Elizabeth Denham, The Information Commissioner, in a speech to the CBI Cyber Security Conference described data protection and cyber security as being ‘inextricably linked’. We will explore why these two disciplines necessitate such a close relationship.
The correlation is distinctly laid out as early as Article 5 of the General Data Protection Regulation. Article 5 outlines 6 core principles for the handling of personal data such as having a lawful basis to hold the personal data and retaining it only for as long as is necessary. The sixth principle however, clearly states the requirement for personal data to be processed securely.
The actual wording of Article 5 Principle 6 affirms personal data must be, “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Those words ‘technical and organisational measures’ are fundamental. They essentially translate as ensuring that you have protections in place that are appropriate and proportionate to the risk. Risk in this context means potential impact on the data subject. Protecting the confidentiality and integrity of the data subject invariably means ensuring suitable cyber security measures are in place.
GDPR similarly necessitates that security be given greater consideration when Data Controllers appoint their Data Processor. As a reminder, the Data Controller determines the purposes and means of processing whilst the Data Processor processes the personal data on behalf of the Controller. Even though the Processor will be liable for their part in any incident, the first approach (or claim) is to be against the Controller.
Under GDPR the Data Controller is required to rely only on those Processors who provide sufficient guarantees and controls as to their own GDPR compliance, including appropriate technical and organisational (security) measures. An indication that a processor is taking security seriously at a basic level is undoubtedly the Cyber Essentials badge. Maybe Controllers should consider this a minimum standard, or even start to insist organisations in their supply chain get certified.
GDPR additionally requires an organisation to assess potential risks to the data subject before undertaking any major project. A Data Protection Impact Assessment (DPIA), principally allows safeguarding measures to be implemented which mitigate risks to the data subject before the project starts. A DPIA should be a live document and updated throughout the life of the project.
So, what ‘technical and organisational measures’ can an organisation undertake? Primarily, organisations must look at what personal data is being held. The personal data held by a florist for example is likely to represent less risk than that held by a GP surgery.
Whatever the nature of an organisation, Cyber Essentials has an important role to play. In a speech to the Institute of Chartered Accountants in England and Wales (ICAEW), the ICO outlined, “I would also recommend consideration of the Government’s Cyber Essentials scheme to assist in identifying the actions you need to take.”
Whilst in the unfortunate event of an incident, Cyber Essentials may not lead to avoidance of harsh words or potential penalties from the ICO, it can be taken into account that your organisation was operating in line with recognised good practice which, in turn, may help mitigate any consequences. Plus, by following the principles of Cyber Essentials, your organisation is far less likely to suffer an incident in the first place!
Good governance standards will also support your organisation in terms of appropriate ‘technical and organisational measures’. Be it the international standard ISMS 27001 or IASME’s own Governance standard, both will help guide your business towards effective practice and improved resilience.
As we can see, data protection and cyber security are “inextricably linked’. As a result, cyber security and information assurance have a huge contribution to make towards your own GDPR compliance. Going forward, Controllers will be very wary as to what security their Processors have in place. In that regard, suitable cyber security measures will not only support your own GDPR compliance but could also help facilitate new business opportunities.