Written by Cazz Ward, Assistant Director, ICT and Digital at The Big Life group
Approximately 4 minutes read time
GDPR compliance and effective cyber resilience are clearly two sides of the same coin and it makes sense to take an integrated approach to developing a single roadmap towards compliance and protection.
Understand your data
Your starting point has to be an understanding of the personal and critical data you hold. Calculating the level of risk to that data can then be determined by looking at where it is stored, how it is processed and if it is adequately protected. This will be achieved by the GDPR requirement to document your processing activities. Approach this primarily from a business process rather than IT system perspective but it doesn’t hurt to take a two pronged attack – getting your IT team to identify all the data systems (assets) they are aware of before you start will contribute to the mapping of the processing activities. Of course, there will also be physical assets such as filing cabinets and archives to consider.
It is important that the mapping of your processing activities is a collaborative team exercise involving representatives from the business, IG leads, Information Security/IT leads and maybe even someone from your procurement team. Each role will have something to contribute. Whilst most organisations are not able to dedicate a resource to collecting all the information, simply sending out a questionnaire to your service leads to complete will not result in getting information back that is either meaningful and accurate. We have adopted a combined training/workshop approach to our audit, using the following methodology:
- Development of an online questionnaire based on the requirements of Articles 30 and 32 of the GDPR. Data assets, classes and subjects relevant to our organisation have already been identified to avoid free text answers
- Working at board level, identification and grouping of business areas which have similar processing activities and, from these areas, finding representatives who understand their processes and data (usually a mixture of service managers, performance managers or admin staff)
- Delivery of a workshop/training session to each group consisting of 3 parts – a GDPR and cyber-security overview, an exercise to identify all processing activities for the business areas in the workshop and then some time spent going through the questionnaire doing some examples.
- Ongoing support to staff to complete the remaining questionnaires for all the activities they have identified
This means that, not only do we get a complete and consistent understanding of the processes in the organisation (especially where those processes cut across more than one area), we are also raising the awareness of key staff in the organisation. This embeds a principle of privacy by design much more effectively than just providing online learning.
Using the output of the workshop, gaps and improvements can identified and prioritised based on risk level. This will include ensuring adequate privacy notices, policies and consent processes are in place. It is also an opportunity to improve business processes and remove duplication of data.
Protect your data
While you are evaluating your data, you need to be in parallel considering your overall approach to cyber security across your estate and that of all your suppliers. Some of the key areas to consider are:
- Infrastructure – once you have established the boundary of scope for your infrastructure, review your approach to secure configuration, firewalls, malware protection and patch management. The Cyber Essentials standards provide a good basis for self-assessment and may become a minimum standard for those working in or for the public sector.
- Access control – A review of our access control and password policies should also be part of your plan. This also includes starter and leaver processes, checking that information access is given and revoked appropriately and in a timely fashion.
- The mobile workforce – securing your network perimeter is no longer sufficient. Our staff work remotely – often out in the community, so we need good endpoint protection. Enterprise Device Management (EMM) products have extended mobile device management to include identity, content and application protection. The Gartner Magic Quadrant EMM report may help you focus on what is important for your organisation. With the increased use of cloud services, the threat landscape has shifted yet again and you may need to also look at Cloud Security Application Broker (CASB) products. It’s an acronym minefield and unless you have expertise within your organisation, it’s worth taking some independent advice.
- Supplier contracts and assurance – A greater level of assurance with your IT suppliers is required. Information security assessments and data processing agreements should be reviewed with an eye on GDPR compliance. The Cabinet Office’s Supplier Assurance Framework provides useful resources on which to base your assessment. The ICO provides guidance on contracts and liabilities between data processors and controllers.
- Your ‘human firewall’ – Whilst the majority of attacks may come from hacking and malware, many security breaches and unintended disclosures of information are caused by human error or lost or stolen equipment. It’s important that all staff are informed and confident about how to protect your information assets, with audit and monitoring in place to back this up. You need to design your training around the culture of the organisation and what makes sense to your staff. If you have regular communications that go out to staff, you may want use those to start drip feeding key messages to them.
Done properly, GDPR compliance provides a real opportunity for positive change. Focusing on risk, as well as a more generic approach to cyber resilience should ensure that not only is your data protected, but that business processes and data quality are improved.