How does NCSC endorsed Cyber Essentials scheme relate to the General Protection Data Regulation?
Cyber Essentials & GDPR
Last week the British and Foreign bible society, based in Swindon UK was fined £100,000 by the UK’s Information Commissioner’s office (ICO) – the UK’s independent body to enforce the General Protection Data Regulation (GDPR). Since the 25th of May 2018, GDPR is now mandatory to all organisations who hold personal data of European citizens. Fines of this calibre will become standard as GDPR allows the authority (ICO) to scale the fines depending on:
- The annual turnover of the company in question
- The severity of the offence or reported complaint
Cyber Essentials is a UK Government backed scheme, a set of security controls to encourage best practices and enforce a minimum level of Cyber Security which should be achievable for any business, no matter how complex their infrastructure. The criteria are clearly set and the organisation knows what to expect when they begin the certification process.
GDPR is more subjective, forcing organisations to rethink their entire approach to how they obtain, process and manipulate personal data amongst other requirements. It effectively transfers the power of law back to the individual allowing them to know what their data is used for, to opt out and to remove their data entirely if requested.
If we take a step back and look at the two as a whole:
- Cyber Essentials is a certification against a list of security controls that, once implemented into an organisation, is designed to protect said organisation from being the recipient of the most common Cyber Attacks.
- GDPR is a mandatory regulation that all organisations holding EU citizen personal data have to abide by. It effects the acquisition, processing and manipulation of all personal data.
How do they relate?
If an organisation is breached and this resulted in a loss of data, GDPR enforces the organisation to report the breach, which will be followed up by an investigation by the governing body (in the UK’s case – the ICO).
As the fines are now scaled depending on the severity of the negligence that caused the breach, Cyber Essentials is seen by many public and private sector organisations as one of a number of preventative measures that an organisation can put in place prior to the above investigation and may be considered when the severity of your fine is being considered.
In short – it’s not mandatory to be certified, but it could be a lifeline if the worst was to happen.
