This regulation is also being updated at the same time as GDPR is implemented.

4. Loyalty programmes

As part of the profiling process, many retailers use loyalty cards. Where rewards under a loyalty programme might involve a customer’s data being shared with the applicable reward provider, this arrangement is likely to involve data sharing. Not only does a detailed agreement need to be in place with all parties but the ICO’s Code of Data Sharing should be considered too.

5. Data processing

The responsibility for data processing extends to all suppliers, for example delivery logistics providers and marketing agencies. Data processors have a responsibility for security under GDPR and all agreements should be reviewed and, where necessary, renegotiated.

Under GDPR both the retailer and its data processor suppliers must adhere to specific security requirements. This is a change from the current law where processors do not have direct liability.

6. Data breach notification

GDPR introduces the mandatory reporting of data breaches to the regulator without undue delay and no later than 72 hours after becoming aware of the breach. In some cases this will apply to the data subjects as well. Retailers therefore need to give careful thought to breach prevention and to ensuring that there is a data breach procedure in place. Awareness among suppliers and in-house training for staff is a vital element of this process. Retailers which trade across geographical borders will have to ensure that they are compliant in different jurisdictions. Having a coherent approach to data breaches will not only ensure compliance with GDPR but has the added benefit of minimising adverse publicity.

7. Access (rights of the individual)

At the moment, an individual who makes a written request is entitled to know what personal data is held on them by a retailer for a £10 fee. This charge will be removed after 25th May. In addition, once GDPR is in place there are likely to be large awareness campaigns, supported by the EU, to increase awareness of this right. These requests must be answered within one month. Retailers running loyalty programmes can start preparing for this by creating a form for this type of request, reviewing what personal data is held and removing anything which has no purpose.

8. Third party suppliers

In addition to the other responsibilities relating to third party suppliers under GDPR, retailers should know that they are ultimately responsible and address some fundamental questions: if third party processors are based in the EU, do they have a safeguarding contract in place? Are these suppliers ready for GDPR? If the answer is no, alternative suppliers may need to be considered.

9. Cross border data flow

An essential element of GDPR compliance is identifying international data flow (including employee data) within a group of retail companies or their third party suppliers. Those operating stores or online sales across geographical borders must comply with the rules on international data transfers. The retailer’s lead regulator will be in the country where the controller or processor is based.

10. DPOs and CISOs

GDPR compliance requires the majority of organisations to have a Data Protection Officer (DPO) or a Chief Information Security Officer, whose responsibility it is to manage and drive the GDPR compliance process. When GDPR comes into effect, inadequately protected organisations which suffer a breach will be penalised by fines of up to 20 million Euros or 4% of global turnover (whichever is higher) so these officers are under a lot of pressure to deliver. SRM can support and resource in-house DPOs and CISOs or can take on the full responsibility through our VirtualCISO service.


The NIS Directive: who does it apply to and what will it mean?

May 2018 is a big month for cyber security.

Not only will the EU General Data Protection Regulation (GDPR) come into effect but a new UK Data Protection Act will enshrine GDPR’s principles in UK law in the same month. In addition, the EU Network and Information System (NIS) Directive, which aims to increase the security of network and information systems across the EU by encouraging the adoption of International and European standards, will also be implemented into UK law in May 2018. It is of particular importance to organisations which provide essential services, or those which supply those who provide these services.

There is, however, nothing to fear regarding NIS Directive compliance. By adopting ISO27001 International Standard for Information Security best practice and implementing robust Disaster Recovery and Business Continuity Management plans, organisations can ensure compliance will be achieved.

Where GDPR relates to the loss of personal data, the NIS Directive addresses the issue of loss of service by IT networks and information systems. Specifically, it relates to safeguarding essential services and those who fail to implement effective cyber security measures will face fines of up to £17m or 4 per cent of global turnover.

The measures outlined in the NIS Directive are part of the UK Government’s five year £1.9bn National Cyber Security Strategy. They are designed to ensure that the UK’s essential networks and infrastructure are kept safe and secure against the risk of cyber attacks. Not only will operators in electricity, transport, water, energy, health and digital infrastructure be required to demonstrate a resilient cyber defence, they will also need to demonstrate that they have robust incident response plans in place.

The NIS Directive is not, however, limited to these organisations. It is important that UK technology firms establish whether they fall within the scope of the NIS Directive because it applies not only to essential services but to those who are significant suppliers to the operator of an essential service. This covers a multitude of organisations and extends to online marketplaces, online search engines and cloud computing services.

Although the potential fines of up to £17m make headline figures, the Department for Digital, Culture, Media and Sport has made it clear that they are a last resort. Where operators can demonstrate that they have conducted adequate risk assessments, enacted appropriate security measures, implemented robust incident response plans and are fully engaged with the process, these fines will not apply.

