How Can Identity-Powered Zero Trust Support Data Privacy Compliance in the UK?

In a complex, post-Brexit regulatory environment, this blog explores how an Identity-powered approach to Zero Trust can help UK organisations stay on top of data privacy compliance.

When the General Data Protection Regulation (GDPR) first came into force across the E.U., it was widely heralded as the world’s strongest set of consumer privacy and data protection rules. Within a few years, the GDPR had inspired a bevy of “copycat” regulations around the world, including the California Consumer Privacy Act in the U.S. and China’s Personal Information Protection Law (PIPL), which threatens hefty fines for violators that do business in China.

The GDPR applies to organisations established in E.U. member states, and to organisations anywhere that offer goods or services to, or monitor the behaviour of, individuals in the E.U., which meant that it applied directly to U.K. companies while the U.K. was a member state. On December 31, 2020, however, when the Brexit transition period ended and the U.K.’s departure from the E.U. was complete, British organisations were no longer directly subject to the E.U. GDPR. Nonetheless, the shadow of this landmark piece of legislation continues to loom large over the data privacy and security landscape.

While the specific tenets and provisions of U.K. data privacy law may evolve, popular awareness of the importance of consumer data protection — and digital trust — is much greater than it was before the advent of the GDPR. As a result, brands that want to win and retain the loyalty of their customers must continue to invest in building digital experiences that are consistent, reliable and trustworthy. Identity continues to be at the heart of digital trust, and the market will almost certainly reward companies that provide consumers with seamless, frictionless and highly secure online experiences.

The More Things Change, The More They Stay the Same…

Although U.K. companies are no longer directly required to comply with the E.U.’s data protection regulation, they’re now subject to a homegrown version of the law. Known as the United Kingdom General Data Protection Regulation (UK-GDPR), the new regulation took effect on January 1, 2021, the day after the transition period ended. It is enforced in tandem with the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) to govern all processing of personal data belonging to individuals located within the United Kingdom.

In its current form, the UK-GDPR is nearly identical to the E.U.’s GDPR. There’s reason to think that this might change, though. Following Brexit, the government announced its intention to revise the regulation to promote business growth and innovation by making compliance less burdensome. Proposed amendments include switching to an opt-out model for online tracking (in place of the current requirement to obtain consent before placing non-essential cookies, such as third-party tracking cookies) and simplifying the rules around the use of data for scientific research purposes. The proposed changes have ignited intense debate, with proponents suggesting that the revision will make the law simpler, clearer and easier for businesses to comply with. More than 30 civil society organisations, however, including the Open Rights Group, have voiced opposition to the bill, arguing that it doesn’t go far enough to protect citizens’ privacy rights. A final version of the bill has not yet been introduced into Parliament.

Regardless of the specifics of any upcoming changes to the UK-GDPR, U.K. companies doing business in Europe, or offering digital services to European users, will still need to conform to the original European GDPR. In June 2021, the E.U. adopted an adequacy decision for the U.K., essentially determining that the UK-GDPR’s protections are equivalent to those provided by the GDPR, so that personal data can flow from the E.U. to the U.K. without additional safeguards. Unusually, this adequacy decision contains a sunset clause: it expires after four years unless renewed, and it may not be renewed in 2025 if the European Commission feels that the revised U.K. rules are too lenient.

What does all of this mean for organisations in the U.K.?

Earning and Retaining Digital Trust Still Matters

The GDPR is a powerful regulation because of its stringency and specificity, but it’s also important because its enactment has greatly increased the public’s awareness of data privacy issues. Within Europe and the U.K., most citizens are familiar with the GDPR and recognise its significance. More than four out of five U.K. respondents to a recent survey said that they had heard of the regulation, and nearly half strive to read the terms and conditions whenever using online services. In addition, a clear majority of participants in a survey we recently conducted voiced active support for data protection regulations.

We cannot predict what the final version of the UK-GDPR will look like. Nor can we say with confidence that the European Commission’s adequacy decision is likely to be renewed in 2025. Given these realities, security and compliance stakeholders must continue to navigate significant uncertainties.

However, it’s still possible to find clear-cut guidance. Regardless of future regulatory decisions, individual businesses will need to assess their risks and risk appetites. Protecting customer data will remain synonymous with protecting brand reputation, and adhering to industry-standard best practices (such as implementing multi-factor authentication (MFA) to safeguard accounts) will continue to enable companies to earn their customers’ trust.

The U.K.’s National Cyber Security Centre (NCSC), for instance, publishes advice and detailed guidance on securing modern enterprises and cloud-first architectures. It advises that organisations move towards Zero Trust adoption, particularly as remote work becomes more prevalent and cloud adoption grows. Adherence to these guidelines is, of course, not mandatory in the way that UK-GDPR compliance is. Nonetheless, they represent a set of best practices that establish a solid foundation for protecting user accounts and information resources, no matter what regulatory changes are to come.

Identity Remains the Foundation for Zero Trust

As is the case in other internationally recognised Zero Trust architectural frameworks (including NIST Special Publication 800-207, published by the National Institute of Standards and Technology in the U.S.), understanding and managing user and device identities and behaviours is central to the NCSC’s recommended approach to Zero Trust.

In particular, organisations are advised to:

  • authenticate and authorise everywhere. When authentication and authorisation decisions are contextual and risk-aware, they can incorporate multiple signals such as device location, device health and user behaviour to evaluate the risk associated with every individual access request. This protects sensitive user and customer data against unauthorised access and theft.
  • focus monitoring on users, devices and services. In a Zero Trust architecture, monitoring strategies should shift away from a focus on the network to instead establish and verify the health of devices, services and user behaviours. This enables consistent enforcement of policies you have established to protect your organisation’s information assets.
  • choose services that were purpose-designed for Zero Trust. Those that were not built to support Zero Trust may require additional resources to integrate and more support overhead. 
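To make the first two principles concrete, here is an added example (not Okta’s code and not taken from the NCSC guidance) of a per-request, risk-aware access decision. It combines the kinds of signals named above (device health, location relative to the user’s history, and a behavioural signal) into a score, turns that score into allow / step-up-MFA / deny, and emits an audit record keyed on the user, device and service rather than on a network location. The signal names, weights, thresholds and the resource sensitivity labels are assumptions chosen for illustration, not a published policy.

```python
"""Risk-aware access decision evaluated on every request (added example).

Signal names, weights and thresholds below are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"  # allow only after a stronger factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    resource: str
    sensitivity: str               # assumed resource label: "low" or "high"
    device_managed: bool           # device enrolled in the organisation's MDM
    device_compliant: bool         # e.g. disk encrypted, patched, screen lock on
    country: str                   # country derived from the request's source IP
    usual_countries: frozenset     # countries this user has signed in from before
    mfa_verified: bool             # a strong factor was already presented this session
    failed_logins_last_hour: int   # behavioural signal from the IdP's event stream


def risk_score(req: AccessRequest) -> int:
    """Additive score from independent signals; weights are assumptions."""
    score = 0
    if not req.device_managed:
        score += 30
    if not req.device_compliant:
        score += 30
    if req.country not in req.usual_countries:
        score += 20
    if req.failed_logins_last_hour >= 5:
        score += 40
    return score


def decide(req: AccessRequest) -> tuple[Decision, str]:
    """Return (decision, reason). No decision is cached across requests."""
    score = risk_score(req)
    # Hard stop first: high-sensitivity data is never served to a device whose
    # health cannot be attested, regardless of how the other signals look.
    if req.sensitivity == "high" and not (req.device_managed and req.device_compliant):
        return Decision.DENY, "high-sensitivity resource requires a managed, compliant device"
    if score >= 70:
        return Decision.DENY, f"risk score {score} at or above deny threshold"
    # Elevated risk, or any access to high-sensitivity data, needs a strong factor.
    if score >= 20 or req.sensitivity == "high":
        if req.mfa_verified:
            return Decision.ALLOW, f"risk score {score}; strong factor already verified"
        return Decision.STEP_UP, f"risk score {score}; strong factor required"
    return Decision.ALLOW, f"risk score {score}; low risk"


def audit_record(req: AccessRequest, decision: Decision, reason: str) -> dict:
    """Monitoring record centred on user, device and service, not on the network."""
    return {
        "user": req.user,
        "device_id": req.device_id,
        "device_managed": req.device_managed,
        "device_compliant": req.device_compliant,
        "service": req.resource,
        "country": req.country,
        "risk_score": risk_score(req),
        "decision": decision.value,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed sample request: managed, compliant laptop seen in a new country
    # after several failed logins, asking for a low-sensitivity resource.
    sample = AccessRequest(
        user="alice@example.test", device_id="laptop-0042", resource="crm",
        sensitivity="low", device_managed=True, device_compliant=True,
        country="ES", usual_countries=frozenset({"GB"}),
        mfa_verified=False, failed_logins_last_hour=5,
    )
    d, why = decide(sample)
    print(audit_record(sample, d, why))
```

Two design points are worth noting. The device-health check is applied as a hard stop before the score is consulted, so a favourable location or clean login history can never compensate for an unattested device when the data is sensitive. And because the decision is recomputed on every request, a change in any signal (a device falling out of compliance mid-session, a burst of failed logins) takes effect on the next request rather than at the next login.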

The globalisation of digital business models will only accelerate as we move into the future. While regulatory requirements may become more complex, adhering to internationally accepted standards and best practices will always set a solid foundation upon which to build a compliance programme.

Okta has demonstrated its commitment to digital trust and data privacy compliance by adhering to the EU Cloud Code of Conduct.

For more information on how Zero Trust adoption is transforming industries and security worldwide, read our latest State of Zero Trust Report.

To discover how you can start your Zero Trust journey with Identity, read our eBook.