Article

GDPR and Data Privacy after Brexit: What's Next?

Written by Donnie MacColl, Director of EMEA Technical Services
Posted:
May 18, 2020
GDPR in 2020

So, the GDPR hit us with a bang in May 2018 and aside from a few high profile fines, companies seem to be coping well on the whole. But is that really what’s happening or is it like an elegant swan, calm above water but flapping around underneath?    

It is safe to say that by now companies and employees are very much aware of the GDPR and the need to ensure that the data they process is kept secure. Most people – as either consumers or employees – also now understand that they have rights when it comes to the personal data they share with companies.  We (as data handlers) don’t own personal data, we are only allowed to use it when we have a legal basis to do so, we are merely borrowing it with permission and the person whose data we borrow has control of it, not the other way around. And that’s a good thing, right?

However, I have found that many companies have varying definitions of what ‘secure’ means and could be doing a lot more to ensure data integrity and security. Thankfully, HelpSystems has expertise in this area and can work with companies to improve their data security posture – more on that later. 

ICO fines under GDPR

There is a perception among some I talk to that since the GDPR replaced the Data Protection Act, there have been very few fines issued. This is not true and there is a very good reason why this perception exists. There is now a defined process to report suspected data breaches and help is available on how to handle them when they do, so fewer breaches make headline news.

What’s interesting about the breaches that have resulted in a fine is that individuals are also being fined, not just companies.

The fines issued include instances of Police Forces, Her Majesty’s Revenue and Customs, The Crown Prosecution Service as well as some household names, so the importance and the power that the GDPR has must not be dismissed as being ineffective, as quite the opposite is true.

In the first 12 months of the GDPR becoming effective there were over 200,000 reports and over €56 million of fines issued. 

An updated list of the GDPR fines and enforcement notices issued by The Information Commissioners Office (The ICO) confirms this:

Some examples that did make the headlines include Facebook, British Airways, Heathrow Airport and Google who among other data breaches were fined €50 Million euros.

With Brexit, what’s next?

With the UK set to leave the European Union (EU) on 31 December 2020, many companies are asking what’s next?

For the rest of this year, it’s business as usual. The GDPR is fully effective while negotiations take place to establish a different relationship with the EU. Considerations need to be made about how data can cross borders and the ICO is a great resource to help companies plan for this.

But what about at the end of the transition period? I cannot predict the future, but the most likely outcome is that the new Data Protection Act will fully embrace the standards set under the GDPR, so as long as companies already comply, then there will be little or no work required. The message for now is that companies should continue to focus on doing what they can to ensure the data they hold remains secure and that cybersecurity processes are in place should a breach occur.

How to reduce the risk of data breaches

The first step in this process is to understand where the vulnerabilities lie. Through its Core Security product, HelpSystems offers penetration (pen) testing services for companies to identify risks and gaps in their cybersecurity defences. Pen testing also helps validate the effectiveness of internal processes should a breach occur.

The next is to understand what, where and how information is being shared within the organization and the supply chain. Are shadow IT applications such as Dropbox and WeTransfer used by employees to transfer information? If so, how do companies ensure these transfers do not include information deemed non-compliant under GDPR? HelpSystems has a solution that enables companies to share information securely while keeping critical information protected.

Combining its GoAnywhere managed file transfer solution with its Clearswift Secure ICAP Gateway, companies can automate the detection and cleansing of information subject to the GDPR regulation. This reduces the risk of human error and allows the company to remain in control of the information it shares.

Encryption is an effective way to ensure that data at rest remains protected and complies with the GDPR requirements. HelpSystems has a solution that adds role-based access and administration to secure confidential information held on IBM i databases. Powertech Encryption prevents unauthorized internal users or external hackers from gaining access to sensitive information.

Another key risk area is the information shared over email and the internet. With its Clearswift email and web gateway solutions, HelpSystems offers companies the maximum level of data protection over these channels without getting in the way of everyday business activity. Based on a deep content inspection engine, the gateways detect and redact sensitive content coming in and out of the organization – including data in images and scanned documents – in real time, allowing clean versions to continue on their way.

Finally, companies need to be sure that employees can’t accidentally share or leak information via removable devices.  HelpSystems has a solution to increase the data security and compliance of endpoints. Its Clearswift Endpoint Data Loss Prevention solution gives companies control and visibility of data at rest and automatically redacts sensitive information being written to or read from devices such as USBs (data in motion). 

Elegant swan or duck out of water?

Whether your company has its GDPR compliance under control or has some way to go on its compliance journey, we’d be happy to offer you a free 30-minute GDPR consultation to identify the right solutions for you.

Further Information

Three lessons learned from a data breach

Paying the piper: what we learned from the British Airways fine

Encryption: the last line of defense