The additional data security requirements within the GDPR may require businesses to reassess their own cyber security measures. The “10 Steps to Cyber Security”, published by the National Cyber Security Centre (NCSC), provides detailed guidance on how organisations can protect themselves from cyber security threats, and is a good starting point.
Businesses may also wish to adopt the Cyber Essentials assurance framework. Cyber Essentials helps protect your business against two of the most common attack routes: infection through users clicking on malicious e-mail attachments or website links (phishing), and the exploitation of known vulnerabilities in internet-connected servers and devices (hacking).
The assurance framework provides two levels of certification, giving your clients confidence that you have implemented basic cyber security controls. Cyber Essentials certification is based on a self-assessment questionnaire, verified by an independent Certification Body that evaluates whether the required standard has been adopted. Cyber Essentials Plus provides additional assurance through independent technical testing that the controls are actually in place and working, rather than relying on your own declaration.
The EU General Data Protection Regulation (GDPR) will apply from 25th May 2018, and its requirements are significant. Even if you currently comply with existing regulation, you may need to update your current policies, develop new ones, and ensure that these are properly documented. Key tasks to undertake NOW include:
Responsibility – Allocate responsibilities and resources to manage the changes.
Information – Conduct an information audit and document all the personal data that you hold, where it comes from and who you share it with.
Procedures and documentation – Review your current procedures and documentation to ensure you can adequately meet the enhanced rights of data subjects, update your privacy notices, and comply with new consent requirements.
Data security – Review and update your data security measures, including a breach management policy that documents all personal data breaches (whether or not they are reportable) and allows you to meet the GDPR’s requirement to notify the supervisory authority, where notification is required, without undue delay and within 72 hours of becoming aware of the breach. Consider the adoption of the Cyber Essentials scheme and its assurance framework.
High risk processing – Do you carry out high risk processing, for example processing sensitive (special category) personal data on a large scale? If so, consider how you will approach the requirement to carry out a data protection impact assessment (DPIA, often still referred to as a privacy impact assessment).
The requirements of the GDPR are extensive and meeting them by the deadline of 25th May 2018 may be onerous. If you haven’t already started to review and update your processes, procedures, and documentation, you should do so now. If you would like any assistance in preparing your compliance plans for GDPR, we have a health check programme against which you can test your progress and identify existing gaps that require further action. If you would like any further information, please contact Peter.Ennis@assureuk.co.uk or call 020 7112 8300. To read part one click here.