The recent announcement from the UK Government that, through the new Data Protection Bill, it will largely follow the EU General Data Protection Regulation (GDPR) after the UK leaves the EU has been widely anticipated. UK organisations, including the public sector, will face a fine of up to £17 million or 4% of their turnover if they fail to protect against personal data breaches. As one of the firms that participated in the planned reforms, and one that is already helping a number of organisations implement the GDPR, we believe such reforms are good for UK citizens and, if implemented in the right way by UK industry, good for the UK as a whole.
All public sector organisations have a fiduciary duty to understand and comply with the new Data Protection Bill (and the GDPR, prior to Brexit), just as they had to do so with the old Data Protection Act. However, the new Bill will be a ‘game changer’.
As reported by Information Age, Information Commissioner’s Office (ICO) figures show that UK healthcare organisations accounted for 43 per cent of all reported data security incidents in the last three years, while central and local government made up 11 per cent. In 2016, the National Audit Office (NAO) found that the 17 largest government departments recorded 8,995 data breaches in 2014-15. Only 14 of those were reported to the ICO (and of course each one could have led to a £17m fine and unwelcome scrutiny). Under the GDPR, however, all organisations have a responsibility to report all personal data breaches to the ICO within 72 hours.
Many public sector organisations hold and process large amounts of sensitive personal information, including names, addresses, financial data, contact/historical records etc. Through the need to reduce costs and improve public service, many organisations have outsourced their data management and processing. Under the GDPR such third-party contractors are equally liable, along with the customer organisation. You simply cannot contract out your liabilities for the management of sensitive personal information.
The new Data Protection Bill will provide the UK with one of the most robust, yet dynamic, sets of data laws in the world. It will include the public sector and will help safeguard essential services such as water, energy, transport and health firms. It will also require public sector organisations to show they have a data strategy to cover power failures and environmental disasters.
Whilst the Minister of State for Digital, Matt Hancock, has stated that any fines would be a last resort and that fines will not apply to firms which had put safeguards in place but still suffered an attack, one of the key challenges we see in the implementation of the existing GDPR is knowing what is ‘adequate’ in terms of safeguards. Under the existing GDPR framework there are still a number of grey areas, such as how much encryption technology you should use. We have already seen some drastic measures, such as the deletion of entire customer data sets, which can obviously have a very negative impact on any organisation. We have worked with a number of organisations to help them take a balanced approach and make a risk-based decision about the controls required. In our experience, public sector organisations need to work with both their legal and their operational functions to make sure that the implementation of the new Data Protection Bill (and the GDPR prior to Brexit) balances the needs of the business with those of data protection. Specifically, the three key considerations are:
- Identify where personal information about your citizens and employees is stored, both internally and externally with suppliers, and the controls and protection in place today
- Make sure you have the governance in place, i.e. an officer responsible for information, a Data Protection Officer etc., and that the authority is registered with the ICO as required by the current DPA
- Revisit the transparency arrangements you should already have in place for releasing and publishing information to the public and make sure these are adequate under GDPR.
By Elliot Rose, Digital Trust and Cyber Security Expert at PA Consulting Group.