
Heavyweights speak out on cyber security and data protection

David Bicknell Published 14 September 2017

CBI event sees Hardie call for EU transition deal on data, ICO Elizabeth Denham discuss GDPR data breach reporting and NHS readiness, and NCSC’s Ciaran Martin urge the importance of the user

 

Three heavyweight speakers on security and data protection yesterday highlighted how important it is for public and private sector organisations, and for government, to get to grips with cyber security and data protection.

CBI deputy director general Josh Hardie, Information Commissioner Elizabeth Denham and National Cyber Security Centre chief executive Ciaran Martin all laid out at the CBI’s National Cyber Security Conference how closely they were working together and how their thinking was similar.

Adequacy

Discussing future data protection laws and the relationship with the European Union, Hardie described data as the currency of our modern economy. 

“The UK government has taken the right steps by introducing the new Data Protection Bill and committing to the EU General Data Protection Regulation (GDPR),” he said.

“But in the long-term, we need an ‘adequacy decision’ with the EU, where the UK can prove our data laws and business environment meet EU standards.”

He continued, “Adequacy is the gold standard for data flows and is proof that a country has a business environment that really protects data.  But unless the Brexit negotiations find another way, getting such a deal would mean first becoming a ‘third country’. In other words, we’d need to leave the EU before that process could even begin. 

“The last major data deal between the EU and a third country was with New Zealand and that took four years.  We don’t have four years.  We can’t afford to wait for that deal to be made because businesses are facing decisions today.”

He added, “We currently have clear data laws based on clear agreement with the EU. But with no deal on Brexit, that certainty disappears.

“Without a firm legal basis for data processing, we risk leaving business leaders scratching their heads, facing fines on one hand and extra costs to comply on the other. 

“With Brexit on the horizon, the UK is approaching a data cliff-edge. GDPR comes into force on 25 May next year - just 44 weeks before we leave the EU. So, when the clock strikes midnight on March 29 2019, we need a bridge to the new future which keeps things simple, minimises disruption and maximises continuity.

“We need to get the right transition deal on data in place that will protect our data-driven businesses, that is part of a wider transition deal.  A deal that allows businesses to carry on doing what they do best, creating jobs for real people in communities across the UK.”

Denham concurred, saying, “That was a powerful message, Josh. There’s not much light between us in terms of what I’ve been advocating for as well which is uninterrupted, safe, data flows between the UK and the EU. And you won’t be surprised to know that there is no light between Ciaran and I as well.”

Discussing cybersecurity and data protection, Denham said the two topics were inextricably linked.

“Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorised third parties. As a result, all modern data protection principles include an obligation to protect information and security has been recognised in every significant codification of data protection, including the EU General Data Protection Regulation and the Data Protection Act.”

Denham said she had concern for UK citizens “who feel like they’ve lost control of their personal information.”

She pointed to new figures from the annual ICO survey that show that only a fifth of the UK public report having trust and confidence in companies and organisations storing their personal information.

“That’s 80 percent of potential customers that don’t trust private companies, businesses like yours, with their details.  That shocks me and I suspect it shocks you. As the UK’s data protection regulator it’s my job to protect the information rights of citizens and ensure that privacy works hand in hand with innovation in today’s evolving digital economy.”

GDPR’s enhanced rights for individuals

Denham argued that the new Data Protection Act, a bill for which will be published tomorrow, and GDPR were a “massive opportunity for cybersecurity and for everyone in this room.”

“Not only does it bring the issues into the boardroom,” she said, “but we believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”

She also signalled that worrying about big fines and ‘crippling financial punishment’ for GDPR misses the point. “GDPR is about enhanced rights for individuals,” she said.

Denham insisted that she appreciates the challenges organisations are working under.

“Budgets are tight, technology is moving fast and there’s the race to keep up with competitors. But data protection law needn’t be onerous if you adopt privacy by design and sound cyber security at the outset of a project. Don’t treat them as an afterthought. Don’t bolt them on,” she warned.

She continued, “The new data protection reforms can be summarised in three main areas - transparency, control and accountability. The new law requires you to be transparent and tell people what you will do with their data. You then have to stick to what you said. Finally, and this is the strengthened part of the law, you should be prepared to account to the regulator and your customers for what you have done.

