Government Information Assurance changes explained (part 3 of 3)

Part 3 of 3. This is the third in a series of blog articles where Ascentor discusses some of the recent UK Government Information Assurance changes – and what they mean for you.

Written to be concise, they explain the essential “need-to-know” facts and implications with links to read further should you wish.

This time our lens has a European focus as we cover two EU regulations that could have a significant impact on the protection of UK data.

In part 3 of the series, we look at:

  • Safe Harbor and Privacy Shield
  • The EU General Data Protection Regulation (GDPR)
  • The Certified Cyber Security Consultancy (CCSC) scheme

Safe Harbor and Privacy Shield

What’s changed?

EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU. For 15 years, there was an arrangement in place between the European Commission and the US government to facilitate data transfer to the US – called Safe Harbor. This ended in October of 2015.

Following the revelations about US surveillance made by the whistleblower Edward Snowden, the European Court of Justice ruled that the Safe Harbor agreement was invalid because it did not comply with EU data protection law. It ruled that US data protection was not equivalent to the fundamental rights and freedoms guaranteed within the EU.

The past five months have seen a state of uncertainty as to the basis for a replacement arrangement, but there is finally a plan in place with the announcement of “Privacy Shield”. However, this is only a framework at this stage and a decision on whether to accept it probably won’t be made until the end of April.

Why do you need to know?

Many organisations transfer data from Europe to the US, including UK government departments that may use (or have suppliers using) US servers. If you are one of them, the scrapping of Safe Harbor suggests you may need to source an EU-based alternative.

At the time, the Information Commissioner’s Office said that the Safe Harbor issue was a reminder of the “important obligation on organisations to protect people’s data when it leaves the UK.” And that “Businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law.”

The new Privacy Shield agreement includes a commitment that the US will not conduct “indiscriminate mass surveillance on personal data”, and imposes new obligations on American companies to protect Europeans’ data. But, while greater co-operation between the US and EU on matters of data transfer is seemingly back in place, the finer points have yet to be made clear.

As the Privacy Shield is new, understanding what organisations need to do to comply with their legal obligations will be key, especially when there will be a cost of non-compliance – not just in terms of fines but also the growing scrutiny of customers and the general public. As the Privacy Shield states, “Any (EU) citizen who considers that their data has been misused under the new arrangement will have several redress possibilities.” It is, therefore, always good practice for organisations to review their data protection processes and standards.

How do you get further information?

Privacy Shield has only just been announced, so aside from the EU press release there is little information available. However, the article “Privacy Shield: How businesses should navigate the new cyber security regulation” gives an early assessment from a UK perspective. In addition, our consultants are happy to discuss both Safe Harbor and Privacy Shield in more depth.

The EU General Data Protection Regulation (GDPR)

What’s changed?

Keeping with the EU theme, the General Data Protection Regulation (GDPR) is a new law that could see a fundamentally changed landscape for the protection of data – if it is ratified by the European Parliament.

Organisations will soon be required to comply with tougher rules: to prove that they actively protect personal data, and to ask more explicitly before collecting it. But that’s by no means the full extent of the changes. The most controversial aspect of the GDPR is the “right to be forgotten”.

Why do you need to know?

If you are an organisation that handles data, and all Government organisations are, then you need to be aware of the implications of GDPR.

Take the “right to be forgotten”. For most organisations that handle customer data, this effectively means the right to have it erased. A particular headache is that it could apply to data collected back in the data subject’s childhood. If this data is now stored elsewhere, then it will still need to be erased. How far back does your data storage go? Could you access records that could be decades old?

As with the Privacy Shield, big changes in the regulations surrounding the way we store data inevitably put the spotlight on compliance – and the cost of compliance. It’s no different with GDPR.

Another proposal in the GDPR concerns the time given to respond and comply. A Data Protection Officer (DPO) is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests and reporting breaches – the latter within 72 hours. What would this mean for your staffing and accountability if your organisation were asked to comply?

How do you get further information?

Ascentor has included information about GDPR in our blog article “Data Protection – your ‘need to know’ list is getting longer”. We also reference a more detailed article from SC Magazine.

The Certified Cyber Security Consultancy (CCSC) scheme

What’s changed?

This is a new scheme, launched in June 2015 and developed to certify services provided by consultancies, rather than individual consultants. By introducing CCSC, CESG aims to establish the wider credentials of consultancy companies to deliver high-quality, tailored and expert cyber security advice.

Why do you need to know?

If you are in government, the wider public sector or industry, the CCSC scheme has been designed to help you obtain the right cyber security consultancy services and, by doing so, help you protect your information and conduct business online safely.

Speaking at the time of the launch, Ciaran Martin, GCHQ’s Director General for Cyber Security said: “This new scheme will significantly enhance the pool of trusted cyber security advice available from private providers”.

The first cohort of suppliers was announced in mid-February 2016 and will provide consultancy to government and industry under the Security Architecture, Risk Management and Risk Management service categories. However, one name you won’t see amongst them is Ascentor, at least not yet.

Whilst CCSC continues to develop, we will be focusing our time and effort on delivering IA excellence to our clients. But, rest assured, as and when CCSC is suitably mature and being requested by our customer base, we will take part.

How do you get further information?

Full details of the CCSC scheme and the first cohort can be found on the CESG site under “New CESG Certified Cyber Security Consultancies” and “Certified Cyber Consultancy”. The new scheme was also covered in more depth by Ascentor in our post “CLAS Consultancy is dead – long live the CCSC scheme?”

For further information

If you have found this article interesting, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.

If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.

Written by: Editor
