With under two years until the UK Data Protection Act 1988 is replaced by General Data Protection Regulation (GDPR), businesses need to get access to the right information about this new legislation to properly assess the impact it may have. It takes time to ensure a business is GDPR compliant, and many companies may need to consider substantial upgrades to their security and data storage systems in a short period of time.
As the second most targeted country for data breaches worldwide, UK organisations cannot afford to ignore the risks associated with data breaches. Regardless of the outcome of the Article 50 negotiation process and the UK's departure from the European Union, businesses need to take note of the implications of GDPR.
However, given the potentially lengthy process ahead of us – and often complicated data protection rules – many myths have arisen around the impact GDPR may have. By addressing them now, business owners can be as informed as possible when it comes to assessing their present security and understanding the steps they have to take going forward.
Myth 1: GDPR will become irrelevant to British businesses once the UK leaves the European Union
Following the result of the Brexit vote it was initially unclear whether the UK government would implement GDPR. However, despite this now being confirmed as the case, the uncertainty of when Article 50 may be invoked has led to businesses making slow progress toward becoming GDPR compliant.
Regardless of the outcome of Brexit negotiations, GDPR will apply to businesses that deal with customers within the EU, and businesses are advised to review their compliance sooner rather than later.
Myth 2: Responsibility lies with cloud and security providers – not the business
Any business that handles personal data will have to ensure it is compliant with the new regulations. This means that any business which processes data – regardless of whether it stores the data – will be impacted. Previously, businesses may have assumed that they could pass on the responsibility to their cloud and security providers to enable their compliance with data security regulations, but the onus is beginning to shift towards both providers and their customers to actively consider the security measures that are necessary to protect their data.
Myth 3: German data can't leave its borders
A myth that has re-emerged since GDPR was approved is that German data cannot leave its borders. But this is inaccurate – data can leave German territory if the correct process is followed. There are always restrictions on where data can go, how it can be used and who has access to it, but as long as a business is compliant with EU regulations as well as any country specific legislation, then Germany shouldn't be treated differently to other EU countries. For example, in the case of tax data, this may be stored outside of German borders so long as a copy of the original data still exists within Germany and the stored data is accessible by the applicable German tax authority.
Myth 4: Powerful countries like the USA can demand access to data in other countries
The myth that powerful governmental bodies can demand access to data stored in foreign countries is a very common one, but is inaccurate. For example, the US government recently demanded that Microsoft should hand over the data it stored in Ireland in relation to a specific customer, but like all countries, the US had to follow due process when Microsoft filed an appeal against this. The US courts decided that the legislation on which the US government was relying when making the request was not designed for the purpose demanded by the US government. Although this leaves a wider issue to be debated, it's clear that governments cannot operate freely outside of their own jurisdiction.
This myth feeds off the worries around data localisation where customers are naturally concerned when they do not know where their data is being kept. As news of large businesses and governments requesting access to foreign data becomes more frequent, the demand for clear legislation and regulation will help reassure customers that only those that have been granted permission maintain control and access to their data.
Myth 5: My business encrypts its data, so I'm compliant with security regulations
It has been known for some businesses to assume that by simply deciding to encrypt data it's therefore secure. Unfortunately, encryption alone may not be sufficient and may not necessarily prevent accidental loss of data. Businesses need to consider the value of their data as a whole and determine how to treat that data to both enable their own profitability and ensure its safety for their customers. Encryption should be regarded as one of many standards available, with alternative mechanisms also being considered for securing data and minimising its loss or misuse.
As more customers become security-savvy, and ask about security measures beyond encryption, businesses need to consider alternative methods to enable them to secure data. Simply deleting data that is no longer needed is an obvious mechanism that many businesses tend to overlook.
Contributed by Lillian Pang, senior director of legal and data protection officer, Rackspace