GDPR news: GDPR turns six months old

06/04/2017: Box believes data authorities 'struggle' with GDPR

Cloud collaboration firm Box said Europe's leading data protection authorities still don't know how they will measure GDPR compliance, with just over a year to go until the regulation is implemented.

The data protection regulation will introduce large penalties up to 4% of an organisation's global turnover or 20 million, whichever is greater for failing to protect people's personal data. It will also give people much more control over what organisations can do with their information.

As companies prepare for the new rules though, which arrive in the UK in May 2018, Box's VP of compliance said Europe's leading data protection organisations aren't certain what a company must do to comply with them.

Speaking at Box World Tour earlier this week, Crispen Maung, VP of compliance at Box, told IT Pro the company is "ahead of the game" and has based its own compliance so far on US privacy standards like the HIPAA standards for medical data privacy.

He said: "Obviously those are all US-based standards but at the end of the day they are very prescriptive in the definition of what it means in regards to data protection. When we've taken that model along to the data privacy agencies they've actually looked at that and said 'we really like that level of prescriptive control and permission', because they kind of are struggling with figuring out what GDPR compliance really means and how they are going to measure [it]."

He added: "From Box's perspective we are at a really high level of control definition and implementation and therefore for us to be GDPR compliant once they've defined exactly what that is it will be relatively easy for us to obtain that." That's because Box already abides by strict security standards like ISO 27002, which is what Maung believes GDPR will look most like. "My aim is to make sure that Box is compliant before May 2018 and driving us towards being ready before our customers really have that obligation, because we want our customers to be able to put their content into Box and by default, be compliant," he said.

21/03/2017: Local councils are underprepared for GDPR rules

Councils are underprepared for strict new data protection measures, according to the UK's privacy watchdog responsible for enforcing the incoming rules.

With the EU's General Data Protection Regulation (GDPR) due to apply to the UK from May 2018, local authorities lack key practices that the legislation outlines, with a third failing to conduct privacy impact assessments.

Another 25% do not have a data protection officer, despite GDPR making the role a legal requirement for public bodies, and 15% don't offer data protection training for employees handling personal data.

"Although there is good practice out there, with GDPR coming in May 2018, many councils have work to do," said Anulka Clarke, head of good practice at the Information Commissioner's Office (ICO).

The ICO's latest survey, conducted at the end of last year and published today, received 173 responses, and also found that 93% of councils have a data protection and information security policy, though 37% lack a data sharing policy.

While 90% employ a senior information risk officer, just 17% of councils have built an information asset register detailing what data they own and where it is, while 34% have yet to identify an information asset owner responsible for it.

Under GDPR, organisations must report data breaches within 72 hours or risk a fine of up to 2% of annual turnover, or 10 million, whichever is greater. However, the ICO's survey found 14% of councils still don't have an information security incident management policy, and 22% don't think to use reports and KPIs for security breaches.

"In the wake of an information security incident, swift reporting, containment and recovery of the situation is vital. Every effort should be taken to minimise the potential impact on affected individuals. As such, it's a good idea to have a proper incident management process," said the ICO's Clarke.

The ICO offers audits, online guidance and a helpdesk to anyone with a data protection query, and more information can be found here.

07/03/2017: Embracing GDPR gives a competitive edge, says watchdog

Boardrooms should invest in meeting new data protection regulations as a way to drive real business benefits, according to the UK's privacy watchdog, the Information Commissioner's Office (ICO).

The EU's General Data Protection Regulation (GDPR) applies to the UK from 25 May 2018 and will give people more control over their data, as well as meaning organisations who breach the rules face tougher financial penalties.

But speaking at the Data Protection Practitioners' Conference 2017 yesterday, Information Commissioner Elizabeth Denham said: "There's a carrot here as well as a stick, and as regulators, we actually prefer the carrot. Get data protection right, and you can see a real business benefit."

Emphasising the importance of customer privacy, Denham argued that organisations who can demonstrate they respect people's personal data are more likely to attract more customers.

"Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge," she said.

"Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice."

She added that the ICO will be "at the centre of many conversations" around UK data protection after Brexit when GDPR will no longer apply once the UK has left the EU.

The government hinted at its thinking on post-Brexit UK data protection when digital minister Matt Hancock last month said GDPR will form the basis of any replacement UK legislation.

In a meeting with the EU Home Affairs Sub-Committee, he said the government wants to make sure the UK and EU share "an uninterrupted and unhindered flow of data".

