Session 2017-19
Data Protection Bill [HL]
Written Evidence submitted by ISACA (DPB42)
1 About ISACA
1.1 ISACA is an independent non-profit association serving more than 20,000 information and cyber-security, audit, risk and technology governance professionals throughout Europe, and more than 160,000 around the world. ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organisations.
1.2 ISACA have five active chapters in the UK with over 5,000 members and also have active relationships with a number of universities and companies across the country.
2 Summary
2.1 ISACA welcomes the Data Protection Bill. It is an important piece of legislation, meeting an essential need to update the UK’s data protection framework in advance of the General Data Protection Regulation (GDPR)’s implementation date of 25 May 2018. It will also ensure that the UK intelligence and law enforcement communities can use data appropriately in their work.
2.2 The GDPR puts privacy and data security at the heart of business strategy as "boardroom issues". This is to be welcomed – especially given that the Government’s recent "cyber health check" found that one in ten FTSE 350 companies said they operate without a response plan for a cyber incident (ten per cent) and less than a third of boards receive comprehensive cyber risk information (31 per cent). [1]
2.3 ISACA’s own global research paints an even more concerning picture. [2] Only 55% of organisations believe their leadership team and board are "doing everything they can" to safeguard digital assets and data. So this is not just a UK problem.
The GDPR imperative
2.4 Government and industry have an important role to play in ensuring that sufficient safeguards are in place to keep data secure. Whilst we believe the Information Commissioner’s Office (ICO) have made good progress in spreading awareness of the GDPR and Data Protection Bill, more needs to be done.
2.5 The Cyber Health Check and ISACA’s own research reinforce this. Whilst the Health Check demonstrated that nearly all firms (97%) were aware of the GDPR requirements, only 6% were fully prepared for it, with 71% admitting they were only "somewhat prepared." Just 13% said that the GDPR was regularly considered by their Board.
2.6 ISACA’s international research found that only 32% of organisations were satisfied with the progress they had made for the GDPR, with 40% taking a wait and see attitude.
2.7 Separate government research has found that charities are as susceptible to attacks as businesses. [3] They need to be as mindful as other organisations of the measures within the Data Protection Bill and GDPR.
2.8 There is also a common misconception that data stored in a cloud is the responsibility of the cloud provider. Originating companies remain responsible for ensuring that the cloud provider is taking the right actions.
2.9 Indeed, a number of organisations are likely to find implementation more of a struggle than others and ISACA remains concerned that many are behind the curve in taking appropriate action. Small businesses, charities and some public sector organisations are of note here; but it is also worrying that many larger companies still need to take decisive action. The message from government and the ICO needs to be that the GDPR and Data Protection Bill are coming soon – and that they are board-level responsibilities that cannot be left to CIOs.
3 Appropriate Response
3.1 Flowing from this, organisations need to ensure they have appropriate cyber-security systems in place and are taking adequate measures to safeguard the skills needed for implementation.
3.2 In ISACA’s view, the Government should be considering three things in particular.
3.2.1 Encouraging companies to audit their technology, organisational performance and readiness, to complement the audits the ICO can be expected to undertake.
3.2.2 Continuing to spread awareness of the requirements of the Data Protection Bill and GDPR across organisations of all types and sizes.
3.2.3 Ensuring the UK has an appropriate long-term skills pipeline.
3.3 In relation to the skills pipeline, the GDPR and Data Protection Bill will result in an increased demand for Data Protection Officers, who will be playing a more important role inside organisations. A 2016 study by the International Association of Privacy Professionals estimated that at least 28,000 Data Protection Officers will be needed internationally to meet the requirements of the GDPR.
3.4 Not only do companies need to invest significantly in data protection officers to meet the requirements of the GDPR; they also need to ensure that the individuals looking after that data are appropriately skilled, and that staff are highly familiar with both IT governance and cyber-security.
3.5 Global research from ISACA has shown that two thirds of chief executives of major corporations don’t have confidence in their workforces to deal with anything beyond the simplest data breach. [4] Clearly this needs to change, as does the amount of cyber-security and data security training budget allocated to employees at all levels of the organisation.
4 Recommendations
4.1 Within the Data Protection Bill, Government have clearly laid out the data protection and security standards that organisations are to meet to be fully compliant with the principles of GDPR and existing UK data protection laws.
4.2 Government should take this a step further and establish a certification process to validate and enshrine these standards in the training provided to organisations and personnel, thereby encouraging data protection skills development and adoption at a practical level.
4.3 Any certification process should be considered in collaboration with existing industry standards and training mechanisms and should recognise existing industry certifications where applicable.
March 2018