GDPR: ICO publishes new guidance on Special Category Data 

Special category data

The Information Commissioner’s Office (ICO) has published new guidance on how and why special category data needs to be handled more carefully.

Some types of personal data are extremely sensitive, and therefore data controllers must take extra measures to ensure their protection. This is known as special category data, and it covers:

  • data revealing racial or ethnic origin;
  • data revealing political opinions;
  • data revealing religious or philosophical beliefs;
  • data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning an individual’s health;
  • data concerning a person’s sex life; or
  • data concerning a person’s sexual orientation.

Leaks of this type of personal data can be extremely damaging and dangerous. Just imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them.

This has led the ICO to publish new guidance to support organisations in ensuring they stay GDPR compliant and protect the data they control. 

What does the new guidance say about how organisations should approach processing special category data?

Firstly, as always, you must have a lawful basis under Article 6 of the GDPR to process personal data. When processing special category data, however, you also need to satisfy one of the Article 9 conditions for the processing, and potentially an associated condition from Schedule 1 of the DPA 2018. Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies for the data you are processing.

There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase your customers’ confidence in you. 

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.


CyberSmart is now available on G-Cloud 11

CyberSmart has become an official supplier on G-Cloud 11, a major government procurement framework. 

G-Cloud, created in 2014 by the Crown Commercial Service and Government Digital Service, makes government procurement easier, transparent and much more efficient, reducing the usual lengthy procurement processes from weeks/months down to days. It is straightforward and well guided.

After making it through a rigorous tender process, which ensured our products and services fit in with the needs of G-Cloud, we were confirmed as a supplier from July 2019, ensuring cybersecurity compliance and assurance are easily accessible to everyone on the framework.

The framework allows central government, local authorities, NHS Trusts, the Ministry of Defence and other public sector bodies (including agencies and arm’s length bodies) to access a central website and purchase cloud-based services.

With CyberSmart Active Protect in G-Cloud 11, the tools are in place to ensure full cybersecurity compliance and assurance in public sector bodies and to meet recognised cybersecurity standards across whole organisations.

From ensuring all devices are continuously compliant to achieving certifications such as Cyber Essentials, Cyber Essentials Plus or IASME GDPR Ready, often on the same day, the opportunity is now clear and much faster than before.

Jamie Akhtar, CyberSmart’s CEO, said: “Cybersecurity in the public sector is a matter of great concern, so we are happy to be able to provide our innovative platform and products, to support and safeguard key British organisations. Being included in G-Cloud 11 is yet another endorsement of CyberSmart’s platform, and is testament to our already successful and growing relationship with the public sector.”

Can you purchase via G-Cloud 11? See here for government guidance or contact us.

Every device. Every user. Everywhere.

CyberSmart has a bold mission to protect and empower SMEs. In order to do so, we need to provide continuous compliance through the entire organisation. This is no small feat, as today’s organisations have diverse systems and modern ways of working. We are extremely excited to announce the next big step in our journey is now live.

A mobile world

The world has gone mobile, and SMEs are relying more than ever on their mobile phones and tablets to do business. After all, they are pocket-sized computers, connected to fast mobile networks, with all the applications we need to be productive. The smartphone has allowed us to get the most out of these devices, including handling and storing sensitive data, processing payments and communicating with others.

The ability to carry such devices in our pockets is driving growth and efficiency on a scale not seen before, allowing SMEs to do business anywhere and everywhere. But like any internet-connected device, this leaves users open to mobile security threats.

Every device. Every user. Everywhere.

CyberSmart Active Protect is already protecting thousands of devices for hundreds of organisations in the UK, and now that protection and assurance can be deployed on mobile devices. Our new mobile application brings the best of our desktop app to every device in your organisation, securing every user, wherever they are, so your business can focus on what it does best, with peace of mind.

CyberSmart Active Protect

Active Protect checks mobile devices are configured to the recommended security practices, as per the requirements of Cyber Essentials. It guides users on how to protect the device and themselves. It also supports policy distribution to make sure users comply with their company’s internal policies. As it’s an app instead of a profile, it supports both user-managed and corporate provided devices.


Why does my organisation need the mobile app?

