The essential differences between Cyber Essentials and GDPR
We’ve recently been stressing the need for firms to make sure that they can comply with the EU’s General Data Protection Regulation (GDPR) when it’s introduced in May 2018.
However, where do other elements of a firm’s protection fit into this picture – such as Cyber Essentials, ISO 27001 and IASME?
For instance, if you have Cyber Essentials, are you already covered for GDPR? Or once you are GDPR-compliant, is it true that you don’t need Cyber Essentials? The answer in both cases is a resounding “No”. Although some of the elements covered by both Cyber Essentials and GDPR might appear the same, there are some key differences, which we’ll explore in this blog. Please note that whatever happens with Brexit, it won’t make a difference to the need for businesses to comply with regulations such as GDPR, as this will soon be embedded in UK law.
Let’s take a look at the two main methods of information protection that firms of all sizes need to consider: GDPR and Cyber Essentials.
By now, most firms should know the fundamentals of GDPR. In a nutshell, the new regulation is designed to ensure that the integrity of any personal data that is collected, managed, stored or processed by an organisation is fully protected. When GDPR comes into force, it will bring new mandatory requirements for data controllers and processors. These will provide further safeguards, ranging from the need to gain an individual’s consent to store and use their data - and their right to know what personal data is held about them - right through to the need for some companies to appoint data protection officers.
GDPR will also introduce much heavier penalties for breaches of the regulation by companies that fail to comply. The onus is on individual firms to understand the risks associated with any personal data they hold or use and to take the necessary measures to mitigate those risks. If you’d like to know more about the details of the new regulations, take a peek at this blog on our website: ‘The General Data Protection Regulation & The Data Protection Bill 2017’.
Cyber Essentials overview
The Cyber Essentials Scheme has a slightly different scope from GDPR – it’s a part of the Government’s National Cyber Security Strategy, which seeks ‘to make the UK a safer place to conduct business online’. The Scheme is designed to promote and certify basic levels of technical protection against cyber attacks.
Cyber Essentials focuses on five key technical controls that will help companies to protect themselves from the most common types of cyber attacks - phishing and hacking. The five controls are: boundary firewalls and Internet gateways; secure configuration; access control; malware protection; and security software patch management. When implemented correctly, these five controls will help to provide mitigation against a wide range of potential threats.
There are two levels of Cyber Essentials – the basic programme outlined above, which is a self-assessment scheme, and Cyber Essentials Plus. The latter includes an onsite technical audit conducted by an external body, together with an internal and external vulnerability test.
Vive la difference
So what are the key differences between the two types of compliance?
- Cyber attacks. Cyber Essentials is all about protecting your firm against potential cyber attacks. Although this complements many of the GDPR requirements, the new regulation actually covers many more aspects relating to the protection of personal data. This includes the rights of individuals to access any personal data relating to them that an organisation holds, free of charge. Firms must have processes in place that enable them to meet such requests within 30 days, or face being penalised.
Under GDPR, if there are any data breaches that could mean that personal data has been compromised, a firm might have to notify their entire customer base about this.
- A matter of culture. Cyber Essentials is basically a technical solution designed to protect a company against phishing and hacking by cyber criminals. GDPR is meant to go a step further – it aims to bring a change in the corporate culture. It wants everyone in the organisation that handles or manages personal data to be aware of the potential threats and to use the most effective processes for safeguarding that data.
- Managing risk. With GDPR, an essential component of achieving and maintaining compliance is an effective risk management strategy, which includes keeping accurate records; checking and updating procedures wherever necessary; and reviewing compliance processes on a regular basis. With Cyber Essentials, the emphasis is on technical protection rather than a risk management strategy.
- Essential or not? Whilst both programmes could be regarded as essential requirements for a busy law firm, Cyber Essentials is a scheme devised by the government to help companies to protect themselves. There are no direct penalties for firms failing to use Cyber Essentials – other than the obvious risk of the potential threat to their data and systems by not having suitable levels of protection. However, firms who work with government bodies, including the Ministry of Defence, must have Cyber Essentials certification as a minimum standard.
In contrast, GDPR is mandatory – any firms dealing with personal data must take measures to comply with the regulation or face potentially severe consequences. As mentioned previously, the onus is on the individual company to ensure that it can comply with the regulation.
Other methods of protection
There are two other key standards which might cause some confusion in people’s minds, as there is some overlap with both GDPR and Cyber Essentials. These are ISO 27001 and IASME. Here is a brief explanation of each:
ISO 27001 – ISO 27001 accreditation is a sign that a firm has achieved a certain level in terms of managing its information security. It covers issues such as the implementation, management, monitoring and review of an effective information security management system and the associated policies and procedures. This might include some, but not all, of the requirements of GDPR.
IASME (Information Assurance for Small and Medium Enterprises) – This programme, which is based on an SME version of ISO 27001, was developed to provide a cyber security standard for SMEs. Certification again demonstrates that a certain level of security has been achieved. There are two levels – self-assessment (via an online questionnaire) and ‘Gold’ - an onsite audit by an IASME certification organisation. The self-assessment now includes optional questions that help to evaluate the level of a company’s compliance with GDPR. IASME is aligned with Cyber Essentials and certification usually includes Cyber Essentials certification.
To sum up, if you’re looking for protection from cyber attacks, and to ensure that your information security is up to scratch, it would be advisable to go for Cyber Essentials and IASME certification. Larger firms should seek ISO 27001 accreditation, as this will give an extra level of reassurance to their customers. Meanwhile, organisations of all sizes must ensure that they’re fully prepared to meet the requirements of GDPR when it comes into force next May.
If you’re still unsure or need any help or advice with any of these issues, please don’t hesitate to give us a call on 01829 731 200.