Author: Gary Hibberd

Date: 25 May 2020


It’s been two years since the General Data Protection Regulation (GDPR) came into force. So you could say we’re into the ‘terrible twos’ stage of development.

Many of us will recognise this time as a time of sleepless nights, teething troubles, tantrums and frustration. It’s a time when young ones are finding their feet, their voice and learning about the world around them.


Happy Birthday GDPR (are you 2 or 4?)

Of course, most of us know that in truth, this regulation came to life in 2016, giving organisations two years to implement any additional controls or improve their processes. So perhaps it’s those that still see the 25th of May 2018 as being the ‘birthday’ that are only just finding their way, and still feeling frustrated?


What have we learned

So what have we learned over the last 2 to 4 years about the GDPR and about ourselves? Actually, quite a lot. Speaking as someone who has been a Data Protection Officer since 1998 I knew that come May 2016 many organisations were going to struggle with the new regulation.

And struggle they did… eventually. There wasn’t much movement in 2016, but come 2017 and 2018 and organisations began to wake up to the idea that a new regulation was coming. 


The ICO – The Toothless Tiger.

The Information Commissioner’s Office (ICO) has come under a lot of criticism over the last few years, and a lot of it is justified. At times they come across as effective and even ‘agile’ in their response to events that hit the headlines.

When the Pandemic began to affect us all, they were quick to give advice about remote working. They were swift to provide guidance for organisations that might need to relax rules on the sharing of information. And they quickly provided advice and guidance to organisations developing Apps for ‘Track and Trace’ technologies.

As a training and advice organisation, they’ve done really well. But as a body which are meant to be enforcing the rules surrounding Data Protection, they’re like your lazy uncle shouting orders across the room, with threats of action which you know will never happen because they’re too slow!

Since 2018 there have been so many large data breaches, I’ve lost count.  But point to any major Data Breach in the last two years and look for the ‘swift action’ from the ICO, and you’re likely to see a comment such as “The ICO is investigating this” or “The ICO has stated that…”.

Words mean a lot when it comes to offering advice (as a Consultant, I should know!). But when it comes to enforcing the GDPR, we need more than words. We need action. 

In recent days the ICO has been described as a ‘toothless tiger’: looks menacing but threatens no harm.

It was reported last week that EasyJet had suffered a Cyberattack, resulting in the illegal access to 9 million records. But when did this happen? January 2020.  Yes, a full 3 months since the attack, and only now are we hearing of this. 

That’s 9 million men, women and children put at risk from EasyJet. Has the ICO charged in with sweeping criticism and condemnation? No. Silence. Much like the stunned silence of every Data Protection and Cybersecurity specialist across the country!

Maybe they were busy investigating Serco, the outsourced company that is managing the Pandemic Tracking and Tracing app? They had just had a relatively minor, but worrying breach where one of their staff exposed the personal details of 296 people who are testing the app.

No. ICO are silent on this one too.  Serco has stated they don’t intend notifying the ICO, as they don’t believe it’s a significant breach.

But of course we can trust Serco. Can’t we?

After all they’re only the same company which found themselves at the centre of a public and political storm in 2013 when it emerged that they (and G4S) had been overcharging the Government for electronically monitoring people who were either dead or in jail, or had left the country.

They were stripped of their responsibility for tagging criminals in the UK later that year, and it led to a £22.9 million settlement by Serco with the Serious Fraud Office, on top of a £70 million fine from the Ministry of Justice in December 2013.

But I’m sure the ICO is all over this, and ‘taking a serious look at this matter’.

If the GDPR is to succeed, then any breach which occurs and is reported needs to be acted upon. The ICO needs a shakeup.  


There are (still) NO experts

When the GDPR came into force (25th May 2018), it didn’t take long before a new breed of ‘GDPR Expert’ was born. Where people, who had zero knowledge or interest in the topic before, suddenly started handing out advice like the ‘Child Snatcher’ in ‘Chitty-Chitty-Bang-Bang’! No interest, no concern and no idea on what they were doing ignited and fuelled the fear, uncertainty and doubt that was growing across Europe.

“Will Brexit affect GDPR?” “What does ‘necessary’ mean?” “When do I need to gain Consent? And how can I evidence it?”

These are just some of the questions and concerns I heard and saw answered so abysmally across Social Media and in webinars and seminars.

Some of the answers came from lawyers with no practical experience of Information Security, and some came from Information Security practitioners with little to no knowledge of the regulatory landscape surrounding privacy (10 points to anyone who can tell me what Article 8 of the Human Rights Act relates to (No Googling allowed!))

But I believe there are STILL no experts in Data Protection. I may get called this, from time-to-time, but I don’t class myself as such. This is because things in this area are constantly changing, and industries and sectors differ broadly on different aspects of these regulations.


Conclusion: There’s still a lot to do

I am still talking to organisations who don’t understand the basics when it comes to Information Security and Data Protection. I am having conversations with Security experts who don’t think there is any difference between Security and Privacy.

These organisations are controlling and processing our data. These experts are advising organisations on how to do that. 

If we’re to improve our ability to protect data, we need to understand Data Protection Regulation(s), Technical security controls and standards, Behavioural design, Psychology, sociology and criminology.

But all of this shouldn’t be difficult.

Remember that GDPR simply means ‘Giving Data Proper Respect’. It doesn’t need to be overly complicated. Get advice from someone with a broad understanding of Cyber Security and Data Protection to make sure what you put in place is proportionate and appropriate.

Maybe next year we’ll be celebrating GDPR’s birthday with a new perspective and outlook on Data Protection.  Given that we’re currently in lockdown, I sincerely hope so!

Unfortunately, I think there is still a lot more education and cross-discipline learning that needs to happen. As a Cybersecurity and Data Protection Specialist, my job is to have as broad an understanding of Security and Privacy as possible.  I believe anyone advising in this space needs to have that same approach.
