The UK Government has published its new Data Protection Bill, which aims to overhaul UK data protection post-Brexit.

According to The Department for Culture, Media and Sport (DCMS), the Data Protection Bill is designed to make data protection law fit for the digital age, safeguard the future of UK data security and empower people to take control of their personal data.

What is the Data Protection Bill?

The Data Protection Bill (DPB) is new government legislation that implements manifesto commitments to update UK data protection law. The DPB, set to be enacted from March 2019, will provide a comprehensive, modernised framework for data protection after Britain leaves the European Union.

The GDPR, due to take effect from May 2018, is the governing piece of data protection legislation for all EU member states. However, this will no longer apply in the UK after Brexit, and will be replaced by the DPB. This means that organisations across the UK are faced with the need to comply with both the GDPR and DPB. The good news, however, is that the key requirements of the DPB mirror those outlined in the GDPR.

“In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”  British Culture Secretary, Karen Bradley.

What are the cyber security requirements of the Data Protection Bill?

The DPB states that it will enforce GDPR standards upon all organisations that process any form of personal data. This means that UK organisations will continue to need appropriate safeguards in place to protect personal information post-Brexit, and must develop a process for regularly testing the effectiveness of technical and organisational data security measures.

Additionally, organisations must have the ability to detect and investigate data breaches and report them to a relevant authority without undue delay, and where feasible within 72 hours. Companies and private sector bodies that fail to do so will be subjected to a fine of £17 million or 4% of turnover (whichever is higher) – a straight conversion of the GDPR’s proposed sanction.

While almost all requirements of the DPB reflect those of the GDPR, the DPB does outline some exemptions, many of which are carried over from the Data Protection Act (1998). These modifications protect organisations whose important functions would otherwise be hampered by data processing restrictions. Examples include national intelligence agencies, sporting anti-doping agencies, research institutions, journalists and organisations seeking to expose wrongdoing or fraud.

How to ensure your cyber security is ready for Data Protection Bill

In order to understand and help prepare for the GDPR and DPB, organisations should consider enlisting, as a first step, the help of an independent security expert, who can assist in conducting data readiness and data protection impact assessments.

Secondly, organisations should consider achieving recognised cyber security certification, such as the government-backed Cyber Essentials scheme, which demonstrates that suitable data security safeguards are in place.

Commissioning regular penetration testing, which helps to identify and assist in the remediation of threats, will also help to satisfy the requirement to have processes in place to evaluate cyber defences.

Finally, an effective way to approach the GDPR and DPB’s strict breach identification and reporting requirements is to develop a proactive network and endpoint monitoring capability. This allows organisations to detect and remediate threats in their infancy, helping to stop attackers in their tracks, mitigate cyber risk and swiftly form an understanding of any intrusion.