Cyber security and data protection – an inevitable convergence?

New cyber security threats

The way businesses operate is constantly evolving and there has been an exponential growth of internet services including online data storage in recent years. As these new technologies have become increasingly prevalent and relied upon by businesses, a raft of new cyber security threats has emerged.

We look here at how cyber security and data protection interrelate and what this means for your business.

Cyber security and the GDPR

The GDPR requires that personal data must be processed in a manner which ensures appropriate security of it. The GDPR also made data protection by design a legal obligation for the first time. This means that a business must factor into any data processing operation, at the earliest stage, appropriate technical and security measures to implement data protection and safeguards for processing personal data.

Contact our Data Protection team now.

Such measures include:

• the pseudonymisation and encryption of personal data
• the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The second of these is key from a cyber security perspective. As businesses make increased use of web servers and cloud-based services for storing data, they must ensure the confidentiality, integrity, availability and resilience of any such servers and services. This puts cyber security front and centre.

Just prior to the GDPR coming into force in May 2018, the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) published joint guidance for businesses. The guidance was distilled into four key headline aims:

1. Manage security risk
2. Protect personal data against cyber-attack
3. Detect security events
4. Minimise the impact.

Security risks can be managed through good governance, risk management and asset management. If third party data processors are used in a business’s supply chain, contracts must be in place and guarantees should be obtained about the technical and organisational measures implemented by the third party processor. If things are not up to scratch, the business should not engage them.

Cyber-attacks can be prevented through the implementation of policies and procedures to shape the approach to system security. Users should be authenticated and access strictly controlled. Technical steps to ensure data and system security should be taken, such as encrypting data, controlling connectivity to systems and devices, managing software vulnerabilities and keeping software up to date.

Systems must be monitored to identify attacks or other security events. Procedures should be in place to respond and recover if a breach takes place. Improvements should be made to prevent it happening again.

The fact that the ICO worked jointly with the NCSC on this guidance clearly underlines the central role that cyber security must play for a business to meet its obligations under the GDPR.

Conclusion

The convergence of cyber security and data protection became increasingly inevitable as the regulatory regimes evolved to keep pace with advancements in technology.

As data becomes increasingly digitised and web servers and cloud-based storage become the preference, the links between cyber security and data protection are likely to strengthen further.

We can assist businesses of all sizes with advice on the GDPR, data protection compliance and approaches to minimising the risk of data breaches.

To discuss these matters further, please contact Kevin Mahoney on 01242 246 426 or at [email protected].