

GDPR Problems  Bull-IT-in No 3/2017


In this issue, we address the practical side of GDPR in its impact on businesses. This summary is based upon our first-hand experience to date in dealing with IT security and Cyber Essentials for clients. It is certainly not comprehensive but hopefully will serve as a good awareness guide and prompt an assessment of the action that you need to take.


-> GDPR writes a security standard for IT systems into the rules for the first time, so many existing systems need to be adapted. Systems with no security controls at present will need them introduced in order to comply with the standard.
-> Most operating systems have been designed around the functionality they were commissioned to provide, with security not a priority.
-> Adding security often comes at an additional cost that isn't seen as a justifiable extra.
-> Security is a specialised skill set that most software developers don't have, so it's not always considered.
-> Some older IT hardware and software solutions inherently can't meet the new security standards, forcing upgrades with associated costs and lead-times that need planning.
-> Few businesses have an IT security policy in place, which the new rules require.
-> The right to be forgotten is a new concept, and in almost every case current IT systems will be unable to identify the data to be removed.
-> Few businesses are yet aware of the impending legislation, and only a few of those that are seem to be taking it seriously and getting prepared.
-> A general lack of detailed IT knowledge within some SMEs is a barrier.
-> You remain responsible for any personal data passed on to others, for example when storing data in the 'Cloud'. Supply chain audits are therefore more frequently requiring details of the IT security in place.
-> GCHQ / HM Government are already mandating Cyber Essentials Plus as a minimum security standard for those businesses or organisations wishing to deal with certain government departments, and are putting pressure on other
          - government departments
          - local authorities
          - NHS
          - Health Trusts
          - Education
          - Academies
          - publicly funded organisations etc.
   to only grant contracts to third parties that comply with GDPR rules.


The following statements are those most frequently made when raising GDPR with businesses and other organisations affected. Hopefully our comments on each will be helpful.

-> "It doesn't apply to me"
If personal data is held or passed on to others, it does: every business or organisation automatically comes under the jurisdiction of the ICO and is caught by the new rules.

-> "I'll not get caught out"
This is a risky approach, as the ICO is able to inspect at random, and anyone could complain to the ICO at any time. You are also at higher risk of being attacked and exposed if your IT security falls short of the standard.

-> "I'll pay the fines, it's cheaper"
The cost of compliance will differ in every case, as it depends on the competence of existing systems and what is required to make them compliant. At 2-4% of global turnover, the fines are intended to be a disincentive to ignoring the rules.

-> "I have someone that looks after my IT who'll sort it out."
Most businesses do, but only a very small percentage of those tested are compliant, and an increasing number are being cyber attacked. Only a small number of IT companies can provide the necessary security standard certification, so we recommend you check that they can sort it out. As a user, you generally only know whether your IT system is doing what you require of it, so often you are not aware of the level of security built in.


Let's face it: most IT users are not technical and cannot physically see how IT works. So, if the system does what is needed of it, most people are happy and think nothing else is required. GDPR's standards mean changes are needed in most cases.

Whilst emails and documents may be created freely, it is important that when they are sent and stored they remain available only to those for whom they are intended. In their raw form, and without security to the required standard, sending an email is like posting a letter without an envelope, and storing a document is like leaving it on your desk in a building that's never locked. When it is your personal data, you have a right to be concerned, which is the reason GDPR exists.


ITWiser is authorised for this purpose through the Information Assurance for SMEs consortium (IASME). IASME is also currently the only Accreditation Body with a process agreed by GCHQ for issuing a 'GDPR ready certificate' that follows on from the Cyber Essentials certification. Contact us through any of the contact points for more detail on either or both of the Cyber Essentials and GDPR ready certifications.
