For those who are not aware, Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. Whilst it by no means protects against every possible threat, the Cyber Essentials scheme does provide a framework for good practice around cyber security, covering five technical controls:
The Information Commissioner's Office (ICO) has published guidance on the "security principle" of the GDPR, which states that firms should process personal data securely by means of 'appropriate technical and organisational measures'. These measures must ensure the 'confidentiality, integrity and availability' of your systems and services and of the personal data you process within them. However, the GDPR does not give specific advice on what these measures should be: the cyber security landscape is constantly changing, and the chosen measures must be appropriate both to your firm's circumstances and to the level of risk your data processing poses.
As such, there is no legal obligation under the GDPR to attain Cyber Essentials certification; however, many of the law firms we work with are choosing to implement Cyber Essentials for a number of reasons:-
The ICO's guidance notes also clearly state that technical measures over and above Cyber Essentials may be required, depending on the individual organisation's circumstances and the type of personal data it processes. Law firms are at particular risk because of the wealth of confidential material they handle, ranging from personal data and large financial transactions to the private affairs of high-profile clients. I would therefore advise law firms to consider a range of technologies, processes and procedures over and above the baseline that Cyber Essentials certification establishes.
I hope this has given you a useful insight into the relationship between Cyber Essentials certification and the GDPR security principle. Should you need help with assessing your current level of security in readiness for the GDPR, or would like a ready-made Cyber Essentials compliant security solution, please do not hesitate to contact me on (01494) 444065 or email firstname.lastname@example.org, and I will be happy to arrange a no-obligation conference call to discuss ways that Epoq IT can help.
This blog forms part of our series of informational resources for senior partners, practice managers and compliance officers at law firms. To read more articles, please visit my blog, IT in Law Firms.
For more information about our GDPR services please visit http://epoq-it.co.uk/gdpr/
For more information about Epoq IT’s MySecurity service, a suite of technologies and procedures able to fulfil all the 5 key controls needed for Cyber Essentials Certification, please go to http://epoq-it.co.uk/service-and-support/mysecurity/