Thanks to Ciaran for those great remarks. You will not be surprised to hear that I fully endorse Ciaran’s points and my team at the Information Commissioner’s Office is working closely with the NCSC to ensure that everyone here receives the benefit of a joined up message from both of us.
It is a pleasure to be here today standing alongside the CBI and the National Cyber Security Centre to talk about what’s probably one of the most important issues affecting British businesses right now.
Cybersecurity is attracting more attention than ever—not just in headlines, but among policymakers, industry leaders, academics, and the public. Successful cyberattacks are becoming more frequent and threatening as adversaries become more determined, and more sophisticated.
Only last week we saw Equifax, a huge company and gatekeeper of personal data, hit by a cyberattack.
The recent WannaCry ransomware attacked more than 300,000 computers in 150 countries.
And Yahoo, in the midst of its sale to Verizon, reported that 1.5 billion user accounts had been stolen.
It is no wonder that cybersecurity raises important issues for personal privacy and the data protection tools we use to protect it.
Cyber security and data protection are inextricably linked
Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorized third parties. As a result, all modern data protection principles include an obligation to protect information and security has been recognized in every significant codification of data protection, including the EU General Data Protection Regulation and the Data Protection Act.
Sixty one percent of businesses in a 2017 survey said that they now hold customer data online.
But my concern is for UK citizens - who feel like they’ve lost control of their personal information.
New figures from our annual ICO survey show that only one fifth of the UK public report having trust and confidence in companies and organisations storing their personal information.
That’s 80 percent of potential customers that don’t trust private companies, businesses like yours, with their details. That shocks me and I suspect it shocks you.
As the UK’s data protection regulator it’s my job to protect the information rights of citizens and ensure that privacy works hand in hand with innovation in today’s evolving digital economy.
Innovation in the digital economy relies on the trust of consumers to generate the social license that companies need to break new frontiers with data. Growth built on a healthy foundation of trust is sustainable. Growth built on mistrust is vulnerable to the reputational damage of a data breach.
Cyber security and data protection are inextricably linked and both have been moving rapidly up the boardroom agenda.
Gone are the days where cyber security was an IT issue, where data protection was a backroom function.
In today’s interconnected world, privacy depends on cyber security.
The Government has pledged to make the UK one of the safest places to be online. In its Cyber Security Regulation and Incentives Review, Government looked at the UK’s laws around managing the growing threat of cyberattacks.
It came to the conclusion that the breach reporting requirements and penalties under the new law represent a significant call to action, which businesses can use to improve their resilience around cyber security.
And that’s where I come in, as the UK’s regulator of the new law.
The Government has announced that a new Data Protection Act will take the place of the 1998 legislation, bringing all processing of personal data into one coherent regime.
It will start making its way through Parliament tomorrow.
The introduction of the Data Protection Bill is welcome as it will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime.
I will be providing my own input as necessary during the legislative process.
I also think we need to be as close to Europe as possible with our laws. I have been advocating for a legal arrangement post Brexit that provides for uninterrupted data flows.
The Government’s data protection partnership position paper, announced last month, is a positive step but the legal arrangement to provide for essential equivalency is critical for companies, law enforcement and for individual data subjects.
The new Data Protection Act, including the GDPR, is a massive opportunity for cybersecurity and for everyone in this room.
What happens if you consider investments in cyber security and data protection as an investment in your customers?
Not only does it bring the issues into the boardroom but we believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.
It gives a different perspective to company executives’ concerns around our new enforcement powers.
While focusing on big fines makes for great headlines, thinking that GDPR is about crippling financial punishment misses the point.
GDPR is about enhanced rights for individuals.
ICO supports organisations
The ICO appreciates the challenges organisations are working under today because we face the same challenges.
Budgets are tight, technology is moving fast and there’s the race to keep up with competitors. But data protection law needn’t be onerous if you adopt privacy by design and sound cyber security at the outset of a project.
Don’t treat them as an afterthought. Don’t bolt them on.
The new data protection reforms can be summarised in three main areas - transparency, control and accountability.
The new law requires you to be transparent and tell people what you will do with their data.
You then have to stick to what you said.
Finally, and this is the strengthened part of the law, you should be prepared to account to the regulator and your customers for what you have done.
Businesses will need to be able to show reporting structures, risk assessments and mitigation measures, and who is responsible for what within the business, and these records need to be up to date, accurate and comprehensive. They need to be available for the ICO if an incident occurs.
We understand that there will be attempts to breach your systems. We fully accept that cyberattacks are a criminal act.
But we also believe you need to take steps to protect yourself against the criminals.
A huge number of data security incidents are not sophisticated attacks. Low-tech breaches are frustratingly common in our enforcement work, with many due to human error.
One relatively simple technique, an SQL injection, takes minutes, can be done by amateurs and can wreak havoc when a company hasn’t carried out sufficient and regular testing.
Good cyber security hygiene is as important for cyber security as it is for data protection: training and awareness for your organisation’s staff, protecting your networks with regular monitoring and testing, and robust incident management are all critical.
GDPR – data breach reporting
Some of you may have already noticed I’ve been blogging to bust some of the myths that have grown up around the GDPR.
My most recent blog was around data breach reporting.
I can tell you right now that businesses will not need to report every single personal data breach to the ICO.
It will, however, be mandatory to report a personal data breach under the GDPR, but only if it’s likely to result in a risk to people’s rights and freedoms.
Pan-European guidelines will assist organisations in determining the threshold for reporting, but all of you can start now to develop a sense of what constitutes a serious incident in the context of your data and your own customers.
You will also need to consider whether a breach triggers notice to affected individuals.
Another myth we’re looking to dispel is that the law is all about punishing organisations.
Personal data breach reporting has a strong public policy purpose. The law is designed to push companies and public bodies to step up their ability to detect and deter breaches.
The public need to have trust and confidence that a regulator is collecting and analysing information about breaches. It will help organisations get data protection right now and in the future.
What is absolutely clear is that cyber security and data protection go hand in hand. We’re committed to working with the NCSC and Government to provide more certainty, assurance, and guidance to businesses for cyber security legislation.
Look to the NCSC for guidance on dealing with cyber security management and then come to the ICO for issues around data protection. You’ll probably find that if you have robust cyber security measures you’re well on the way to securing your personal data.
I’d encourage you to use these new regulations as an opportunity to focus on data protection and data security. Ensure your board of directors understand the new obligations under the law and the need to invest in safeguards to build and retain customer trust.
Data protection law reforms are long overdue but now they are here, they will provide the best incentive for companies to get security right.