Sorry for not posting for some time, but 2016 has been such a topsy-turvy year regarding progress with organisational Cyber Security. It started with the announcement that the EU was going ahead with its new, stronger, data protection regulation (GDPR). This would (of course) include the protection of personal data in the UK. Stronger meant, amongst other things, that organisations could be fined up to 4% of annual turnover for data breaches, and data subjects would have to be informed about a breach within 48 hours!
I explained the new regulation, and how it would affect organisations, in this document:
Just as this was sinking in, and some small businesses seemed to be accepting that they would need to improve their digital security, we had the EU Referendum vote, on June 23rd. The argument changed… no longer was it about preparing for the new legislation; it became about whether or not GDPR would apply in the UK at all, because of… Brexit.
Many had still not scrutinised the detail of GDPR. They were made aware that it would not come into force until 2018… and Britain would be well gone by then, right? So those businesses who were starting to make preparations for GDPR because “it will soon be law” could be forgiven for putting their plans on hold. Other organisations were preparing for GDPR because they knew it would be essential for participation in the Digital Single Market, but that’s another matter!
Finally, on October 24th, the Minister for the Department of Media, Culture and Sport (which includes cybersecurity!) cleared up the controversy. She announced that Article 50 would be triggered in March 2017 at the earliest, and departure from the EU would be in March 2019 at the earliest. That would mean that from early 2018, GDPR would be law in the UK. This would probably have generated outrage in the media, so it only got exposure in the computing and legal press. Nevertheless, it is pretty clear. Many organisations may still be unaware of Karen Bradley’s statement, but for completeness, here it is anyway:
“… I had a meeting in the Department for Exiting the European Union on Thursday with the Secretary of State. We went through a number of matters. An example might be the General Data Protection Regulation, which of course comes into effect in the spring of 2018. We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
The good news doesn’t stop there! Google have announced that the next release of their browser, Chrome, will be getting tough on web sites that don’t provide adequate security protection for personal and sensitive data. A very brave move, but long overdue? If you’re interested:
So… organisations not taking security seriously enough will be publicly named and shamed on two counts… by the browser (from January 2017), and by the law (April 2018). It’s too late for anyone to do very much now, but I can see that 2017 is going to be a very busy year for information managers in organisations! And perhaps people’s personal data will be a tiny bit safer.
Have a great Christmas, Everybody!