CS Nov-Dec 2023

data privacy
Edward Machin, Ropes & Gray: it would
be surprising if privacy interest groups in
the UK don't mount their own challenge
to the UK Extension.
Robin Röhm, Apheris: sees the deal between
the US and UK as a positive step for
companies working in both jurisdictions.
the UK GDPR contains a list of criteria the
Secretary of State must consider when
carrying out an adequacy assessment."
If the Secretary of State decides an
adequate level of data protection is
afforded, then that country, territory or
international organisation, or a particular
sector in a country or territory, can make
regulations to give legal effect to their
decision. These adequacy regulations
allow UK organisations to transfer personal
data to a controller or processor located
in a third country or to an international
organisation. The transfer must adhere to
the particular scope of those regulations.
"For criminal offence data, there may be
some risks, even where this is identified as
sensitive, because, as far as we are aware,
there are no equivalent protections to
those set out in the UK's Rehabilitation of
Offenders Act 1974," points out the ICO."
Significantly, the UK Extension does not
contain a substantially similar right to the
UK GDPR in protecting individuals from
being subject to decisions based solely
on automated processing, which would
produce legal effects or be similarly
significant to an individual. "The UK
Extension contains neither a substantially
similar right to the UK GDPR's right to be
forgotten nor an unconditional right to
withdraw consent," states the ICO. "While
the UK Extension gives individuals some
control over their personal data, this is
not as extensive as the control they have
in relation to their personal data when
it is in the UK."
POSITIVE STEP
In response to the UK-US transatlantic
data adequacy agreement, Robin Röhm,
CEO and co-founder of Apheris, sees the
deal between the US and UK as a positive
step for companies working in both
jurisdictions. "But it does not solve the
long-term issues around governance,
security and privacy that prevents true
collaboration between organisations,"
he comments. "Data is one of business's
most important assets, so why would
businesses want to risk transferring
sensitive information and data across
borders? Developing better models to
securely access and collaborate with
sensitive data is the most appropriate
and pressing response to the problem
of working across organisational and
geographical boundaries, particularly in
the fields of machine learning and artificial
intelligence."
Nadia Kadhim, GDPR lawyer and CEO
of global automated compliance platform
Naq Cyber, warns that the defence
industry needs to do more to protect
classified data, as the number of attacks
on this sector has increased by nearly 50%
with an average of 1,661 according to a
global report by Check Point Research.
This increased risk has already led to
growing demand for additional
compliance measures from the defence
industry to ensure their suppliers meet
legal and regulatory compliance
requirements such as Cyber Essentials,
JOSCAR, DART, and MOD Risk Assessments,
she states. "The number of cyberattacks
within the defence sector is
expected to keep rising. While it is crucial
to ensure the MOD's systems are secured,
it is also just as crucial to ensure defence
suppliers have a strong cybersecurity
posture or risk putting the entire defence
supply chain in jeopardy.
"It's a pattern we see in other highly
regulated sectors, such as healthcare,
where attackers use suppliers to access
valuable and sensitive information. To
keep the UK defence sector safe, we must
focus on suppliers and ensure they are
meeting continuous compliance with the
cybersecurity requirements set by the
MOD and their primes."
34
computing security Nov/Dec 2023 @CSMagAndAwards www.computingsecurity.co.uk