The long-awaited negotiations governing the UK’s divorce from the EU officially began on 19 June, marking arguably the most important period in the country’s history since the Second World War. What follows remains to be seen, but given that Brexit is now a reality, many UK organisations may be wondering, or hoping, that this means they’ll be spared the sweeping new data protection regulation directed from Brussels.
As the recent Queen’s Speech has again reminded us, there will be no such reprieve for UK organisations. Brexit means Brexit, and that means firms must accelerate their EU General Data Protection Regulation (GDPR) compliance plans in time for the 25 May 2018 deadline.
GDPR compliance is non-negotiable for two main reasons. First, the UK will still technically be a member of the European Union by the time the compliance deadline passes. In fact, the timetable for talks is set at two years – taking us through to early 2019 – although legal experts have claimed it could take many more years before a final agreement is reached.
More importantly, the Queen’s Speech on 21 June announced a new UK Data Protection Bill which, crucially, will implement the GDPR. The focus is on “meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.”
Legal experts have confirmed that although there could be some minor changes to this law following the UK’s formal departure from the EU, the government’s intention is to ensure as much harmonisation as possible with the GDPR, protecting data flows and the digital economy as a whole. The last thing the UK needs is for its burgeoning digital economy to be stuck in limbo while negotiators try to hammer out a Safe Harbour/Privacy Shield deal with the EU.
“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data,” the speech declares, noting that the digital sector contributed £118 billion to the UK economy and employed over 1.4 million people in 2015.
Time to Secure Access
All of this means it’s time for UK firms to hit the gas when it comes to GDPR compliance. New stats from Spiceworks claim UK IT pros are actually doing better than their European neighbours and counterparts in the US, and are better informed and more in favour of the regulation. That might be partly a result of UK experts at the ICO and elsewhere playing a major role in drawing up this new regulation.
However, despite this positive mood music, only 40% of UK respondents said they’d already started compliance efforts.
With less than a year to go until mandatory 72-hour breach notifications and possible fines of up to 4% of global annual turnover, there’s still a worrying lack of urgency here. One of the key strategies organisations can take to minimise the risk of damaging breaches and prove to regulators that they’re taking a best practice approach to securing data is to enhance their access controls.
As the recent cyber attack on the UK parliament has revealed once again, passwords alone are no longer fit for purpose in our digital age: they expose organisations to phishing, brute-force and password-guessing attacks that can open the virtual front door to hackers right into your network. Instead, IT leaders should be looking to enhance passwords with multi-factor authentication (MFA), ideally as part of a risk-based system that only requires a second layer of authentication when a log-in looks dubious. It could have saved parliament from this recent unauthorised access incident. Combined with user education, “least privilege” access policies, automated provisioning and deprovisioning and other measures, MFA can greatly reduce your cyber risk exposure.
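To make the “risk-based” idea concrete, here is an added example (not Centrify’s code, nor part of the original post) of a small step-up authentication policy: each log-in attempt is scored on signals a defender typically already has, and the score decides whether the password alone is enough, whether a second factor is required, or whether the attempt is refused. The signals, weights and thresholds are illustrative assumptions, and the sample attempts are constructed for the example.

```python
"""Risk-based step-up authentication decision (hypothetical policy engine).

Assumptions: the four signals below are available at log-in time, the
weights and thresholds are illustrative, and the attempts in
SAMPLE_ATTEMPTS are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    failed_attempts_last_hour: int
    hour_utc: int                                   # 0-23
    known_devices: List[str] = field(default_factory=list)
    usual_countries: List[str] = field(default_factory=list)


def risk_score(a: LoginAttempt) -> int:
    """Sum illustrative risk points for the signals that look dubious."""
    score = 0
    if a.device_id not in a.known_devices:
        score += 30                                 # unfamiliar device
    if a.country not in a.usual_countries:
        score += 30                                 # unusual location
    if a.failed_attempts_last_hour >= 5:
        score += 40                                 # guessing / brute force
    elif a.failed_attempts_last_hour >= 2:
        score += 15
    if a.hour_utc < 6:
        score += 10                                 # out-of-hours access
    return score


def decide(a: LoginAttempt, step_up_at: int = 30, deny_at: int = 80) -> str:
    """Map the score to allow / step_up (require MFA) / deny."""
    score = risk_score(a)
    if score >= deny_at:
        return DENY
    if score >= step_up_at:
        return STEP_UP
    return ALLOW


def evaluate_batch(attempts: List[LoginAttempt]) -> Dict[str, int]:
    """Count decisions over a batch; useful when tuning thresholds."""
    counts = {ALLOW: 0, STEP_UP: 0, DENY: 0}
    for a in attempts:
        counts[decide(a)] += 1
    return counts


# Constructed sample attempts (not real data).
SAMPLE_ATTEMPTS = [
    # Known laptop, usual country, no failures, working hours -> allow
    LoginAttempt("alice", "laptop-1", "GB", 0, 10, ["laptop-1"], ["GB"]),
    # New phone, otherwise normal -> step_up (ask for a second factor)
    LoginAttempt("alice", "phone-new", "GB", 1, 14, ["laptop-1"], ["GB"]),
    # Unknown device, unusual country, many failures, 03:00 -> deny
    LoginAttempt("alice", "unknown", "XX", 7, 3, ["laptop-1"], ["GB"]),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print(a.user, a.device_id, a.country, risk_score(a), decide(a))
    print(evaluate_batch(SAMPLE_ATTEMPTS))
```

The point of the design is that the familiar case costs the user nothing extra, while the second factor is demanded exactly when a password-only decision would be weakest; the deny tier stops a guessing campaign before a stolen or guessed password can be completed with a pushed MFA prompt.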
A recent Centrify study revealed that firms experience a share price slump of 5% following a breach. The GDPR could further multiply the damaging financial and reputational impact of poor cybersecurity. Compliance is non-negotiable, so get started today.
Centrify is running a monthly blog series, focusing on a different part of the regulation each time. In our first blog, we explained the scope of the new law. In our second blog, we addressed the first key step, Data Mapping.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.