New EU Data Protection Regulations – What Can the Channel Do to be Ready?

At our second UK Channel Community meetup of the year, which took place in Birmingham on the 15th of June, a range of issues was discussed to provide our members with all the materials they need to be prepared for the challenges that lie ahead for the industry. One of the topics covered was the impending EU General Data Protection Regulations (GDPR), which Richard Nicholas, a Technology Lawyer at Browne Jacobson LLP, and Greg Shanks, Commercial Director at insurance broker Techdis Financial, covered in detail in one of our breakout sessions.

GDPR is a topic that is leaving businesses, both end users and suppliers, scratching their heads as to how it will affect them and what they need to do to be prepared once the law is implemented on the 25th of May 2018. Richard confirmed that the regulations will be affecting ISPs, saying that whereas previously it was only data controllers who were responsible for information, data processors now bear the burden of responsibility as well. This means service providers will have to ensure they are meeting GDPR standards, as they are processors of their clients’ data.

The new regulations are going to be like nothing we have seen before and a significant change from the current Data Protection Act that businesses must abide by. Richard pointed out the 10 main points that GDPR will cover:

  • Increased accountability
  • The need for certain businesses to hire a Data Protection Officer
  • Greater transparency of data
  • Clearer consent for individuals
  • Limitations on processing children’s data
  • New types of data will count as sensitive
  • Increased rights for individuals
  • Notification of breaches
  • Restrictions on data transfers
  • Greater liability

There may be some who think that with the upcoming referendum, if Britain chooses to leave the EU then they will not have to comply with the regulations. Richard was quick to dispel this myth, saying that because GDPR applies to individuals within the EU or the European Economic Area (EEA), companies outside these zones will still have to meet the standards if they want to continue using data from citizens in the area.

The next topic raised was insurance. Greg Shanks was on hand to describe how insurance policies could change once GDPR comes into effect. First, he stated that, as the regulations require every business that has had a data breach to report what has happened, there is going to be more of an emphasis on liability and who is to blame as more hacks come to light.

Greg went on to explain that there are currently two options with regard to insurance: Professional Indemnity Insurance, which does not cover many areas from a cyber perspective; and Cyber Liability Insurance, which is not currently of a high enough standard. Greg believes that there needs to be collaboration between the IT sector and the security industry to create clear, concise policies that can keep end users and suppliers safe.

It’s not all doom and gloom, however, said Richard and Greg, who shared their top tips for ISPs to make sure they are ready when the big day arrives.

  • Map what personal data you process and who for
  • Check your policies, contracts and notices
  • Develop an accountability framework
  • Determine if you need a Data Protection Officer
  • Plan for complying with individual rights
  • Review cross border flows
  • Plan for breaches

Finally, Richard said that the channel should treat GDPR not as a threat, but as an opportunity. Clients will be relying on their providers to help them meet regulations, which is a great opportunity to build on your relationships, all while creating new business with current and potential end users.
