If you’re reading this article, I’ll take a guess that you already know the basics of GDPR. You’ll know that it isn’t just “going away” because of Brexit. You’ll know that it isn’t only relevant to large organisations, and you’ll know that doing nothing isn’t a viable option.

If there’s any of that you don’t know, there’s lots of information readily available to get you started.  Start with the ICO (Information Commissioner’s Office) website (links at the end).

By now, hopefully, you’ll know

  • Whether GDPR will apply to you
  • Whether you’re a Data Controller, a Data Processor, or both

Hopefully, you’ve already

  • Started to make a plan
  • Begun to evaluate what Personal Data you have and why
  • Initiated the process of deciding, and documenting, your lawful basis for processing personal data

Protecting that Personal Data is also a key requirement, and this is where Cyber Security comes in.

Several of the GDPR articles contain requirements that are relevant here. One of the key ones is Article 32, part of which states:

“the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. 

So what’s “appropriate”? 

The good news is, if you are already doing the right things around Cyber Security, then you’re likely a good part of the way there. A good Cyber Security strategy follows a risk-based approach, tailored to your individual business, and involves implementing appropriate policies, processes, technical controls and education to reduce and mitigate risks to your data and systems. Take the same approach with customers’ personal data, and that will help you determine what is appropriate.

The not-so-good news is that many companies aren’t already doing the right things, or at least not all of them. For instance, if you don’t really know what the critical assets are in your business (think data and systems), then how do you know you are protecting the right things? If you think that technical solutions alone (think antivirus and firewalls) will keep you safe, add yourself to that bucket too: Policies, Processes and People (a.k.a. education) are at least equally important.

We get it. Cyber Security isn’t something that brings additional revenue into your business. It’s not the easiest subject to tackle, and maybe it’s not really where you want to spend your money. Who likes paying to prevent something that might never happen, right? But a couple of things are for sure.

One, prevention is far, far better than cure. Two, it absolutely needs to form part of your GDPR strategy. In the event of a data breach resulting in an investigation by the ICO, the likelihood is that the ICO will look back over your decisions and ask “did this business take all reasonable efforts to protect customers’ personal data based on the risk to those customers?”.

So if you haven’t already, make sure you consider your Cyber Security strategy as a key part of your GDPR planning. Our advice: don’t just look at the data that is relevant to GDPR when doing this; grasp the opportunity to look at all the data and systems that your business relies on. That way, you’ll make the best use of your resources, particularly if you’re getting an expert in to help, and you’ll help protect all of the data and systems that are key to running your business, not just customer data.

Want to hear more?  Join us along with a panel of experts from legal and other fields at the Norfolk Chamber GDPR conference – we hope to see you there!

Useful Links

ICO Website:
