Menu

in the third article of our series on the new General Data Protection Regulation (GDPR), James Mulhern, Chief Information Security Officer for Eduserv, looks at how GDPR will impact organisations’ cyber security efforts and how it could encourage improvement.

1. Make GDPR your opportunity to review and strengthen cyber security

By its very nature, GDPR is designed to considerably increase individuals’ rights on personal data. In particular, it outlines special new provisions and compliance requirements for “sensitive personal data” which includes genetic data, biometric data, health data and data relating to sexual orientation, race, political opinions and so on.

Evidence gathered via the dark web suggests that sensitive personal data – such as medical records – is now more valuable for cyber criminals than financial information like credit card details.

If you’re responsible for cyber security, you should therefore be using GDPR as a golden opportunity to get a firmer grip on a key area where attacks are increasing. This is particularly true for organisations like local authorities, who routinely collect and share citizens’ sensitive data with other organisations (both public and private) to operate effectively. And if confirmation were needed that this is the right path to take, it seems that central Government agrees, because it recently confirmed in its Cyber Security Regulation and Incentives Review that it will also seek to improve cyber risk management through the implementation of the GDPR.

2. Start by reducing your attack surface

Under GDPR, compliance will depend in part on having explicit and specific consent for the exact purpose for which data is held or processed. This means that over the next year, organisations need to interrogate all the sensitive personal data they hold to find out whether they have the right level of consent. If they don’t, they will have to delete it. In cases where they don’t have consent but still have “legitimate reason” to keep the data, then it’s likely that they will have to retrospectively pseudonymise or anonymise the data, which is the course of action the GDPR recommends for organisations to achieve compliance. Going forward, they will need to ensure that these privacy practices are embedded by design.

While this will be time consuming, it’s also a great opportunity to reduce entry points and vulnerabilities that are currently exposed to cyber criminals and reduce overall “attack surface”. On top of this, organisations should ensure that they (or at least their security supplier) have appropriate measures in place to provide active and protective monitoring as well as ongoing testing that will help identify new vulnerabilities as they arise.

3. When you appoint a Data Protection Officer, make sure they are cyber security aware

One of the much-discussed elements of GDPR is that it requires many organisations to appoint a Data Protection Officer (DPO) to achieve compliance. This includes all public authorities as well as all organisations that carry out “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of “special categories of personal data”.

GDPR specifies that DPOs are responsible for activities including monitoring compliance, educating staff on their responsibilities, providing advice on privacy impact assessments and co-operating wherever necessary with the relevant supervisory authority.

In addition to this, I believe organisations should also ensure their new DPOs are cyber security aware and trained. GDPR compliance implies implementing Cyber Security Regulations, so your DPO will need to be up to speed with the latest thinking on cyber security and broader organisational resilience. If they are, they will help to guarantee your data’s security, integrity and accessibility by disseminating cyber security best practice throughout your organisation.

4. Make sure everyone in the organisation is aware of GDPR and sees security as their responsibility

One of the great maxims of cyber security today is that organisational and human factors are just as important as any technical barriers you put in place to prevent an attack. The GDPR confirms this, stating that in order to achieve compliance, organisations need to demonstrate that they have robust processes in place for regularly testing, assessing and evaluating the effectiveness of not only technical measures but also the organisational measures for ensuring security

More than ever, organisations should recognise that managing cyber security under GDPR is about managing processes and people as much as anything else – so they’ll need to think about providing security and GDPR awareness sessions that improve understanding of personal and sensitive data across the organisation. In addition, they should consider scenario based exercises, red teaming and advanced resilience testing based on both covert and overt scenarios.

Eduserv and data

Eduserv provides a comprehensive range of cloud, digital development, data and cyber security services for the public sector and charities across the UK. We have in-depth knowledge of the way organisations need to manage and protect personal data in all these contexts and are actively helping our customers to prepare for GDPR compliance. For more information get in touch with James Mulhern at james.mulhern@eduserv.org.uk or 01225 474 344.

About the author

James has over 20 years’ experience of working IT in a variety of roles including Operations, Research & Development and Information Security. He is passionate about the role of Information security in helping ensuring organisations successfully deliver their mission. He is a strong believer in the importance of monitoring and testing in strengthening an organisation’s cyber resilience and their ability to respond to cyber-attacks.

James was responsible for Eduserv achieving ISO27001 and PSN certification as well as numerous IL2/IL3  accreditations including the Pan Government Accreditation of our Cloud services. He has worked closely on security controls for the Department for Education’s 3DC and has a strong background in information assurance, control and compliance.

Throughout his career, James has been involved in the implementation and management of many high-profile projects, for many of Eduserv's key clients, including such as the National Assembly for Wales, the Department for Education, the Department for Business Innovation and Skills, JISC, the Cabinet Office and the Metropolitan Police Service.

To get our advisers working seamlessly alongside your own team, email us or call 0300 1210 010