GDPR

The NIS Directive: who does it apply to and what will it mean?

May 2018 is a big month for cyber security.

Not only will the EU General Data Protection Regulation (GDPR) come into effect, but a new UK Data Protection Act will enshrine GDPR’s principles in UK law in the same month. In addition, the EU Network and Information Systems (NIS) Directive, which aims to raise the security of network and information systems across the EU by encouraging the adoption of international and European standards, will also be transposed into UK law in May 2018. It is of particular importance to organisations which provide essential services, and to those which supply them.

There is, however, nothing to fear regarding NIS Directive compliance. Adopting the ISO 27001 international standard for information security and implementing robust Disaster Recovery and Business Continuity Management plans gives an organisation most of the evidence of risk assessment, security measures and resilience that the NIS regime asks for, and puts it in a strong position to demonstrate compliance.

Where GDPR is concerned with the protection of personal data, the NIS Directive addresses the loss or disruption of the IT networks and information systems on which essential services depend. It is specifically about safeguarding essential services, and operators who fail to implement effective cyber security measures will face fines of up to £17m or 4 per cent of global turnover.

The UK’s implementation of the NIS Directive forms part of the Government’s five year, £1.9bn National Cyber Security Strategy. The measures are designed to ensure that the UK’s essential networks and infrastructure are kept safe and secure against the risk of cyber attack. Operators in the energy (including electricity), transport, water, health and digital infrastructure sectors will be required not only to demonstrate a resilient cyber defence but also to show that they have robust incident response plans in place.

The NIS Directive is not, however, limited to these operators. It is important that UK technology firms establish whether they fall within its scope. The Directive’s second category, digital service providers, covers online marketplaces, online search engines and cloud computing services. Operators of essential services are also required to manage the security of their supply chains, so significant suppliers to an operator can expect the Directive’s requirements to reach them through contractual obligations even where they are not directly regulated themselves.

Although the potential fines of up to £17m make for headline figures, the Department for Digital, Culture, Media and Sport has made it clear that they are a last resort. Where operators can demonstrate that they have conducted adequate risk assessments, enacted appropriate security measures, implemented robust incident response plans and are fully engaged with the process, fines will not be imposed simply because an attack has succeeded.

The key, therefore, is to be able to demonstrate that the NIS Directive is at the core of an organisation’s cyber defence strategy. From staff training to penetration testing; from incident management to business continuity planning and ongoing resilience: every stage needs to be addressed. Those already in the process of adopting GDPR into their business process will be some way towards the NIS Directive’s requirements, but it is important to know what additional steps need to be taken.

Professional support is an important and cost-effective way to manage this process. SRM has helped many organisations become ISO27001 certification ready, and can assist with Business Continuity and Disaster Recovery. With experience and expertise across a whole range of organisations and a sound understanding of the requirements of the NIS Directive, SRM’s consultancy team can steer and manage the process without wasting time or budget.

For more information see:

GDPR free live webinar: the roles of manual and automated penetration testing

ISO27001 Lead auditor and pre-audit preparation

GDPR Self Assessment Questionnaire

Free live webinar: GDPR – the roles of manual and automated penetration testing

15:00 – 15:45 Thursday 8th March 2018

Have you tested to check your GDPR compliance?

A key aspect of GDPR compliance is demonstrating that your systems are secure. Penetration testing is a vital tool but with automated and manual tests both available which best serves your purpose?

In this 35 minute webinar, with time for questions, co-hosted with AppCheck, SRM’s Test and Exercise expert Andrew Linn outlines how a structured synergy of both will deliver the optimum result.

The webinar will cover:

  • The crucial role of automated testing
  • Automated and manual testing synergies
  • The manual component
  • Beyond the penetration test

There will be a live Q&A at the end and Andrew Linn will answer any specific questions relating to your business or sector.

How to register

The live webinar is at 3pm on Thursday 8th March and is free. You are simply required to register your attendance via this link:

https://register.gotowebinar.com/register/1342453508719907585


Cyber Security Breaches Survey 2018 – shows that size matters and that numbers never lie

As with any statistical report, the numbers in the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018 provide a dizzying variety of analytical options. However, given that the report, published last month, is subtitled ‘Preparations for the new Data Protection Act’ there are two sets of numbers which stand out.

The first relates to the fact that, when it comes to awareness, size does matter. Larger organisations are significantly more aware of General Data Protection Regulation (GDPR) and its UK counterpart the Data Protection Act (DPA). The second is that when asked about what steps had been taken to change procedures and policies, across the survey group as a whole, only 4 per cent had taken any practical steps to improve levels of compliance.

