Data and digital privacy laws don’t change very often, but the online world has evolved a great deal since the Data Protection Act of 1998. An overhaul of the EU rules has therefore been long overdue, and the replacement is arriving in the form of the General Data Protection Regulation (GDPR).
The GDPR will apply in the UK from 25th May 2018; the Information Commissioner's Office (ICO) publishes more detail. In addition to the moral and ethical reasons to handle data responsibly, the financial penalty for getting it wrong increases significantly. At the moment the ICO can impose fines of up to £500,000; under the GDPR the maximum rises to €20m or 4% of annual worldwide turnover, whichever is higher.
My understanding of the intention behind these changes is to support and encourage online trading. The digital economy is a high-growth area, and if individuals have confidence doing business online, that confidence helps everyone and fuels growth in the market.
How does Brexit affect GDPR?
The UK will still be an EU member in May 2018, and the UK government has confirmed that the decision to leave the EU will not affect the applicability of the GDPR to UK organisations. There is some uncertainty about what happens post-Brexit. The Great Repeal Bill will convert existing EU law into UK law, and Parliament will subsequently choose which of those laws to discard. That may or may not include the GDPR, but the regulation also applies to organisations outside the EU that offer goods or services to individuals within the EU. So if a business expects to keep trading with EU businesses and residents after Brexit, it should expect to keep operating under the GDPR.
Where should I start?
It’s important to get the right people involved early, and you may be required to appoint a Data Protection Officer (DPO) if you don’t have one already. Microsoft has published a document on preparing for the GDPR that sets out a five-step process to get started:
Discover – Identify what personal data you hold and where it resides
Control – Manage how personal data is used and accessed
Protect – Establish security controls to prevent, detect and respond to vulnerabilities and data breaches
Report – Action data subject requests and keep the required documentation
Review – Analyse your data and systems, stay compliant and reduce risk
How can technology help?
Many customers store critical, sensitive data in their database platform, and increasingly in the Cloud. As with most security initiatives, technology is only part of the solution: much of becoming compliant is about defining the right processes and getting people to adopt and follow them. Never before has a data culture been more important.
Several features of the Azure platform and SQL Server can help secure your data and support GDPR compliance. Data at rest can be encrypted with Transparent Data Encryption (TDE), and individual sensitive columns can be encrypted within the application using the Always Encrypted client driver, so that plaintext never reaches the database engine. Many customers will also be required to deploy auditing, which is supported for SQL Server databases and for Azure SQL Database. Firewall rules that restrict which addresses can reach the database, and Azure Active Directory authentication for robust identity management, will be vital. Finally, the Cloud offers threat detection for Azure SQL Database that can surface suspicious access patterns; it does not satisfy the GDPR breach notification obligation by itself, but it gives you the early warning you need to run the notification process within the required timescale.
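As an added example (not code from the original post or from Microsoft's guidance), the T-SQL below enables two of the SQL Server controls mentioned above on a hypothetical database: Transparent Data Encryption for data at rest, and a server audit with a database audit specification that records every read and write of a personal-data table. The database name `GdprDemo`, the table `dbo.Customers`, the certificate and audit names, the file paths and the placeholder passwords are all assumptions for the illustration. This is the on-premises / IaaS SQL Server syntax; Azure SQL Database has TDE on by default and configures auditing through the portal or its management API rather than `CREATE SERVER AUDIT`.

```sql
-- Added example: TDE and auditing on SQL Server for a hypothetical GdprDemo database.
-- All object names, paths and passwords are placeholders (assumed, not from the post).

-------------------------------------------------------------------------------
-- 1. Encrypt data at rest with Transparent Data Encryption (TDE)
-------------------------------------------------------------------------------
USE master;
GO
-- The database master key protects the certificate; the certificate protects the
-- database encryption key (DEK). Use a real secret, not this placeholder.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for GdprDemo';
GO
-- Back the certificate and its private key up immediately and store them off-box:
-- without this file an encrypted database cannot be restored anywhere else.
BACKUP CERTIFICATE TdeCert TO FILE = 'C:\Backup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-private-key-password>');
GO
USE GdprDemo;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE GdprDemo SET ENCRYPTION ON;
GO
-- Check: encryption_state 3 means "encrypted"; 2 means encryption is still in progress.
SELECT DB_NAME(database_id) AS database_name, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO

-------------------------------------------------------------------------------
-- 2. Audit access to personal data
-------------------------------------------------------------------------------
USE master;
GO
-- A server audit defines where events are written. ON_FAILURE = FAIL_OPERATION makes
-- the audited statement fail if the audit record cannot be written, so access to
-- personal data never happens "off the record".
CREATE SERVER AUDIT GdprAudit
    TO FILE (FILEPATH = 'C:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 10)
    WITH (ON_FAILURE = FAIL_OPERATION);
GO
ALTER SERVER AUDIT GdprAudit WITH (STATE = ON);
GO
USE GdprDemo;
GO
-- The database audit specification says what to record: every SELECT, INSERT,
-- UPDATE and DELETE against the customer table, by any principal (BY public).
CREATE DATABASE AUDIT SPECIFICATION GdprDataAccess
    FOR SERVER AUDIT GdprAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO
-- Read the audit trail back. This is the evidence you need both for data subject
-- requests (who accessed what) and for investigating a suspected breach.
SELECT event_time, server_principal_name, database_name, object_name, action_id, succeeded, statement
FROM sys.fn_get_audit_file('C:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```

Two design points worth noting. TDE protects the data and log files and backups on disk, but anyone who can authenticate to the database still sees plaintext, which is why it is paired above with auditing and why the text mentions Always Encrypted for columns that must stay opaque even to a DBA. The audit is written to a file rather than the Application log because the `FAIL_OPERATION` setting only gives you a guarantee if the target is reliable; keep the audit directory on a separate, access-controlled volume.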