While many of us would expect public sector institutions to be adept at keeping the data of citizens safe, the reality can often be quite different. Information reported by the ICO shows that UK healthcare organisations accounted for 43 per cent of all reported data security incidents in the last three years, while central and local government made up 11 per cent. Not figures to inspire confidence in our institutions’ ability to safeguard data.
What’s more, the ICO can only provide data on incidents that are reported, so the situation could be far worse. In fact, in 2016 the National Audit Office (NAO) found that the 17 largest government departments recorded 8,995 data breaches in 2014-15. Only 14 of those were reported to the ICO. But the requirements for reporting data breaches will soon drastically change, as will the penalties for failing to adequately secure that data.
Public sector organisations have a lack of awareness
The penalty for non-compliant companies – public sector or otherwise – could be enormous. In fact, failure to notify regulatory authorities within 72 hours of a data breach that puts sensitive information at risk could see organisations facing fines of up to four per cent of their annual turnover or €20m (whichever is higher).
Clients and service users also have an important role in all of this. Not only do organisations have to inform them of any risk posed to their data if a breach occurs (including the cause, impact and steps taken to mitigate the damage), but data subjects also have the right to bring suit against those that have compromised their sensitive information, with no limit on the amount of money that can be won through a successful claim – it’s a problem that’s potentially worth millions.
With reputation and financial stability under serious threat, you’d expect public sector bodies to be fully prepared for GDPR. Yet with under a year to go before the regulations are implemented, a third of public sector decision makers are not confident they will be ready, according to the Cloud Industry Forum (CIF).
What’s more, the research from CIF found that public sector professionals were among the least confident in their understanding of the new regulations. A concern, no doubt, for many. So, what do these organisations need to do to comply with GDPR?
Understand your data
Only when an organisation has established what data it holds and how sensitive it is, can it put the right measures in place to protect it. Key questions must be asked: where does this data reside? How is it shared? Is it protected at rest and in-transit?
Outsourcing is also a factor that organisations need to take into consideration, as the outsourcing of data is not the outsourcing of responsibility. Organisations remain the data owners, even when data is stored in the cloud, for example. As such, they need to have assurance that any hosting provider is fully certified and has the right procedures in place to protect that data to the level it requires.
Control and report
Data is at its most vulnerable at the point of being shared, and with the GDPR requiring organisations to respond to a breach within three days, it’s crucial that they can prove all the correct policies and systems were in place to mitigate the effect of a data breach incident. In fact, the GDPR favours the use of encryption so much that applying such protection can limit the scope for reporting a data breach and reduce a potential fine.
These checks fall into two categories: technical, and policy and procedural. The first is to ensure the right technologies are in place to stop an attack, including classification, Data Loss Prevention (DLP) and end-to-end encryption.
The second set of controls focuses more on staff engagement – in the form of e-learning tools and comprehensive staff training – and organisations that can prove they have made security part and parcel of staff members’ daily work routine, and have incentivised the practice, will fare better with regulators in the event of a breach.
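The questions in the sections above (where does the data reside, how is it shared, is it protected at rest and in transit) and the technical controls just listed (classification, DLP, encryption) translate into checks an organisation can actually run over its data inventory. The following is an added illustration, not code from the article or from Egress: a toy content classifier with three constructed detection patterns, an inventory record per data store, an assessment that flags the gaps a regulator would ask about, and the 72-hour notification deadline computed from the time of detection. The store names, locations and third parties are hypothetical sample values.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed detection patterns for a toy classifier. A real DLP product ships
# far richer rules and validation; these are enough to show the mechanism.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK National Insurance number: two letters, six digits, suffix letter A-D.
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    # NHS-number style identifier: ten digits, optionally grouped 3-3-4.
    "nhs_number": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
}

# Classification tier each detector maps to; health identifiers are special
# category data under the GDPR and therefore rank highest.
TIER_BY_CATEGORY = {
    "email": "PERSONAL",
    "uk_ni_number": "PERSONAL",
    "nhs_number": "SPECIAL_CATEGORY",
}
RANK = {"PUBLIC": 0, "PERSONAL": 1, "SPECIAL_CATEGORY": 2}


def classify(text: str) -> str:
    """Return the highest classification tier triggered by the text."""
    label = "PUBLIC"
    for category, pattern in PATTERNS.items():
        if pattern.search(text):
            candidate = TIER_BY_CATEGORY[category]
            if RANK[candidate] > RANK[label]:
                label = candidate
    return label


@dataclass
class DataStore:
    """One entry in the data inventory: where it lives and how it is protected."""
    name: str
    location: str            # e.g. "on-prem" or "cloud:hypothetical-host" (hypothetical)
    encrypted_at_rest: bool
    tls_in_transit: bool
    shared_with: list = field(default_factory=list)   # third parties receiving copies


def assess(store: DataStore, records: list) -> list:
    """Classify the store's sample records and flag protection and sharing gaps."""
    label = max((classify(r) for r in records), key=RANK.__getitem__, default="PUBLIC")
    findings = []
    if label == "PUBLIC":
        return findings                      # nothing personal held, nothing to flag
    if not store.encrypted_at_rest:
        findings.append(f"{store.name}: {label} data not encrypted at rest ({store.location})")
    if not store.tls_in_transit:
        findings.append(f"{store.name}: {label} data moves without TLS in transit")
    for party in store.shared_with:
        # Outsourcing is not outsourcing responsibility: each recipient needs assurance.
        findings.append(f"{store.name}: {label} data shared with {party}; obtain processor assurance")
    return findings


def notification_deadline(detected_at: datetime) -> datetime:
    """Latest time to notify the supervisory authority: 72 hours after awareness."""
    return detected_at + timedelta(hours=72)


if __name__ == "__main__":
    # Constructed sample inventory and records; none of these are real systems.
    referrals = DataStore("referrals-db", "cloud:hypothetical-host",
                          encrypted_at_rest=False, tls_in_transit=True,
                          shared_with=["hypothetical-processor"])
    sample = ["Patient 943 476 5919 admitted 03/02", "Contact: j.smith@example.org"]
    for finding in assess(referrals, sample):
        print(finding)
    print("Notify by:", notification_deadline(datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)))
```

The useful part is the shape rather than the patterns: every store in the inventory gets the same three questions answered in code, and the answer for any store holding personal or special category data is a concrete list of gaps to close before, not after, a breach starts the 72-hour clock.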
Future-proof your approach
Legislation will be paramount to how organisations operate for the foreseeable future and any approach must therefore have longevity. Technology evolves at a rapid pace, so any potential changes must be taken into account, and public sector organisations will need to prepare for these changes.
For example, a large number of organisations are transitioning to cloud-based platforms, such as Office 365, in the next two to five years. Those working in the cloud need to make sure the platform has adequate levels of integration, assurance and security in place for when the legislation eventually kicks in.
Is Brexit a ‘get out of jail free card’?
The GDPR will fundamentally change the process and approaches to data security for the majority of UK and European businesses – in both public and private sectors.
And those who think Brexit will soften the blow will unfortunately have to think again. Not only will the UK still officially be part of the EU when the GDPR comes into play next year (and therefore must conform), but any UK-based organisation handling EU citizens’ data will still be answerable to the legislation even after the UK exits the European Union.
On top of this, the ICO remains committed to holding up the highest possible standards for data protection and so, even if a new ruling is made post-Brexit, it is likely to mirror the EU GDPR. Everyone, including public sector organisations, must now prepare, otherwise data protection failures will have a more devastating impact than ever before.
Sourced by Tony Pepper, co-founder and CEO of Egress