January 24 2023
This Security Essentials Series blog focuses on data protection and why Cyber Essentials is a good standard on which to base your management of personal information.
General Data Protection Regulation
The European Convention on Human Rights addressed the right to privacy in the 1950s and stated, “Everyone has the right to respect for his private and family life, his home and his correspondence”. As a result, the European Union implemented legislation to protect this right, which has evolved to be the current General Data Protection Regulation (GDPR) that we use today.
Europe’s data privacy and security law, the General Data Protection Regulation, was introduced in May 2018 to replace the Data Protection Act (1998). GDPR governs the collection and processing of personal information, and the need for this regulation arose from the growth of the internet.
GDPR applies to anyone who processes the personal information of EU citizens, as well as anyone who offers goods and services to those individuals, meaning that in some cases GDPR still applies even if you are not based in the EU.
GDPR aims to ensure that only necessary personal information is collected and stored, only appropriate personnel have access to it, and the individual understands why their personal information is required.
GDPR also aims to ensure that the personal information collected is stored securely, that if an individual’s data is being shared with a third party, the individual is informed prior to their information being shared, and that the individual is asked to agree to their information being shared where they have the choice. GDPR also states that information should only be stored for as long as is necessary.
Non-compliance with GDPR is an offence and can result in a fine of either 4% of the organisation’s annual global turnover or 20 million euros (approx. £17.5 million). In addition, data subjects have the right to seek compensation in the event of a data breach.
The Link to Cyber Essentials
GDPR is relevant to Cyber Essentials because information assets such as personal data and financial records, which are protected under GDPR, are popular targets for cyber-criminals due to their perceived value. If these assets are breached, the organisation has committed a punishable GDPR violation.
An example of a data breach may be seen in the form of malware known as spyware. Spyware is a type of malicious software that may be installed on your device after clicking on a suspicious link; once installed, it can begin to steal and/or damage your information assets.
This could lead to your customer information being leaked, including email addresses, passwords and bank details. The result is non-compliance with GDPR, subjecting your organisation to a fine as well as compensation claims from data subjects.
Malware protection is one of the five technical controls set out by Cyber Essentials, so by attaining your Cyber Essentials certification, the likelihood of your organisation experiencing this type of breach is significantly reduced.
Complying with all five technical controls set out by Cyber Essentials helps your business mitigate 80% of common cyber threats and avoid data breaches.
Therefore, by ensuring that the entire IT infrastructure required to run an organisation’s functions is covered by Cyber Essentials, the security risk is significantly reduced and the business remains compliant with GDPR.