Data Protection should be about Trust Rather than Fear

The latest blog from UKCloud, our official security partner.

Posted 22 August 2017 by

There have been a series of recent announcements from the Government regarding increasing data protection and cybersecurity regulations, as the Government seeks to achieve its aspiration of the UK being the safest place in the world to go online. This has sparked extensive media coverage, much of it being focused unnecessarily on the negative aspects of these regulations, such as the fines, reputational damage and new criminal offences. Bad news, after all, makes great headlines!

Government response to Dame Fiona Caldicott’s data security review

In her most recent report, published in July 2016, Dame Fiona Caldicott proposed a set of 10 data security standards for the NHS, in response to the issues caused by the NHS’s failed data initiative. The Government’s recent response accepted these and went on to say that the NHS Standard Contract 2017/18 had been changed to enable NHS organisations to adopt the standards. The report also said that Trusts should make security control as high a priority as financial control, and recommended a significantly tougher Information Governance Toolkit for the Trusts.

On the positive side, Dame Fiona said that “new technological advances offer extraordinary opportunities for patient data to be used to improve people’s individual care and to improve health, care and services through research and planning”.

However, much of the media coverage focused instead on either the increasingly threatening landscape or on the cost implications for the cash-strapped NHS Trusts.

Proposals outlined by the Government for a new Data Protection Bill

The Government announced proposals for new laws that will grant people more control over how organisations use their personal data. Despite the vote to leave the EU, the Government made it clear in its manifesto that it intends to implement the European Union General Data Protection Regulation (GDPR). The proposed new Data Protection Bill (DPB) is designed to transpose these European privacy rules into British law, replacing the existing Data Protection Act 1998.

The aim is to make sure that data can continue to flow freely between the UK and EU countries after Brexit, when Britain will be classified as a third country. Under the EU’s data protection framework, personal data can only be transferred to a third country where an adequate level of protection is guaranteed, or other approved safeguards are in place.

At the same time, it will update out-of-date laws to provide citizens with greater rights, including the ability to force global social media companies and online traders to delete or amend unnecessary or outdated personal data.

Once again, much of the media coverage focused instead on the size of the potential fines. The legislation will also give the Information Commissioner’s Office powers to issue tougher fines of up to £17m, or 4% of global annual turnover, whichever is higher (in line with the EU GDPR), for the most serious breaches of data protection law.

Government announces intent to implement the EU NIS directive

Despite the vote to leave the EU, the Government signalled that it also intends to support the aims of the EU’s Security of Network and Information Systems (NIS) Directive, which is intended to secure the UK’s essential networks and services. In a consultation by the Department for Digital, Culture, Media and Sport (DCMS), the Government outlined its plans to implement the directive from May 2018.

The intended aim is to make the UK’s essential services and infrastructure better prepared for the increasing risk of cyber-attack, and more resilient against other threats such as power failures and environmental hazards.

However, much of the media coverage has once again focused instead on the size of the potential fines. DCMS proposes that NIS penalties should be closely aligned with those in the DPB, so failure to implement effective cyber security measures could see organisations fined up to £17 million, or 4% of their global turnover. Some publications even speculated on the possibility of double jeopardy, with firms potentially facing simultaneous penalties for failure to implement effective cyber security measures under NIS and for failure to protect people’s personal data under the new Data Protection Bill.

Countering the negatives

The sensationalist coverage and unnecessary focus on the negative aspects of these regulations, such as the fines, sparked a response from Elizabeth Denham, the UK Information Commissioner. She penned a blog saying that: “not everything you read or hear about the GDPR is true”.

She additionally noted that “the law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that” and pointed to the ICO’s record:

It is hoped that her intervention will help organisations move away from the negative aspects of the regulations and focus instead on the positive ones, above all the opportunity to put trust at the heart of the way that they operate, earning not only the loyalty of customers and citizens but also their trust.

As Denham explains, the new DPB and GDPR are all about “greater transparency, enhanced rights for citizens and increased accountability”. Likewise NIS is all about making our essential services and infrastructure more resilient against all kinds of threats, and Dame Fiona Caldicott’s data security review is all about responsibly harnessing “opportunities for patient data to be used to improve people’s individual care and to improve health, care and services through research and planning”. The overriding themes here are responsibility and accountability, and above all trust.

Given the evolving threat landscape, CIOs and IT directors must ensure that the focus extends beyond meeting the immediate deadlines and requirements stipulated in these regulations, to building a data management and cybersecurity programme that will better position their organisation to deal with future threats and procedural challenges.

All of this should be seen as a catalyst or opportunity for positive change in an organisation. The new regulations are providing a once-in-a-professional-lifetime opportunity to not only secure the budget and organisational support needed to overhaul IT and security procedures, but also to implement procedural changes and enable cultural and attitudinal shifts.

While most organisations are seeking to harness the potential of mobility, cloud and the Internet of Things (IoT) to drive transformational change, few are as focused on the parallel challenges and opportunities in terms of cybersecurity and data protection.

At least the sensationalist coverage of the regulations has brought secure data management and cybersecurity to the attention of all decision makers. After all, it’s important for CIOs and CISOs to take advantage of this to secure the budget and internal support that will enable them to create a secure-by-default culture within their organisation.

Bill is a tech industry veteran with over 20 years spent working in blue chip organisations mostly in pan-European and global leadership roles. He joined UKCloud in 2016 as Cloud Strategist. An IBM veteran and former CMO at Compare the Cloud, Bill is a regular commentator and speaker on all things cloud. He chaired Cloud and Devops World Forum in both 2016 and 2017 and is exceedingly active on social media (@BillMew) sharing his views on cloud as well as on technology, economics, politics and Arsenal FC. He is one of the highest profile social influencers in the UK on areas such as HealthTech and GovTech and in the world on topics like Cloud and OpenStack.

For more details on UKCloud visit their website: https://ukcloud.com/