How to ruin the reputation of your (118 year old) company, lose your job and your liberty

Unfortunately there are so many cases I can use to illustrate this. Most topical at this time at the start of autumn (fall) 2017 is Equifax.

They provide credit scoring services to the public and businesses in 14 countries, including Canada, UK and USA. Many financial organisations use them to assess the credit-worthiness of individuals and companies.

The company has been around for more than 100 years, has an operating revenue of over 3 billion USD and has over 9000 employees.

Their bread and butter is information. Personal information. Including name, addresses, social security number, income and loans amongst others. Stuff classed as sensitive PII by most if not all data protection agencies.

They hold data on more than 820 million individuals and 91 million businesses.

In May 2017, they lost the details of 145 million people in the USA, at least 400000 in the UK and 100000 in Canada.

Heads Roll

Within Equifax, the chief information officer Susan Mauldin and chief security officer David Webb were retiring, and within two weeks Richard Smith, the CEO, said he was stepping down after having to explain the breach to a US Congress committee in October.

The market is not impressed

Their share price was trading around 140 USD, then plunged to a low of 94 USD a few days after the disclosure, which is comparable to Talktalk’s share price drop.

The actual financial impact to Equifax is unknown at this time, as it’s still so recent.

It gets worse

During a congressional hearing, it transpired that the CIO, Jun Ying, had sold 950k USD of company shares. In June 2019 he was found guilty of insider trading, sentenced to 4 months in prison and ordered to pay restitution amounting to 120M USD, as well as a 55K USD fine.

As of 13/05/19: This incident has cost the firm 1.4 B USD so far

 

IT Pro article

Moneysavingexpert article

GDPR – How do we go about it ?

I think I’m on a roll; this is my 5th GDPR-themed post.

Here’s a more practical article that’ll help you towards alignment with GDPR.

 

Contents of this web log post:

  1. Essentials for success.
  2. Information Security Management Systems
  3. What to do with old or archived PII

Essentials for GDPR Success

Educate

The C suite, the board and your employees must be made aware of the organisation’s obligations and of their own obligations.

Design

Ensure that your on-boarding, training, strategy, policy and procedures take into account the data protection demands of GDPR.

Accountability

Be clear on who is accountable for the data you hold and process, and be able to prove that PII is correctly collected, processed, used and treated for the whole data life cycle.

Red Herrings and dead-ends

GDPR is not a technology problem

You cannot solve it with tools alone, though they may make life easier for some tasks.
Don’t make the mistake of assigning the whole task of GDPR compliance to IT.
IT apply the controls; they’ll tell you where your data is and where it’s going.
It is not solely an InfoSec problem either, though InfoSec plays a significant role.
GDPR belongs right at the top, with the head honcho.
The CEO, no less.

 

A significant structure like GDPR isn’t self-supporting; it relies on good information security and well implemented information technology.

(Unless you are totally paper based and don’t use any IT systems for processing PII, but the information security part still applies.)

Unfortunately, unless your process and IT maturity is realistically rated as managed or above, there is work and improvement required on the underlying technology too, so that it is properly designed and operated.

For this, a good route to take is an already established information security management system (ISMS) such as ISO27001.

Isn’t it a monster ? We can’t afford it ? It’s too disruptive!

I hear you say. No: it is designed as a framework and it is scalable. Not all of it will apply to your organisation. You don’t have to go for accreditation immediately, but it’s extra kudos if you do, and something to aim for in continual improvement.

To be clear, I’m not saying ISO27001, COBIT, Cyber Essentials etc. are mandatory. You may be doing your own thing, which is just as good or better, although it is then another level of control you may need to prove and justify.

Prioritise and Segment

Determine where your data or operations impact on the data subjects most. Deal with that first.

Old / Archived PII

Do you need to keep it for legal or regulatory reasons ?
Is there a clear and lawful reason for you to retain this information ?
Do you have explicit consent to use the PII for your intended use ?

No ? Delete it (properly).

If you want to keep it or re-purpose it, strip out the PII elements, so that you end up with anonymised data.

Otherwise anonymise it

Proportionality

You are not expected to spend a disproportionate amount of effort to achieve 100% data sanitisation. If the archives are properly secured, it doesn’t mean you have to pull out every archive since year dot to scan for PII.

However, if it is recalled for any reason, you’ll need to ensure that the data on there is properly treated by removing the PII where necessary, for example removing people who have requested the right to be forgotten.

See Articles 35, 36 and 83 and Recitals 84, 89-96

Any other business ?

There will be more follow-ons from this one that’ll build upon what’s been said above. Examples of other things you should know and should be doing are :

  • What do you have in your software estate ? Shadow IT has the means of scuppering your GDPR efforts. Seek out the old MS Access databases ….
  • Vulnerability management
  • What does your network look like ?
  • How does your data flow ?
  • Are all those rules necessary on your firewall ?
  • When was the last time the firewall rules were audited ?
  • Can you show why that rule is in place and trace it back to the change request and associated approval ….?

Plenty to mull over and discuss, but that’s enough for today.

The value of patching, The cost of not patching

(One) Major cause of data breaches

Over 50% of data breaches are due to published exploits where fixes or patches are available.

The actual percentage varies depending on which study you refer to. The vulnerabilities may be in the OS, in platforms like Java and Flash, or in applications.

Secure configuration is essential, and one aspect of it is patching: making sure that you’ve deployed the most up-to-date software.

The reality is that many organisations do not adequately patch their software and hardware. For many it is an onerous task. They may be worried about introducing issues to their production services or it may be the lack of resources.

The risk is real, whether it is risk to production from using different (updated) software or from crackers exploiting vulnerabilities.

Regression and user-acceptance testing are essential here. Another mitigation is staged patching, where a proportion of servers or software instances is patched first and then used in production; these could be test or development units.

I’ve just talked about the value and reasons for patching.

The other considerations are the cost of not patching.

There are many examples, but I’ll just share a couple with you.

Talktalk loses data

Talktalk is a communications company in the UK mobile telephone, TV and broadband market. They lost 157000 customer details in 2015. The vulnerability was on a website that had not been patched for 3.5 years. In the aftermath they lost more than 150000 customers. Their share price dropped 30%.

Promotions and incentives cost them 35M GBP. Their 2016 profits dropped by 56%. They were also fined 400000 GBP by the ICO. Under GDPR the fine imposed could’ve been more than 70M GBP.

Equifax loses even more data

Moving to a more recent data breach, Equifax. They provide credit scoring services to the public and businesses. Many financial organisations use them to assess the credit-worthiness of individuals and companies.

They hold data on more than 820 million individuals and 91 million businesses.

In 2017, they lost the details of 145 million people in the USA, at least 400000 in the UK and 100000 in Canada.

Heads Roll

Within Equifax, the chief information officer Susan Mauldin and chief security officer David Webb were retiring, and within two weeks Richard Smith, the CEO, said he was stepping down after having to explain the breach to a US Congress committee in October.

The market is not impressed

Their share price was trading around 140 USD, then plunged to a low of 94 USD a few days after the disclosure, which is comparable to Talktalk’s share price drop.

The actual financial impact to Equifax is unknown at this time, as it’s still so recent.

The breach was likely to be from a vulnerability that had been publicised and known for months and not mitigated.

The fallout from this incident is yet to settle. There are likely to be class action law suits in the USA and Canada. The respective regulators are likely to be sifting through the post mortem reports and deciding on what punitive measures to take.

Further reading and references

 

Do you know what you have ? Do you know what you are doing ?

My 4th GDPR-themed article. It’s designed to encourage debate and discussion, and hopefully help you on the journey to GDPR compliance.

Do you know what you have ?
Do you know what you are doing with it ?

Two very simple questions.
Two very important questions.
If you were asked that, how would you answer ?
You can go down the philosophical route, etc.
I’ll leave that angle for another day.
This is about the nitty gritty around data protection and GDPR, so really it’s

Do you know what data you have ?
Do you know what you are doing with it ?

For the organisations that can, hand on heart say,

“We are fully compliant with the Data Protection Act 1998”,

you know, the one that’s been around for nearly 20 years.
You are in a very good place.
You already comply with a substantial part of GDPR.
You have some work to do to bring it up to scratch for GDPR, but it isn’t onerous.
Well done
For the rest …

Unfortunately this probably isn’t the case.
This isn’t about a particular company or organisation; I’ve had exposure to enough commercial entities to confidently say that GDPR is likely to be a thorn in the side for many.

Some organisations may be able to turn it round into a competitive advantage, a differentiator.

Your goal is to be able to say:

We know :

  1. Who is the business risk owner for that service and its dependent, constituent parts (article 25).
  2. Who owns and is accountable for the data processed for that service (article 24).
  3. Exactly the profile of data being processed.
  4. The amount and type of PII (personally identifiable information) in this data.
  5. What we do with PII is legal, fair and transparent (article 12).
  6. We don’t hoard PII unnecessarily.
  7. We know the impact of the processing we apply to PII (article 33 for high risk processing)
  8. We don’t transfer PII outside of the EEA without consent or other safeguards (article 44,45,46).
  9. Who has access to the data (article 24).
  10. Where this data is going (article 24).
  11. Where (all) this data is stored (article 24).
  12. Whether we have the clear legal purpose to use the PII for that purpose and not just rely on consent (article 6,7).
  13. That it can be checked for accuracy and amended by the data subject (article 16).
  14. That we do check the data for accuracy.
  15. We have an easy to use mechanism to remove PII for a particular person (article 17).
  16. We make it easy to take PII to another service provider (article 18).
  17. We use the appropriate technical controls and techniques to ensure the confidentiality and integrity of PII (article 24,25).
  18. We ensure a properly designed life cycle is applied to our data (article 25).
  19. We have the means to report data breaches without delay and within 72 hours (article 55).
  20. We can prove that we do the above (article 24,25).
  21. Also ensure that our business partners, service providers, data processors and controllers do the above.
  22. We have a Data Protection Officer, as we rely on significant processing of PII.

(The above isn’t complete … there is more)

In short, we protect the rights and privacy of EU data subjects in compliance with EU GDPR.

That doesn’t seem too bad ?

Data protection and data privacy are concepts that have to be baked into strategy, into policy and, most importantly, into the culture; in GDPR parlance, they have to be designed in by default.

This is the overarching structure for data protection in the EU (and UK post Brexit).


Effective Cyber Security for the work place and home …

I have summarised a few tips that’ll help you along that route. It isn’t set and forget, it’s a continual process.

Business Essentials for successful Cyber Defence

Simple to say …

  • Top-level commitment to a good information security management system (ISMS).
  • Information Security baked into company vision for success.
  • Robust policies backed up by process.
  • The right people and sufficient resources to run the ISMS.

Further reading for businesses

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

10 Step Summary

10 Step Executive Summary infographic

From the American Bar Association


Good Cyber Hygiene At home

  • Keep passwords simple to remember and difficult to guess, write them down if necessary.
  • Don’t reuse passwords for important services.
  • Switch on auto-update on your devices.
  • Email is a common method to spread malware, be aware of phishing.
  • Malware and confidence scams are also sent by SMS text, other messaging services and by plain old telephone.
  • Challenge telephone calls from people who purport to be from your bank, the council etc. Get their name and obtain the number from an independent source. Phone them back.
  • Shred documents containing important information (anything that identifies you, your family, your home, financial details).
  • Check your credit history regularly.

More Consumer Advice

https://www.getsafeonline.org/

 

Massive Attack

There have been very public examples of cyber attacks, affecting organisations on a global scale. Despite prominence given to recent outbreaks, such as Wannacry in May 2017 and NotPetya in June 2017, the first recorded global malware outbreaks started much earlier.

Some history

John von Neumann wrote a paper on “Theory of self-reproducing automata” published in 1966 which described self-replicating artificial forms, how they would spread, mutate and be self-deterministic.

The first examples

1981 saw one of the first computer viruses, written by Richard Skrenta to infect Apple II PCs. Five years later, 1986 saw one of the first PC viruses, known as Brain amongst other monikers, written by Basit Alvi.

Why ?

There has been much more malware in the intervening years. The main difference between that and current malware infections is that the earlier instances were programmers showcasing their skill and ingenuity, mainly for bragging rights and inter-peer competition. They were often created as proofs of concept and sometimes were released by mistake.

Interconnected

Another aspect worth mentioning is that the world has moved on since the 1970s. Personal computers then were not generally interconnected, they were stand alone and strictly the domain of hobbyists.

The Internet

The origins of the internet started in the 1960s as a USA government project, which was made a commercial prospect in 1983 with few private users. By 1995 there were 16 million users, and by the turn of the new century more than 300 million users. A decade later, 2000 million users. We are on course for 4000 million users in 2017. Exponential growth in action: the effective network proximity means that something that happens on the other side of the world can affect you milliseconds later.

There are not many commercial or governmental organisations which are not internet connected. Domestic connectivity has also mirrored this growth, which has been taken into the mobile and IoT space as well.

Ransomware

The first recorded instance of ransomware was in 1989: the AIDS Info Disk, written by Dr. Joseph Popp for PCs, was malware that demanded 189 USD be paid as licence fees.

Ransomware is now a commercial enterprise, organised crime has seen the potential for great ROI (return on investment) for little risk.

There have also been rumours of nation state involvement in malware, which have been loosely substantiated by leaks, revelations and evidence from whistleblowers. These have been carefully crafted and targeted attacks. One such example is Stuxnet, designed to damage centrifuges used by Iran in a uranium enrichment programme.

SWIFT

Attacks on the global interbank transfer service, SWIFT netted more than 80M USD in 2016. A similar heist was reported in Ecuador and an attempt at defrauding a bank in India this year.

More recently, Wannacry and Petya in May and June 2017. These two leveraged stolen malware, allegedly originating from the USA’s National Security Agency (NSA).

So we are beginning to see a muddying of the waters between what is likely to be nation state campaigns and what is used by organised crime for their money raising efforts. Even the lines between nation state and organised crime may be blurred, as the two most recent global ransomware events have been attributed to various countries.

Who did it ?

Be mindful that attribution is not an exact science; this is where clues may be left to confuse and misdirect, and definitely an area where plausible deniability reigns.

So what does this all mean? Apart from plenty of mystery, intrigue, 007 and general dodginess all round.

How does it affect me and you ?

For the population at large and commerce, it means further disruption caused to our digital environment from a myriad of sources, be it an attack to demonstrate technical control for political purposes or for monetary gain, the fallout or collateral damage is likely to affect the rest of us.

What can we do about it ?

Many of these exploits take advantage of poor cyber hygiene. If basic guidelines on the use of internet based services, system maintenance and configuration were followed, the susceptibility to these attacks by organisations would be significantly lower and even if an organisation were to succumb to a cyber attack, recovery would be significantly quicker and be less damaging on operations.

Follow-up – “How to protect yourself from malware”

References

List of viri from Comodo

Wannacry – Symantec

Wannacry – The Independent

Petya or not ???? – Reuters

Destructionware, not ransomware – The Verge

More on NotPetya – TechCrunch

 

UK GDPR – Flies in the ointment and devils in the detail

This is the third article on GDPR, the first dealt with Brexit and GDPR, the second confirmation that UK will be implementing stronger Data Protection.

Complications

There may be some “gotchas”, possible “flies-in-the-ointment”; the question of adequacy due to differences in equivalence and the effects of divergence.

Equivalence – EU GDPR

Over time, you get divergence in any system if there isn’t a common control factor, which is likely to test compatibility in the future; but for now, more importantly, what will 2019 bring us ?

The Supervisory Authority enforces the GDPR (and DPA98), and the European Court of Justice (CJEU) has the final say. Post-Brexit, this is unlikely to be the case; it will likely be the UK’s Supreme Court.

There are other UK laws, such as the Regulation of Investigatory Powers Act (RIPA) 2000, which are not compatible with the current EU directive, so are not going to work in harmony with GDPR. GDPR allows investigations for crimes; RIPA’s definitions are looser.

There is also a political element too, will the other 27 EU member countries be generous in their assessment of UK Data Protection 2019 and grant her equivalence with a few choice derogations ?

So what’s going to happen?

No one knows for sure – this is my take on it :

The UK (and others globally) will have to comply with EU GDPR by May 2018 (it’s actually in force now, but not enforced until May 2018; EU 95/46/EC was repealed in April 2016).

Post-Brexit UK businesses will have to comply with UK GDPR and EU GDPR.

What happens to the contentious bits of UK law or UK interpretation / implementation ?

UK will have to negotiate acceptance of her derogations or compromise on some aspects of internal laws.

Without this, we will not have equivalence, which may lead to data being processed in another, more compliant EEA member state instead, something we’d all prefer to avoid.

… next article

More practical aspects of GDPR – how to approach GDPR and work towards the goal of compliance

Further reading

The Future of UK data protection laws post-Brexit

The Queen’s Speech, GDPR & Post-Brexit

Following on from my initial article on GDPR and Brexit in September last year, there is no doubt that the UK will continue with strong data protection laws when the UK leaves the European Union (Brexit). This was confirmed in the Queen’s speech in June 2017, which introduced a bill to repeal the 1972 European Communities Act and replace it with the Repeal Bill 2017.

A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.

What does this mean ?

It means less uncertainty about what data protection laws will apply to UK businesses post-Brexit and, more importantly, less uncertainty in the run-up to Brexit.

Many organisations have delayed their GDPR programmes or at least given less attention to it due to the lack of clarity.

For UK citizens, the commitment to enhanced data protection incorporated into law gives parity in this domain with GDPR.

For business, this confirms that the UK should continue to be an attractive location for data-rich organisations.

Soon – the “UK GDPR – Flies in the ointment and devils in the detail”

Further reading

Queen’s Speech 2017


A for Availability – BCP and DR failures

DR/ BCP effectiveness

A look into the A part of CIA, namely A for Availability.

Often overlooked and not always tested with rigour. Closely coupled with change management, resource management and long term strategy.

Although this article talks about a power outage, the short-comings of the recovery and lessons learnt can be applied to all types of outages.

Recent BCP failures

Delta Airlines suffered an outage in August 2016 that cost them 150M USD. This was followed by another two day outage on the 29th and 30th January 2017, with 280 flights cancelled.

British Airways (BA) had a serious outage which coincided with the late May public holiday, 28th May 2017. Power problems at the data centre resulted in delays and cancellations 3 days later, affecting 75000 travellers. BA’s parent company IAG (International Airlines Group) shares fell 4%. Compensation is expected to cost in the region of 150M GBP.

[Image: Woman waiting for her flight at Heathrow T5, London, UK. (c) Reuters]

BCP/ DR failure in general

I’ve seen quite a few similar failures in various enterprises, large and small. They range from poor application of the disaster recovery (DR) process to the use of out-of-date processes.

The situation is usually exacerbated by poor communication between operational staff and decision makers. Often people on the ground are afraid of invoking business continuity plans (BCP) or DR plans.

There are many more contributing factors, such as unfamiliarity with the restore process, key people being away, changes made (such as system updates) whilst key people are away, and unauthorised changes or poor configuration of the failover or synchronisation mechanism of production systems.

Wonder what happened at BA ?

This is reading between the lines and speculation on my part. Of course, take it with a pinch of salt, as I don’t have an inside view of IT operations there.

How it started

The catalyst for the outage was the power failure, which was recovered from in minutes. Assuming the standard robust architecture, it should have the resilience to withstand system outages to n+1, n being the number of parallel sites or systems.

Resilience and Diversity

This type of operation will have geographical and service diversity, so another instance of the database is running elsewhere and **should** be run in a failsafe synchronised mode, so both instances are updated at the same time and the change committed when both agree.

When one of the databases goes down, due to communication or power issues, the other should be able to detect and run independently and be the sole primary. When the other database comes back online, it should be able to determine it’s been offline and start a re-synchronisation with the other one.

Trust issues

Now, they couldn’t trust the backup instance, which implies that the synchronisation wasn’t working or was switched off. They had to rely on a full restore, which was likely to be at least 1 day old, so all the changes after the backup were lost, which was guaranteed to cause subsequent operational issues.
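The two behaviours contrasted above (a synchronised pair where a change commits on both sites, one site runs alone during an outage and the returning site re-synchronises, versus synchronisation switched off and a full restore from the last backup) as an added Python model. It is not BA’s system and not code from this post; the site names, booking records, sequence numbers and backup point are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One database instance at one site (constructed model, not BA's system)."""
    name: str
    online: bool = True
    seq: int = 0                                 # last change applied here
    data: dict = field(default_factory=dict)
    log: list = field(default_factory=list)      # (seq, key, value) applied here

    def apply(self, seq, key, value):
        self.data[key] = value
        self.seq = seq
        self.log.append((seq, key, value))


class ReplicatedStore:
    """Two geographically separate sites holding the same database.

    sync_enabled=True is the failsafe synchronised mode: a change commits only
    once every online site has applied it, and a site returning from an outage
    catches up by replaying what it missed.  sync_enabled=False models
    synchronisation switched off: only the primary is written, so the standby
    silently drifts out of date and cannot be trusted when it is needed.
    """

    def __init__(self, sync_enabled):
        self.nodes = [Node("site-A"), Node("site-B")]
        self.sync_enabled = sync_enabled
        self.seq = 0
        self.backup = None   # (seq, data, log) snapshot from the last full backup

    def _node(self, name):
        return next(n for n in self.nodes if n.name == name)

    def take_backup(self):
        primary = self.nodes[0]
        self.backup = (primary.seq, dict(primary.data), list(primary.log))

    def commit(self, key, value):
        online = [n for n in self.nodes if n.online]
        if not online:
            raise RuntimeError("no site available: total outage")
        self.seq += 1
        # Synchronised: every online site applies the change (a lone survivor
        # runs as sole primary).  Unsynchronised: only the first online site.
        for n in (online if self.sync_enabled else online[:1]):
            n.apply(self.seq, key, value)

    def fail(self, name):
        self._node(name).online = False

    def recover(self, name):
        """Bring a site back and report how recovery had to be done."""
        node = self._node(name)
        node.online = True
        peer = next(n for n in self.nodes if n is not node)
        if self.sync_enabled:
            # The site can tell it was offline (its seq lags the peer's) and
            # re-synchronises by replaying only the changes it missed.
            missed = [e for e in peer.log if e[0] > node.seq]
            for seq, key, value in missed:
                node.apply(seq, key, value)
            return {"method": "resync", "replayed": len(missed), "lost": 0}
        # Neither site's state can be trusted, so operators fall back to the
        # last full backup on both sites; every change since it is lost.
        backup_seq, data, log = self.backup
        lost = self.seq - backup_seq
        for n in self.nodes:
            n.data, n.seq, n.log = dict(data), backup_seq, list(log)
        self.seq = backup_seq
        return {"method": "full-restore", "replayed": 0, "lost": lost}

    def consistent(self):
        return all(n.data == self.nodes[0].data for n in self.nodes)


def run_scenario(sync_enabled):
    """Constructed timeline: 2 bookings, nightly backup, 3 more bookings,
    site-A loses power, 3 bookings taken while site-B runs alone, then
    site-A comes back.  Returns the recovery outcome."""
    store = ReplicatedStore(sync_enabled)
    for i in (1, 2):
        store.commit(f"booking-{i}", "confirmed")
    store.take_backup()
    for i in (3, 4, 5):
        store.commit(f"booking-{i}", "confirmed")
    store.fail("site-A")
    for i in (6, 7, 8):
        store.commit(f"booking-{i}", "confirmed")
    result = store.recover("site-A")
    result["consistent"] = store.consistent()
    result["records"] = len(store.nodes[0].data)
    return result


if __name__ == "__main__":
    for mode in (True, False):
        print("synchronised" if mode else "unsynchronised", run_scenario(mode))
```

With synchronisation on, the returning site replays the three changes it missed and nothing is lost; with it off, the restore rolls both sites back to the backup point and the six changes made since then are gone.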

Was it a loss of corporate memory ?

Support systems and corporate memory do have a bearing on the effectiveness of non-BAU (business as usual) tasks: when there are no problems, anyone or any team can look after it. It’s a different matter when things don’t go to plan; this is when in-depth knowledge and experience count. Outsourcing has a reputation for not being able to capture or retain such valuable information; in reality only a proportion of knowledge is reflected in documentation.

When people leave, they always take some of that experience and knowledge with them.

Of course there are the black-swan type events, the one in a million incidents that occur and for those, recovery will still take longer than expected.

(For the power engineers: I’ve seen the root cause analysis of a power failure where the windings of one of the DRUPS units shorted, causing a cascade failure of PDUs downstream. Although the other DRUPS were operating fine, the protection units in the PDUs detected it as a fault condition and disconnected the rest of the supplies. This was a situation that the client couldn’t really plan for, but the recovery was hampered by organisational short-comings, even though the DR was tested less than 12 months prior, which meant a 15 minute outage (the fault circuit was isolated and the other PDUs put online manually) lasted half a day.)

How to mitigate these potential risks ?
With robust BCP and DR:

  • Well defined and up-to-date business and operation processes
  • Appropriate level of resilience built into the human resources, infrastructure, processes and culture
  • Clear channels of decision making which allow for decisions to be made on the ground
  • Careful and considered outsourcing
  • Current and accurate business impact analysis (BIA)
  • Properly rehearsed and updated playbooks (comprehensive and regular testing)

Further reading and Sources to the British Airways IT Outage

https://www.ft.com/content/15cab698-4372-11e7-8519-9f94ee97d996

http://www.independent.co.uk/travel/news-and-advice/british-airways-system-shutdown-heathrow-gatwick-your-riights-a7760536.html

http://www.japantimes.co.jp/news/2017/05/28/business/global-british-airways-systems-failure-creates-travel-chaos-power-issue-blamed/#.WS1SqTOZNE4

https://www.theguardian.com/business/2017/may/30/british-airways-ba-owner-drops-value-it-meltdown

GDPR – Nothing to do with us; UK is leaving the European Union, so we don’t need to do anything.


(GDPR – General Data Protection Regulations 2016)

A bit of history to put things into perspective: in 1950, the Council of Europe created an international treaty to protect human rights and fundamental freedoms in Europe. Article 8 provides a right to respect for one’s “private and family life, his home and his correspondence”. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were published in 1980; these defined the data controller and personal information. A year later EU Treaty 108 was drafted, which espouses the eight principles for protecting personal data. There are many other notable Acts of Parliament, including the Data Protection Act 1984 and Computer Misuse Act 1990. Let’s get to the present day.

GDPR is the culmination of efforts to update the EU Data Protection Directive, 95/46/EC that was ratified in 1995.

There are 99 articles and hundreds of recitals in the GDPR. I’ll present that in a GAP analysis in the future.

Bottomline

The Good news

  • The underlying reasons for having the GDPR haven’t changed from the EU Data Protection Directive of 1995; the tenets are broadly the same.
  • Lawful processing, accuracy, appropriate technical controls etc still form the core of the GDPR.

However, as always, the devil’s in the details.

What has changed ..?

The reach of the new regulation is significantly extended.

The potential penalties are designed to be “effective, proportionate and dissuasive”. Based on a two-tier basis of 2%/4% of global turnover or 10m/20m Euros, whichever is greater.

Data Protection breaches will be taken more seriously.

Transparency. Accountability. Consent. Portability.
Breach notification. Certification. Data Protection Officer. Privacy by design.

Using tricks to opt people in will be regarded in a negative light and is not in line with transparency.

The C suite will be accountable for Data Protection, not something which is loosely delegated to someone in IT.

For personal data breaches, the ICO must be notified within 72 hours.

Data Controllers must implement data portability in a commonly used format.

A Simple Checklist

  • Does your business collect, store or process personal data (anything that identifies an individual of the EU) ?
    (That includes customer lists, membership details, medical records, delivery addresses, cookies and other identifying markers)
  • Does your business have customers in any EU state ?
  • Does your business intend to retain or gain new customers in any EU state after Brexit ?
  • Does your business intend to partner with EU entities that serve EU customers between now and Brexit ?
  • Does your business intend to partner with EU entities that serve EU customers after Brexit ?

A “Yes” or “maybe” means that your organisation will be better placed if it aligns its governance and policies soon, as it is likely to take time to adopt and implement.

This is not an IT exercise – this needs to be owned at C or board level and this must be demonstrable.

Also, don’t forget that the UK is still in the EU and it will take a minimum of 2 years for Brexit to complete, which takes us into 2019, a year after GDPR is in effect.

For non-UK readers (and companies), there are no geo-boundaries to this. Your company may be based in South Africa, but if you have EU customers (non-company), you need to comply.

Some questions that need to be addressed

Will the UK retain the GDPR after Brexit ? If it doesn’t, the UK will need to introduce something broadly similar if she intends to trade with the remaining EU members, which requires time and money.

My money is on the UK adopting the GDPR and applying some judicious derogations, enough to gain some flexibility, but retain compatibility.

In a similar vein, keep an eye on how the issue with US Safe Harbor/ Privacy Shield and the Ireland Data Protection challenge of model contract clauses plays out in the near future.

Further reading

http://ec.europa.eu/justice/data-protection/reform/index_en.htm

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

http://www.twobirds.com/en/practice-areas/privacy-and-data-protection/eu-framework-revision