MENU
  1. Eduserv
  2. Eduserv Blog
  3. Professional Services
  4. The implications of GDPR to cyber security

The implications of GDPR to cyber security

|

In the third article of our series on the new General Data Protection Regulation (GDPR), James Mulhern, Chief Information Security Officer for Eduserv, looks at how GDPR will impact organisations’ cyber security efforts and how it could encourage improvement.

1. Make GDPR your opportunity to review and strengthen cyber security

By its very nature, GDPR is designed to considerably increase individuals’ rights on personal data. In particular, it outlines special new provisions and compliance requirements for “sensitive personal data” which includes genetic data, biometric data, health data and data relating to sexual orientation, race, political opinions and so on.

Evidence gathered via the dark web suggests that sensitive personal data – such as medical records – is now more valuable for cyber criminals than financial information like credit card details.

If you’re responsible for cyber security, you should therefore be using GDPR as a golden opportunity to get a firmer grip on a key area where attacks are increasing. This is particularly true for organisations like local authorities, who routinely collect and share citizens’ sensitive data with other organisations (both public and private) to operate effectively. And if confirmation were needed that this is the right path to take, it seems that central Government agrees, because it recently confirmed in its Cyber Security Regulation and Incentives Review that it will also seek to improve cyber risk management through the implementation of the GDPR.

2. Start by reducing your attack surface

Under GDPR, compliance will depend in part on having explicit and specific consent for the exact purpose for which data is held or processed. This means that over the next year, organisations need to interrogate all the sensitive personal data they hold to find out whether they have the right level of consent. If they don’t, they will have to delete it. In cases where they don’t have consent but still have “legitimate reason” to keep the data, then it’s likely that they will have to retrospectively pseudonymise or anonymise the data, which is the course of action the GDPR recommends for organisations to achieve compliance. Going forward, they will need to ensure that these privacy practices are embedded by design.

While this will be time consuming, it’s also a great opportunity to reduce entry points and vulnerabilities that are currently exposed to cyber criminals and reduce overall “attack surface”. On top of this, organisations should ensure that they (or at least their security supplier) have appropriate measures in place to provide active and protective monitoring as well as ongoing testing that will help identify new vulnerabilities as they arise.

3. When you appoint a Data Protection Officer, make sure they are cyber security aware

One of the much-discussed elements of GDPR is that it requires many organisations to appoint a Data Protection Officer (DPO) to achieve compliance. This includes all public authorities as well as all organisations that carry out “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of “special categories of personal data”.

GDPR specifies that DPOs are responsible for activities including monitoring compliance, educating staff on their responsibilities, providing advice on privacy impact assessments and co-operating wherever necessary with the relevant supervisory authority.

In addition to this, I believe organisations should also ensure their new DPOs are cyber security aware and trained. GDPR compliance implies implementing Cyber Security Regulations, so your DPO will need to be up to speed with the latest thinking on cyber security and broader organisational resilience. If they are, they will help to guarantee your data’s security, integrity and accessibility by disseminating cyber security best practice throughout your organisation.

4. Make sure everyone in the organisation is aware of GDPR and sees security as their responsibility

One of the great maxims of cyber security today is that organisational and human factors are just as important as any technical barriers you put in place to prevent an attack. The GDPR confirms this, stating that in order to achieve compliance, organisations need to demonstrate that they have robust processes in place for regularly testing, assessing and evaluating the effectiveness of not only technical measures but also the organisational measures for ensuring security

More than ever, organisations should recognise that managing cyber security under GDPR is about managing processes and people as much as anything else – so they’ll need to think about providing security and GDPR awareness sessions that improve understanding of personal and sensitive data across the organisation. In addition, they should consider scenario based exercises, red teaming and advanced resilience testing based on both covert and overt scenarios.

More on GDPR

Preparing for the General Data Protection Regulation – 12 steps you can take now

Why should GDPR be high on the Chief Information Officers’ agenda?
Eduserv and data

Five steps to dealing with GDPR effectively in your organisation

5 ways to make sure your digital services comply with GDPR

Eduserv and data

Eduserv provides a comprehensive range of cloud, digital development, data and cyber security services for the public sector and charities across the UK. We have in-depth knowledge of the way organisations need to manage and protect personal data in all these contexts and are actively helping our customers to prepare for GDPR compliance. For more information get in touch with James Mulhern at james.mulhern@eduserv.org.uk or 01225 474 344.