24/02/2017: ICO is running at "race pace" ahead of GDPR

Preparing for incoming data protection laws is like changing a tyre on a moving car, according to the UK's Information Commissioner.

Elizabeth Denham, in charge of the Information Commissioner's Office (ICO), said the regulator is running at a "race pace" to prepare for the EU's General Data Protection Regulation (GDPR), which will take effect from May 2018.

But she accepted it will be a challenge for both the regulator and organisations to comply with the more stringent data rules while running their day-to-day activities.

Speaking yesterday at 2017 DataIQ 100, an event listing the UK data industry's 100 most influential and effective leaders, Denham said: "It's business as usual, but we have to get ready for massive change as a regulator.

"You as businesses are looking at this too, and for me, it feels a lot like changing the tyre on a moving car," she added. "So we really have a lot to do."

GDPR will give people more control over what others can do with their personal data, and forces businesses to get clear consent when they want to use people's data, with tough penalties for mishandling it.

The changes come against a backdrop of huge, ongoing data breaches. Yahoo spilt 1.5 billion customers' details in two separate incidents, while firms including Three and TalkTalk have also been hacked.

Denham said the ICO's most recent survey found that 75% of customers now don't trust companies with their personal information. "I found that stunning and shocking," she said.

Explaining that the variety of data people give organisations is now very complex, she added: "So if you add to all of this a security breach, you might understand why individuals feel that they've lost control over their personal data."

But GDPR gives organisations the opportunity to win back customers' trust, according to the regulator. "What the GDPR is really all about is putting the consumer and the citizen at the centre of your decisions," Denham said. "By demonstrating your trustworthiness to consumers and the regulator, then you get to do innovative and imaginative and cool things with people's data to solve new problems or old ones."

Sainsbury's chief data officer, Andy Day, who topped the 2017 DataIQ 100 list, told IT Pro that the supermarket's data protection ethos echoes Denham's sentiments.

"As an organisation, you should worry less about the fines that could be levied and more about the fact that our customers' data is their data, it's not our data," he said. "There's a degree of reverence you need to have to handle their data with."

Conceding Sainsbury's has a "big body of work" to be compliant with GDPR by May 2018, Day said that putting the customer first will help the retailer exceed the requirements of the rules.

"We have a very clear plan of action, we'll be ready in time and I think we'll probably go above and beyond, putting ourselves in our customers' shoes and seeing what we do with our customers' data through their eyes," he said.

15/02/2017: GDPR must be taken into account when choosing a data centre

Upcoming GDPR regulations coming into effect next year must be taken into account when choosing a data centre, warned a lawyer.

Speaking at the Data Centre World conference in London, James Walsh, a partner in the technology, outsourcing and privacy group at legal firm Fieldfisher, said that organisations looking for a data centre need to be "pragmatic about the data centre solution and recognise the limited role data centre operators have where no logical access is provided".

He added that organisations should select a data centre solution with the appropriate physical and organisational security, "taking into account the state of the art".

Walsh said that where new regulations mean that in the event of a breach, organisations must notify the competent supervisory authority no later than 72 hours and this meant that organisations must ensure that the appropriate security measures are undertaken else in the IT stack "where the risk of suffering a data breach may be greater".

The potential fines under GDPR range as high as 4% per of global turnover and for some cloud providers, taking data centre space into account, this could go into the billions.

He said that both customers and data centre operators need to figure out what liabilities may arise as a result of a security incident and what other security measures and mitigations should be in place and who should be responsible for them.

He said it was important for data centre operators to have a clear contract with customers on data protection issues and customers should "recognise that the data centre operator may require contractual protections in reverse".

02/02/2017: Most UK workers 'are not aware of GDPR'

Most UK organisations have not informed their employees of impending data protection legislation that will change the way they can handle people's information, according to new research.

Around 70% of workers said they have not been told about the EU's General Data Protection Regulation (GDPR), while just three in 10 staff, of 2,000 surveyed by cloud security firm Netskope, said they were aware of it. One in five said they have been offered 'plenty' of information about the incoming legislation.

GDPR is due to apply to UK law in May 2018, introducing tough fines on companies that suffer data breaches and imposing restrictions on what organisations can do with people's data.

However, 63% of respondents told Netskope they had never heard of the legislation, and just 13% said they generally understood it.

Only 1% of respondents could accurately quote the maximum fine for organisations who breach GDPR rules, which is 20 million or 4% of a business's annual turnover, whichever is greater.

