Brexit will make no difference to the need to comply with GDPR

Computer Weekly Online - Bob Tarzey

Most organisations will now be aware that the EU’s General Data Protection Regulation (GDPR) is already law and will be enforced from 25 May 2018.

All businesses that currently process and store data regarding EU citizens should review the need to continue doing so. Where the activity is to be carried on, then the processes and applications involved should be checked for GDPR compliance.

Perhaps the most important thing to note is that GDPR is as much about process administration as it is about data security. The mass of organisations that process some personal data are still considering how to respond to the regulations.

The primary target of GDPR is undertakings; the processing of personal data relating to EU consumers as part of an economic activity. An undertaking may not be your organisation’s primary activity, but a worthwhile one that you want, and as such must continue compliantly.

Brexit will make no difference

The UK aims to cease being an EU member on 29 March 2019. UK-based organisations will therefore face a 10-month period of compliance enforced by the EU itself. However, the terms of the General Data Protection Regulation will pass into UK law unless the government specifically repeals it.

GDPR enables data subjects to take back control of their data, so it would be hypocritical of Brexit advocates, who used the same slogan, to suggest UK citizens should have less control of their own data than their EU counterparts. Furthermore, the UK’s Information Commissioner’s Office took a lead in defining GDPR and, as it stands, supports its core principles.

Tool up for GDPR

With enforcement of GDPR looming, almost every IT supplier has something to say about it. This ranges from the highly relevant, such as data processors stating that their services and applications are compliant, to vague buy-me-too claims from suppliers with only peripheral relevance. The lists are long, so we have only included a few examples in this buyer’s guide, mainly suppliers that provided input. The first stop should be to consult the suppliers your organisation already works with.

Few organisations will be starting from scratch. Data protection laws have been in force in most EU countries for about 20 years. Many will have the basics in place. Many will also be complying with other regulations and standards which overlap with GDPR, for example the Payment Card Industry Data Security Standard (PCI DSS). For some, this will amount to what Quocirca terms a compliance-oriented architecture (COA). If this is the case, your organisation has a good starting point, and may not need many adjustments to comply with GDPR.

Standards organisations are also providing guidance. The ISO27000 forum provides a mapping of GDPR to the ISO27001 data protection standard. In the UK, the British Standards Institute (BSI) has a new edition of BS-10012, a framework for a personal information management system that is GDPR compliant.

Privacy by design and by default has a concept of minimisation at its core. This is that only the minimum amount of data is held to complete the task at hand. So, the first activity should be to identify all the undertakings an organisation has that involve the processing of personal data regarding EU citizens, and assess whether that data really needs collecting, storing and processing in the first place.

Where the processing of personal data is deemed unnecessary, it can be stopped altogether – and historic data deleted. For example, market research data may include the names of individuals where their company name will suffice, or home IP addresses may be collected unnecessarily by an internet of things (IoT) application. Stop the collection of personal data and the applications and processes become out of scope for GDPR compliance.

If it is concluded that the data processing must continue, the risk may be such that a data protection impact assessment (DPIA) needs to be conducted.

For info here: