What the new Data Protection Bill means for UK businesses

5 Sep 2017

The UK government published a “statement of intent” on data privacy and security this summer. The law, an updated version of the Data Protection Bill, will mirror the EU’s upcoming General Data Protection Regulation (GDPR) rules for data privacy and the fines for non-compliance. The UK law will likely go into effect in September 2017, which leaves organisations little time to meet the GDPR requirements by 28 May 2018.

About the Data Protection Bill

The new Data Protection Bill requires any organisation that collects or manages personal data to be accountable for that data. All data collection, storage, and management must prioritise end user privacy rights. Any organisation that deals with high-risk data processing must protect that data and allow end users to remove and transport their data.

Worryingly, one in 10 FTSE 350 companies (10 percent) do not currently have a response plan for dealing with a cyber incident. Less than a third of organisations’ boards have a comprehensive cyber risk plan. Only 6% of UK businesses are completely prepared for the new data protection rules, which makes the Data Protection Bill and GDPR deadlines even more important.

Bottom line: businesses must ensure their data is secure, private, and well managed or pay the price.

Unlike the GDPR, the UK law sets the national data protection regulator as the Information Commissioner’s Office (ICO). The ICO will have the power to defend consumer interests and issue higher fines. Organisations that do not properly protect personal data or fail to report security breaches can be fined up to £17 million or up to 4% of their global turnover. Previous laws set the maximum fine at £0.5 million.

According to the Government, the Data Protection Bill intends to:

  • make it simpler for users to withdraw consent for the use of personal data;
  • allow people to ask for their personal data held by companies to be erased;
  • enable parents and guardians to give consent for their child’s data to be used;
  • require ‘explicit’ consent to be necessary for processing sensitive personal data;
  • expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA;
  • update and strengthen data protection law to reflect the changing nature and scope of the digital economy;
  • make it easier and free for individuals to require an organisation to disclose the personal data it holds on them;
  • make it easier for customers to move data between service providers.

An Evolution of Digital Security

The DCMS has evolved from the Department of National Heritage (DNH), renamed the Department for Culture, Media and Sport (DCMS) in 1997, to today’s Department for Digital, Culture, Media and Sport, renamed on 3 July 2017. PM Theresa May’s government updated the name to reflect the department’s increased activity in the digital sector.

On 7 August the DCMS released a “statement of intent” to update and strengthen data protection laws. A new Data Protection Bill will mirror the EU’s General Data Protection Regulation (GDPR). Like the department, the law has evolved over time: the original Data Protection Act first came into law in 1984 and was updated in 1998. The proposed 2017 law will bring the EU’s GDPR into UK law, so data security will remain a priority regardless of Brexit.

How is the Data Protection Bill similar to GDPR?

The Data Protection Bill is designed to enact the GDPR into UK law. The Bill is very similar to the GDPR – it includes the famous “right to be forgotten” data removal requirements, “explicit consent” for collecting new data, and “data portability” for moving data between providers.

Another key similarity is the concept of “privacy by design/default.” Organisations must build applications and systems with data privacy protection built in.

What can you do today to prepare?

Re-evaluate access controls for IT teams and other departments. With cloud-based systems, it should be easier to implement strong password and authentication programmes. With access management tools, IT teams can also gain insight into which users require access to each service or application and apply the rule of “least privilege” to each.

Add encryption in-transit to any existing encryption best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

Prepare with security, but plan for a data breach. GDPR requires all organisations to report any data breach involving personal information within 72 hours of discovery. Along with controls to detect any unwanted network access, your teams should also have a plan to control and shut down any malicious actors.

VNS3 and data protection

VNS3 can help organisations meet data security measures for data privacy compliance. Even if your company is not located in the EU, your data might include information on a “data subject.” For organisations with large amounts of data, or data that travels between networks, the best option is to add encryption in transit, as described above: data travelling between cloud regions, over the public internet, and between organisation locations should be encrypted.

But, don’t just take our word for it! Use VNS3 in any cloud environment with our Free Edition. Try it today from the AWS Marketplace or Azure Marketplace.

Get in touch with our sales team for BYOL versions for other large clouds, custom pricing, or for a POC.