“Businesses will need to be able to show reporting structures, risk assessments and mitigation measures, who is responsible for what within the business, and these records need to be up-to-date, accurate and comprehensive. They need to be available for the ICO if an incident occurs.”

On GDPR breach reporting, she said, “Some of you may have already noticed I’ve been blogging to bust some of the myths that have grown up around the GDPR. My most recent blog was around data breach reporting. I can tell you right now that businesses will not need to report every single personal data breach to the ICO.

“However, it will be mandatory to report a personal data breach under the GDPR, but only if it’s likely to result in a risk to people’s rights and freedoms. Pan-European guidelines will assist organisations in determining the threshold for reporting, but all of you can start now to develop a sense of what constitutes a serious incident in the context of your data and your own customers. You will also need to consider whether a breach triggers notice to affected individuals.”

She added, “Another myth we’re looking to dispel is that the law is all about punishing organisations. Personal data breach reporting has a strong public policy purpose. The law is designed to push companies and public bodies to step up their ability to detect and deter breaches.

“The public need to have trust and confidence that a regulator is collecting and analysing information about breaches. It will help organisations get data protection right now and in the future.”

The NHS’ lack of readiness for GDPR

After her presentation, Denham discussed the NHS’ efforts to ready itself for GDPR.

She said, “Well, the NHS, like many public sector organisations, is struggling with legacy systems, and the private sector is struggling with them too. So I think that is a real challenge for government and particularly for the NHS.

“How ready do I think the NHS is for GDPR?  It’s not. It’s not entirely ready for it,” she said. “But there have been efforts that have been put in place to improve practice, to do education. Obviously the WannaCry ransomware was a massive wake-up call to the NHS and other public bodies.”

Asked about the three pieces of advice she would give to NHS executives, she said, “Training, basic cyber hygiene and cyber security. I think that’s really, really important. And also inviting in third parties to do audits. I know there’s a lot of work going on post-WannaCry. I think that’s a really good thing. I’ve had the opportunity to talk to the minister responsible and to some NHS trusts as well.”

In his remarks, Martin suggested that from the corporate perspective, compliance with the new regulations will be a very big priority in the coming year.

But, he added, “Let’s not lose sight of what we are learning about what makes for an effective corporate response. Companies are well used to thinking about risk and security in a very sophisticated way. But when it comes to cyber, that clear-headed approach seems to disappear.”

He continued, “Cyber security, we know, is still shrouded in mystique and conversations around it are designed not to dispel fear and panic. This might be why over a fifth (22%) of organisations’ senior managers are never given an update on cyber security issues.

“Here are some questions you might ask at your board, or if you are CISO, ones you should expect to be asked: what is on our network that we most care about? How can the services that depend on it be disrupted? Who has access to it? Who administers it? Are they using the same Internet-facing account to administer the system as they are to do normal Internet-facing business? (If the answer is no, check. If the answer is yes, count to ten and then do something about it.) Is the data backed up?”

The importance of the user

Martin went on to discuss the importance of the individual. “We haven’t always made it easy for our staff,” he said. “Only 20% of all businesses have had their staff receive cyber security training, or attend seminars, in the last year. And that isn’t a panacea. A 2014 survey found that even though 75% of its respondents ran ongoing awareness programmes, only 15% of the delegates exhibited the positive behaviours and heightened awareness the programme was designed to create.

“So, let’s get serious about understanding the human being in all this. Let’s stop talking nonsense about humans being the weakest link in cyber security: it’s a bit like saying the weakest link in a sports team is all the players.”

He added, “Academia is leading the way. I am an enormous fan of a study focusing on human factors by Shari Pfleeger, Angela Sasse and Adrian Furnham, which goes some way to addressing this.

“Human factors techniques can maximise human performance while ensuring safety and security.  Their key principle is designing technology that fits a person’s physical and mental abilities: fitting the task to the human. The authors say you should aim to get employees to cope without training.  At the very least, they tell us that what we have put in place for our staff must be usable. And I think that is the most important shift in thinking over the past year or so, the wider recognition of the importance of the user.”