How compliant does your IT need to be?
Posted 28th March 2022
Back in March 2019 our team wrote a blog about the GDPR compliance requirements that businesses were then getting to grips with. For those who may have forgotten, GDPR governs how businesses and organisations process and manage personal data. That could be anything from email and postal addresses to how CCTV footage is stored and who can access it. Looking back, after everything the world has been through in the interim, being GDPR compliant may seem less important. Nothing could be further from the truth. With many businesses moving towards remote working and 'bring your own device' (BYOD) policies, personal data is now being accessed from more places and more devices than ever, so ensuring that your IT is compliant should be high on your priority list.
We can see a not too distant future where many businesses will only deal with other companies that hold Cyber Essentials certification as a minimum (it's already happening in the public sector, where many government contracts require it).
For most businesses, IT compliance, and the requirements and certifications that go with it, goes hand in hand with GDPR. If you work through a GDPR checklist, you will at least be able to show the ICO that you took the protection of personal data seriously. Failing to show that your business has taken adequate steps to protect personal data can lead to substantial fines and a loss of credibility and reputation. So, how do you show that your business's IT is compliant?
The first thing to do is ensure that someone senior in your business or organisation is accountable for the security of all personal data and for handling any potential GDPR breaches. It is literally the concept of 'the buck stops here'. Being accountable means that this person is answerable should the ICO decide to investigate a potential breach, so they need the authority to make decisions and the records to back them up.
Identify standards that will help you become compliant
There are a number of standards and certifications that can guide your business towards compliance and prove that you have taken steps.
One of the first things you can do is begin working towards Cyber Essentials certification. This Government-backed scheme enables businesses to improve their cyber security at a modest cost whilst also supporting GDPR compliance. Certification assesses five basic technical controls (boundary firewalls, secure configuration, user access control, malware protection and security update management) and, in working through the questionnaire, you will identify gaps in your existing security. The NCSC states that these controls protect against around 80% of the most common cyber attacks. A Cyber Essentials certificate has to be renewed annually, so you reassess how compliant you are at least once a year.
Associated with Cyber Essentials is IASME Governance. It's ideal for companies that want to measure their GDPR and data security compliance but do not need anything as complex as the ISO27001 standard mentioned below. It can also be completed as a self-assessment alongside the basic (self-assessed) level of Cyber Essentials.
Alongside this is ISO27001 certification, which helps organisations of all sizes implement an information security management system: a framework of policies, procedures and controls for managing information security risk. Certification to ISO27001 requires management to assess information security risks, design and implement controls to treat them, and run a management process that ensures those controls are regularly reviewed and improved.
Conduct a data audit
Both IASME Governance and ISO27001 require you to complete a data audit, looking at what data you hold, where it is held, how it is secured, and who has access to it and why. For many businesses this process is a great way of spring cleaning the information on your systems, deleting personal data that you no longer have a reason to keep, and tightening up who can see the data that remains.
Risk Assessment and Gap Analysis
So, by this point you should be able to see what risks and gaps exist within your IT infrastructure, for example staff using their own devices to access company documents. The next step is to create a risk assessment that identifies each risk and what you will do if it materialises, e.g., if a member of staff loses their phone, was the data on it encrypted, and can the device be remotely wiped?
Showing that you have identified where your organisation is lacking with regards to cyber security, and that you have put actions in place to resolve issues if they arise, demonstrates to the ICO that you took reasonable steps should a breach occur. Remember that GDPR requires notifiable breaches to be reported to the ICO within 72 hours of becoming aware of them, so your plan should say who makes that decision and how.
Develop policies, procedures, and processes
Now is the time to ensure that your policies, procedures, and processes are in line with GDPR requirements. This includes all data protection policies, privacy notices, and employee, customer, and supplier contracts, including the data processing terms you have with any supplier that handles personal data on your behalf.
Cyber Essentials and IASME Governance are a great help in implementing the basic controls and processes you need to maintain compliance.
Train your team
One of the key points of compliance is making sure that everyone understands and follows the same rules. So, you need to train your team in cyber security, how to recognise threats such as phishing, and their data protection responsibilities. User awareness training is an excellent way of training your team and tracking their progress, and keeping a record of who has completed it is useful evidence if the ICO ever asks.
Ask some experts to help
Making sure that your business's IT is compliant can seem like a mountain to climb, and there can be pitfalls along the way. One of the simplest ways of keeping yourself on the right side of GDPR is to use an experienced team of IT experts who can guide and assist you. If you would like to check how compliant your business is, or are concerned that there are gaps in your cyber security, get in touch.