Data Protection Management & the first steps to GDPR Compliance
Cyber Essentials & IASME
Cyber Essentials is a scheme designed by the Government to make it easier for you and your business to protect against cyber criminals and data breaches.
Cyber Essentials requires your organisation to have five technical controls in place:
- Boundary firewalls
- Secure configuration
- User Access control
- Malware protection
- Patch management
Cyber Essentials offers a certification process so you can demonstrate that you have taken the essential precautions. It provides evidence that you have carried out the basic steps towards protecting your business and your data from internet-based cyber-attacks.
Why get certified?
Certification against both the IASME governance standard and Cyber Essentials indicates a good level of all-round information security. This is particularly true if you also pass the GDPR assessment questions, showing that you have made efforts to ensure your company is ready for the introduction of the regulation. For small businesses, obtaining Cyber Essentials with IASME governance certification provides guidance and assurance, and shows your customers and suppliers that you take security seriously.
Where does GDPR fit in?
By certifying to the IASME governance standard, including the specific GDPR questions, you show that your organisation has a wider governance system for managing the controls that protect personal data. The IASME governance standard adds a number of topics to Cyber Essentials that will be required for GDPR compliance, such as assessing business risks, training staff, dealing with incidents and handling operational issues. The cost and effort of putting your company through GDPR compliance is negligible compared to the cost of a data breach.
GDPR is intended to strengthen and unify data protection for all individuals within the EU. Coming into effect on May 25, 2018, it is the most important change in data privacy and security regulation in 20 years and affects all businesses & organisations within the EU.
Some of its key points are:
- Increased fines. Fines can be up to 4% of global turnover or €20M, whichever is higher.
- Opt-in consent. Users must give clear, unambiguous consent for their data to be collected and processed, and you must have proof of how, why and when the consent was given.
- Breach notification. The ICO must be informed within 72 hours of any data loss and users informed “as soon as possible”.
The Cyber Essentials scheme is a big step towards being compliant with GDPR and will most likely put you ahead of competitors, many of whom will be dragging their heels. Organisations that also choose IASME compliance will, upon successful completion, be provided with a “GDPR Ready” badge to display.