UK Privacy and Security Policy in Flux
New data privacy and security regulations are on the way - something UK security professionals view with mixed feelings.
- The UK government is rewriting its data privacy law and security rules for the Internet of Things.
- UK companies are generally skeptical that new regulation means better security.
- Meanwhile, compliance risk surges amid regulatory uncertainty.
Cybersecurity and data privacy were part of the pomp and circumstance when the UK Parliament kicked off a new session in May. The Queen’s speech, which sets the legislative agenda for the coming year, promised a new Data Reform Bill addressing data privacy and a Product Security and Telecommunications Infrastructure Bill covering the Internet of Things (IoT). Both will be fleshed out and debated in the coming months alongside other security measures to implement the National Cyber Strategy, which was published in December.
The government’s initiatives come as three-quarters of UK security professionals expect their organizations to suffer a negative business impact from an email-borne cyberattack this year, according to Mimecast’s State of Email Security 2022 survey.
However, the survey also revealed that UK cybersecurity professionals have relatively little faith that regulatory measures such as minimum security standards will help. Fewer than a quarter of those surveyed said such a measure would significantly decrease the risk of cyberattacks impacting their organizations, and about a third said they would expect a moderate improvement. Most UK survey participants indicated that regulation would increase the cost of protecting their organizations while limiting their freedom to determine their own best course of action.
UK Privacy Regulation: A Moving Target
Details of the proposed Data Reform Bill are not yet available, though a government background document that accompanied the Queen’s speech indicated that the bill intends to reduce UK businesses’ compliance burden by “designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than ‘tick box’ exercises.”
The new law would replace the UK’s current Data Protection Act and General Data Protection Regulation (UK GDPR, modeled after the EU GDPR), which the backgrounder characterized as highly complex, prescriptive laws that create excessive paperwork. Under these current laws, companies are required to protect the personal information of customers, employees, and others from data breaches, as well as limit its collection, retention, use, and sharing. Individuals have the right to ask companies to correct or erase their information.
The government estimates that the new bill’s more flexible regulatory approach can achieve the same consumer privacy objectives while saving businesses more than £1 billion (US$1.25 billion) in compliance costs over 10 years, and another €27.8 billion (US$34.7 billion) a year in productivity and competition benefits. Yet some UK businesses worry that if the new law strays too far from the EU GDPR model, the need to comply with both UK and EU privacy regulations could actually make compliance more complex and costly for companies doing business across Europe.
Reregulating Security for IoT, Apps, and More
A draft of the Product Security and Telecommunications Infrastructure Bill, released late last year, would require manufacturers, importers, and distributors of smart devices to meet minimum security standards.
There were 1.5 billion attempted attacks on connectable products in the first half of last year, the government reported. “Personal data has been lost, and compromised devices have been used to launch attacks on businesses, governments, and critical infrastructure,” according to the backgrounder on the Queen’s speech. “This bill is a vital lever that will help protect these organizations from such attacks.” The UK National Cyber Security Centre published draft security principles for device manufacturers in May and said it will produce draft guidance for device users later this year.
Separately, under its National Cyber Strategy the Department for Digital, Culture, Media, and Sport (DCMS) began a public consultation in May on a voluntary code of security practices for app store operators and app developers. “A code would provide the government with an opportunity to mandate the requirements in the future should the risks arising from malicious and insecure apps not be mitigated through stakeholder action, or should the risk and threat landscape evolve such that this is necessary,” the department said in its call for feedback on the proposal.
Also in line with the national strategy, the DCMS recently released its Cyber Security Breaches Survey 2022, measuring the traction to date of existing government initiatives. The findings on a government-endorsed Cyber Essentials certification program, certifying companies that implement best practice in areas such as malware protection, revealed a low level of awareness and uptake.
Still, the survey found that cybersecurity is now a higher priority than ever among companies’ boards and senior management, 82% of whom rated cybersecurity as a fairly high to very high priority in 2022, compared with 77% in 2021. The underlying cause of their concern: almost four in 10 UK businesses experienced a cyberattack in 2021, usually involving email phishing.
Coping With Changing Cyber Regulation
Building a flexible framework is key to managing compliance amid various and shifting regulations such as data privacy rules, according to a Mimecast-sponsored report from Osterman Research. Otherwise, companies could incur high costs due to inflexible data privacy controls as regulations continue to evolve. Other recommended steps to prepare for changing data privacy rules include:
- Budget for the time and effort required. This would include catching up for companies not yet compliant with existing regulations.
- Broaden organizational participation in achieving compliance. “Every employee has a role to play,” according to Osterman.
- Deploy new solutions to improve compliance posture. Examples include data archiving and discovery capabilities.
- Reinforce protections against data breaches. Data cannot be private if it is not protected.
- Strengthen third-party protections. Partners and other outside organizations with access to your company’s data are increasingly a cause of data breaches.
- Train employees. This can reduce the likelihood of mistakes and deliberate data theft.
An overall cyber resilience strategy can improve compliance with various privacy and security regulations, as underscored in the State of Email Security report. Nearly a third of UK security professionals surveyed revealed that a lack of cyber preparedness had caused a negative impact on their regulatory compliance.
The Bottom Line
Cybersecurity and privacy regulations continue to evolve in the UK. As they do, the uncertainty is leaving companies with significant compliance risk. Read more about the risks companies face worldwide and the steps they are taking to mitigate them in Mimecast’s State of Email Security 2022 report.
“Laying the New Foundations for Enterprise Device Security,” UK National Cyber Security Centre