GDPR four months in – what has changed?
More than four months have passed since the European Union began enforcing its General Data Protection Regulation (GDPR). But nearly one-fifth of organizations aren't confident they could pass their first GDPR audit, according to a recent survey from cybersecurity company Imperva.
Compliance continues to be a point of concern, especially with the recent fine from the UK Information Commissioner's Office (ICO) on health insurance company Bupa for £175,000 over “systemic data protection failures," after a rogue employee extracted data of more than half a million customers and put it up for sale on the dark web.
Although the incident happened before GDPR came into force and was under the UK Data Protection Act 1998, it once again raised the question: What would have happened if that wasn't the case, as ICO now has the power to issue fines of up to €20m or four percent of a firm’s global turnover for the previous year (whichever is greater) under GDPR?
“You have to remember why GDPR caught so many headlines initially,” said Saif Abed, European Commission cybersecurity expert and founder of health IT consultancy firm AbedGraham. “If you take a step back and look outside of healthcare, a big part of it was around the scope of the fines, how large they could potentially be and also the range of expectations involved in terms of consent around people’s data, how it’s being used, what happens if it’s misused.
“Now, if you apply that to healthcare, I would suggest that healthcare organisations have been relatively proactive in trying to address what is their scope of responsibility and what should be their approach to becoming compliant to GDPR. Would I suggest that every organisation is perfectly compliant? Well, I think that would be extremely unlikely and unfair to expect that."
In April, the NHS IT agency introduced a new online self-assessment tool – the Data Security and Protection Toolkit. It allows organisations with access to NHS patient data and systems to measure their performance against the National Data Guardian’s 10 data security standards, including a tool that providers can use to report a notifiable personal data breach within 72 hours of discovery, as required under GDPR.
NHS Digital released data last week that indicated more than 9,600 organisations across health and social care have started using the new toolkit, with 272 organisations completing and publishing their self-assessment.
“What’s really important about this is that it’s aligned with the Caldicott [National Data Guardian] standards, and that is much bigger than data confidentiality, it is a lot more contextualised, it’s a lot more relevant, it’s based on reporting and reviews, security and information governance practice within the system over many years,” Abed said, emphasinsing that the most important focus is ensuring people are aware of how their data is being gathered, used and shared.
“I think that’s actually the most important part of GDPR: It’s the sheer level of transparency creation that it is aiming to generate,” he added.
Meanwhile, a recent ICO survey found that although 90 percent of people in the UK were aware of GDPR, nearly 30 percent said they “had heard but did not know anything” else about it.
"GDPR needs to be made relatable for each industry that it is a relevant targeted to. Information awareness campaigns that are easier to digest could be very important," Abed said. "I don’t know how many people have fully read GDPR, if you have, it is a sizeable document, and I would suggest that most people did not read it."
These campaigns have to come not only from the ICO and central government, he argued, but also from leadership at individual organisation level: “It’s a leadership and communication challenge, but it needs to manifest from the local level all the way up to national regulatory body level.”
But it’s not all doom and gloom. The regulator’s analysis indicated people were most likely to have confidence in the NHS or their local GP when looking at the storage and use of personal data, although Information Commissioner Elizabeth Denham said there was still “a long way to go."
“Personal data has become the currency by which society does business, but advances in technology should not mean organisations racing ahead of people’s rights. Individuals should be the ones in control and organisations must demonstrate their accountability to the public,” Denham added at the time.
Last month, the ICO announced that it was awarded a £537,000 grant from the Department of Business, Energy and Industrial Strategy to set up a Regulators’ Business and Privacy Innovation Hub to provide data privacy expertise to other regulators. Meanwhile, a consultation on the role and objectives of the UK’s Centre for Data Ethics and Innovation ended last month, launched to identify the measures needed to strengthen the way AI and data are currently “used and regulated.” In June, Roger Taylor was announced as the chair of the new centre.
Focus on Cybersecurity
In October, we take a deep dive into security strategy and pressing threats.