Organisations in the UK that handle personally identifiable information (PII) have much to consider when it comes to data protection. Two areas in particular warrant further scrutiny: the EU’s new General Data Protection Regulation (GDPR), and the UK Government’s Cyber Essentials scheme. One mandates security measures for all organisations that gather, process or store EU residents’ PII; the other sets out a baseline of cyber security that all organisations can implement to help prevent up to 80% of common Internet attacks.
GDPR – New data protection regulation that will affect every organisation that processes EU personal data.
If your organisation processes EU residents’ personally identifiable information (PII), you will be required to comply with the EU General Data Protection Regulation (GDPR) from May 2018.
Organisations that fail to do so and suffer a breach can expect fines of up to 4% of annual global turnover (NB turnover, not profit) or €20 million – whichever is greater. Fines of this scale could very easily lead to business insolvency and, in some cases, closure.
Brexit and the GDPR
Former head of the civil service Lord Kerslake recently said at a Scottish Parliament event that there is little prospect of the UK leaving the EU before 2020. As the GDPR will be enforced long before that – from May 2018 – all UK organisations are therefore strongly advised to begin their compliance projects sooner rather than later.
As if this weren’t enough of a motive for UK organisations to comply, the Information Commissioner’s Office has strongly advised the UK Government to implement data protection reforms regardless of the GDPR’s direct applicability in the UK. An ICO spokesperson said: “If the UK wants to trade with the single market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
Brexit or no Brexit, it’s well worth understanding the core principles of the GDPR and what your new obligations could be. Download EU GDPR – A Pocket Guide for a concise guide to the Regulation.
Cyber Essentials – UK government-backed scheme that sets a baseline of cyber security and helps win new business
Mandatory for central government contracts and useful as a baseline of security for all other UK businesses, the Cyber Essentials scheme is designed to provide UK businesses small and large with clear guidance on basic cyber hygiene.
The scheme is backed by major industry players including BAE Systems, Lockheed Martin, Barclays and Hewlett-Packard. The Information Commissioner has stated that he “supports the Cyber Essentials Scheme and encourages all businesses to be assessed against it”.
The scheme requires organisations to implement five key controls:
- Secure configuration
- Boundary firewalls and Internet gateways
- Access controls and administrative privilege management
- Patch management
- Malware protection
Cyber Essentials is increasingly popular within the private sector: more than 1,200 organisations have adopted it to date. Insurance firms have also recognised that Cyber Essentials certification is a valuable indicator of a mature approach to cyber security, and, according to a government report, certification contributes to reducing risk.
To find out more about the scheme and its requirements, download our non-technical guide, Cyber Essentials – A Pocket Guide.