Axiom Cyber Intelligence: GDPR and cyber security go hand in hand
In a speech at the CBI Cyber Security Conference Elizabeth Denham, The Information Commissioner, described data protection and cyber security as being ‘inextricably linked’.
Here we explore why these two disciplines have such a close relationship.
The association between GDPR and cyber security is laid out in Article 5 of the General Data Protection Regulation. Article 5 outlines six core principles for the handling of personal data, such as having a lawful basis to hold the personal data and retaining it only for as long as is necessary. The sixth principle, however, clearly states the requirement for personal data to be processed securely.
Article 5 Principle 6 states personal data must be, “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
GDPR equally requires that security be given greater consideration when data controllers appoint a data processor.
The data controller determines the purposes and means of processing.
The data processor processes the personal data on behalf of the controller.
Under GDPR the data controller is required to trust only those processors who provide sufficient guarantees and controls as to their own GDPR compliance, including appropriate technical and organisational (security) measures.
Quite rightly, why would you trust an organisation with YOUR data unless you are happy that they can protect it effectively?
An indication that an organisation is taking security seriously at a basic level is the Cyber Essentials badge. Data controllers should consider this a minimum standard, or even start to insist that organisations in their supply chain get certified.
So, what ‘technical and organisational measures’ can an organisation undertake?
Firstly, organisations must look at what personal data is being held and for what reason it is held. If you no longer NEED the information, delete it in a secure manner.
Secondly, organisations need to look at how they hold the personal data, and what security is in place to protect it.
Finally, where an organisation identifies gaps in cyber security, whether a technical issue (e.g. no firewall) or an organisational issue such as insufficient policies and procedures to support data security, it needs to respond. Organisations need to step up and fill the gaps to protect the personal data they control and process.
Good governance standards will also support your organisation in terms of appropriate ‘technical and organisational measures’. Be it the international ISMS standard ISO 27001 or Cyber Essentials, both will help guide your business towards effective practice and improved resilience.
As you can see, data protection and cyber security are ‘inextricably linked’. Consequently, cyber security has a huge impact on your own GDPR compliance: suitable cyber security measures will not only support your GDPR compliance but could also help facilitate new business opportunities.
If you have any questions or we can help you to conduct a gap analysis of where your business is currently positioned with GDPR and Cyber Security, please get in touch.
Axiom Cyber Intelligence
0333 355 8553
Axiom Cyber Intelligence is a sponsor of TheBusinessDesk.com’s Business Masters Awards 2018. Axiom is sponsoring the Medium Business category for the events in the West Midlands, Yorkshire and the North West.