With EU-wide GDPR legislation being introduced in May 2018, it is worth considering how manifesto commitments in the current election may further impact data security policy over the next five years.
DATA SECURITY MANIFESTO PLEDGES SUMMARY
Neither Labour nor the Conservatives make direct reference to Cyber Essentials or to GDPR legislation in their manifestos. However, both do mention cyber security and, by extension, data security. The Liberal Democrats don't mention anything about data security from what I can find.
Labour has committed to “maintaining strong data protection rules to protect personal privacy”. No further information is given, and this commitment could well be fulfilled by the GDPR.
The Conservative manifesto commits to “make Britain the safest place in the world to be online”. The party has dedicated a substantial part of the manifesto to data security, with commitments that appear to go beyond GDPR and current data security legislation requirements.
DATA SECURITY LEGISLATION CHANGES
Much of this covers digital marketing, the responsibilities of social media platforms and those handling data for under-18s. This won't have a direct impact on most businesses. Digital media and marketing companies will certainly be affected by stronger rules regarding the gathering, processing, accessibility and deletion of data subjects' data. What form this will take, and whether data security will go beyond the implementation of GDPR, isn't discussed in Labour's manifesto.
The Conservative manifesto seems to indicate that it is committed to further legislation and stronger statutory controls. It pledges to form a Data Use and Ethics Commission that will provide a regulatory steering group. How this will work with the current ICO is not explained.
In addition, the National Data Guardian for Health and Social Care will be given statutory powers of enforcement. How far this extends, for example to anyone handling patient records, such as solicitors, remains to be seen.
DATA SECURITY BEYOND GDPR?
The most intriguing element is the Conservatives' commitment to bringing “forward a new data protection law”. Without detail, it is hard to draw too many conclusions; however, it would seem that, as well as GDPR, the UK will have its own set of legislation.
For organisations that have both EU and UK data subjects, this will inevitably require additional resources and compliance management. It would also seem logical that any UK legislation would closely mirror that of the GDPR, even though a Conservative Government may choose to repeal the GDPR for organisations with only UK data subjects.
Whichever party wins the General Election on June 8th, it is clear that data security is now very firmly on the political agenda. As a result, preparing and implementing data processes, policy and ongoing management now will prevent the inevitable rush for compliance expected next May.