At the end of the two-year divorce proceedings with the European Union, there will be a vast array of things that change for the United Kingdom. Trade, legislation on a myriad of issues, immigration, and political alliances of all kinds will be impacted by the decision to leave the EU, in ways we cannot begin to predict until after the fact. Brexit will dominate British politics for the next ten years, whether you voted to leave or remain. One thing that won’t change, however, is the General Data Protection Regulation (GDPR).
GDPR is an EU directive, but it will still be applicable and have a dramatic impact on UK businesses that use or store EU data as a function of doing business. According to the ICO (Information Commissioners Office), its strategy is based on a presumption that GDPR will also be assumed into UK law before the exit to ensure there are continuity and certainty about UK law afterward.
What is GDPR?
GDPR went into effect on 25 May 2018. The regulation was created to consolidate various existing privacy and data protection mandates put in place by individual EU member states. It protects a broad range of personal data, including social identity, medical records, genetic information, and economic details. This means if businesses have information pertaining to specific data such as your buying habits, or are aware of your ethnicity, religion or sexual orientation, all of these aspects could come into play in the event of a data breach.
The associated responsibilities with data in GDPR expand in many areas of people, process and technology. There is no silver bullet which requires businesses to understand their role in the data process and most importantly where the data is. GDPR places responsibility for safeguarding data with the entities that process or store personal data. Under GDPR, the ‘controller’ is the owner of the data — who decides to collect, store and use that information for their own purposes, and the ‘processor’ is a third party who may not choose to consume the data, but is still involved in the data processing; not necessarily responsible for whether you should be consuming the data. It is possible for a company to be both a controller and a processor under GDPR. It’s important for organizations to understand these roles and how they apply.
Brexit means Brexit?
Where, you might be wondering, does Brexit fit into this already complex picture? If the UK is to leave the European Union, surely this means it will have regained its sovereignty and won’t be forced to abide by legislation dictated by Brussels? Wrong. GDPR is not only a piece of legislation for the European Union to concern itself with, but one for the whole world to sit up and take notice of. In a globalized economic model, it is not uncommon for the data used by a business to move across multiple borders and multiple jurisdictions, but GDPR takes responsibility for the data of EU citizens wherever it is being handled. So, if a UK business has interests in the EU, or processes any data that pertains to EU citizens, it will have to ensure GDPR compliance. What’s more, the UK’s commitment to enshrine EU law into British law means even UK companies operating solely on their own shores, with no EU involvement, are also responsible for complying.
The first step for any organization hoping to operate within the boundaries of GDPR, is to understand how important your data is and the risk of it being compromised. Companies have to start by understanding where data protected under GDPR is collected, processed and stored.
It’s also crucial for GDPR—and business in general, really—to be able to quickly identify cyber threats and detect when a data breach occurs. A Security-as-a-Service provider can be invaluable because they specialize in security and have the tools, skills, and cyber security analyst experience to detect and stop cyber attackers.
Few organizations have the resources and skills necessary to understand the anatomy of a cyberattack and recognize it as—or before—it happens. Even if an organization wanted to build such a team, the cost would prohibit an effective implementation. In addition, the key to early detection is to see and watch as many cyberattacks as possible across similar environments and industries — many organizations don’t have the experience or data to process and gain the necessary intelligence from.
From a cyber security analysts’ perspective, working with an MSSP is often extremely attractive as they collect and analyze huge amounts of data that internal Security Operations Centers (SOCs) don’t get visibility of — getting to investigate the big threat actors and discovering the latest attack concepts.
Get Ready for GDPR
Complying with GDPR will require detailed planning and collaboration with virtually all the businesses in your chain. It will also depend on a pragmatic, solutions-based approach to data breach detection. To achieve and maintain GDPR compliance, you need to ensure your security measures are up to scratch or face the sizeable consequences of non-compliance.