I remember when I first learnt about Data Protection…
Back then the technology was different. It was slow and limited, and only a relatively small group of people were capable of exploiting IT systems and affecting users and their data. Today, the world is a changed place, with technology now at the cutting edge of every area of business.
The Data Protection Act 1984, superseded by the Data Protection Act 1998 (which implemented the 1995 EU Data Protection Directive), was the first piece of legislation to have a real impact on the IT community. Both Acts introduced explicit rules, not in response to any particular incident but as a precaution to limit exposure to the new risks that technological change was bringing.
Little did those lawmakers know that it would form the backbone of an entirely new branch of law and become the main form of governance over a vast array of bold new ideas in the years that followed. Nor did they know that it would become the single most important law guiding a new generation of IT-literate adolescents known as ‘digital natives’. Soon, digital natives will have a new piece of legislation to protect them for another generation: the GDPR.
Going Native – A brief history of Data Protection
The next big law following the Data Protection Act came in the form of The Privacy and Electronic Communications (EC Directive) Regulations 2003.
This law followed a run of high-profile events: the Napster court case (decided in 2001), a spate of computer worms and internet-borne viruses, and the rise of the Trojan Horse, malicious software masquerading as something benign, in most cases arriving as an email attachment or a digital advert.
In January 2003, following a single worm outbreak, it was reported that over a quarter of a million computers had been infected in a single day. This was quickly followed by the realisation that such an attack could turn the infected computers into relays for sending out unsolicited email advertising, what we would now call a spam botnet.
This prompted many senior figures within the IT industry to take note, and researchers at Johns Hopkins University and AT&T Labs demonstrated that a victim’s name and address could be entered automatically into thousands of online forms across the internet, burying them under an avalanche of junk mail.
These regulations, however well intentioned, have had little impact on many businesses since they were introduced. They prohibit unsolicited electronic direct marketing, including text alerts, emails and automated phone calls, unless the recipient has first opted in.
In principle the idea is a good one, but the sheer number of companies sending such communications has made it extremely difficult to single out and prosecute individual offenders. This has left the law largely unenforced and therefore ineffective at slowing the volume of spam.
Jump forward to 2008
To combat the real threats to their businesses and customers that were emerging, companies took matters into their own hands. The card brands worked together to create a basic common standard for securing card payments: the Payment Card Industry Data Security Standard (PCI DSS), first published in 2004 and revised as version 1.2 in 2008. It took the practical approach of protecting cardholder data wherever it is processed, transmitted or stored, not only in web-based payments, and set standards for the systems and places where that data is kept.
This approach, required by all the major card brands, forced companies to take responsibility for six control objectives wherever cardholder data was involved: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management programme, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
The only significant change to data protection law in this period came from a single provision of the Criminal Justice and Immigration Act 2008, a wide-ranging criminal justice statute, which gave the Information Commissioner the power to impose monetary penalties for serious contraventions of the data protection principles (a power later capped at £500,000).
Now, thirty-three years after the original legislation of 1984, the antiquated Data Protection Act is finally being replaced. At last we would see a shift from a world of kilobytes, megabytes and floppy disks to one of gigabytes, terabytes and HD streaming.
The replacement is not a UK Act at all but an EU regulation with a suitably important-sounding name: the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. Adopted in 2016, it consolidates the patchwork of national implementations of the 1995 Directive into a single set of rules that apply directly right across Europe.
The GDPR is a regulation adopted by the European Parliament and the Council of the European Union, on a proposal from the European Commission, to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. Its primary objectives are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the rules within the EU.
After years of debate, procrastination, delay and compromise, the EU had been somewhat lacklustre in enforcing real change in the arena of data protection. This regulation marks a change in approach.
This new set of regulations not only sends an important message to those looking to exploit newer technologies, but also brings harsher regulatory control over a significant geographical area.
The regulation contains clear obligations for large businesses: assessing high-risk processing before it starts (through the new Privacy Impact Assessment (PIA) process, which the regulation itself calls a data protection impact assessment), notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it (which in practice means having a breach response plan ready), and, for public bodies and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, appointing a Data Protection Officer, who cannot be dismissed or penalised for doing that job. The existing restrictions on transferring personal data outside the EU are retained. There are also changes to data collection: consent must be given by a clear affirmative action, so opt-ins must be actively selected rather than pre-ticked, and the same standard of consent applies to the cookie banners required under the separate ePrivacy rules. Consumers gain a new right to object to profiling, meaning the automated evaluation of personal aspects such as behaviour, interests or location, including where it is used for direct marketing.
