GDPR

Why is GDPR relevant to every business?

You will be well aware of the continued news coverage of damaging cyber security breaches for a wide range of organisations. However, you may not be fully aware of the impact of new legislation heading your way in May 2018 that will apply to virtually every organisation in the UK. This is a new Data Protection Act that incorporates GDPR into UK law.

When does GDPR come into force?

Each member state has until 25 May 2018 to comply with GDPR. The UK government has said that the new Data Protection Act will come into force then. However, other EU member states may elect to do it sooner; for example, Holland has already enacted its law. So, if you work across Europe, you may already be affected.

What is GDPR?

The General Data Protection Regulation (GDPR) was passed by the European Parliament in April 2016. Strictly speaking, the UK government doesn't have to pass a law for this to take effect. However, to ensure full compliance post-Brexit, ensuring continued data sharing with the EU, the government has decided to make the regulation UK law.

Although here we are discussing the cyber security elements of GDPR, you should also be aware that GDPR covers more than cyber security. It covers what personal data is, how and when you are allowed to collect it, and what you can and cannot do with it.


What could be the impact on your business?

There are two headline-grabbing impacts from the new law.

Firstly, you cannot keep breaches of personal data secret and just deal with them internally. Instead, there will be a legal requirement to report a breach to the Information Commissioner's Office (ICO) within 72 hours.

Secondly, under GDPR, potential fines from the ICO increase from a current maximum of £400,000 to up to 4% of global turnover or €20m (whichever is greater).


Can I still put my data in the Cloud?

There are some interesting provisions in GDPR. For example, the EU may designate certain countries or international organisations as 'non-compliant' and ban data from being shared with them. So, simply trusting your data to a Cloud provider with no information regarding where your data is or the security protecting it will not be an option.


Am I safe if I have outsourced my IT?

No, you cannot simply blame a third party. You have responsibility in the selection and ongoing monitoring of any third-party processors of your data. Without evidence of appropriate due diligence, you can still be fined heavily for a breach of their systems.


As a third-party IT service provider, am I protected by my T&Cs?

Unfortunately not. The days when IT providers could deliver poor security, covered by tight limited liability clauses in their terms and conditions, are coming to an end. Under GDPR, third-party processors have a new direct liability to the ICO and can be fined directly.

The excuse that 'my customers didn't want to pay for more security' cannot be used either. The GDPR says the security of third parties should be proportionate to the risk, not to the budgets of their customers.


How to: prevent a breach; build a defensible position; meet the 72-hour challenge; minimise the damage.

What should I be doing now?

ECSC Group plc has many years' experience in preventing and dealing with cyber security breaches, including managing communications with the ICO. An important element of post-breach ICO reporting is 'what did you do before the breach?'. To have what we call a 'defensible position', you have to show appropriate preventive actions that demonstrate you behaved responsibly.

For most people, this starts with some kind of independent assessment that highlights cyber security weaknesses and helps you fix your vulnerabilities. Depending upon your business, this could take many forms, ranging from simulated hacking exercises and technical reviews of your systems to analysis against a recognised security standard such as Cyber Essentials (for small businesses) or ISO 27001.


Where can I learn more?

ECSC runs free, regular quarterly events on the latest GDPR developments. For our region, these are held at our UK Security Operations Centre in Bradford (ECSC has a mirror facility in Australia to provide 24/7/365 cyber security monitoring).
