A quick guide to Cyber Essentials and GDPR
We’re all aware by now of GDPR and the fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher) that companies risk if they don’t take steps to comply with it.
There are two sides to GDPR:
- How do you handle the personal data your company collects?
- What steps have you taken to minimise the risk of this data being leaked or stolen?
In this article we’re going to look at each of these in turn.
1. How do you handle personal data?
The question of how your company handles personal data breaks down into several smaller ones:
- What personal data do you collect?
- Why do you collect and process this data? (What is your lawful basis for processing it?)
- How do you collect the data?
- Where do you store the data?
- Where you rely on consent as your lawful basis, how does your business record that consent?
- Do you share the data with third parties, and if so, with whom?
- How long do you need to keep the data you’ve collected, and do you have a process to delete it when that period ends?
2. What steps have you taken to minimise the risk of a data leak?
GDPR makes companies accountable for the personal data they collect and store, and they can be fined if that data is leaked or stolen because the safeguards expected of them were not in place.
The regulations centre on two questions: do you have a lawful basis for collecting this data, and can you show that you have taken appropriate technical and organisational measures to protect it from a breach?
The second question is an IT security issue at heart, which is why the UK government-backed Cyber Essentials scheme is a sensible benchmark. It isn’t a GDPR certificate in itself, but it gives you an auditable baseline of technical controls to point to when you are asked what measures you have taken.
Since October 2014 it has been mandatory for suppliers bidding for certain central government contracts, particularly those that involve handling personal or sensitive information. But it’s a recognised standard of assurance that any business can benefit from.
There are two certification options: Cyber Essentials and Cyber Essentials Plus. The first is a self-assessment questionnaire, reviewed by a licensed Certification Body, and is a straightforward process that results in certification. The second covers the same controls but adds a hands-on technical audit carried out by the Certification Body, including vulnerability scanning of your devices, so it gives independent evidence that the controls really are in place.
The scheme is built around five control themes: firewalls, secure configuration, user access control, malware protection and security update management. The areas it checks include:
- Where your data is stored;
- If that’s in ‘the cloud’, the cloud provider’s standards;
- Whether only the relevant people have access to the data you’ve collected;
- Your password policy;
- Your firewall set-up;
- Your policy on installing security patches to the software you use;
- Your antivirus software;
- Encryption on your laptops;
- Your backup scheme.
This might seem like a lot to go through, but once it’s done you know you’ve got a solid security baseline to build on. As an IT provider, we welcome anything that encourages businesses to take security more seriously!