Addressing the first issue: it is perhaps not surprising that the larger the organisation, the greater the level of awareness. Of the 1,519 businesses surveyed, awareness of GDPR and the DPA was highest among large organisations (80 per cent) and lowest among micro businesses (31 per cent). Of the 569 charities surveyed, those with an annual income of over £5 million had higher awareness levels (90 per cent) than those with an income of less than £10k (36 per cent).

As for the second issue of procedures and policies, this is where the numbers show the real picture. By the time the survey, conducted by Ipsos MORI, had drilled down to asking what practical changes had been made by December 2017 to address compliance, only 174 of the original 1,519 businesses and 70 of the 569 charities were still being asked. The rest had dropped out at the earlier questions on general awareness of GDPR and the new DPA 2018.

The DPA 2018 is the UK’s data protection legislation and will replace the current DPA 1998. Organisations will still have to comply with GDPR itself; the DPA 2018 sets out the details of how GDPR applies in the UK, extends GDPR-style standards to processing that falls outside the scope of EU law, and implements the EU’s Law Enforcement Directive.

Of those who remained in the survey only 36 per cent had made changes to their policies or procedures. That means that of the original total number of businesses and charities questioned only 4 per cent had made any changes in response to the forthcoming legislation. The figures are even lower for the question regarding additional staff training around the DPA and GDPR.

Clearly there is a huge amount of work to be done to bring UK businesses and charities closer to compliance. The worrying fact is that time is not on our side. GDPR applies from 25th May 2018 and the new DPA is due to come into force at the same time, with significantly higher fines for those who do not comply. Those already adhering to the existing Data Protection Act will be some way toward compliance. With awareness levels so low, however, there are many businesses which require guidance as to what the GDPR and the new DPA involve and what steps need to be taken.

SRM has developed a helpful Self-Assessment Questionnaire which maps out the areas which need to be addressed and provides a practical interpretation of what these mean to organisations. Whether a large corporate or a small charity, the questionnaire highlights the areas that need to be considered.

SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust, efficient and effective on-going compliance, not on selling products.

SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles, either as traditional part time roles or via our VirtualCISO™.


SRM’s step by step self-assessment guide to GDPR readiness

For full details of the HM Government survey report see the Cyber Security Breaches Survey 2018.


Or see our blog:

GDPR: the world will not stand still on 25th May 2018

GDPR: a question of confidence

After GDPR, what will happen to ICO notification fees?


GDPR compliance: key issues facing law firms

Only 25 per cent of law firms consider themselves compliant with the forthcoming EU General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018. According to a recent report (November 2017) by CenturyLink, based on a survey of 150 legal sector IT decision-makers, 75 per cent of law firms say they are not yet prepared, yet only 55 per cent have employed data security professionals to help them with the task.

Given that the world of data protection is constantly evolving and the legislation is complex and demanding, it is not surprising that the proportion of firms bringing in specialist help is likely to increase considerably over the four months that remain.

At SRM we work with a wide range of businesses including law firms of all types and size. Our experience shows us that there are certain specific issues which are most relevant to this sector.

DPA 1998 / DPA 2018

First, the good news. The vast majority of law firms are already bound not only by the current Data Protection Act (DPA) 1998 but also by their commitment to client confidentiality (under the SRA rules). As a result, they already have relatively robust systems and procedures in place. So, although the burden of compliance is significant, with GDPR imposing stringent requirements upon organisations, we have found that law firms on the whole are well set up to address the application of GDPR across their business. What we have found, however, is a level of confusion as a result of Brexit leading some to mistakenly believe that GDPR will not apply to the UK.

To clarify: in May a new UK Data Protection Act will be enacted to coincide with GDPR taking effect. The new Act supplements GDPR and applies its principles in UK law, so the two are designed to be complied with together. GDPR is therefore relevant to all firms, even those which have no clients or contacts outside the UK, and Brexit does not change that.

Data Protection Officer

Many firms will need a data protection officer (DPO), and appointing one is compulsory for firms whose core activities involve large scale processing of special categories of data or of data relating to criminal convictions and offences. Finding someone internally to fill this role is often an issue, however, because few people with existing ‘day jobs’ have the required professional working knowledge of the forthcoming data protection regulations. We have found that many DPOs report feeling unsupported and ‘out of their depth’ until we become involved, providing expert resource and support.

