CS Nov-Dec 2023
data privacy
Edward Machin, Ropes & Gray: it would be surprising if privacy interest groups in the UK don't mount their own challenge to the UK Extension.
Robin Röhm, Apheris: sees the deal between the US and UK as a positive step for companies working in both jurisdictions.
the UK GDPR contains a list of criteria the Secretary of State must consider when carrying out an adequacy assessment."
If the Secretary of State decides an adequate level of data protection is afforded, then that country, territory or international organisation, or a particular sector in a country or territory, can make regulations to give legal effect to their decision. These adequacy regulations allow UK organisations to transfer personal data to a controller or processor located in a third country or to an international organisation. The transfer must adhere to the particular scope of those regulations.
"For criminal offence data, there may be some risks, even where this is identified as sensitive, because, as far as we are aware, there are no equivalent protections to those set out in the UK's Rehabilitation of Offenders Act 1974," points out the ICO.
Significantly, the UK Extension does not contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing, which would produce legal effects or be similarly significant to an individual. "The UK Extension contains neither a substantially similar right to the UK GDPR's right to be forgotten nor an unconditional right to withdraw consent," states the ICO. "While the UK Extension gives individuals some control over their personal data, this is not as extensive as the control they have in relation to their personal data when it is in the UK."
POSITIVE STEP<br />
In response to the UK-US transatlantic data adequacy agreement, Robin Röhm, CEO and co-founder of Apheris, sees the deal between the US and UK as a positive step for companies working in both jurisdictions. "But it does not solve the long-term issues around governance, security and privacy that prevent true collaboration between organisations," he comments. "Data is one of business's most important assets, so why would businesses want to risk transferring sensitive information and data across borders? Developing better models to securely access and collaborate with sensitive data is the most appropriate and pressing response to the problem of working across organisational and geographical boundaries, particularly in the fields of machine learning and artificial intelligence."
Nadia Kadhim, GDPR lawyer and CEO of global automated compliance platform Naq Cyber, warns that the defence industry needs to do more to protect classified data, as the number of attacks on this sector has increased by nearly 50% with an average of 1,661 according to a global report by Check Point Research.
This increased risk has already led to growing demand for additional compliance measures from the defence industry to ensure their suppliers meet legal and regulatory compliance requirements such as Cyber Essentials, JOSCAR, DART, and MOD Risk Assessments, she states. "The number of cyberattacks within the defence sector is expected to keep rising. While it is crucial to ensure the MOD's systems are secured, it is also just as crucial to ensure defence suppliers have a strong cybersecurity posture or risk putting the entire defence supply chain in jeopardy.
"It's a pattern we see in other highly regulated sectors, such as healthcare, where attackers use suppliers to access valuable and sensitive information. To keep the UK defence sector safe, we must focus on suppliers and ensure they are meeting continuous compliance with the cybersecurity requirements set by the MOD and their primes."
computing security Nov/Dec 2023 @CSMagAndAwards www.computingsecurity.co.uk