When GDPR came into force back in May 2018, it very much focused on ‘obtaining consent’ to hold someone’s Personal Information.
But there were other aspects to GDPR that were required, but not so clearly defined – and one of those aspects was about having the right level of protection to stop a third-party from accessing someone’s Personal Information.
The only guidance was that you needed ‘Appropriate Security Measures’ – but there was nothing to suggest what they might be.
Since then, we have been in contact with the Information Commissioner’s Office (ICO) to help clarify what businesses need to do.
So what are Appropriate Security Measures?
The ICO have said that ‘Appropriate Security Measures’ means ‘at least the basic minimum of Cyber Essentials Certification ready’.
Which is good news! The Government’s Cyber Essentials Certification Scheme has been around for a while now, and is pretty well defined (albeit with some areas still open to interpretation, especially when it comes to protecting mobile phones).
Why is this important?
This all matters because most GDPR-related fines issued by the ICO have related to data breaches (where cyber-criminals have obtained data, or where companies have mistakenly exposed or lost data). So it’s cyber security lapses that are the main focus for the ICO.
So are you Cyber Essentials Certification Ready?
We’ve created a simple checklist for our clients, to clarify which elements of Cyber Essentials they have in place, and whether there’s anything missing.
And, because the Cyber Essentials ‘standard’ is now required by GDPR, we’re actively recommending that you obtain the certification yourself. You’ll then be able to prove that you’ve applied the basic minimum standards required by GDPR.
The future landscape
It’s important to note that the cyber security landscape is still evolving. There’s further change coming in April 2020 that will tighten up the requirements for Cyber Essentials Certification. The NCSC (National Cyber Security Centre) has recently announced that IASME will become the only certification body for Cyber Essentials. IASME’s standards are currently higher than those of the other accreditation bodies, so we’re expecting the bar to be raised to include mobile phones when the change happens in April next year.
But whatever happens, if you’re a projectfive customer, we’ve got your back.