"Organisations have a lot of work to do in order to educate employees on the GDPR and the safe data handling behaviour needed to achieve compliance," said Andr Stewart, Netskope's vice president of EMEA.

"Employers will need to show that they have trained their employees on the GDPR to achieve compliance. The amount of effort put into coaching employees on secure data handling is likely to be one of the questions regulators ask when deciding whether to penalise organisations."

The news comes after the UK government gave an indication that it will seek to draft equivalent legislation to the GDPR after the UK leaves the EU.

Speaking to the EU Home Affairs Sub-Committee yesterday, the minister for digital and culture, Matt Hancock, said the UK will base its replacement legislation on GDPR, in order to ensure "an uninterrupted and unhindered flow of data" between the EU and UK.

"So in a sense, we are matching them rather than asking them to match anything from the UK," he said. "Our view is you bring the whole thing [GDPR] in full so we are operating [in accordance with] the EU regime so that they don't have to change their regime in order to bring compliance [with the UK]. We are starting from a position of harmonisation rather than a position of difference."

What does GDPR mean for your business? Register to watch our live webinar, sponsored by SolarWinds, at 11am on Thursday, 2 March, to find out from the experts.

23/01/2017: ICO outlines its GDPR guidance priorities

The UK's data protection watchdog has outlined how it plans to introduce the EU General Data Protection Regulation (GDPR) in 2018.

Although the UK is set to leave the EU following the Brexit vote, British companies must still comply with the EU's forthcoming data protection rules when they become law on 25 May 2018, or else face heavy fines for not protecting customers' data sufficiently - up to 4% of their annual turnover, or 20 million.

The Information Commissioner's Office (ICO) said it is now entering the second phase of its strategy to help businesses bring their data protection policies in line with GDPR.

Part of that plan will see the ICO work with fellow European data protection authorities under the Article 29 Working Party (WP29) group, in order to offer organisations resources to bring their data protection rules up to scratch.

In a blog post, Jo Pedder, interim head of policy delivery at the ICO, said: "The ICO remains committed to helping organisations to improve their practices and prepare for the GDPR.

"Consistency across the EU is one of the key drivers of the GDPR, and the Article 29 Working Party - the body that currently brings together the [data protection] authorities across Europe - is leading the way developing guidelines on some of the key aspects of the law," she added.

The ICO has also shared the WP29's guidelines with UK firms, with plans to add these into its own 'Guide to the GDPR' document, which will include essential resources for businesses to learn from.

"Where we decide it is appropriate to go ahead and develop ICO guidance on issues not currently being considered by the WP29 we will incorporate it into the Overview," the ICO said.

"This guidance may take some content from existing [data protection authority] guidance, where it is still relevant. In the event that the WP29 decide to consider a topic we have already worked on we will be in a position to provide input based on the products we have already developed, whether that is guidance or background policy thinking as mentioned below."

Cookie walls' should be banned under new ePrivacy rules as they are not compatible with GDPR, according to the European Data Protection Board (EDPB).

In a statement on the widely-anticipated revision to the EU's ePrivacy Directive, the EDPB, the official body tasked with overseeing the consistent application of the new data protection laws, called for a strengthening in how user consent is obtained.

Cookie walls, deployed by websites to hinge access on the condition users consent to storing cookies on their device, was referenced directly alongside tracking technologies in general, as the EDPB said GDPR's requirement for organisations to obtain "a freely-given consent" should "prevent service providers from including cookie walls for their users".

"In order for consent to be freely given as required by the GDPR," the statement continued, "access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited."

The text for the new ePrivacy Regulation is yet to be finalised by the EU parliament despite being first proposed by the European Commission in early 2017. These are tailored specifically to cover electronic communications, where GDPR covers personal data, but delays in its drafting mean the exact form it will take has yet to be established.

Drafted in a bid to replace the existing Cooke Law, these new regulations will bring service providers within the scope of the EU's ePrivacy rules for the first time. A submission from the Information Commissioner's Office (ICO), the UK data regulator, to the EU's consultation on the Regulation, said the revision should "achieve a proportionate balance" between privacy rights and "legitimate interests of information society services".

The EDPB, set up on 25 May to coincide with GDPR coming into force, is an EU body tasked with applying and regulating the new set of data protection laws consistently across member states; comprising the head of each nation's regulator, among others.

The UK, however, was recently informed by the EU's chief negotiator in Brexit talks, Michel Barnier, that it will be relegated to "third country" status, and that the ICO will no longer have a decision-making seat on the body.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.