Getting started with compliance

First step – tackling the GDPR

What’s the GDPR?

The General Data Protection Regulation is a set of data protection rules concerning the privacy of personal data. Its goals are to validate an individual’s rights, establish how personal data is collected, handled and processed by businesses to enhance privacy, and to give data subjects more rights over what can and cannot be done with their personal data.

Why start with the GDPR?

GDPR compliance is a lot easier if you start it early, so that’s why I put it as the first step. If you embed GDPR compliant processes into your business, it can help you work towards achieving all the standards that come after. It will also save you having to go back to make existing processes GDPR compliant, a process that can be met with internal resistance and general difficulties. To get started, it helps to address these 3 things:

Records of Processing

Article 30 of the GDPR requires companies to hold a formal document with an overview of the company’s data processing activities around personal data. Records of processing activities (ROPA) should include data processing information, data categories, data subjects, the purpose of processing that data and its data recipients.

Data Breach Processes

The GDPR requires organizations to report personal data breaches to the relevant supervisory authority within 72 hours of discovering a data breach. A simple checklist can help businesses formulate an incident response plan and document actions taken since discovering a breach. This should contain key information such as the date and time of discovering the breach, finding out what types of data have been jeopardized, how many records have been affected, who needs to be notified, and how many individuals will the data breach impact.

Data Protection Impact Assessments

A process to help organizations identify and minimize data protection risks. A DPIA must describe the nature of the data processing, its necessity and compliance measures, assess possible risks to individuals and how those risks could be minimized.

Second step – start small, with Cyber Essentials (Basic)

What’s Cyber Essentials?

Cyber Essentials is a self-assessment questionnaire that can also be used as a cybersecurity checklist. It focuses on the five basic elements of cybersecurity:

• Passwords
• Patch Management
• Access control
• Anti-virus
• Secure configuration

Why is Cyber Essentials an important step?

Achieving Cyber Essentials not only opens up working with government-based businesses, but it also allows you to demonstrate to customers that you take cybersecurity seriously. By going through the certification process, you begin documenting and thinking about the control of the data and devices in use throughout your business. In comparison to other security controls, it’s relatively cheap to undertake Cyber Essentials, and you can even get a copy of the assessment in advance so you can see what you’re in for.

Third step – take Cyber Essentials ‘one step’ further (see what I did there?)

What’s Cyber Essentials Plus?

Cyber Essentials Basic is a self-assessment which means not a lot of evidence or checks are carried out to validate your answers. It’s why the Basic scheme is fairly cheap to obtain and why some contracts/customers of yours may not deem it enough to satisfy their security controls. For that reason, Cyber Essentials Plus exists.

Why Cyber Essentials Plus?

It involves an assessor scanning networks and workstations as well as stress testing devices with anti-malware related tests. Essentially, they are validating that the basic assessment wasn’t a pack of fibs! Quick facts about Cyber Essentials Plus: you must achieve Cyber Essentials Basic first, and you can only achieve Plus within 90 days of achieving the basic version. There’s a little more to it, so feel free to check out our Cyber Essentials/Plus offerings and get in touch if you have any questions.

Fourth step – it is more of a jump than a step – ISO 27001

What is ISO 27001?

ISO 27001 is the daddy of Information Security standards. It contains 114 controls (controls are basically ‘things you must do/demonstrate’) focusing on the Confidentiality, Integrity and Availability of data.

Why is ISO 27001 Important?

It requires a lot of documentation, investment, and dedication, but it is proven that organizations that achieve ISO are far less likely to suffer a data breach and if they do, they are far more equipped and ready to handle the situation. A quick look up suggests that only 1,523 UK businesses have and continue to achieve ISO 27001, which in the grand scheme of things, is a relatively small number. So, achieving this standard will put you in an elite bracket of businesses. Of those businesses that are ISO 27001 compliant, most of them are small-micro sized firms, which shows the bigger you are, the harder it can be to implement.