  • Ensures all devices within the organisation are checked for compliance with Cyber Essentials, helping to prevent threats such as mobile spyware and malware.
  • Guides users through remediation if they need to address any issues.
  • Feeds real-time information back into the CyberSmart dashboard for a single view of compliance.
  • Allows users to read and agree to policies on their mobile devices.

What’s next?

The launch of Active Protect is just another step, albeit a very exciting one, in the CyberSmart journey towards our mission. Our team is focusing on rolling out many more advancements across our product range. This includes inspiring and educating SMEs on practices and strategies to combat cyber threats and further simplifying cybersecurity and compliance for organisations.

CyberSmart Active Protect is live in the following stores:

Cyber Essentials: A BIG step in the journey towards GDPR compliance

GDPR compliance

GDPR compliance became a legal requirement in May 2018 and was put in place to bring transparency and homogenise data privacy laws for citizens in the European Union. The regulation holds organisations responsible for data breaches and imposes heavy fines on them if they are found to have had poor security measures in place. The UK Data Protection Act 2018 makes GDPR a legal requirement for all businesses.

This higher degree of accountability means organisations need to take action and strengthen their security and protection for personal data. Cyber Essentials is a simple, government-backed scheme that will help businesses, whatever their size, to protect their data against a whole range of the most common cyber attacks.

In this article, we explain how Cyber Essentials can help you on your path towards full GDPR compliance.  

Why would achieving Cyber Essentials help?

Cyber Essentials is a UK government-backed scheme administered through the National Cyber Security Centre (NCSC). The scheme provides five basic controls to help organisations protect themselves against common cyber attacks. The NCSC claims Cyber Essentials can help eliminate the risk of 80% of cyber attacks.

The aim of Cyber Essentials is to provide a baseline standard for businesses to safeguard sensitive data, which aligns with the primary concerns addressed by both the European Union regulation and UK law. In the UK, GDPR is enforced by the Information Commissioner’s Office (ICO), which also receives notifications of data breaches. The technical controls of Cyber Essentials help you demonstrate to the ICO that you are on the right path towards GDPR compliance.

It is important to note that Cyber Essentials does not ensure total compliance with GDPR, as GDPR is a comprehensive regulation that requires businesses to safeguard personal data. All organisations that handle personal information of EU citizens must comply with the GDPR. Achieving a Cyber Essentials certification is a big initial step towards GDPR compliance. However, businesses still need to take further action after this. See our blog post on GDPR certification.

How can CyberSmart help?

CyberSmart is an automated compliance service that helps organisations become compliant with standards such as Cyber Essentials and GDPR. We provide ongoing compliance, helping businesses protect themselves against emerging cyber threats.

As a certified provider, CyberSmart guides and assists organisations in achieving various standards of compliance. We identify flaws in your existing security policies and recommend best practices.

Our well-tested process ensures you meet the security requirements of these standards. We take away the stress of understanding and evaluating the requirements of each standard from you.

Conclusion

Cyber Essentials is a great first step towards GDPR compliance. However, it is just one step of the journey. Organisations need to adopt a cybersecurity solution that can scale and adapt according to their growing needs.


Cybersecurity standards explained

Cybersecurity standards

The cybersecurity sector is a crowded place when it comes to different standards, certifications, rules and regulations. It can also cause a lot of head-scratching and confusion for those not familiar with best practice.

Founders and business owners often come to us and say they want to, or have to, get ISO 27001 certified. Hardly anyone knows when and how ISO 27001 makes sense for a small business, or what other certifications can be achieved instead of ISO 27001 or used as a stepping stone towards achieving it. Here is a brief overview of the most common cybersecurity standards in the UK:

Cyber Essentials

In short, Cyber Essentials is a scheme designed by the UK government that aims to get all UK businesses managing their IT security to a certain level. It helps companies implement basic levels of protection against cyber attacks, demonstrating to their customers and suppliers that they take cybersecurity seriously.

Established in 2014, the purpose of this standard is to establish a necessary baseline of cybersecurity throughout an organisation. The standard is relatively technical and protects organisations from 80% of cyber attacks. The most surprising thing we discovered as cybersecurity consultants was that most companies that had other standards implemented, such as ISO 27001 or PCI DSS, would still fail under Cyber Essentials. The best use case for this standard is to implement it as a first line of defence and perimeter security before other standards are considered.