The key, therefore, is to be able to demonstrate that the NIS Directive is at the core of an organisation’s cyber defence strategy. From staff training to penetration testing; from incident management to business continuity planning and ongoing resilience: every stage needs to be addressed. Those already in the process of adopting GDPR into their business process will be some way towards the NIS Directive’s requirements, but it is important to know what additional steps need to be taken.

Professional support is an important and cost-effective way to manage this process. SRM has helped many organisations become ISO27001 certification ready, and can assist with Business Continuity and Disaster Recovery. With experience and expertise across a whole range of organisations and a sound understanding of the requirements of the NIS Directive, SRM’s consultancy team can steer and manage the process without wasting time or budget.

For more information see:

GDPR free live webinar: the roles of manual and automated penetration testing

ISO27001 Lead auditor and pre-audit preparation

GDPR Self Assessment Questionnaire

Free live webinar: GDPR – the roles of manual and automated penetration testing

15:00 – 15:45 Thursday 8th March 2018

Have you tested to check your GDPR compliance?

A key aspect of GDPR compliance is demonstrating that your systems are secure. Penetration testing is a vital tool but with automated and manual tests both available which best serves your purpose?

In this 35-minute webinar, with time for questions, co-hosted with AppCheck, SRM’s Test and Exercise expert Andrew Linn outlines how a structured synergy of both will deliver the optimum result.

The webinar will cover:

  • The crucial role of automated testing
  • Automated and manual testing synergies
  • The manual component
  • Beyond the penetration test

There will be a live Q&A at the end and Andrew Linn will answer any specific questions relating to your business or sector.

How to register

The live webinar is at 3pm on Thursday 8th March and is free. You are simply required to register your attendance via this link:


Cyber Security Breaches Survey 2018 – shows that size matters and that numbers never lie

As with any statistical report, the numbers in the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018 provide a dizzying variety of analytical options. However, given that the report, published last month, is subtitled ‘Preparations for the new Data Protection Act’ there are two sets of numbers which stand out.

The first relates to the fact that, when it comes to awareness, size does matter. Larger organisations are significantly more aware of General Data Protection Regulation (GDPR) and its UK counterpart the Data Protection Act (DPA). The second is that when asked about what steps had been taken to change procedures and policies, across the survey group as a whole, only 4 per cent had taken any practical steps to improve levels of compliance.

Addressing the first issue, it is perhaps not surprising that the larger the organisation, the greater the level of awareness. Of the 1,519 businesses surveyed, awareness of GDPR and the DPA was highest among large organisations (80 per cent) and lowest among micro businesses (31 per cent). Of the 569 charities surveyed, those managing over £5 million annual turnover had higher awareness levels (90 per cent) than those managing less than £10k (36 per cent).

As for the second issue of procedures and policies, this is where the numbers show the real picture. By the time the survey conducted by Ipsos MORI had drilled down to asking about what practical changes had been made by December 2017 to address compliance, of the original 1,519 businesses and 569 charities questioned, only 174 businesses and 70 charities were still in the survey. The rest had fallen by the wayside following questions on general awareness of GDPR and the new DPA 2018.

The DPA 2018 is the UK’s solution to data protection and will replace the current UK DPA 1998. Whilst organisations will still have to comply with GDPR, one element of the DPA 2018 is the details of how GDPR will apply in the UK, the processing that does not fall within UK law and also the EU’s Law Enforcement Directive.

Of those who remained in the survey only 36 per cent had made changes to their policies or procedures. That means that of the original total number of businesses and charities questioned only 4 per cent had made any changes in response to the forthcoming legislation. The figures are even lower for the question regarding additional staff training around the DPA and GDPR.

Clearly there is a huge amount of work to be done to bring UK businesses and charities closer to compliance. The worrying fact is that time is not on our side. From 25th May 2018 GDPR will become law and the new DPA is due to be enacted at the same time, with significantly higher fines issued to those who do not comply. Those already adhering to the existing Data Protection Act will be some way toward compliance. With awareness levels so low, however, there are many businesses which require guidance as to what the GDPR and new DPA involves and what steps need to be taken.

SRM has developed a helpful Self-Assessment Questionnaire which maps out the areas which need to be addressed and provides a practical interpretation of what these mean to organisations. Whether a large corporate or a small charity, the questionnaire highlights the areas that need to be considered.

SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust, efficient and effective on-going compliance, not on selling products.

SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles, either in traditional part-time roles or via our VirtualCISO™ service.


SRM’s step by step self-assessment guide to GDPR readiness

For full details of the HM Government survey report see the Cyber Security Breaches Survey 2018.