Companies operating in several EU countries will also deal principally with a single lead supervisory authority, the regulator of the member state where they have their main establishment, rather than with a separate regulator in each country: the so-called ‘one-stop shop’.
The largest and most important change is the increase in penalties. Serious infringements, including failures of the obligations that lead to a data breach, can now attract fines of up to €20 million or 4% of annual global turnover, whichever is higher (with a lower tier of €10 million or 2% for other infringements).
What isn’t included?
What is not really present in the new regulation, however, is much thought for consumer protection beyond data rights, for specific threats such as ransomware, or for the technology of tomorrow, especially now that big data is a huge issue.
The subject of employee devices in the workplace (BYOD) is also not addressed, nor the impact of mobile technology or mobile app security, which are red-hot topics right now. In short, this new set of rules brings plenty of red tape and, in the grand scheme of things, quite an old-fashioned approach to data protection.
When does it take effect, and what about Brexit?
There are two key changes taking effect on 25 May 2018 of which businesses and consumers need to be aware. If you trade internationally, note that the regulation harmonises requirements across the EU rather than exempting organisations that trade from outside it: it also applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. Brexit and the UK’s move away from the European Union have no effect on this. The UK will still be a member state on 25 May 2018, and afterwards UK companies dealing with EU customers remain in scope, so they must adhere to the GDPR’s compliance standards or risk significant fines if they breach the new rules.
- The Right to Object to Profiling.
Under the new rules, consumers gain the right to object to their data being used for profiling. Profiling is broadly defined as any automated processing that evaluates personal aspects of an individual, which includes most forms of online tracking and behavioural advertising. The regulation requires that: a. the individual is told that profiling is taking place and, where it drives automated decisions, what logic it uses and what consequences it may have; and b. where profiling leads to decisions with legal or similarly significant effects on the individual, a PIA is carried out first. An objection to profiling for direct marketing must always be honoured.
- Mandatory Privacy Impact Assessments (PIA)
Businesses will be required to perform a data protection impact assessment (the GDPR’s term for a PIA) before carrying out processing, in particular processing using new technologies, that is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the processing.
In particular, a PIA will be required for: (a) a systematic and extensive evaluation of personal aspects of individuals by automated processing, including profiling, on which decisions are based that produce legal effects concerning the individual or similarly significantly affect them; (b) large-scale processing of special categories of personal data or of data relating to criminal convictions and offences; and (c) systematic monitoring of a publicly accessible area on a large scale.
Each national supervisory authority (in the UK, the Information Commissioner’s Office) will publish a list of the kinds of processing operations that require a PIA. A data controller may carry out a single assessment covering a set of similar processing operations that present similar high risks.
A Word on the Future of Data Protection
In 2017, the world is an exciting place, full of change, hope, opportunity and potential risk. It is also full of IT companies that are taking over the management of other organisations’ IT environments. With outsourcing now a viable option, and the majority of services delivered via the cloud, it will increasingly fall to those outsourcing companies to protect their customers from harm.
In many respects this means working proactively to protect the business market and having measures in place to ensure resilience against different types of threats, both those which exist now and those which will emerge in the future.
This change is critical to how companies manage their IT environments. Where companies used to be responsible for their own servers, backups, anti-virus and internet protection, now specialists set up these environments with the explicit aim of making them as hard to compromise as possible. Technology is shifting from a self-managed luxury to a necessity delivered as a service.
In the future it seems that the effectiveness of a data protection approach will rest on the level of business investment. From a consumer standpoint, the world will be a shaky place, full of grey areas and bad ideas, but as sharper controls hit the business world consumers may see some uplift in their protection, and perhaps a decrease in the number of active criminals in the cyber world.
It is easy to be all doom and gloom. The likelihood is that this problem will solve itself in the long term, but in the short term it will be an ongoing issue. While this new regulation will probably not change the world, it may prompt private companies to take matters into their own hands.
Why not learn more about IT Outsourcing and the Protection it provides?
Visit our outsourcing page or call us on 01268 627111 to learn more.