Downloads: Free Remote Support: Click here  Remote Monitoring: Click here

           



Cyber Essentials Bull-IT-in No 2/2017


The new GENERAL DATA PROTECTION RULES (EU 2016/679) (GDPR)

Our first issue introduced Cyber Essentials. In this issue we summarise the current main proposals of the new GDPR rules and their reliance on Cyber Essentials. GDPR is the European initiative Created in response to global concern over ‘Cyber-Attacks’. UK's GCHQ has been main driver so UK are adopting regardless of Brexit.

Details were announced May 2016 becoming effective May 2018. The two year lead time being considered a necessary period for business to prepare. Recognises at long last the importance and need for secure IT systems and is the first real piece of legislation that takes this seriously and makes this a priority by setting a minimum standard.

SUMMARY OF MAIN REQUIREMENTS

As things currently stand it is proposed with certain specific exceptions only that ALL businesses or organisations (‘Registered Businesses’ for the purpose of this Bull-IT-in) holding personal data will be automatically enrolled and under the jurisdiction of the ICO.

Article 4 defines Personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly; in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

Registered businesses
Have an obligation to maintain a competent IT system that meets the minimum standards of security in order to keep personal data secure or face a fine up to the greater of 2% of global turnover or 10m Euros

The requirement to report ANY loss of data to ICO within 72 hours has been extended to all registered businesses. The ICO will then

-> require a full report assessing extent of the data lost and who is potentially affected
-> require the Registered business concerned to notify everyone individually whose data has been potentially compromised
-> have the power to carry out a full investigation into the circumstances
-> levy an appropriate fine up to the greater of 4% of global turnover or 20m euros
-> publish details of the circumstances action taken and fine levied on the publicly available 'name and shame' list detailed in our previous Bull-IT-in.

GDPR also includes the following changes from the current Data Protection Laws

-> increases the territorial scope
-> requires valid consent which might be valid today but not tomorrow
-> right to access information
-> more rules concerning data portability
-> requires the appointment of data protection officer and appropriate controls over and appointments for data controllers and processors
-> a more comprehensive penalty regime
-> and most importantly introduces the Individuals right to be forgotten under certain circumstances


INFORMATION COMMISSIONERS OFFICE (ICO)

-> Administrator of the current Data Protection Laws and is being given the responsibility for GDPR.
-> Has increased investigative and enforcement powers.
-> ICO will carry out random inspections to check for compliance. Failure to comply can result in fines of up to the greater of 2% of global turnover or 10m euros outlined above.
-> It also has the power to investigate any breaches and to determine the extent of the fine up to the greater of 4% of global turnover or 20m euros outlined above.
-> ICO is currently 80%. funded by H M Government but this is being withdrawn shortly so with ICO currently recruiting additional staff to cope with its additional responsibilities it must become more proactive with investigations to raise fines for non-compliance or breaches to cover its costs.


GDPR and CYBER ESSENTIALS

-> GCHQ has been one of the main contributors to GDPR and has created CYBER ESSENTIALS with this in mind as a practical security standard for the SME market. The more complicated and expensive ISO27001 remains the yardstick for most other organisations.
-> Any business Securing the Cyber Essentials certification will therefore demonstrate compliance with the requirement to ensure there is competent IT security systems in place under GDPR. This can only be obtained through certification bodies such as ITWiser.

HELP AVAILABLE

ITWiser is authorised through the Information Assurance for SME's consortium (IASME) for this purpose. IASME is also currently the only Accreditation Body to have an agreed process by GCHQ that can issue a 'GDPR ready certificate' that follows on from the Cyber Essentials certification. Contact us for more detail on both or either Cyber Essentials or GDPR ready certifications through any of the contact points below.


The Register