This is the fourth of a five-week series of articles on how to prepare for the GDPR.
Week 3 focused on the lawful processing of data.
This week we look at cybersecurity and the GDPR.
Cybersecurity and the GDPR
The GDPR requires organisations to take appropriate technical and organisational measures to ensure a level of security that reflects their risks in processing personal data. This is similar to organisations’ current obligations under the Data Protection Act, but there are some differences for which you should prepare.
As with overall GDPR compliance, you should consider appointing someone with sufficient seniority and expertise to lead your work on cybersecurity. You should also consider drawing up an information security policy that addresses your firm’s overall information security needs. This will clearly encompass your processing of personal data under the GDPR, but should also cover information assets that comprise non-personal data.
You may also wish to ensure that your policy covers physical and personnel security procedures.
Data breach notification
You should familiarise yourself with your obligations to notify a personal data breach to the Information Commissioner’s Office no later than 72 hours after becoming aware of it (and, in certain circumstances, to notify a personal data breach to data subjects). Mandatory data breach notification is a new obligation and failure to notify carries heavy penalties.
The GDPR explicitly refers to pseudonymisation and encryption of data as potentially appropriate mechanisms for ensuring the security of personal data. Amongst other measures it mentions are:
- ensuring the ongoing confidentiality, integrity, availability and resilience of your processing systems and services
- having the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- having a process for regularly testing, assessing and evaluating the effectiveness of your technical and organisational measures for ensuring the security of your processing.
A range of cybersecurity resources is available to help you. You should familiarise yourself with the guidance, products and services of the National Cyber Security Centre, including its guide for small businesses, the Cyber Essentials Scheme and the Cybersecurity Information Sharing Partnership (CiSP). You can also visit the Law Society’s cybersecurity and scam prevention webpages.
Our GDPR pages provide useful information on various elements of the GDPR, as well as external links which may be of use.
The Information Commissioner’s Office provides a guide on preparing for GDPR which should be your first stop as you work towards compliance.
We have provided guidance for law firms on when it may be necessary to appoint a data protection officer.
We encourage you to share useful information with your colleagues. Everyone in your firm will have some responsibility for GDPR compliance.