Paul, tell us a bit about your role at Nuix: what does your day-to-day routine look like?
As part of my role, I am the ambassador, spokesperson and leader for the Nuix team in this region. I work daily with the various regional teams including sales, marketing, technical and operations to ensure that we are all focused and aligned to grow a successful regional business.
One of the best parts of my role is meeting and speaking with our customers; I use my expertise in eDiscovery and Investigations to enable them to get the best from our technologies and solutions.
Once Britain has left the EU, will it still have to comply with the GDPR?
The results of Britain’s decision to leave the EU will take months or even years to play out. While that’s going on, many businesses in the UK are now asking if they need to continue working toward complying with the EU’s General Data Protection Regulation (GDPR).
The UK’s Information Commissioner’s Office said in a statement that the UK’s Data Protection Act “remained the law of the land irrespective of the referendum result” and that “if the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK.” However, the statement went on to stress that if the UK wants to trade with the single market on equal terms, UK data protection standards would have to be equivalent to the EU’s GDPR framework, starting from 2018.
So once the UK has left the EU, businesses will still need a similar framework in place. That’s why it’s important to continue to prepare for the standards set out in the GDPR and begin planning now to meet these standards.
What are the risks of UK companies stalling their GDPR compliance plans because of uncertainty around whether it will apply to them?
Because so many businesses in the UK operate across borders, our access to the EU single market will require us to match the data protection reforms laid out by GDPR. If we don’t, UK businesses could lose out in the growing digital economy.
In addition, data breaches can cause massive reputational and financial damage. Good information governance is the only way to minimise that damage. No referendum will change that.
What should UK companies be doing now to ready themselves for the regulation?
The new laws won’t be enforced until at least the first half of 2018. However, this is a relatively short time for businesses to understand the new requirements, evaluate existing security measures and practices, and become fully compliant.
Businesses should make privacy concerns part of the fabric of the organisation. Every relevant stakeholder needs to be involved from the outset. The key is to set out clear privacy policies in transparent and unambiguous language, which everyone in the organisation can access.
When deploying new products or implementing new processes, businesses should ensure that they establish secure privacy policies from the start.
The first step is understanding where your organisation stores its important data, especially private customer data. If you can say for certain that this data is only stored in a number of specific locations on your network, and you suffer a data breach, you only have a limited number of targets to start investigating that breach. The faster you can identify and fix a breach, the less it’s likely to cost.
The key principle is making sure the only people who can access high-risk data are those who need to for their day-to-day work. To achieve this, information security, information governance and records management specialists need to become ‘good shepherds’ of their data. They should know where all their sheep are, segregate them into separate fields, make sure the fences between fields are sound and regularly check to ensure the sheep are healthy. In this way, even if a wolf manages to get into one of the fields, most of the flock will be safe.
Information governance technology can locate data ‘in the wild’ and move that data to controlled, siloed repositories protected with encryption, access controls and retention rules. This technology can apply policies to ensure only authorised staff members have access to important information using devices appropriate for the type of data.
Businesses that store personal data must demonstrate legitimate grounds to retain it. The burden of proof lies with you to demonstrate that you have legitimate grounds to override the interests of data subjects. You also need to be prepared to respond to individuals who have unrealistic expectations of their rights. Implementing privacy by design can demonstrate compliance and create a competitive advantage for organisations.
How will the regulation affect how UK companies approach data?
Businesses must consider what data processing they undertake. They often assume that they need to obtain the consent of subjects to process their data. However, consent is just one of a number of different ways of legitimising processing activity.
It’s also not ideal because the subject can withdraw their consent.
If your business relies on obtaining consent, you should review whether or not your documents and forms of consent are adequate and check that consent is freely given and specific.
GDPR or no GDPR, should UK companies still pursue hiring a data protection officer?
The role of the Data Protection Officer is still critical to help businesses comply with GDPR or whatever equivalent regulations the UK ends up with.
This role needs to bridge the gap between technology and legal departments as well as human resources and public relations.
The person operating in this role will be necessary for bringing together the skills and knowledge that are needed to comply with the law and to implement policy, educate employees and manage IT processes, data security and any other issues concerning the possession and processing of personal and sensitive data.