Consent

Where a processing activity involving personal data relies on consent as its lawful basis, that consent must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action (for special categories of data, explicit consent is required). We have found that many firms misunderstand the requirement for consent under GDPR. In basic terms, ‘opt-out consent’ is no longer an option. Moreover, where a firm relies on consent to contact existing clients or contacts, those individuals also have to opt in, and we have provided guidance on running opt-in campaigns before May 2018 to ensure that permission to contact is in place.

Training

One of the main problems we have encountered with law firms is the need for awareness and training. From the senior partners to the most junior office staff, everyone needs to be properly trained in correct data protection procedures. It is not simply the role of the DPO to comply with GDPR; it has to be a business-wide, planned strategy. This is because, in our experience, human error is the most significant threat to data security.

Internationalism

Another area where we have found issues is the growth of internationalism. Larger law firms continue to merge with their international counterparts, becoming part of global super-firms. The UK elements of these international firms must take particular note of the new regulations: it is inevitable that they will hold or process data relating to individuals in the EU (whether clients, third parties or employees) and so will be caught by the provisions of GDPR, whatever the legislative environment in which their associates operate.

‘Special’ categories of personal data

Under GDPR it will be easier for clients who suffer ‘material or non-material damage’ due to a data breach by their firm to bring claims for compensation. In addition, as more UK firms come into contact with ‘special’ categories of personal data (for example, handling an employment law case involving allegations of discrimination on grounds of sexual orientation), they could be exposed to the most significant fines if they fail to keep that data secure.

Advertising

As a business development tool, law firms increasingly use the web, sometimes including forms of online advertising. We have worked with firms where this involves profiling of individuals in the EU (in practice, this often simply means that the campaign’s geo-location settings do not exclude IP addresses associated with EU countries), and it is important that they consider the implications of GDPR for these activities.

HR Data Processing

Employees will have the same rights as clients under GDPR which means that the Data Protection processes must also include employees. When considering the implications of GDPR a lot of organisations do not take employee data into account and often have lower security standards and fewer controls in place to protect it.

Our GDPR team

SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.


SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full DPO role.


Our GDPR SAQ has been developed to outline key areas that need to be addressed and to provide a guide as to your current state of GDPR readiness.

For more information on how our GDPR team can support and resource your organisation contact Mark Nordstrom on mark.nordstrom@srm-solutions.com or telephone 03450 21 21 51.

Visit our website: GDPR – The General Data Protection Regulation

Or read our blog:

GDPR: the world will not stand still on 25th May 2018

GDPR: a question of confidence

GDPR: the world will not stand still on 25th May 2018

The 25th May 2018 is not an end date. Far from it. It marks the beginning of a new era in data protection but one that will continue to evolve as our online world continues to develop. So, although organisations will be required to be compliant with the General Data Protection Regulation (GDPR) from that date, it is an ongoing process, not Armageddon.

In the words of the ICO’s Information Commissioner Elizabeth Denham: ‘It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.’

For organisations with GDPR firmly on their radar, it seems the primary focus is on reaching a level of compliance by GDPR Day 1, but what about Day 2 and beyond? Those who are fully compliant by 25th May will need to work hard to remain compliant. Those who are not yet completely ready will need to work even harder to reach and maintain compliance or risk substantial fines. The key factor to remember, however, is that it will be nigh on impossible to maintain absolute compliance at every moment. So, take comfort from the fact that the ICO has stated that those who are able to demonstrate that appropriate systems and thinking are in place will find that the ICO takes this into account when it considers any regulatory action.

So, while absolute compliance may be an intended aim, what organisations really need to focus on is the fact that they can demonstrate the thinking and the steps they have taken to be compliant. That is not to say that anyone will get ‘A’ for effort if no practical steps have been taken.

As Elizabeth Denham explains, there is no excuse when it comes to GDPR: ‘There will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date…We all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there…’


SRM’s VirtualCISO™ service is proving a popular option for businesses which require broad levels of expertise to complement existing skill sets and roles in a flexible manner.

To find out where you are in terms of GDPR readiness, complete our free online GDPR Self Assessment Questionnaire.

To find out more about what SRM’s GDPR team can do for you, contact Mark Nordstrom (mark.nordstrom@srm-solutions.com) or 03450 21 21 51, or check out our website: https://blog.srm-solutions.com/are-you-ready-for-gdpr/


Or read our blog:

GDPR: a question of confidence

GDPR has been developed to protect us from breaches like Uber

After GDPR what will happen to ICO notification fees?


SRM Blog