In Part 1 of this two-part blog ‘series’, I played the part of a security expert (which I do most days), and examined how privacy is changing the face of the security industry.
In Part 2, I have enlisted the help of a lawyer, data protection and contracts expert, who is basically to blame for me getting into this ‘privacy stuff’ in the first place. She also happens to be my sister; Angela Boswell.
No, this is not a political statement, though I couldn’t resist a play on words that also takes a poke at nationalist imbeciles on both sides of the Atlantic.
Instead, this is about the UK’s pending/potential/who-the-hell-knows-when/if exit from the EU and its effects on international transfers of personal data to/from the UK to/from the EU. Amazingly this is still confusing to a significant portion of the population, if they have even looked into it at all. You must understand that unless you have absolutely no intention of doing business whatsoever with your soon-to-be-ex EU counterparts, it’s the UK businesses that will need to be pro-active. Well, pro-active was three years ago, but you simply must make it easy for EU-based businesses to work with you regardless of the Brexit result.
You’ll notice I said ‘when’, not if, because if you have personal data online you will, eventually, be breached in some way.
I know this because the GDPR’s definition of ‘personal data breach‘ (Art. 4(12)) does not just mean ‘hacked by a bad guy’, it means: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”. This therefore includes every unauthorised action that happens to the data, including the inevitability of human error. Nothing malicious, just a simple mistake, but it’s still a breach.
I have long maintained that fines under GDPR are the last resort, and that the ICO do NOT want to use Article 83 of the GDPR as a stick to scare organisations into compliance.
The ICO commissioner, Elizabeth Denham has even said as much herself, using the word “nonsense” when it was suggested that large fines would become the norm, that “Issuing fines has always been, and will continue to be, a last resort[…]“, and “While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective […]“.