How to get ready for GDPR data protection
In the last six months large-scale cyber attacks across the world have increasingly grabbed the headlines. In response, the Information Commissioner’s Office (ICO) has upped its game online by providing more regular updates on companies failing the current Data Protection Act rules — a 40% rise in those being penalised since January — amid warnings that penalties will be much worse under the EU’s General Data Protection Regulation (GDPR) rules effective from May next year.
As a certification body, Assign-IT has seen a significant increase in SMEs wanting to know how to comply with GDPR, and thus we have been busy taking them through either the CyberEssentials or IASME information and cybersecurity schemes depending on their appetite for risk in this new area. (CyberEssentials is a necessary first-stage certification and part of full GDPR compliance certification gained under the IASME scheme.)
Tackling data protection from a risk perspective
At the InfoSec 2017 cybersecurity show in June, we weren’t surprised to find almost all exhibitors were pitching GDPR compliance services or products but not offering an overall solution because of the sheer size and scope of the new legislation.
To ease understanding, the ICO gave a keynote stage briefing that suggested how businesses can best approach GDPR. Senior technology officer Peter Brown urged businesses to tackle the issue from a risk perspective — they should create an information asset register and start an information security risk assessment against those assets. He said this was a key part of the process of becoming compliant with the GDPR.
The ICO’s advice matches what we find are the typical requirements of businesses once they start working with us to get an IASME certification — the standard to meet to be compliant with GDPR — and yet something few companies have undertaken or ever needed in the past.
Scrutinise all areas of your business to comply
Creating an information asset register can be tough, as it is not simply a matter of writing down where the data is stored. GDPR covers your whole business, so you need to look at all areas, from front office to back office, plus the people and processes involved. Peter Brown explained that when you are ready to complete the risk assessment you need to use the Confidentiality, Integrity and Availability (CIA) methodology to identify the risks presented by the assets.
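The asset register and CIA-based risk assessment described above can be kept as a small, scriptable model rather than a spreadsheet that drifts out of date. The following is an added example written for this article, not Assign-IT's, IASME's or the ICO's own tooling: the three-point rating scale, the risk-score formula (impact multiplied by likelihood), the treatment threshold of 5, and every asset and threat listed are constructed sample data. It also reports registered assets that no threat has been assessed against, which is a gap in the assessment rather than a zero risk.

```python
"""Minimal information asset register with a CIA-based risk assessment.

Added example (not part of the original article, and not Assign-IT's, IASME's
or the ICO's tooling): ratings, scale, threshold and all sample data are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Three-point scale used for both impact and likelihood (an assumption; pick
# the scale that suits your organisation and record it in the assessment).
RATING: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}
CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    """One row of the information asset register."""
    name: str
    location: str           # where the data lives (system, share, supplier)
    owner: str              # the team accountable for it
    personal_data: bool     # True if it holds personal data in GDPR scope
    confidentiality: str    # impact if disclosed: low / medium / high
    integrity: str          # impact if altered or corrupted
    availability: str       # impact if unavailable


@dataclass(frozen=True)
class Threat:
    """A way an asset could be harmed, tied to one CIA property."""
    asset: str
    description: str
    affects: str            # one of CIA
    likelihood: str         # low / medium / high
    existing_controls: str  # what is already in place, for the treatment plan


def risk_score(asset: Asset, threat: Threat) -> int:
    """Impact (the asset's rating for the affected property) times likelihood."""
    if threat.affects not in CIA:
        raise ValueError(f"unknown CIA property: {threat.affects}")
    impact = RATING[getattr(asset, threat.affects)]
    return impact * RATING[threat.likelihood]


def assess(register: List[Asset], threats: List[Threat]) -> List[dict]:
    """Score every threat against its asset and return rows, highest risk first."""
    by_name = {a.name: a for a in register}
    rows = []
    for t in threats:
        asset = by_name[t.asset]  # KeyError means a threat names an unregistered asset
        rows.append({
            "asset": asset.name,
            "threat": t.description,
            "property": t.affects,
            "personal_data": asset.personal_data,
            "score": risk_score(asset, t),
        })
    # Python's sort is stable, so equal scores keep their input order.
    return sorted(rows, key=lambda r: -r["score"])


def needs_treatment(rows: List[dict], threshold: int = 5) -> List[dict]:
    """Risks at or above the threshold need a treatment decision (mitigate, transfer, avoid or accept)."""
    return [r for r in rows if r["score"] >= threshold]


def uncovered_assets(register: List[Asset], threats: List[Threat]) -> List[str]:
    """Registered assets with no assessed threat: a gap in the assessment, not a zero risk."""
    assessed = {t.asset for t in threats}
    return [a.name for a in register if a.name not in assessed]


# Constructed sample register and threats for a small business.
REGISTER = [
    Asset("Customer CRM", "cloud SaaS", "Sales", True, "high", "high", "medium"),
    Asset("Payroll spreadsheet", "finance file share", "Finance", True, "high", "high", "low"),
    Asset("Public website", "hosted CMS", "Marketing", False, "low", "medium", "high"),
    Asset("Backup tapes", "off-site storage", "IT", True, "high", "medium", "medium"),
]

THREATS = [
    Threat("Customer CRM", "credential phishing leads to account takeover",
           "confidentiality", "high", "password policy only"),
    Threat("Payroll spreadsheet", "laptop holding a local copy is lost",
           "confidentiality", "medium", "no disk encryption"),
    Threat("Public website", "hosting provider outage",
           "availability", "medium", "single provider, no failover"),
    Threat("Public website", "site defacement through an unpatched CMS plugin",
           "integrity", "low", "plugins patched monthly"),
]

if __name__ == "__main__":
    for row in assess(REGISTER, THREATS):
        flag = " [personal data]" if row["personal_data"] else ""
        print(f"{row['score']:>2}  {row['asset']}: {row['threat']} ({row['property']}){flag}")
    print("No threats assessed for:", uncovered_assets(REGISTER, THREATS))
```

Run as a script it prints the ranked risks, flagging rows that involve personal data, and then lists "Backup tapes" as an asset that has been registered but never assessed. The personal-data flag matters because it is the rows carrying it that decide which risks fall under the GDPR's obligations rather than only the business's own tolerance.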
As an IT support company and official certifier for both IASME and CyberEssentials cybersecurity schemes, we aim to help you understand and carry out these risk assessments and to implement the necessary policies, procedures and controls that make your business compliant with GDPR.