General Data Protection Regulation – Brexit changes everything! Or does it…

On 23 June the UK voted to leave the European Union (EU). This vote will change the UK's relationship with the EU, but how will it specifically affect the much anticipated General Data Protection Regulation (GDPR)? Karen Bainbridge, LRQA Information and Communications Technology Management Systems Assessor, discusses what the referendum result means for the GDPR in the UK.

What is the GDPR and what does it set out to achieve?

The GDPR is concerned with the protection of natural persons with regard to the processing of personal data and with the free movement of such data.

What does BREXIT mean to UK organisations with regard to GDPR?

As the UK has voted to leave the EU, there is no legal obligation to implement GDPR. However, the Information Commissioner's Office (ICO) has made it clear that the current Data Protection Act 1998 (DPA98) may have to be revised to bring it in line with EU Regulation 2016/679, to ensure that the UK is able to trade and work with members of the EU and other partners that sit within the European Free Trade Area (EFTA).

The ICO had prepared plans for the event of the UK leaving the EU, which include revisions to the DPA98 that will bring it in line with the GDPR requirements.

The Regulation 2016/679 framework would be the ideal model to provide a positive driver toward trade and free movement of data. Changes and implementation of any new data protection legislation in the UK would need to be effective by May 2018, which gives little time for the UK to implement changes.

As a framework, Regulation 2016/679 could be adopted by UK organisations now. Although not legally bound, they would then be in the best possible position to provide assurance of sound procedures for the protection of personal data come 2018.

With 25 May 2018 set as the commencement date for GDPR, the UK will have little time to consult on, draft and put into place an Act that is proportional to the GDPR. With this scenario in mind, the Information Commissioner could advise Government that the current GDPR is already a focal point for UK organisations, and that the timeline for the new data protection act should be reduced to ensure that it meets the timelines of GDPR.

Another possible scenario is that a mechanism similar to the EU-US Privacy Shield (when fully ratified) could be negotiated for the UK. As the EU published two directives at the same time as publishing the regulation in April 2016, this is a less likely scenario. One of these directives focused on data privacy and sharing between law enforcement agencies across the EU, and one focused on the Passenger Name Registration (PNR); both require EU member states to put legislation in place to facilitate their needs. The UK therefore must ensure that it is able to share data between law enforcement agencies in the EU, but in doing so it must meet the needs of the GDPR on which both directives are based.

To this end, the UK is more likely to adopt legislation that is directly linked to the GDPR, but the timelines for commencement will no doubt be a challenge that drafters and the Regulator will have to consider.

How does GDPR differ from the Data Protection Act 1998?

There are considerable differences between the DPA98 and GDPR. The GDPR is explicitly risk based (risk is mentioned some 75 times throughout the regulation), the risk being to the fundamental rights of a person with regard to the processing of personal data – data controllers and processors must manage that risk.

In contrast, the DPA98 only implies the management of risk, mentioning it just 3 times.

Article 32 of the GDPR is quite specific on the requirements that Data Controllers and Data Processors must achieve with regard to the security of processing, with large fines in place for non-compliance.

What are the data protection principles set out in GDPR?

GDPR states 6 principles related to processing personal data. Central to these principles is the explicit requirement for 'accountability'.

GDPR 6 Principles – personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

What must an organisation do to comply with GDPR?

  • Determine if the legislation is actually applicable. In all likelihood it will be.
  • Break the GDPR down into Recitals and Articles.
  • Ask the question: is the organisation a data controller, joint data controller and/or data processor?
  • Identify the pertinent data and information assets.
  • Determine criticality and sensitivity – is there a classification scheme in place?
  • Conduct a gap analysis against the framework of the Recitals and Articles.
  • Review the Risk Assessment process to ensure that it takes into account the requirements of the Regulation.
  • Apply measures.
  • Review.
  • Communicate and co-ordinate across the organisation.
  • Ensure policies and procedures are in place to reflect the requirements of GDPR.
  • Train staff.
  • Ensure there is a lead Data Protection Officer.
  • Be prepared to be audited by a 3rd party Certification Body, against a Certification Mark that may be implemented by the Regulator.
  • Ensure all key internal and external stakeholders are aware of the positive approach the organisation has adopted.
  • Ensure governing boards are fully aware of the likely fines (Chapter VIII, Article 83).

When does GDPR come into force?

The Regulation was made public on 27 April 2016 and shall apply from 25 May 2018, on which date Directive 95/46/EC will be repealed. It was this Directive (dated 1995) that instructed member states to put in place legislation around the protection of personal data – within the UK this became the DPA98.

The timeline for GDPR gives organisations 2 years to review the requirements and implement the necessary measures.

It also gives time (2 years or less) for member states to set up a supervisory body (likely to have been the ICO) overseeing the requirements set out in the Regulation. Coupled with this was the suggestion that member states implement a mechanism to create a Certification Mark to enable organisations to demonstrate compliance with the framework. The ICO had started work on this mechanism some 2 years ago.

For the UK, much of this is now redundant to some degree. However, the words of the ICO should be taken very seriously:

"If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018." 

"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO's role has always involved working closely with regulators in other countries, and that would continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary." 

ICO

How can ISO 27001:2013 help organisations become GDPR compliant?

ISO/IEC 27001:2013 is a framework (the Information Security Management System, or ISMS) that in essence requires a risk-based approach to the management of critical (time-bound – availability) and sensitive (privacy – confidentiality and integrity) data and information (primary assets) and their associated supporting assets.

The GDPR is about managing the risk to the fundamental right that a natural person has regarding personal data.

Both are risk orientated and require the identification of risk, and the planning and implementation of the necessary controls to modify risk to an acceptable level. The applicable controls are those outlined in Annex A of the standard, coupled with any sector-specific controls. The driver (or at least one of them) for sensitive and critical data and information is the GDPR.

ISO 27001 includes encryption of personal data and, as part of business continuity planning, the ability to restore and recover information and data in a timely manner. These are also key to GDPR compliance. Other key clauses in ISO 27001 directly related to GDPR compliance are:

  • Internal Audit (9.2)
  • Management Review (9.3)
  • Needs and expectations of interested parties (4.2)

How can LRQA help?

Information is essential in all organisations and it is becoming increasingly important to protect your data – the GDPR will make this even more vital.

According to the 2015 Information Security Breaches Survey, 90% of large organisations and 74% of small businesses have suffered some form of information security breach.

Implementing an Information Security Management System (ISMS) and gaining certification to ISO 27001 will present a number of benefits to your organisation and your customers.

We can help you achieve ISO 27001 certification through our training and gap analysis services.

ISO 27001 can help prevent an information security breach occurring; it can:

  • Minimise the risk
  • Ensure minimal impact
  • Ensure best practice
  • Reduce costs
  • Ensure legal compliance
  • Give a competitive edge

LRQA's range of ISO 27001 courses provides insight and guidance on how to successfully implement an ISMS, which will help mitigate risks including those associated with the processing of personal data.

  • Introduction to ISO 27001:2013 requirements
  • ISO 27001:2013 Implementation
  • ISO 27001:2013 Internal Auditor
  • ISO 27001:2013 Certification
  • ISO 27001:2013 Lead Auditor