The UK Government recently released the first draft of the much-anticipated Data Protection Bill (DPB), which aims to replace the outdated Data Protection Act of 1998. The DPB firmly demonstrates the UK Government's intent to implement the much-hyped GDPR within the UK. For many, this comes as no surprise, and they welcome the streamlining and enforcement of the policies, processes and security surrounding individuals' data privacy. But for others who thought Brexit would exempt them from GDPR (despite a great deal of indication to the contrary), this is likely to be a shocking realisation: they can no longer ignore GDPR and must begin the painful steps towards compliance.
Almost immediately after the release of the draft DPB, social media was on fire with negative comments, feedback and opinions (perhaps giving the GDPR a brief relief from scrutiny). Some of the more prominent views focused on how badly the document has been written (despite it being a draft) and how difficult the wording is to understand (despite it being a legal document), especially for the average person.
What to focus on
Following the nitpicking and microscopic analysis of DPB, it is worthwhile to keep the following points in mind:
● Focus on what is being said, not how it is being said. Similarly, look at the big picture of what GDPR and DPB are trying to achieve: Data protection.
● The GDPR and, correspondingly, the DPB describe what needs to be done for compliance, but are not prescriptive about how it should be done. This is actually a good thing, since no two businesses are the same, and as such they will not manage their compliance in the same way.
● Data privacy and its associated best practices are nothing new. Best-practice policies and procedures have been recommended as part of the larger Enterprise Risk Management discipline for many, many years. Following on from this, modifying and updating organisational policies and procedures to adhere to the new mandates should not be the end of the world.
● Compliance with GDPR and/or DPB - or any other regulation for that matter - is not a tick box. One cannot buy compliance. There is no silver bullet. Compliance is an ongoing, cyclic process which requires work and effort from all stakeholders. Each organisation must take a good look at itself and understand what it does, how it does it, and why it does it.
● Compliance with GDPR, DPB or otherwise is actually a good thing, even (or maybe especially) for the businesses being affected. It ensures their policies and procedures are up to scratch, which reduces risk and, ultimately, cost.
The big picture
The DPB is a draft, and it is going to change. Organisations should start preparing for it (if they haven't already by virtue of the GDPR), but being bullied by fear mongering and misinformation into purchasing all kinds of IT tools to "make" a business GDPR or DPB compliant is futile, especially if the business does not understand why, where and how these tools should be deployed. Such tools only assist in the ongoing compliance cycle, and even then they will not be effective until the why, where and how questions have been identified and answered.
In summary, data privacy compliance is here to stay, and it will ultimately benefit all stakeholders. Focus on the big picture of what GDPR and DPB are trying to achieve, not the minutiae of a document. The idea behind the GDPR and DPB is to show that your organisation is working towards compliance and to provide supporting evidence. Remember the adage: Rome was not built in a day.
Contributed by Marco Dos Santos - Security Engineer, Neupart GRC
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.