Business Reporter

Goodbye GDPR, hello Data Protection and Digital Information Bill

The five-year anniversary of GDPR has just passed. Matt Cooper at Vanta explains why privacy regulations still pose a challenge to UK organisations and how businesses can navigate changing legal requirements

The UK’s Data Protection Act 2018 incorporated the EU’s GDPR into UK regulation. Its fifth anniversary in late May passed with far less media sensation than the fanfare around its introduction half a decade ago - a furore largely stemming from huge business stress. The successor to the Data Protection Act 1998 was sorely needed - but little understood.

GDPR set a global gold standard for data privacy. In the early days, the EU-US Privacy Shield afforded participating US companies “adequacy”, which allowed the free flow of personal data between the EU and the US. But following Schrems II and the invalidation of Privacy Shield as a transfer mechanism, international transfers to the US became a major problem.

Businesses of all sizes faced painful processes, because the regulations are not simple to comply with. Even large, sophisticated technology companies have faced problems complying with localisation requirements.

Over time, businesses gradually gained the understanding needed to shape their processes, and the days of non-stop consent emails thankfully ended. The fact that around 1,600 organisations had been fined a cumulative €3,987,143,873 as of May 2023 actually reflects regulators not seeking to punish organisations too aggressively over the past five years.

Perhaps partly due to this, there’s much less business conversation around compliance now. However, this silence still masks much business toil and pain in achieving and maintaining data privacy and protection standards.

Soon UK businesses will bid “farewell” to the Data Protection Act 2018, as the Data Protection & Digital Information (DPDI) Bill makes its way through parliament. With the next compliance milestone on our horizon, I explore below the trials of managing compliance, the benefits of automation and how best to prepare for DPDI.

Managing compliance will never be light-touch

Gaining, maintaining and proving compliance remains a challenge for organisations. No business attains compliance, and then remains compliant over time, without sustained focus and effort.

Everything - the business, customer data, technology, partners - evolves and, therefore, the organisation’s compliance program must continually evolve in tandem. Compliance is no ‘tick the box’ exercise, and the Data Protection and Digital Information Bill is set to shake up the process again.

Despite the Bill promising less paperwork, business customers who demand proof of security, privacy and compliance from their suppliers (in other words, who ask them to demonstrate trust) each have their own security requirements, questionnaires and timescales. Companies have traditionally had to produce this proof anew each time - a massive burden on smaller businesses.

Adding a new wrinkle, there is uncertainty as to how AI tools, such as generative models like ChatGPT, will affect both regulatory compliance and data security. Importing, processing and exporting data, for example through APIs, can offer great business efficiencies as well as new customer offerings.

But all that personal, financial, and business information must not be allowed to mix, be freely accessible, or leak. One potentially impactful change in the DPDI bill is the relaxation of requirements around the use of personal information for “research.”

I expect the interpretation and implementation of this provision by AI companies will be closely watched by regulators and may end up being one of the more controversial changes to the law.

Automation removes the sting

Security and compliance have, until recently, been highly manual. Workers tracked metrics on spreadsheets and, if the business was big enough, Governance, Risk and Compliance (GRC) professionals reviewed these to confirm that standards were being met.

Proving compliance involved submitting those spreadsheets along with dashboard screenshots, all of which was only point-in-time proof of compliance that went out of date immediately. There was, and is, a pervasive risk that organisations are performing ‘security theatre’ - getting just compliant enough, or going through surface-level actions that do not actually address their business risk.

This may be part of the reason for persistently high rates of business malware infection and data breaches.

Trust management platforms are a new technology category, growing alongside improvements in automation, that centralises, streamlines and automates everything from getting compliant and managing risk to demonstrating security.

Trust management software allows business users to cut out the tedious legwork of checking and gathering information from devices and dashboards to prove their security status to auditors or customers. It gives the business complete risk visibility by showing the holistic ‘chief information security officer’s view’ of both assets and systems.

This allows firms to address risks early and stay in compliance continuously as they look to make sales and propel growth. And while fast-growing firms are often very tech savvy, they cannot afford to pay for scarce IT talent to do mundane compliance tasks.

Software that continuously monitors the network and its activity - and sorts the data into a view of tracked progress towards various compliance standards - hits multiple targets: start-ups can take steps to reduce risk, work towards compliance and demonstrate their security when customers demand it, all without taking over-stretched employees away from meaningful work.

Preparing for new regimes

As the UK begins to consider the shift in its data regulatory regime, businesses must prepare accordingly. And for those that sell outside the UK, the requirements to comply with GDPR and other regulations will not go away; instead, they only grow as new privacy regulations are continually added around the globe.

Mitigating the rising costs of compliance with automation is one available time- and labour-saving method. Another, for data processors, might be a data localisation strategy. This is not a total solution, but it may simplify the sales process and help in proving compliance within jurisdictional boundaries such as the UK or the EU.

With start-ups, particularly in the technology sector, often looking to move quickly and exploit an opportunity to beat established companies, rapidly proving their trustworthiness in dealmaking is critical.

With the cloud democratising access to technology and IT skills, innovation and speed are standout markers of successful businesses. Part of that speed is demonstrating to customers that you are a reasonable, reliable, risk-managed business.

For those using the latest trust management automation, the details of the new DPDI bill won’t matter as much when they have the capability to near-instantly incorporate them into their trust management process. The same goes for any new regulations addressing the use of generative AI or related data.

Every connected business system and its data must be incorporated into a comprehensive framework that takes minimal business overhead to manage - especially given the increasingly complex nature of technologies that businesses rely on to compete in the modern digital economy.

Matt Cooper is Senior Manager, Privacy, Risk and Compliance at Vanta

Main image courtesy of iStockPhoto.com

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543