Beyond Brexit: Cyber Security and Data Protection
The modern Cassandra Complex – By Daniel Aldridge Senior Policy & Programmes Manager at BCS, The Chartered Institute for IT
- Published on March 12, 2021
I’m never one to shy away from a niche topic, especially one at the vanguard of politics and technology, so I was happy to speak at the Holyrood Connect event last week on cyber security and data protection post Brexit. Public Sector Cyber Security Northern Ireland Especially as increasingly I feel that we in the IT and digital communities are are suffering from a modern Cassandra complex where we know there are existential threats that need action, but its so often being put in the too-difficult box.
On the panel, I was joined by fellow BCS member, lawyer and Data Protection Consultant, Tara Taubman-Bassirian of Data Rainbow; Joseph Byrne, Privacy Solutions Engineer at OneTrust and the event chair, David Lee, formerly of The Scotsman.
I spent 6 years working in Scottish public policy and campaigns and I’m no stranger to Holyrood Connect as a force for good in addressing the critical digital issues of our times and its place as a strong voice for devolved administrations. Also, the Chartered Institute has sizeable active membership in Scotland, Northern Ireland and Wales and it’s been personal commitment of mine to drive greater engagement and collaboration across the UK’s rich tech landscape so the future of IT and digital technologies
The Chartered Institute is primarily a network of its people and over the past 12 months it’s been amazing how our members and the wider IT and digital communities have continued to make IT good for society whilst we all face huge and unprecedented threats.
IT workers really are the unsung heroes of the pandemic.
It’s important to note that in the context of rapid service and product delivery changes etc; organisations trying to keep people in jobs, diverting resources and skills on unprecedented scale, that we don’t have things like Schrems2, changes to international data transfer regulations and standard contractual clauses entirely front and centre of our organisations risk register!
But the problem for many of us working in this area is that so many of our organisations are caught up in this perfect storm without even the awareness they need legal advice and expertise, let alone having it in house.
A big bug bear for me and my colleagues is the absence of CIOs or equivalent at the highest levels of organisational decision making and risk management.
We hear often about an encouraging rise in the amount of boards with a dedicated person with responsibility for cyber and data security and protection; but in many situations, it does feel very much like when boards were encouraged to appoint a diversity champion, the person was often not appointed based on real knowledge or expertise and were asked to ‘take on’ the brief. In both cases, the board member often relies almost exclusively on the briefing of the IT team with much lost in translation and debate.
When we look at how many Boards include a CIO or equivalent, the picture is problematic, only 10 -20% of NHS organisations for example have a CIO or equivalent at the highest level of decision making and risk management[1].
However, the demand is there though for better, tech led decision making!
The past decade has seen a cottage industry grow up around supporting technologists to speak effectively with boards and decision makers; this is why we are so keen to drive professional standards and professional development across the IT world to drive up this capacity to support innovation and mitigate risk.
A new data regime ushered in by the UK’s Data Strategy will reiterate the need for effective data maintenance and governance while removing obstacles and impediments to innovation, an opportunity to basically clean up our digital processes and make them fit for a more dynamic digital infrastructure. Indeed the new information commissioner’s job specification[2] requires a drive to do just that.
This aside, despite the sabre rattling from both sides over the past few months, most of the signs indicate that the UK and EU want to cooperate on a number of key areas such as enforcement, cyber security, copyright infringement, IP, tech sovereignty and certain areas of competition. This may well mean that the ICO will turn its attention more meaningfully to scrutinising data governance procedures, while also calling out over-burdensome procedures.
Despite no clear public desire to needlessly interrupt trade, it’s unclear how long an adequacy agreement, if finally ratified by EU states, can be sustainable. As a third country, the UK will be susceptible to judicial review similar to Schrems 2 and outside the EU, we’ll be held to a higher standard.
To be competitive the UK needs to show it is dynamic and has a commercial edge over the EU in certain areas, data will be one of those areas; the political and legal challenges are however huge!
Make no mistake, privacy campaigners have the UK in their sights and will seek to make this the next battleground, so depending on where and how we plan to flex our independence on things like human rights legislation etc, there will be a need for preparatory action.
So what can we do…
- listen to and champion your IT and data protection people to help get our houses in order
- Continue to drive up professional standards and champion the mitigation of risk across the economy and civil society
- Raise the issues you care about with your elected officials, I don’t think there is enough literacy at national, devolved or local government level for us to reap the benefits, we should be aiming to thrive, not just survive
We’re all learning ‘on the job’ on this so let’s continue to have these conversations, mainstream the issues and make sure we’re ahead of the game.
[1] Networks issues open letter to get CCIOs and CIOs on NHS boards