One of the key themes of James Dipple-Johnstone’s September 2018 speech to the CBI Cyber Security Business Insight Conference was how much had changed in the data protection world in the period since last year’s conference.
The first point made by the Deputy Commissioner (Operations) at the Information Commissioner’s Office (ICO) was that data security and data privacy cannot be treated in isolation. Mr Dipple commented:
“Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorized third parties.”
Few in his audience would need to have been reminded that the General Data Protection Regulation (GDPR) and the associated UK Data Protection Act 2018 are now law. He highlighted that the ICO has drawn up a Regulatory Action Plan, explaining how the UK data protection watchdog will use its new regulatory powers, and that the Plan should be approved by Parliament before the end of the year.
Turning directly to the subject of cybersecurity, Mr Dipple remarked that there were four major things that the ICO would consider as being “appropriate security measures under the GDPR”. These are:
- Managing your security risk
- Protecting personal data against security attack
- Detecting security events
- Minimising the impact of breaches when they occur
When things go wrong, the ICO expects firms to engage with the authorities. The Deputy Commissioner highlighted the benefits of such an approach when he said:
“As our regulatory action policy explains, where you engage proactively to protect customers and the public the ICO will take that into account both in the type of regulatory response and also the scale of any enforcement action. This includes consideration of any mitigation where you have reported voluntarily to the [National Cyber Security Centre] and engaged their advice.”
The next section of his speech highlighted two key points: firstly, that directors and senior management need to take responsibility for data security within their firms, and secondly that the ICO does not always take formal enforcement action when things go wrong. Here, Mr Dipple said:
“As a regulator the ICO does not seek perfection even if to some it may feel like that. We seek evidence of senior management and board level insight and accountability. We seek evidence of systems that provide a robust level of protection and privacy. The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance. For every investigation which ends in a fine, we have many audits, advisory visits and guidance sessions. That is the real norm of the work we do.”
His next point was to dispel two myths: that GDPR requires every data breach to be reported, no matter how small; and that GDPR would lead to enormous fines for non-compliance becoming the norm.
Nevertheless, he did highlight deficiencies in the breach reporting of some firms. He asked his audience to note that the timescale for reporting a breach is 72 hours, and that this really does mean three days, and not “72 working hours”, as some organisations have interpreted the new requirement.
Mr Dipple highlighted that around 20% of reported breaches involved cyber incidents, and that almost half of these relate to phishing attacks.
In the last section of his speech, he mentioned issues such as:
- Issues over firms not following their own documented procedures
- Ensuring staff have regular refresher training on data issues
- The importance of firms making sufficient investment in security
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article