It’s time to change the course of your cyber security strategy and point it in the direction of GDPR.
Back in December 2016 the UK Government published a policy paper titled “Cyber Security Regulation and Incentives Review”. Did you read it? Probably not.
In that document one of the recommendations was, and I quote: “Government will therefore seek to improve cyber risk management in the wider economy through its implementation of the forthcoming General Data Protection Regulation (GDPR). The breach reporting requirements and fines that can be issued under GDPR will represent a significant call to action for industry.”
That was the moment the entire UK cyber security industry slowly started to correct its course. Having had many conversations within the confines of the National Cyber Skills Centre, there were concerns that, despite all the statistics, all the warnings and all the front page headlines about cyber crime, the UK business community was not addressing the issue. Was this a problem of awareness? Of education? Did businesses not believe the warnings coming from the cyber security vendors? Or perhaps it was as simple as the ‘losses and fines’ that a business may, and I stress ‘may’, face in the event of a cyber attack, data breach or hack being ‘acceptable’. The reality is that we, the cyber industry, may never know.
My personal viewpoint is that addressing cyber risks was always optional: it would be a good thing to do once the to-do list had shrunk to a more manageable length. Supporting that is the ‘stable door’ approach, where the risk is addressed only after an initial ‘event’ has occurred, the door being bolted after the horse has gone. It was never going to be a priority whilst it sat on the periphery of business and technical advice.
Those days are over, because GDPR is on the horizon. It is no longer optional; it is mandatory that organisations of all sizes adhere to this legislation, which means the cyber security industry is about to get very, very busy.
So, what is GDPR? To get you in the GDPR mindset let’s compare it to Health & Safety legislation. From my understanding H&S is for the protection of physical well-being within a company. Under H&S you must ‘teach’ people how to use equipment safely and responsibly, so as not to cause material harm. If an H&S incident occurs then it has to be reported to the enforcement agency, and if H&S regulations were breached then fines may be levied.
GDPR is, for the sake of argument, the digital equivalent. Think of it as protection for the ‘data’ within a company. Under GDPR you must ‘teach’ people how to use personal data safely and responsibly, so as not to cause material harm, and if a personal data breach occurs then it has to be reported to the enforcement agency (under GDPR, to the supervisory authority within 72 hours of becoming aware of it where feasible, unless the breach is unlikely to result in a risk to individuals), where again fines may be levied.
In both cases a company will have a nominated individual responsible for ensuring that the company is compliant: a Health and Safety officer for the H&S ‘physical side’ and a Data Protection Officer (DPO) for the GDPR ‘digital side’. One caveat: GDPR only makes appointing a DPO mandatory for certain organisations, such as public authorities and those whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; everyone else still needs someone accountable for compliance, whether or not they carry the DPO title.
I’m sure that companies will cry out about additional regulation being placed upon them, which is understandable. However, those of you with long memories can remember a time before health and safety legislation and will wince at the things that were ‘gotten away with’. I’m sure it pains us all to admit that, despite some of its more extreme, tabloid-headline-grabbing ‘health and safety gone mad’ measures, these regulations are very worthwhile and have protected many.
GDPR is going to do the same for the data-driven aspects of a company, which continue to grow at a rapid pace. The good news is that in the Cyber Security Regulation and Incentives Review the government also stated that “For now, Government will not seek to pursue further general cyber security regulation for the wider economy over and above the GDPR”, which should give the business community some confidence that this legislation is fixed for the foreseeable future.
The GDPR legislation comes into effect, i.e. companies will need to comply with it, on 25 May 2018, which is not very far away now, and the pressure is starting to build. Does this mean that cyber security, the technical controls, the processes and procedures that many have implemented, are now redundant? No, not at all. These become a subset of the work needed to comply with GDPR and to make it workable.
A good place to start the conversation about GDPR is the documentation provided by the Information Commissioner’s Office (ICO), as they are the enforcement and investigation agency with responsibility for GDPR in the UK. Their document ‘Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’ has a wonderful diagram on page 2. I would highly recommend printing it out and using it to ‘start’ GDPR readiness discussions at senior management meetings, department meetings and team meetings.
After years of warnings the course towards greater cyber hygiene has been corrected and we are collectively heading towards GDPR whether we like it or not. I for one would like to wish you all a safe journey.
During April 2017 the National Cyber Skills Centre will be running its new course:
The General Data Protection Regulations (GDPR): A practical approach for the small and medium enterprise