GDPR vs Cyber Security
What do these initiatives have in common?
In short, GDPR and Cyber Security share a common approach to the management of risk, and both make compliance an active, ongoing process rather than a one-off exercise.
GDPR, the General Data Protection Regulation, is the EU regulatory framework which mandates that personal data shall be processed securely using appropriate technical and organisational measures.
Cyber Security is a much broader term: it references multiple national authorities, offers several variations of formal IT security frameworks, and promotes a wide market of best practices, policies and products.
Shouldn’t Data Protection reduce risk?
Too many times, following an attempt to improve Cyber Security, sensitive data that should be better controlled becomes spread across more systems (for example, copied into new monitoring, logging or backup tools) and as a result becomes more widely accessible.
Data protection measures, for GDPR or Cyber Security or both, are only effective when considered as part of the whole system.
BEWARE: It is very easy to inadvertently increase risk
Enforcing a data protection regime that is compliant with the GDPR should not weaken an organisation’s Cyber Security posture, yet a poorly defined process for dealing with Subject Access Requests (for example, releasing data without confirming the requester’s identity) increases the risk of a data breach.
Likewise, implementing a programme of Cyber Security without considering GDPR increases the burden on the organisation, can be significantly detrimental to its data protection position, and raises the cost of maintaining compliance.
Data protection should be straightforward
Data processing systems should be easily separated into three elements, with documentation and data protection measures considered for each.
Include visible and less visible elements (don’t forget Software as a Service accounts, offsite backups or the occasional remote access) and note where external resources (people and technology) are used. Where risks are interdependent, arrange for further checks and define the scenario used to control the risk.
It should be simple to understand what is required to meet the requirements of GDPR; don’t allow technical jargon to replace assurance. If necessary, Sytec can provide an independent opinion regarding any shortfall in the measures in place for GDPR.
Make proof the default
To prove compliance, managers must accept that they are accountable for their systems and for the proactive management of all the data being processed. When data is no longer required, it should be removed and the deletion documented.
Collecting unnecessary data is foolhardy: it runs against the data minimisation principle and amplifies both the impact of a data breach and the actions required after one.
Too frequently, managers report ‘I rely on others for compliance’. It is incorrect to presume that data protection exists and is maintained by others.
It is more effective to presume a default of no data protection measures until evidence to the contrary is presented.
My 5 top tips for compliance
- Responsibility for compliance starts with leadership, top down.
- Only collect and process data required for the task.
- Poorly considered Cyber Security has a knock-on effect on GDPR compliance.
- It is a mistake to assume GDPR is in place because of a Cyber Security policy.
- Compliance with GDPR does not flow from your suppliers’ compliance.
In summary, both GDPR and Cyber Security are about risk management and must be treated as frameworks for handling data. Both require organisations to define their own specific measures, documentation systems, and verification and reporting regimes.
Sytec works across the UK to provide an independent risk assessment of data protection measures and if required we will provide guidance to identify and close the gap between what is required and what is in place.
Why choose to work with Sytec?
- We focus on reducing risk
- Our work and our checks are separate, independent processes
- We consider compliance and security checks as the default
- You will know which engineer has access and when they took action
- You will have phone, email and face to face access to security certified engineers
Sytec provides IT networking, security, audit, consulting, and support services to a broad range of businesses. Based in Salisbury, engineers are available to respond on a same day basis to ad-hoc or emergency requests, and within minutes for customers with a prepaid pool of consultative support.
We enjoy representing many other IT companies who require responsive field engineers; see sytec.co.uk/subcontract for more about our coverage and response.