Cyber Essentials and GDPR
The GDPR, or General Data Protection Regulation, is a new EU regulation that makes the current Data Protection rules much stronger. The GDPR comes into force in May 2018 and, if breached, could result in a fine of up to 4% of global turnover.
The regulation will still affect UK organisations despite Brexit. The UK government and the Information Commissioner's Office (ICO) have indicated that, even if they don't continue with GDPR after Brexit, they will be looking for something equally robust. Similarly, if you are processing the information of EU nationals or trading across the EU, then you will need to abide by its requirements.
Every organisation processing personal data must put safeguards in place against loss, theft and unauthorised access. Respect for privacy, security of data and awareness of breaches will be key. There is a duty to report a breach within 72 hours. If that breach poses a high privacy risk, then affected individuals should also be advised of the data breach. This is a significant change to the current Data Protection regime in the UK.
The definition of personal data has been extended and includes anything that could be used to identify an individual. This includes, for example, genetic data and even IP addresses. The GDPR will be more robust in its protection of data than anything we have previously seen and businesses will be more accountable.
More detailed information can be found on the Information Commissioner's Office website.
So what should I do?
Certification to Cyber Essentials is a great first step. It can already mitigate ICO fines if a company suffers a breach. Cyber Essentials certification is evidence that you have carried out basic steps towards protecting your business and your data from internet-based cyber attacks.
GDPR will require more than just the Cyber Essentials basic technical controls. By certifying to the IASME governance standard as well, you show that your organisation has a wider governance system for managing the controls that protect personal data. The IASME governance standard adds a number of topics to Cyber Essentials which will really help with GDPR compliance, such as assessing business risks, training staff, dealing with incidents and handling operational issues.
You can see an overview of GDPR requirements, Cyber Essentials and IASME governance at the Terabyte blog here.
If you want to know more about Cyber Essentials and IASME Governance, and to see how these standards can help support you, IASME has a UK network of Certification Bodies who can assist. To find the one nearest to you, please follow this link.