22 Feb 2018
UK Businesses Rush to Comply with New European Data Protection Law
- Photo: With time ticking away, many UK businesses are still unaware of their GDPR obligations. (Shutterstock.com)
- Photo: Security: Now a board-level concern for many businesses. (Shutterstock.com)
- Photo: Cloud storage: Safer than keeping all your data on company premises, apparently. (Shutterstock.com)
With the long-mooted General Data Protection Regulation set to come into force as of May, many UK businesses are still struggling to ensure that all of their security and data-collection protocols will meet the prescribed standard in time.
One thing, above all, seemed to preoccupy exhibitors at the UK's inaugural Smarter Business Tech Live event – the looming enactment of the General Data Protection Regulation (GDPR). This particular tranche of EU legislation will come into force as of May this year, with UK companies obliged to comply with its requirements regardless of the Brexit process.
Essentially, these new requirements – which have been trundling their way through the labyrinthine EU legislative process since 2012 – will enforce a consistent standard of data security and access across Europe, with any non-EU business that retains data on EU citizens also obliged to comply. With 25 May marking the end of a two-year transition period, any business that fails to meet the incoming data security standards by that point could face fines of up to €20 million (US$35 million) or 4% of its worldwide turnover in the preceding financial year – whichever is the greater. Hence the preoccupation.
One of the many with clear views on the issue was Mark Ryan, Sales Director of Software Escrow Solutions (SES), a Cheshire-based specialist in safeguarding source-code access. Spelling out the key challenges of the new regulations, he said: "Essentially, it's all about how people use and collect data. If a company has a security breach, it'll now have to demonstrate that it did all it could to have prevented that breach.
"In the event of being hacked, companies will have to demonstrate that all of their applications have been regularly penetration-tested, with all of the required vulnerability assessments in place. In such a case, any fine would be minimal. If, however, nothing had been done, then far more extreme sanctions would apply.
"On top of that, GDPR will also have quite an impact on the way data is collected. Currently, when you fill in a form online, you might be asked to tick a box if you don't want to receive further information from that particular company or its affiliates. In the future, though, you will have to tick if you do want to receive information, as an individual's data cannot be collected without their assent."
Apart from offering insights into looming GDPR requirements, SES's daily business focuses on providing escrow services related to source-code security and accessibility to a range of international businesses. Among its current clients are Network Rail Infrastructure, the company responsible for maintaining the UK's rail tracks, and Arcadia, the company behind a number of British high street retail brands, including Dorothy Perkins and Top Man.
Outlining the changed environment the company now works in, Ryan said: "Security is a huge issue. While it always has been, previously people seemed to assume it was someone else's responsibility. Now, though, it's become a boardroom issue, with people being told what's got to be done.
"As we handle data on behalf of our customers, we ask the original software developers to encrypt it before it comes to us. That way, if there's ever a breach, we can't be held responsible as we have never had access to the data."
Another exhibitor with strong views on GDPR was Darren Kewley, a Director of Protos Networks, a Chester-based cybersecurity specialist. Assessing its impact on his own business, he said: "At the moment, our most in-demand service is a GDPR-readiness assessment. Typically requested by SMEs, we do an eight-hour site visit, looking at a company's whole set-up and offering a risk-based perspective on their data-protection requirements.
"Surprisingly, a lot of businesses seem to have been unaware of the bill. As the implementation date approaches and there is more and more publicity, we are getting more and more work. So much so that we have put our overseas expansion on hold as we will have more than enough work from the UK and Ireland alone to keep us busy for the next few years."
Apart from its GDPR-compliancy work, Protos was also looking to promote its cloud-based approach to data security at this year's event. Outlining the company's offering on this particular front, Kewley said: "We don't just provide firewalls and antivirus software, we are also a certification body for the government's Cyber Essentials scheme. This sees us working with businesses and certifying that they have reached a particular standard of cyber-hygiene."
One of the bigger companies attending the event was Worldpay, a London-based payment-processing business. Previously known as Streamline, the company was rechristened following its acquisition by Vantiv, the leading US debit- and credit-card processor. With an eye on the global markets, the combined operation is now trading solely under the Worldpay banner.
Outlining the reach of the business, Regional Business Manager Colin Gibbons said: "Basically, we're the biggest card-payment company in Europe and we will soon be the biggest in the world. We already manage one out of every two terminals in Europe.
"Given the pace at which card-processing services are developing, there's going to be a lot of change over the next couple of years. Retina screening and facial recognition are among the next big things, as is fingerprint recognition."
Among the retailers already working with Worldpay are Asda, Tesco, Morrisons, Sainsbury's, Boots, Argos and TK Maxx. At present, it is looking at expanding its operations within the SME sector.
Apart from card processing, data storage was another sector where a number of the world's major players – including California-headquartered Oracle – were well-represented. Explaining the company's presence, Michael Brown, an HR Systems Consultant for Oracle UK, said: "We're here exhibiting our cloud products, with a view to being more visible in the mid-market. Historically, we've been seen as a large organisation that works with other large organisations. Cloud technology has changed all that.
"From a digital perspective, all of our customers are going through the same process of transformation. Either they've done it, they're in the middle of it or they're thinking about it. It's this transformation, from traditional on-premises storage, that needs a lot of support, regardless of a company's size.
"Overall, security is the biggest concern of many of the companies going through this process. Actually, though, cloud-stored data is more secure than any stored in a company's own premises. From a hacker's perspective, it's a lot easier to hack an internal system than to hack the cloud."
Smarter Business Tech Live 2017 took place from 15-16 November at the Manchester Central Complex. The event welcomed 120 exhibitors and more than 1,800 attendees.
Catherine Jones, Special Correspondent, Manchester