Cyber Essentials certification is a great first step towards GDPR. It serves as evidence that you have carried out basic steps towards protecting your business from internet-based cyber attacks.

Cyber Essentials Plus

Cyber Essentials Plus is the audited standard of Cyber Essentials. Besides including some additional controls, the implementation needs to be assessed by a Cyber Essentials Plus auditor. This obligatory audit creates additional trust in the standard and it is safe to assume that once Cyber Essentials is well-established, Cyber Essentials Plus will increasingly become mandatory.

IASME

This standard goes far beyond Cyber Essentials and can be described as a “mini version of ISO 27001:2017”. Together with the government, IASME developed this standard in order to create an easily adaptable and affordable alternative to ISO 27001. The IASME standard is specially tailored towards SMEs and covers processes, people and technology. There are two levels: the standard self-assessment and the Gold standard, which requires an on-site audit. In May 2018 both IASME levels will be expanded to include GDPR readiness, and both require Cyber Essentials as part of the readiness as well. Like Cyber Essentials, the IASME standard can serve as proof to customers and suppliers that their information is being protected. It is provided alongside the Cyber Essentials certification.

ISO 27001

ISO 27001 is an international information security standard. With well over 100 controls, the standard is frequently implemented by corporations or by businesses dealing with critical infrastructure or the public sector. ISO 27001 covers areas that include security policies, access control, operations security, human resources, cryptography and compliance. It does not cover GDPR*. However, an organisation can voluntarily include GDPR in their ISMS (Information Security Management System).

*A note on GDPR: GDPR is NOT a standard, it’s a law, so we’ve excluded it here. 

If you have any questions about Information Security Standards or Cyber Security in general or just want to have a chat, drop us a line at hello@cybersmart.co.uk.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


5 cybersecurity tips to kick off the New Year

Here’s what everyone should be doing in 2018 in terms of cybersecurity and data protection:

GDPR: What is it and why is it important?

What is GDPR?

The General Data Protection Regulation (GDPR) is Europe’s new framework for data protection laws. GDPR replaces the previous 1995 data protection directive, which current UK law is based upon.

It introduces tougher fines for non-compliance and breaches and gives us all more say over what companies can do with our data. On top of this, it also makes data protection rules more or less identical throughout the EU.

Why was GDPR drafted in the first place?

The new law has two aims. First, the EU wants to give people more control over how their personal data is used. This is down to the practices of companies like Facebook and Google, who often swap access to their services for users’ data. 

The current Data Protection Act was enacted before the internet, making it easy to exploit data using new technology. GDPR seeks to address this. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the digital economy.

Second, the EU wants to give businesses a clearer legal environment to operate in. It’s estimated that making data protection law identical throughout the single market will save businesses a collective €2.3 billion a year.

When will it apply?

GDPR has applied to all EU member states since 25 May 2018. 

Who does it apply to?

According to the EU, ‘controllers’ and ‘processors’ of data need to follow GDPR rules. Let’s dig into those terms a little. 

A data controller is the party responsible for how and why data is processed. This is usually your business itself. A processor is the party responsible for the actual handling of the data.

Using a third-party contractor for processing your payroll is a great example of this. Your business tells the payroll company when wages should be paid, how much each employee should receive, and if anyone leaves or joins. The payroll company provides the IT system and stores your employees’ data. In this situation, your business is the controller and the payroll provider the processor.

Even if controllers and processors are based outside the EU, GDPR still applies, so long as they’re dealing with data belonging to EU residents.

It’s your responsibility as a controller to ensure the processor follows the rules. Meanwhile, processors must keep records of their processing activities. There’s a big incentive to do this: under GDPR, the penalties are much more severe than they were previously.

How can Cyber Essentials help with GDPR?

While your organisation needs more than Cyber Essentials to comply with GDPR, it’s a great first step. Cyber Essentials certification is evidence that you have taken steps towards protecting your data from cyber attacks.


One more GDPR post

At every cyber security event, people talk about the new General Data Protection Regulation (GDPR). It seems as if the cyber security industry is obsessed with this new law and makes sure that everyone else knows about it too. Companies, consultants and lawyers are hopping on the GDPR train, because there is a significant opportunity for new services and products. However, there is also a lot of misconception and scaremongering going around, which is stereotypical of the cyber security industry.