We recently discussed the changing threat landscape and the need for all organisations to adopt a cyber resilience approach. This is essentially the combination of cyber security measures to prevent data breaches and business continuity measures to respond quickly when incidents can’t be stopped.
The main benefit of cyber resilience is that it enables your organisation to address its security concerns as effectively as possible. You are allocating plenty of resources to breach prevention but aren’t taking an all-or-nothing approach.
But that’s not the only reason to adopt it. Cyber resilience is referred to broadly throughout the GDPR (General Data Protection Regulation), meaning its framework will help you achieve compliance, protect your customers and prevent disciplinary action.
What the GDPR says
The GDPR requires data controllers and processors to implement “appropriate technical and organisational measures” to secure personal data, including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.
In this context, resilience refers to an organisation’s ability to continue operating during a disruption and its ability to restore its systems to an effective state.
You are expected to resolve the issue and return to business as usual in a “timely manner”. This is deliberately vague because a reasonable length of time for recovery will depend on the circumstances of the incident.
What you consider ‘timely’ should therefore be defined by your MTPD (maximum tolerable period of disruption) and RTO (recovery time objective).
An MTPD is the estimated point at which the level of disruption to a product, service or activity becomes unacceptably large. It sets the boundary for the RTO, which is the period of time within which you aim to recover from an incident.
If you justify and meet your RTO, supervisory authorities should accept that your response is ‘timely’.
Want to know more?
Our website contains a host of resources to help you achieve cyber resilience. We go into more detail about how it works, how it relates to the GDPR and the NIS (Network and Information Systems) Regulations, and the four stages to becoming cyber resilient.