The world is at a “critically important moment” for data protection, according to UK information commissioner Elizabeth Denham.
“It has been a rather busy few weeks at our office,” she told the closing session of the CyberUK 2018 conference in Manchester.
“The UK is playing a central role in a very public investigation of the allegations of data misuse by Cambridge Analytica involving Facebook user profiles of 87 million people across the globe, and allegations of the misuse of personal data in our elections.”
According to Denham, the Information Commissioner’s Office (ICO) is investigating this “serious issue”.
“Our investigation will be thorough, comprehensive and fair, and at the end of the day, it will be up to us to decide whether or not to take enforcement action,” she said.
Addressing the topic of privacy for the audience of cyber security specialists from across government, industry and law enforcement, the information commissioner said data security and data privacy have always been linked.
“Privacy depends on security,” said Denham. “All modern data protection principles include an obligation to protect personal data. And security has been recognised in every significant codification of data protection, including the current Data Protection Act and the EU’s General Data Protection Regulation [GDPR].”
But the pace and scale of the UK digital economy, combined with the new legislation, are reshaping the digital landscape in which the ICO operates, she added.
“Over the past year, my office has increased its focus on cyber security, to the extent that we now view it as the spine running through all of our work,” said Denham.
She added that there is a raft of new local and international data legislation that requires organisations to be transparent in the way they handle data and makes “data protection by design” a legal requirement.
“This means building data privacy and security into every part of your information processing, from the hardware and software to the procedures, guidelines, standards and policies that your organisation has or should have,” said Denham.
Next, the information commissioner emphasised that security is a boardroom-level issue.
“We have seen too many major breaches where companies process data in a technical context, but security gets precious little airtime at board meetings,” said Denham.
“If left solely to the technology teams, security will fail through lack of attention and investment. These companies may have the best policies in the world – but if those policies are not enforced, and personal data sits on unpatched systems with unmanaged levels of employee access, then a breach is just waiting to happen.”
While the ICO accepts that cyber attacks are a criminal act, Denham said organisations have a responsibility to take steps to protect themselves against cyber criminals.
“Had TalkTalk and Carphone Warehouse implemented rudimentary protections, attackers would not have gained access to their systems. If NHS systems had been patched and up to date, they would have been protected from WannaCry,” she said.
Building a security community
On the conference theme of “building a security community”, Denham said the ICO plays a role in building and maintaining four equally important communities of practice and interest.
These are the international community, where the ICO works with other countries to enhance privacy protection for the UK public; the UK protective community, where the ICO works with other regulators and official bodies to ensure the UK is the safest place online; and the internal community of the ICO and organisations.
Commenting on Brexit in the context of data protection, Denham said the final legal relationship between the EU and the UK is “one for the politicians” – but “there is no doubt that achieving a treaty arrangement or an adequacy decision with the EU represents the simplest way of ensuring the continued frictionless flow of data between the EU and the UK”.
She added: “There is equally no doubt that having domestic laws that achieve a high standard of data protection and are broadly consistent with EU ones will be a significant advantage.”
As the UK’s independent data protection regulator, the ICO works alongside the National Cyber Security Centre (NCSC), the National Crime Agency’s (NCA’s) National Cyber Crime Unit, the Department for Digital, Culture, Media and Sport (DCMS), Action Fraud and other agencies, said Denham, commenting that “government and regulatory bodies are working together in a way which, I believe, is unmatched anywhere in the world”.
“We are aligning our playbooks and testing them through the national exercises,” she said. “We are coordinating our communications, guidance and incident responses with them, so that we can respond to large-scale data breaches appropriately.”
Turning to some of the “data protection myths” the ICO has been working to dispel, Denham said keeping individuals safe online should not provoke panic.
“I have spent a lot of the past year busting some data protection myths, and reassuring organisations that our approach as a regulator is not to fetter innovation, while making sure it’s still hard for criminals and chancers to thrive online,” she said.
Despite challenges such as tight budget constraints and fast-moving technology changes, Denham said data protection law need not be onerous if organisations adopt privacy by design and sound cyber security at the outset of projects.
One of the myths the ICO has worked hardest to dispel, she added, is around data breach reporting under the GDPR.
“Organisations will not need to report every single personal data breach to the ICO,” said Denham. “But you will have to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms. And you must do that within 72 hours of discovering it.
“You should all by now be developing a sense of what constitutes a serious incident in the context of your data and your own customers. You also need to consider whether a breach triggers notice, not just to the ICO, but to affected individuals as well.”
On the topic of breach reporting, Denham urged organisations to contact the ICO as soon as possible.
“Our focus will be on working with you, and bringing in whoever else we need to involve, to help you make the right decisions in those crucial first few days,” she said. “Tell it all, tell it fast and tell the truth. Work with us and you will find the ICO to be a proactive and reasonable regulator.”
Denham said that, as a proactive regulator, the ICO recognises that innovation is essential in the digital economy.
“We are establishing a ‘regulatory sandbox’ for you to develop innovative digital products and services, while engaging with us to make sure the right safeguards are in place,” she said, adding that this service is scheduled to launch in 2019.
According to Denham, the digital economy is the fastest-growing area of the UK economy. “But, while new technologies bring new opportunities, it’s the people designing, creating and managing them that count,” she said.
“Low-tech breaches are frustratingly common in our enforcement work. So many of the breaches we investigate are down to human error. And it’s here that building your internal community can really pay off.”
Denham added that organisations’ chief technology officers and chief information security officers should never be strangers, and boards should approach every decision with an awareness of its impact on the security of the organisation’s technology and information assets.
In conclusion, she said that data protection is about increasing the public’s trust and confidence in the way their data is handled.
“The revelations of recent weeks involving Facebook and Cambridge Analytica and others have been a wake-up call,” said Denham. “People care about what happens to their data. Defending their information from attack is your battle – it must be one you are prepared to fight.”