What you need to know about GDPR and Cyber Security

Business Insights
11/03/2020

Organisations in the modern world use data at the very core of their being. Without data and its associated processing, storage and reporting, there would be no business. As with all things in life, and especially in business, there are rules that need to be followed. What are these rules?


One set of rules to be observed is the General Data Protection Regulation (GDPR), which came into force in May 2018. This is just the latest piece of legislation covering data protection, and it builds on the Data Protection Act of 1998. The Data Protection Act is UK law and incorporates GDPR, but it also includes elements either not covered by the EU regulation or where the regulation leaves latitude to member states, for example immigration data and the age of children’s consent. In actual fact, it wasn’t a dramatic change. What generated all of the attention was the level of fines that could be applied: up to 4% of turnover.


GDPR applies to all processing of personal data, including business-to-business processing. It provides Data Subjects, the individuals whose data is being processed by another entity, with a number of rights. These include the provision of information about what is held, access to that data, rectification of errors, withdrawal of consent to continue processing, and the right to object. The key point to understand is that the data belongs to the Data Subject, not to the company processing it.


Under GDPR, a company needs to have a lawful basis for the processing of personal data. There are six lawful bases allowed: Consent, Contract, Legal Obligation, Vital Interests, Public Task and Legitimate Interests. Consent is the most difficult, as it may be withdrawn by the Data Subject at any time and records of the consent need to be maintained.


Prior to 25th May, many organisations made the mistake of requesting consent, often from individuals who didn’t even know that any data was held about them, and in most cases those individuals never responded with an affirmative consent. This significantly reduced the available data: only about 20% of individuals replied to the endless emails they were bombarded with in the lead-up to the GDPR deadline.


Legitimate Interests is a much safer option, although it can be challenged by the Data Subject. You need to show that how you use people’s data is proportionate, has a minimal privacy impact, and that the Data Subject would not be surprised by, or likely to object to, what you are doing.


Security is one of the GDPR principles, as it was of previous data protection rules. This means that you must process personal data securely by using ‘appropriate technical and organisational measures’. This leads on to the third element in the equation: Cyber Security.


First and foremost, Cyber Security is a form of protection against threats to the electronic equipment used by organisations and individuals. It is a defence against malicious attacks on hardware such as computers, servers, mobile devices, electronic systems and networks. It also includes protection for software, and for the data processed and stored on that hardware.


Cyber Security deploys technologies, processes and controls to protect against malicious (external) attacks, alongside education, awareness, and adequate policies and procedures. The aim of cyber security is to reduce the risk of cyber-attacks. Accreditation against standards such as ISO 27001 for risk management and Cyber Essentials will not only provide evidence of compliance but will prove to be a great advantage in winning business. Indeed, in the near future this will be a stipulated requirement in contracts.


ISO 27001 is a specification for an information security management system (ISMS) which is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.


Cyber Essentials is implemented to guard against the most common cyber threats and demonstrate your commitment to cyber security through a formal independent assessment and accreditation.


In order to be confident that you are complying with the requirements of GDPR, PECR and Cyber Security, there are a number of steps that can be taken. The first is to understand that compliance has two halves: the rules, and the operations against which those rules are set.


Understanding the rules can be outsourced to an expert, or training can be acquired. In terms of operational activity, having an effective and efficient information management regime is crucial. It also provides business benefits in terms of reduced costs and better processing, storage and dissemination mechanisms.


Need more help? Give Hayes Associates Ltd a call on 07834 039328, email thayes@hayesltd.com or visit the web site: https://www.hayesltd.com/