Your legal obligations in the data security field are potentially vast – wide-ranging and powerful – yet it seems that many are barely aware that there is any law in the first place!
"Thou shalt not… (insert almost anything)" is the result – and it is consequently confusing.
The resulting potential fines, prison sentences and prohibitions (and the consequent loss of reputation for organisation and individual alike) would put anyone off – if they understood it all.
Nor does it help much to look at the legislation and supporting guidance that does exist. There is too much of it, for a start.
Many have heard of the General Data Protection Regulation (GDPR) and many seem to be convinced it hardly, if at all, applies to them. Newsflash: it applies to every organisation.
But by the time the Network and Information Security Regulations 2018 (NIS Regs), the Computer Misuse Act 1990, the Privacy and Electronic Communications Regulations 2003 or the Payment Services Directive 2 are mentioned, recognition declines and interest fades.
The fact is that while these and other pieces of legislation are in force, the main drive to direct, control and facilitate safe use of the internet, data handling and personal liberties is actually tied up in Standards of various kinds (the ISO 27001 Data Security and ISO 27701 Privacy Information Standards, for example) and in Handbooks and Rulebooks of advisory approaches (such as the FCA Handbook or the PRA Rulebook).
In fact, there are over 128 applicable standards, as well as a range of legal avenues described in the common law tort of misuse of private information and elsewhere. Too much to take in!
So while there is a huge range of legislation, standards, rulebooks and legal options, there are some very simple ways to address these legal obligations. The best known ones are:
- Cyber Essentials (and Cyber Essentials Plus) is an approach set up by the Government to help users identify the areas where they need to put controls in place. It is a list of 5 broad steps required to retain control of your data – how you meet them is left to the user (and their consultants).
- ISO 27001 Data Security Standard is the standard that the Information Commissioner’s Office (known as the ICO), the authority on data security in the UK, has determined to adopt to ensure its own data security concerns are met. It details a thorough process to ensure that data security concerns of all types are identified, considered, assessed, enacted and tightened to achieve a more secure data environment.
- ISO 27701 Privacy Information Standard is focused on the GDPR aspects of Data Security and is an add-on to the ISO 27001 standard, operated in the same way.