GDPR – the end of the beginning…
Well, unlike some predicted, the sky did not actually fall in last Friday on 25th May when GDPR came into enforcement in UK law. But some significant changes did come into play that should not be ignored.
Some people (probably those buried up to their necks in sand) are sick and tired of GDPR by now and relieved that this is the end of it.
But is it the end? Or merely the beginning?
Over the past year or more we’ve been working with our range and breadth of customers to help them understand and act upon the implications of this new regulation and the steps they need to take.
There’s simply too much to cover all of the key aspects of GDPR in today’s post, but if you’re still completely lost you can find a raft of useful guidance on our news blog or on the Information Commissioner’s blog here.
You will know by now that GDPR relates to personal data (in terms of having and processing it). There are two key tenets as we see it that everyone must review and, where necessary, improve.
One of these is appropriate organisational measures that every business or organisation should take around the acquisition, processing and protection of personal data.
The second is appropriate technical measures that everyone should take to store, process and secure that same data. There are, naturally, several overlaps.
One of the key tools that any organisation can and should use to assess and improve those technical control measures is a Government Security Standard called Cyber Essentials. We’ve covered this a few times in our blog and over the past year our security consultants have aided many different types, sizes and shapes of company to use this standard to confirm their baseline technical security measures are thought-through and in place.
Cyber Essentials is a self-assessment or can also be objectively tested and reviewed by a third-party Certifying Body under the ‘upgrade’ called Cyber Essentials Plus. It focuses on some of the main doorways, weaknesses and access points that offer access to personal data on your systems and reviews whether and how you are keeping these closed or guarded using some security best-practice techniques.
You can find out more about the Cyber Essentials Security standard here.
It won’t make everything foolproof or bulletproof and it won’t ensure that hackers could never get in but it covers the key controls that every business of any size should have, and can afford to, put in place.
If you haven’t already done so, it’s a really good action point to tick off on your journey to complying (and maintaining compliance) with GDPR. Increasingly, many of the companies and organisations we’ve certified for Cyber Essentials and Plus are now compelled to certify because it’s a “must-have” for certain contracts, tenders and larger customers (or customers in their supply chain). And some are finding they can use it as a competitive edge over less professional, less diligent competitors who cannot readily demonstrate that they take data security quite so seriously.
Cyber Essentials is still only the beginning as it only covers the essential controls to prevent 80% of the more common threats and types of attack that are likely to result in a data breach. But do nothing, keep your head in the sand and the ICO is likely to be far less forgiving when investigating any causal reasons for a data breach than if you’ve made a proper start on improving how you handle, process and secure it. Certification costs from as little as £300 if you’re on top of security and ready to certify or a little more if you need some help to prepare.
May 25th was not the end but just the beginning. Cyber Essentials is also not a ‘silver bullet’ for GDPR compliance that achieves the end… but it is a beginning.
Find out more about the Cyber Essentials certification process or get in touch if you’d like to explore the options to get Cyber Essentials certification in place. It’s your next step to improving the way you treat personal data and one more step along your path to ongoing compliance with GDPR.
Contact us today on 0808 164 4142 to discuss Cyber Essentials and how it can help you with your GDPR preparation.