With the Data Protection and Digital Information Bill currently being reviewed in Parliament, Netwrix vice-president of research and development Michael Paye explains how businesses can adequately prepare.
Parliament is considering a Data Protection and Digital Information Bill designed to update and simplify the UK’s data protection framework. In particular, the bill includes several changes to data and user tracking requirements for UK organisations.
UK businesses must now review their current internal data and security practices to comply with the legislation, or risk substantial reputational and financial consequences. They should keep in mind that while they are updating their controls and processes, they will be more vulnerable to cyber threats, since significant changes can expose or create weaknesses that attackers can exploit.
This article details several steps that organisations can take to ensure a smooth transition in meeting the new standards imposed by the bill.
Clearly define compliance roles
First, it is vital to assess the job roles associated with compliance throughout the organisation, including legal, IT, security and other business teams. The goal is to ensure that the responsibilities of each role are clearly defined and that they align with the criteria specified in the bill. This step will help the organisation implement a consistent and complete approach to new data processes across the business.
Prioritise changes to data processing and management
Although an organisation’s current data management practices may comply with GDPR standards, they may not satisfy the requirements of the new UK bill. Accordingly, organisations need to identify which data processing and management workflows are likely to be affected by the new regulation, and key stakeholders and senior-level management will need to prioritise adjustments to those processes.
Reviewing these processes offers an additional benefit, since it presents an opportunity to identify and mitigate any inefficiencies or vulnerabilities in them. A data discovery and classification solution can help organisations identify regulated data and ensure it is handled and secured appropriately.
Assess and revise compliance practices
Third, organisations should assess whether their existing compliance practices meet the new requirements. They should view this as a chance to assess their cyber security posture and close any gaps, improving security as well as compliance. After all, the risks of a data breach extend far beyond fines for compliance failures — a successful cyber attack or data breach can result in customer distrust, penalties from contractors and partners, revenue losses, payouts to threat actors and much more.
Prepare for questions from customers
Finally, businesses should also be prepared for customer queries about what to expect from the bill, and whether and how it will affect the organisation’s services. Consider establishing an official statement concerning the coming legislation as soon as possible and making it available to both internal employees and customers. Doing so will help ensure consistent messaging and communication across the business.
Enactment of the proposed Data Protection and Digital Information Bill should not be seen as a hindrance for UK organisations, but as a chance for them to improve the management and security of their critical data. By complying with the requirements of this bill, businesses can improve their data processes, get a faster return on investment (ROI) from a data discovery and classification solution, and help leadership make more informed long-term technology decisions.