
Security industry welcomes planned UK Data Protection Bill

The cyber security industry has generally welcomed planned UK data protection legislation, but some say it is hypocritical in the light of the Investigatory Powers Act

This article can also be found in the Premium Editorial Download: Computer Weekly: Tech takes the lead in the Tour de France

The government has announced the details of the planned UK Data Protection Bill as part of its commitment to update and strengthen data protection laws and bring UK law into line with the EU’s General Data Protection Regulation (GDPR).

The proposed legislation is set to deliver “much-needed” controls over personal data for individuals and provide confidence in digital businesses trading in personal data, according to Lawrence Jones, CEO of data hosting and cloud computing firm UKFast.

“The opportunity is arising for the UK to establish itself even further as a leading player in data analytics, datacentres and global data processing services. We’re in an incredibly strong position as we hold the highest privacy standards, but we need to keep that up after we leave the EU,” he said.

Jones said that in the light of Brexit, the government’s plan to deliver legislation at least equal to the GDPR is reassuring.

“Businesses are built upon confidence – confidence in suppliers, in each other and in the economy. Brexit has already caused a huge amount of uncertainty in the economy, so the last thing we need is confidence to fall in our abilities as tech leaders.

“Strong regulations like this help us to build confidence and to trade in the valuable currency of data, but the opportunity will only be realised if we maintain the same standards and inspire the same level of confidence in potential partners across the globe. We need to ensure the right safeguards are in place once we leave the EU in order to maintain and then strengthen our position,” he said.

Jason Hart, chief technology officer for data protection at security firm Gemalto and a former ethical hacker, said this overhaul of UK data protection law is a “crucial step” towards updating the UK’s approach to cyber security.

“By putting control of their personal data back in the hands of consumers, the pressure is on for businesses to ensure they are adhering to data protection laws. Those that don’t risk losing consumer trust,” he said.


Bringing UK law in line with the GDPR is important, said Hart, because it will dispel any uncertainty businesses had around data protection post-Brexit. “With the deadline for [GDPR] compliance fast approaching, there is now no reason for UK businesses not to be moving towards meeting these data protection laws.”

Dan Sloshberg, cyber resilience expert at secure email provider Mimecast, said the proposed bill reinforces the expectation that GDPR-style compliance is a vital requirement for UK businesses even with Brexit pending.

“In fact, post Brexit, demonstrating accountability around data protection may become a requirement to do business with Europe and its citizens. This is also a positive move for all individuals and citizens. The pressure is now on for organisations to be ready by [the GDPR compliance deadline] of 25 May 2018.

“Understanding the data an organisation holds is key to becoming compliant. Identifying where personal information is held and the processes around its capture and management is a logical place to start. Afterwards adjusting processes and evaluating technology to help secure and find information effectively and efficiently is key,” he said.

According to Sloshberg, businesses must also consider the importance of email in cyber security because nearly all company information, be it employee, business or customer-related passes through email at some point.

“Because of this, a compromised email server can leave an organisation in breach of new regulations, and to ensure data is protected, businesses must implement a cyber security and resilience strategy and update outdated email archives that hold GDPR-governed data,” he said.


Peter Carlisle, vice-president for Europe at Thales e-Security, said the planned UK data protection law highlights the importance of data protection today, not only for organisations that possess significant amounts of data, but also to ensure that consumers are safe in the knowledge that their data is secure.

“As the number of data breaches continues to rise, businesses must ensure that they are able to control where and how their data is stored – and have robust cyber security strategies in place to protect that data.

“With the introduction of these new laws and the upcoming GDPR [compliance deadline], it is essential that organisations are taking all the necessary steps to ensure that they are compliant with these regulations or else risk facing devastating consequences, not only from a financial perspective but for their reputation too.”

Greg Hanson, European vice-president for cloud at data management firm Informatica, said the proposed legislation means UK companies must have a comprehensive view over all the relevant data they hold.

“If a customer triggers their ‘right to be forgotten’ and the business doesn’t have a comprehensive data management strategy, it can’t guarantee to delete all the necessary information.

“With fines of £17m or 4% of global turnover for non-compliance, good data management just became an essential for all consumer-facing businesses. The price of non-compliance could be fatal.

“As a result, UK businesses need to identify which data will be subject to the new law and ensure that it can be easily accessed and deleted if needs be,” he said.

Data mapping

To achieve this, Hanson said UK businesses should map out all their data across the whole organisation, no matter where it is stored. “Many companies have built up vast databases of personal information over the years, so an automated data discovery system is essential – humans can’t process it all in time.

“A powerful automated data management strategy is essential if UK businesses are to gain the deep insight they need to ensure they are compliant,” he said.
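The discovery step that Sloshberg (“identifying where personal information is held”) and Hanson (mapping data across the organisation and locating it for a right-to-be-forgotten request) both describe can be illustrated with a small scanner. The following is an added example written for this page; it is not code from Computer Weekly, Mimecast or Informatica. The three “stores” are constructed in-memory samples standing in for a CRM table, a support-ticket export and a mail archive, and the regular expressions are assumptions tuned for that sample data rather than production-grade validators. It shows why free-text fields matter: the subject’s address turns up in a ticket body as well as in the CRM column, and a deletion that only looked at the CRM would miss it.

```python
"""Toy personal-data discovery, mapping and erasure pass (added example, not vendor code)."""
import copy
import re
from collections import defaultdict

# Constructed sample data: three stores, each a list of dict records.
STORES = {
    "crm": [
        {"id": 1, "name": "Alice Example", "email": "alice@example.com",
         "postcode": "SW1A 1AA", "dob": "1984-03-12"},
        {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
         "postcode": "M1 1AE", "dob": "12/05/1990"},
    ],
    "tickets": [
        {"ticket": "T-100",
         "body": "Customer alice@example.com reports login failure from 203.0.113.7"},
        {"ticket": "T-101", "body": "Refund approved, no further action"},
    ],
    "mail_archive": [
        {"msg": "m1", "from": "bob@example.org", "subject": "Address change",
         "body": "New postcode is EC1A 1BB, DOB unchanged 12/05/1990"},
    ],
}

# Detectors (assumed patterns for this example): name -> compiled regex.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
    "date_of_birth": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scan_value(value):
    """Return the set of detector names that fire on one field value."""
    if not isinstance(value, str):
        return set()
    return {name for name, rx in DETECTORS.items() if rx.search(value)}


def build_data_map(stores):
    """Map store -> field -> sorted list of personal-data types seen in that field.

    This is the 'where is personal data held' inventory. Free-text fields
    (ticket and mail bodies) appear alongside the obvious CRM columns.
    """
    data_map = defaultdict(lambda: defaultdict(set))
    for store, records in stores.items():
        for rec in records:
            for field, value in rec.items():
                data_map[store][field] |= scan_value(value)
    return {store: {f: sorted(types) for f, types in fields.items() if types}
            for store, fields in data_map.items()}


def locate_subject(stores, email):
    """List every (store, record index, field) where the subject's email occurs,
    including mentions buried inside free text."""
    needle = email.lower()
    hits = []
    for store, records in stores.items():
        for idx, rec in enumerate(records):
            for field, value in rec.items():
                if isinstance(value, str) and needle in value.lower():
                    hits.append((store, idx, field))
    return hits


def erase_subject(stores, email):
    """Return a copy of stores with the subject erased.

    Records whose 'email' column is the subject are dropped whole, because the
    other columns of that record (name, postcode, DOB) are also the subject's
    data. Free-text mentions are redacted in place, since the surrounding text
    may concern other people or be needed for unrelated reasons.
    """
    out = copy.deepcopy(stores)
    needle = email.lower()
    for store, records in out.items():
        kept = []
        for rec in records:
            if rec.get("email", "").lower() == needle:
                continue  # drop the whole structured record
            for field, value in rec.items():
                if isinstance(value, str) and needle in value.lower():
                    rec[field] = re.sub(re.escape(email), "[erased]", value, flags=re.IGNORECASE)
            kept.append(rec)
        out[store] = kept
    return out


if __name__ == "__main__":
    for store, fields in build_data_map(STORES).items():
        print(store, fields)
    print("alice held in:", locate_subject(STORES, "alice@example.com"))
    cleaned = erase_subject(STORES, "alice@example.com")
    print("after erasure:", locate_subject(cleaned, "alice@example.com"))
```

The data map is the artefact an auditor asks for; `locate_subject` is what a right-to-be-forgotten request needs, and the ticket body hit is the kind of location a manual inventory would miss. Real deployments would run detectors over database columns, file shares and archives rather than a dict, and would need per-country postcode and date formats, but the shape of the work is the same.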

Iain Chidgey, vice-president and general manager at international data firm Delphix, said the golden age of free data is over.

“The UK Data Protection Bill means the regulator finally has teeth. Data privacy is emerging as a basic human right,” he said. “The introduction of [stronger] punitive sanctions shows the UK is serious about protecting the public and enforcing data best practice.”

Under the current Data Protection Act 1998, the maximum monetary penalty the UK Information Commissioner’s Office can impose for a breach is £500,000.

“Companies that don’t do enough to protect consumers’ personally identifiable information (PII) face genuine penalties that will make them think twice. In fact, it is planning to go even further than the legislation put in place by the EU’s GDPR,” said Chidgey.

“People’s demands for the data privacy have changed. With data breaches and criminal hacking an everyday part of modern society, the public expect their data to be protected. However, change won’t happen overnight,” he said.

New technologies

Since the DPA was introduced in 1998, Chidgey said, smartphones, social media, online banking and ecommerce have all become prominent.

“This means businesses and governments are scrambling to establish processes and technology so they can care for PII and be seen as taking data security seriously. However, it’s only achievable if organisations have clear guidelines to follow and adequate time to replace or amend systems to comply with it,” he said.

David Emm, principal security researcher at Kaspersky Lab, said the proposed legislation will grant unprecedented rights for consumers to force social media websites and online companies to delete their data and take back control of their personal information.

“In combination with the incoming GDPR regulations being implemented by the European Union, there will be widespread changes in the coming years to the way organisations collect, store and process data.

“It is important that the general public embraces this new freedom and recognises the value of personal data – not just to ourselves but to would-be cyber criminals,” he said.

Although the proposed data protection law is designed to make organisations more careful with personal data, Emm said it is important that individuals know what information is being kept and how it is being handled, to reduce the likelihood of it falling into the wrong hands.

“Being vigilant online – whether when using a work computer, home laptop, mobile or tablet device – should be second nature. Undertaking simple steps, like regularly changing passwords, reviewing default settings on social media and using anti-virus software across all devices can significantly help protect data,” he said.

Building trust

Joe Hancock, cyber security lead at legal firm Mishcon de Reya, said transparency and openness are key to building trust in how businesses process data.

“Clearly telling customers how you collect their data and use it, in plain English, should go a long way to addressing many of the frustrations with data collection practices,” he said. “These laws are intended to protect individuals, not to penalise businesses: it’s entirely possible for businesses to collect and use personal data if it is done in a managed and open way.

“It is clear that privacy and security of data needs to be taken seriously. It seems that many businesses still do not budget for the effort required to do this properly. Getting the basics right and complying with regulation should prevent a lot of the problems we see today.”

Although it welcomes the government’s plan to bring UK data protection law in line with the EU’s GDPR, digital rights organisation Open Rights Group has some reservations.

The group said that while the proposed laws will strengthen everyone’s ability to control what data can be collected about them and how it can be used, those laws could be fundamentally altered after Brexit. “The Government must explain how these data protection rights will be guaranteed after the UK has left the EU,” said Javier Ruiz, Open Rights Group policy director.

“We are disappointed that UK ministers are not taking up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws.

“Citizens face increasingly complex data ecosystems. It is almost impossible for the average person to be able to know which organisations hold their personal data. Enabling privacy groups to take independent action will ensure consumers’ rights are properly enforced,” he said.

Conflict with UK Investigatory Powers Act

While the proposed data protection law is a step in the right direction, Simon Migliano, head of research at Top10VPN.com, said it appears to be at odds with the UK’s Investigatory Powers Act.

“However, it feels hypocritical for the government to be trumpeting these new data protection measures while at the same time being responsible for the IP Act or Snoopers’ Charter, that runs completely contrary to these proposals.

“Will the Government have to ask ‘explicit’ permission to harvest your data? Will you be able to ask them to view or delete the data the Government holds on you? I doubt it,” he said.

Migliano also said UK citizens should not rely on the government to look after their digital rights and data. “They should instead take responsibility for minimising their digital footprint through a combination of cautious, careful habits and technology,” he concluded.

Migliano recommends that UK citizens:

  • Browse the web with a virtual private network (VPN) and use private browsing settings – like the Incognito tab – to avoid capture of your IP address and placement of cookies.
  • Avoid websites and apps that ask for more information than is required to use them.
  • Be especially wary of entering personally identifiable information such as date of birth and postcode into unfamiliar sites.
  • Set up a secondary email for use on ecommerce sites, forums etc. so the account with your most sensitive information is not at risk when you share your email address.
  • Set social media to private where possible and avoid using Facebook login on other websites.
