Cyber Essentials and GDPR

GDPR Readiness certificate

IASME offers a certification route to demonstrate that you have prepared for the introduction of GDPR.  This certification is available as a verified self-assessment or as an on-site audit.

If you pass this assessment you will receive a certificate and also a website / email badge to show you have passed the "GDPR ready" assessment as well as Cyber Essentials and IASME Governance which are all embedded in the one assessment.  You will be able to use these to demonstrate to you customers that you have put things in place to prepare for GDPR.  

About GDPR

The GDPR, or General Data Protection Regulations, are new EU regulations which will make the current Data Protection regulations much stronger.  The GDPR comes into force in May 2018 and, if breached, could result in a fine of up to 4% of global turnover.

See our regular blog on GDPR here

The regulations will still affect UK organisations despite Brexit.  The UK government and the Information Commissioners Office (ICO) have indicated that, even if they don’t continue with GDPR after Brexit, they will be looking for something equally as robust.  Similarly, if you are processing the information of EU nationals or trading across the EU, then you will need to abide by its regulations.

Every organisation processing personal data must carry out safeguards against loss, theft and unauthorised access.  Respect for privacy, security of data and awareness of breaches will be key.  There is a duty to report a breach within 72 hours.  If that breach is potentially of high privacy risk, then affected individuals should also be advised of the data breach. This is a significant change to the current Data Protection regime in the UK.

The definition of personal data has been extended and includes anything that could be used to identify an individual. This includes, for example, genetic data and even IP addresses. The GDPR will be more robust in its protection of data than anything we have previously seen and businesses will be more accountable.

More detailed information can be found on the Information Commissioners Office website 

So what should I do ?

Certification to Cyber Essentials is a great first step. It can already mitigate ICO fines if a company suffers a breach.  Cyber Essentials certification is evidence that you have carried out basic steps towards protecting your business and your data from internet based cyber attacks.

GDPR will require more than just the Cyber Essentials  basic technical controls. By certifying to the IASME governance standard including the specific GDPR questions, you show your organisation has a wider governance system for management of the controls protecting personal data. The IASME governance standard adds a number of topics to Cyber Essentials which will be required for GDPR compliance, such as assessing business risks, training staff, dealing with incidents and handling operational issues.

If you want to know more about Cyber Essentials and IASME Governance, including the GDPR specific assessment questions, and see how these standards can help support you then IASME has a UK network of Certification Bodies who can support you.  To find the one nearest to you, please follow this link.

You can download the full set of assessment questions, including the Cyber Essentials and GDPR specific questions here.  If you pass this assessment you will receive a certificate with a "GDPR Ready" badge which you can use to demonstrate to you customers that you have put things in place to prepare for GDPR.