GDPR – the need for Cyber Essentials
What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s attempt to bring data protection up to date with the new or previously unforeseen ways that data could be used.
Since the Data Protection Act 1998 was introduced, the way organisations use and store data has changed significantly; hence the need for it to be replaced by this new regulation. GDPR introduces a single set of data protection rules throughout the EU, with the privacy of data the key concern and with tougher fines for those who breach the regulation or fail to comply.
The EU is looking to clarify what businesses can and can’t do with data throughout the EU, whilst giving people more control over what companies with access to their data can do with it. Since the 1995 EU Data Protection Directive, the internet and cloud technology have changed the way that data is used and can be exploited.
What is Cyber Essentials?
Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks. Poor cyber security can damage your reputation and cost you business, whereas strong cyber security can boost your reputation and win you more business at home and overseas.
DCI Cyber Essentials is a foundation-level certification designed to provide a statement of the basic controls your organisation should have in place to mitigate the risk from common cyber threats. This is achieved through a self-assessment process carried out under the guidance of our cyber security experts. Upon completion of the questionnaire you will receive the certification, allowing you to display the official Cyber Essentials badge on your documents and website.
When does GDPR take effect?
GDPR will apply in the UK and organisations must be compliant from 25 May 2018. The Government has confirmed that Brexit and the UK’s departure from the European Union will not affect the commencement of GDPR.
What does my organisation need to know?
There are many things that organisations need to be aware of when GDPR comes into effect. One of the big changes is that organisations that experience a data breach will face fines of up to 4% of their annual turnover or 20 million euros, whichever is greater. By way of comparison, the current maximum fine for a data breach is £500,000.
If data security breaches remain at the levels of the past few years, fines paid to the European regulator could reach hundreds of billions of pounds once GDPR comes into effect.
Other things to note when GDPR takes effect:
- If your organisation suffers a data breach, the Information Commissioner’s Office (ICO) MUST be informed within 72 hours of the breach.
- Even if your organisation is not in the EU, if you wish to sell to people in the EU you will need to be compliant with GDPR.
- Companies must show valid consent for using personal information, and data subjects will now have the so-called “right to be forgotten”.
More information can be found on the official EU General Data Protection Regulation (GDPR) site.
For many organisations the introduction of GDPR will make little difference, as they are already working within the limits set by the regulation. However, those that are not need to start making sure they are compliant as soon as possible.
How can Cyber Essentials help with GDPR?
Whilst your organisation will require more than just Cyber Essentials to comply with GDPR, it is a step in the right direction. Cyber Essentials certification is evidence that you have taken steps towards protecting your organisation and its data from cyber attacks.
How do I get Cyber Essentials?
Certification with DCI Cyber Essentials can be started today. You can download our Scheme Summary, which provides background about the scheme, the scope of the assessment, the assurance framework and the next steps to becoming certified.
Certification to the Government’s Cyber Essentials Scheme is a mandatory requirement for organisations wishing to win business with the MOD, and can help your organisation prepare for and defend itself against malicious cyber attacks.