GDPR – Much more than just 4 initials!
From now until its implementation in May 2018, The IASME Consortium will be running a series of articles around the General Data Protection Regulations (GDPR). Whilst businesses consistently face new legislation, this is arguably one of the most important and impactful laws for some time. The potential consequences of non-compliance are of such significance that this is certainly one topic that should be owned at a very senior level.
We are delighted that, for this series, we will be partnering with leading law firm Harrison Clark Rickerbys, who will help us all understand the legalities of the Regulations. Over the coming months we will be looking at the GDPR from a number of angles so as to help your business become GDPR ready.
We will also be inviting your GDPR related questions, the best of which we will include in coming blogs. Please email your questions to [email protected].
We kick start the series of monthly articles via a scene setting interview with Richard Morgan, Partner and Head of Litigation at Harrison Clark Rickerbys (HCR). More information on HCR can be found via www.hcrlaw.com.
IASME: What exactly are the General Data Protection Regulations?
RM: We’ll be looking at the regulations in more detail over the coming months. However, by way of the headlines, businesses should be aware that these regulations seek to strengthen data security and privacy whilst providing a consistent data protection framework across the EU. The initials GDPR are certainly ones we will hear more of as we progress throughout 2017 and into 2018.
IASME: With legislation for businesses filtering in constantly, why should businesses be particularly aware of this one?
RM: These regulations take account of a rapidly growing digital economy and consider that businesses operate and store data internationally on a greater scale than at any point in the past.
HCR have dealt with numerous recent cases involving data security breaches by unknown “hackers” leading to very significant financial losses, and can illustrate many of the challenges and pitfalls by reference to actual events.
The sanctions for non-compliance are far more stringent and significant than the current Data Protection Act requires. Should a business fail to comply, the potential consequences could be of a magnitude that the business may not recover! With director accountability, potential fines of up to 20 million Euros or 4% of global turnover and a requirement to report a breach, these regulations truly should be discussed in the Boardroom as it is the Boardroom that will feel the impact.
Directors also need to be aware of their potential personal liability for these issues to the companies they serve, by virtue of their statutory duties, and the important role of directors and officers insurance and legal expenses insurance.
IASME: With the Brexit vote, do we really need to be aware of EU legislation?
RM: The Information Commissioner's Office outlines that if you fall under the scope of the Data Protection Act, you will also fall under the scope of GDPR. Government has already declared that the UK’s decision to leave the EU will not affect the introduction of GDPR.
There may be questions as to how the regulations will apply post Brexit; however, all the signs from Government and the Information Commissioner's Office are that we will either continue to adopt the Regulations in their entirety or introduce an alternative that is equally as stringent. Either way, Brexit should not be used as an excuse and is unlikely to be a defensible circumstance.
IASME: We welcome Harrison Clark Rickerbys partnering with IASME for this series of blogs. What was it that interested you in this particular project?
RM: We have already outlined the importance of these Regulations. As the aim of GDPR is the security of data, enhanced privacy and greater information assurance, these all fall in line with the business certification schemes at the core of The IASME Consortium portfolio.
Under the current Data Protection regulations, should a company be unfortunate enough to experience a breach, the Cyber Essentials certification can leverage mitigating circumstances. The GDPR is a significant enhancement of the current regulations and it will be even more important for businesses to have the right safeguards in place to protect their digital information and assets.
The Cyber Essentials scheme is like any other business certification scheme in delivering good processes and best practice. The five technical pillars of Cyber Essentials are not difficult and they represent the very basics all businesses should be addressing as a very minimum. Cyber Essentials is a government approved business certification scheme and proven to prevent 80% of on-line born attacks. The very fact that it is an embedded pre-requisite in many Government and MoD contracts, and is often required throughout the supply chain, is a true endorsement of the effectiveness of the scheme for protecting sensitive and valuable data. It is additionally worth noting that Cyber Essentials is still required in many public sector contracts even if a company already has the Information Security Management Standard ISO27001.
IASME: What can we expect from these blogs over the coming months?
RM: The partnership between ourselves and The IASME Consortium is a natural combination for GDPR. We can provide the legal interpretation whereas IASME can deliver on the technical aspects.
Over the coming months we’ll be looking at areas such as preparing a business for GDPR, timelines, sources of advice, enforcement of the regulations and consequences of non-compliance. We’ll also be exploring the potential business opportunities, as the GDPR undoubtedly provides some.
IASME: So tell us a little about Harrison Clark Rickerbys and your experience of GDPR to date?
RM: Harrison Clark Rickerbys was formed through the merger of two long established law firms, Harrison Clark and Rickerbys. Both firms are listed as first tier in the prestigious legal directories Legal 500 and Chambers & Partners. Both are Lexcel accredited which is the Law Society’s rating for excellence in client care and practice management.
We have over 400 staff and have a considerable wealth of expertise with many staff drawing from previous careers in leading city firms in London, Birmingham and Bristol.
Harrison Clark Rickerbys have a keen interest across many sectors including Defence and Security. We have sponsored and organised the Defence and Security Expo which will be taking place on 01 Feb at the Courtyard Theatre in Hereford.
In terms of GDPR, we have a team of experts who have already provided invaluable advice to businesses. Our commercial lawyers deal constantly with data protection issues in relation to contracts and investigations by the Commissioner and Financial Conduct Authority, and our litigation teams have dealt with numerous cases of financial loss (up to £1 million in one case) arising from breaches of data security, ransom demands by hackers, claims against directors and insurers to recover losses, and search orders and injunctions to restrain use of unlawfully obtained commercial data.
Please note, this blog may contain guidance and information that is outdated.
On 24th January 2022, the Cyber Essentials technical requirements were updated in line with current cyber security threats. The self-assessment question set changed from version ‘Beacon’ to version ‘Evendine’. Blogs and articles published before that date may no longer accurately reflect the Cyber Essentials requirements.