WGPlus (Archive)
So how many emails did you receive from ‘data holders’ this month?
The General Data Protection Regulation (GDPR) took effect on 25 May 2018. The GDPR requires that personal data must be processed securely using appropriate technical & organisational measures. The Regulation does not mandate a specific set of cyber security measures but rather expects you to take ‘appropriate’ action. In other words, you need to manage risk. What is appropriate for you will depend upon your circumstances, the data you are processing and therefore the risks posed; however, there is an expectation that you have a minimum set of established security measures in place. The security measures must be designed into your systems at the outset (referred to as Privacy by Design) and kept effective throughout the life of your system. The NCSC have worked with the ICO to develop a set of GDPR Security Outcomes. This guidance provides an overview of what the GDPR says about security and describes a set of security-related outcomes that all organisations processing personal data should seek to achieve. The approach is based on four top-level aims:
The ICO has published a lot of helpful guidance on its website. A good starting point for advice on implementing security measures for the GDPR is existing good cyber security guidance. Some good sources of information include the ICO 10 Steps to Cyber Security, the Small Business Guide or the Cyber Essentials scheme. You can also share information, advice & intelligence about cyber risks online by joining the ICO CISP community. If you are affected by an incident which involves (or is likely to involve) a breach of personal data, then you are likely to have an obligation under the GDPR to notify the ICO. The ICO provide more detailed guidance on their website about what constitutes a notifiable breach and about preparing for & responding to breaches. You may also wish to report significant cyber incidents to the NCSC. Incidents below the national threshold should be reported to Action Fraud – the UK’s national fraud & cyber crime reporting centre – or, if you're in Scotland, reports should be made to Police Scotland.
Researched Links:
techUK: NCSC and ICO publish cyber security guidance on GDPR
The GDPR Security Outcomes can be read here in full
techUK's Data Protection Bill Briefing Update
ICO: New data protection laws put people first
DCMS: Data laws made fit for the digital age
DCMS: Will you be ready for GDPR before 25 May?
Charity Commission: Make sure your charity is ready for GDPR
techUK: Does GDPR prevent Blockchain, or does Blockchain assist GDPR?
ICO: The GDPR & Beyond: Privacy, Transparency and the Law