Are you covered for GDPR if you have Cyber Essentials? Can you do without Cyber Essentials if you are GDPR compliant? The answer in both cases is a resounding “No”.
Although some of the elements covered by both GDPR and Cyber Essentials might appear the same, there are some key differences that need to be highlighted.
This new regulation is designed to ensure that the integrity of any personal data that is collected, managed, stored or processed by an organisation is fully protected.
When GDPR comes into force, it will bring new mandatory requirements for data controllers and processors. These will provide further safeguards, ranging from the need to gain an individual’s consent to store and use their data (and their right to know what personal data is held about them) right through to the need for some companies to appoint data protection officers.
GDPR will also introduce much heavier penalties for breaches of the regulation by companies that fail to comply. The responsibility lies with individual firms to understand the risks associated with any personal data they hold or use and to take the necessary measures to mitigate those risks.
Cyber Essentials Overview
The Cyber Essentials Scheme is a part of the Government’s National Cyber Security Strategy, which seeks to make the UK a safer place to conduct business online.
The Scheme is designed to promote and certify basic levels of technical protection against cyber attacks.
Cyber Essentials focuses on five key technical controls that will help companies to protect themselves from the most common types of cyber attacks: phishing and hacking.
The five controls are:
boundary firewalls and Internet gateways
security software patch management
When implemented correctly, these five controls will help to provide mitigation against a wide range of potential threats.
There are two levels of Cyber Essentials:
The Basic Programme outlined above, which is a self-assessment scheme, and Cyber Essentials Plus.
The latter includes an onsite technical audit conducted by an external body and an internal and external vulnerability test.
Cyber Essentials is all about protecting your firm against potential cyber attacks. Although this complements many of the GDPR requirements, the new regulation actually covers many more aspects relating to the protection of personal data. This includes the rights of individuals to access any personal data relating to them that an organisation holds, free of charge.
Firms must have processes in place that enable them to meet such requests within 30 days, or face being penalised.
Under GDPR, if there are any data breaches that could mean that personal data has been compromised, a firm might have to notify their entire customer base about this.
A matter of culture
Key Differences between GDPR and Cyber Essentials:
With GDPR, an essential component of achieving and maintaining compliance is an effective risk management strategy, which includes keeping accurate records; checking and updating procedures wherever necessary; and reviewing compliance processes on a regular basis. With Cyber Essentials, the emphasis is on technical protection rather than a risk management strategy.
Essential or not?
Whilst both programmes could be regarded as essential requirements for a busy law firm, Cyber Essentials is a scheme devised by the government to help companies to protect themselves. There are no direct penalties for firms failing to use Cyber Essentials, other than the obvious risk to their data and systems from not having suitable levels of protection.
However, firms who work with government bodies, including the Ministry of Defence, must have Cyber Essentials certification as a minimum standard.
In contrast, GDPR is mandatory — any firms dealing with personal data must take measures to comply with the regulation or face potentially severe consequences. As mentioned previously, the responsibility lies with the individual company to ensure that it can comply with the regulation.
Cyber Essentials is basically a technical solution designed to protect a company against phishing and hacking by cyber criminals. GDPR is meant to go a step further — it aims to bring a change in the corporate culture.
It wants everyone in the organisation who handles or manages personal data to be aware of the potential threats and to use the most effective processes for safeguarding that data.