Rick Goud explores the data privacy issues that are likely to arise post-Brexit.
Recently we witnessed what could go wrong with regional data agreements when the EU’s highest court, the Court of Justice of the European Union, invalidated the EU-US Privacy Shield, deeming that it does not sufficiently protect EU data subjects.
Why is this relevant for UK data protection? Because this incident could potentially impact future data adequacy decisions countries - including the UK - seek with the EU.
GDPR post-Brexit transition
For the remainder of the Brexit transition period, taking us to 31 December 2020, UK organisations must continue to comply with the EU’s General Data Protection Regulation (GDPR), and should plan to do so indefinitely if they collect data on European contacts such as customers.
From 1 January 2021, however, the current GDPR will no longer be binding in the UK and new data protection legislation will be introduced. This transition can be done smoothly if the regulations are functionally similar. British lawmakers were, after all, involved in crafting the original GDPR, so any deviations should, ideally, be minor. And with organisations having enough on their plates nowadays, dealing with the challenges and uncertainty caused by Covid-19, lawmakers can help by limiting any changes to GDPR regulations in the UK to those that are strictly necessary.
Evolving data privacy standards
When it comes to data protection legislation, many of us tend to think purely in terms of the GDPR or UK Data Protection Act (DPA). But there is much more to be aware of than that, as regulations continue to evolve - in some cases, becoming sector specific. Industries such as healthcare and legal, for example, are rapidly adopting their own standards to facilitate secure digital communications for their individual needs.
We’ve seen this recently in the Netherlands, where a new standard for exchanging ad-hoc digital communications in the healthcare sector, known as the NTA 7516, was introduced earlier this year. Impacting health and public sector institutions that need to email data or transfer files securely, this standard outlines several measures to ensure privacy-sensitive, health-related information can be safely exchanged, digitally.
Also in the Netherlands, there was an emergency ordinance issued in the Spring stating that all law firms and bailiffs are now allowed and recommended to use secure email for communication, instead of faxes and letters, for at least the duration of the Coronavirus pandemic.
The good news is that establishing sector-specific standards can help organisations transform how they interact with their contacts, while creating new opportunities and cost savings potential. You can expect to see more of this in the UK, the rest of Europe, and beyond, in the coming years.
Future-proofing data protection compliance
There are several steps organisations can take to help future-proof compliance in line with evolving data protection regulations. These include:
- Increase security awareness among users: A core requirement of standards including the GDPR, is the need to regularly train all staff on best practices for data handling and cyber-security hygiene. This should be done several times per year, at a minimum, to ensure it stays top of mind. Ideally this should be a combination of training and hands-on tools that help employees on the job.
- Apply measures to prevent human errors: The number one cause of data breaches consistently comes down to mistakes people make when emailing. Errors include sending the wrong attachment or emailing the incorrect recipient. These incidents may seem relatively harmless, and practically everyone is guilty of making such a mistake occasionally, but the impact can be highly consequential – incurring a financial penalty, for example, and damaging reputation. Being aware of the root causes of most data leaks (human error), can help organisations to identify appropriate solutions to enhance the security of their digital communication.
- Ensure the use of appropriate encryption and key management: GDPR is all about preventing unauthorised access. Encryption is one of the most recommended measures to ensure that. However, the challenge with encryption is key management. Make sure you are aware of who has access to keys to decrypt your data. Applying encryption but not protecting or limiting access to your keys defeats the purpose.
- Protect access to data with two-factor authentication: Next to encryption, two-factor authentication (2fa) is the only way to ensure that just knowing someone’s password is not enough to get access to their data. That goes both for an organisation’s employees, as well as ensuring that those who employees’ share data with, outside of the company, are required to use 2fa to access sensitive data.
- Secure outbound communications with a remote workforce: With so many people now working from home, enhancing overall communication security is becoming a top priority for organisations of all sizes. New risks must be effectively managed when so many more users are accessing the company network remotely, and often from their own personal devices, which can increase the likelihood of data leaks. Deploying a user-friendly secure email and file transfer solution can remedy the security gaps created by home working.
With the current pandemic causing extra data security risks, and the end of the Brexit transition period fast approaching, data protection and IT security professionals in the UK face many challenges in their efforts to comply with regulations such as the GDPR and DPA. By following the guidelines outlined above, however, they will be well-equipped to adapt to ever-changing data protection standards, as they continue to evolve.
Rick Goud is the CIO of secure communications company Zivver. Before co-founding Zivver, Rick spent six years as a healthcare consultant for Gupta Strategists. While there, he noticed a wide range of sensitive data – such as patient information, company performance, and legal documents - being frequently handled by employees. He realised there was a strong need for a secure communication solution to safeguard and manage such data (including for GDPR compliance) - and shortly afterwards, Zivver was born. https://www.zivver.com/
Main image courtesy of iStockPhoto.com