Why UK-based companies are at a crossroads with GDPR [Q&A]

Data privacy regulation, GDPR, has been in force for five years but it will soon be superseded by UK GDPR. The Data Protection and Digital Information Bill, now wending its way through parliament, will see organisations move to a UK equivalent following the country's withdrawal from the EU. But what will the change mean in practice?

We spoke to Jon Fielding, managing director of EMEA at Apricorn, to find out how UK GDPR will affect businesses and how they handle and protect data.

BN: GDPR is now five years old. Has it achieved all it set out to do?

JF: The regulations are widely regarded as having set a gold standard in how to mandate data protection and have been looked to by other jurisdictions wanting to introduce their own laws. In that way, it's been something of a trail blazer, with Gartner predicting that 75 percent of the global population will be covered by privacy protection regulations by next year.

It's also been well enforced, with Information Commissioner's Office (ICO) handing out €3,987,196,353 in fines over its lifetime, and has taken on tech giants such as the mighty Meta, with the Irish Data Protection Commission levying two separate fines of €405m and €265m last year and a €1.2bn fine in May of this year.

But those fines also indicate that businesses have found compliance challenging. Breach reporting, for example, has gone up every year. A recent survey carried out by Apricorn found that 39 percent of organizations had notified the ICO of a breach or potential breach under GDPR and that this has increased year-on-year from 25 percent in 2020. And it's not because businesses are getting more conscientious because the number of organizations reported by somebody else was also up at 32 percent (compared to 21 percent in 2020, despite having dropped to 4 percent in 2022).

BN: GDPR as we know it is due to be replaced by UK GDPR. How will this differ from the current version?

JF: The hope is that there will be less red tape, making it easier for businesses to observe the regulations, focus less on compliance and more on implementing appropriate security controls.

There are a number of welcome clarifications. What can be considered 'personal data' is now much narrower. Essentially, if it is unlikely that a third party would be able to identify an individual from the data, that data no longer needs to be classed as PII. This will significantly reduce the compliance burden but just because data is no longer in scope does not mean that it should not be protected.

There's also much clearer wording on under what terms a business can prove it has legitimate reasons for processing. Plus, the new version addresses the thorny issue of Automated Decision Making (ADM) which is liable to become more pressing as AI becomes more widely adopted.

Secondly, those that aren't handling high risk data stand to benefit in three ways. They are no longer compelled to keep Records of Processing Activities (ROPA), do Data Protection Impact Assessments (DPIA) or to appoint a Data Protection Officer (DPO).

However, those that do carry out high risk processing must still keep a ROPA and appoint a Senior Responsible Individual (SRI). These requirements will still apply if you are a small business, with no exemption now based on size. The problem here is there is currently no definition of what constitutes high risk processing.

Other changes include the right to decline a Data Subject Access Request (DSAR) which is deemed excessive or vexatious, a risk-based assessment of data exports to other jurisdictions, and an increase in the fines associated with ePrivacy and cookie law which have now been brought into line with those of GDPR. The regulations are also likely to be overseen by an appointed board rather than just the ICO.

BN: Do the proposals put pragmatism before data privacy?

JF: There's been some criticism of the new proposals because they make it easier for companies to decline a DSAR and harder for data subjects to escalate a complaint (they must approach the controller first). There are less hoops to jump through but that also equates to less guidance. And some claim appointing a board to oversee compliance could see a conflict of interest arise when it comes to enforcing the regulations.

BN: Is UK GDPR better for businesses?

JF: It's still too early to say. The bill is still being debated in the House of Commons and then needs to pass through the House of Lords so could yet be amended. There are also other caveats to consider. How will high risk processing be defined and will it see the majority deemed in scope? If you are a deemed a low risk and choose to dispense with ROPA and DPIA, how will you prove due diligence? What we do know is that the proposals certainly put the business back in control of data protection and the focus is now not on compliance but developing good practice.

BN: How can businesses make the transition a smooth one?

JF: For many organisations that operate solely in the UK, UK GDPR promises to make life easier. But if you operate internationally and the EU is not satisfied that UK GDPR provides adequacy i.e., affords data the same level of protection then those businesses would need to continue to meet the demands of EU GDPR and gain little.

However, there are some who will experience significant disruption. Small businesses that were previously deemed out of scope who now need to comply, for instance, will be starting from scratch. They'll need to do what many did five years ago and assess their data protection processes, where the gaps lie and determine how they will comply cost effectively, which will mean implementing simple but effective controls.

For those businesses who already comply but who are deemed low risk, UK GDPR does indeed promise to streamline data handling. But they can't afford to take their eye of the ball. UK GDPR will have the same punitive fines as its EU equivalent so it’s in their interests to ensure data is adequately protected. That will mean addressing people, processes and technology.

Take, for example, device loss. Addressing this might start with security awareness training to reduce the prospect of lost or stolen devices, and in the event that this still happens, that those devices are protected through hardware-based encryption.

BN: In addition to observing GDPR, what can businesses do to improve data security?

JF: UK GDPR will enable the business to observe the regulations more flexibly. It will take the guard rails off and in doing so mark the end of an era of tick-box compliance, presenting us with an opportunity to focus instead on putting in place practical measures that prioritise data security.

In, fact in many ways, GDPR has failed to move with the times. Over the course of the past three years we’ve seen remote working become the norm and yet the latest Apricorn survey found that almost a quarter of organizations said remote working has made it even more difficult to comply with GDPR. This is because data is no longer safely housed on the corporate network but is being accessed over a variety of endpoint devices and over different networks. If that mode of access becomes compromised or the device loss or stolen, that data then becomes at risk.

The simplest way to address data risk, wherever it resides, is to use encryption. But in order to protect data remotely, it's important not to focus solely on the storage layer as this leaves other unprotected points vulnerable to attacks.

Unlike software-based encryption which can leave devices exposed to counter resets, software hacking, screen capture and keylogging, hardware-based encryption sees it built into the device. This provides far more robust protection and, if the device is held in a hardware crypto module, the encryption keys are protected from brute-force attacks and unauthorized access.

Compelling employees to use FIPS certified, hardware-encrypted mobile devices and enforcing this through policy and security awareness training makes it possible to implement encryption across the organization. In this way, the business not only ensures compliance but can also mitigate the risk of human error and stay ahead of cyber threats.

Image credit: [email protected]/depositphotos.com