Published: 1 Nov 2018

Is GDPR alone going to shape the future of data protection, or do organisations need more structure to ensure compliance? Tom Martin-Ball investigates.

Let’s remind ourselves of the situation regarding data protection in the UK. Firstly, we have the General Data Protection Regulation (GDPR) – the EU regulation on data protection and privacy for all individuals within the European Union and the European Economic Area.

Secondly, there is the UK’s new Data Protection Act (DPA), a United Kingdom Act of Parliament that updates data protection law in the UK. GDPR stole the limelight, so this new legislation, which received Royal Assent in May 2018, hasn’t attracted as much attention.

At the moment the DPA and GDPR are very similar in application, but the main difference is that the DPA is UK legislation while GDPR is a European regulation. This difference means the DPA is subject to British case law, whereas GDPR is not.

You may be forgiven for thinking you’ve seen the requirements of both of these before under the guise of earlier legislation. It’s true that many of the requirements of GDPR and DPA are similar to previous data protection rules, but there is a big difference in approach. The regulators are a lot tougher. For a start, the fines are potentially massive – up to 4% of global turnover.

Should Uber ever face charges over the data breaches exposed in 2017, with a global turnover of $6.5 billion, this would amount to a fine of $260 million.

The number could be even more eye-watering if charges came up against Facebook – the company made a profit of US $4.26bn in 2017.

The lesson could be serious for small and medium-sized businesses that may not have the legal resources to fight any charges.

So, how does any business without an in-house team of lawyers and data protection specialists manage to understand a document that has 99 articles (rules) and 173 citations? How do you know what applies to you, and what do you need to do?

Thankfully, there may be a simpler solution to managing your data protection challenges, in the shape of a British Standard which has slipped under the radar.

BS 10012:2017 Personal Information Management System is a rewritten version of an earlier standard that is specifically designed around GDPR. Many of the clauses and requirements directly refer to the regulation.

It’s mercifully shorter than the GDPR regulation and, if you implement the system, you should be well on your way to providing your organisation with solid foundations in your quest to achieve GDPR (and DPA) compliance. There’s no guarantee, but right now, it’s the best system out there.

For those who already have ISO management systems (such as ISO 9001 or ISO 27001), the structure is familiar and can be integrated into existing systems thanks to Annex SL, which facilitates the integration of different management system standards. Naturally, the standard works particularly well with the ISO 27001 Information Security Management System.

It should be pointed out that GDPR does encourage some form of certification. Citation 77 states:

“Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications.”

What these approved certifications will be hasn’t yet been finalised, and national accreditation bodies like UKAS haven’t agreed their position with respect to BS 10012.

However, some organisations have already sought and obtained certificates for BS 10012. Certification body Alcumus ISOQAR has taken some clients through Stage One and Stage Two resulting in certification and will be carrying out first surveillances. The main motivation behind these organisations seeking certification was to assist with GDPR compliance.

While no standard (or certification) can guarantee you compliance with any regulation or law, BS 10012 does at least provide structure to an organisation. Also, if you find yourself under investigation, you can point to a systematic approach.

A caution or a small fine is a lot better than crippling costs. A management system also gives you a structure to put into place your recovery and improvement plans.

About the author: Tom Martin-Ball is Information Security Sector Scheme Manager at Alcumus ISOQAR.