There are a number of levels of data protection accreditation currently available to businesses. Below I will attempt to show how they relate to each other and give guidance on their suitability for businesses of different sizes. In addition, I shall mention how they differ from the General Data Protection Regulation coming in next May, while also noting that they are linked to it: achieving one of them can help a company demonstrate that it is on the road to GDPR compliance.
Cyber Essentials (CE)
This is an entry-level scheme that is accredited by the UK government. It should be the very least that a business aims to achieve: attaining it shows that a business is taking cyber security seriously by bringing its IT security up to a certain approved standard. It is the most straightforward to achieve and it is relatively cheap too, at just £300 plus VAT. If this option is for you, then you will need to consider the burden on your time, as it does require a comprehensive self-assessment of your systems. Findings from your own assessment will also need to be verified externally.
It should be noted that if you are looking to contract with the Government or the MOD, both your company and your supply chain will need to demonstrate CE certification.
Cyber Essentials Plus (CE+)
This builds on Cyber Essentials as described above; the “Plus” stands for an additional element. This takes the form of an on-site audit, which is carried out by an independent assessor and typically includes basic vulnerability testing by a third party. The cost will depend on the complexity of your business, but is usually £1,200 – £1,500, and upwards for larger or more complex systems. This is a little on the pricey side; however, for those businesses willing to include the extra budget, it demonstrates a heightened commitment to cyber security over and above, say, a competitor with only CE.
Information Assurance for Small & Medium Entities (IASME)
This is a scheme specifically designed for small businesses and introduces a Government standard based on ISO27001. Just like Cyber Essentials, it is a cost-effective way of demonstrating that a business is committed to protecting its company data. It sits alongside CE and is available at two levels: the standard certification, based on a self-assessment questionnaire checked by an external assessor, and the gold standard, which adds an on-site audit.
Going for gold – ISO27001
This is the industry gold standard ‘for the management of information security’, owing to the complexity of the testing and the number of areas of a business that it covers. Because it deals with so many aspects of the business, it is relevant mainly to larger organisations, and for the same reasons it is an extremely costly process.
The General Data Protection Regulation (GDPR)
GDPR will replace the European Data Protection Directive 95/46/EC, which was implemented in the UK as the Data Protection Act 1998. It governs the use of personal data and has been hitting the headlines a lot.
GDPR will come into force on 25 May 2018. From that date, any company will need to comply, or at least be able to demonstrate that it is taking reasonable steps to become compliant as soon as possible. It applies to organisations within the EU and to those outside the EU that hold personal data of EU subjects. In short, GDPR widens the definition of personal data, increases accountability, imposes greater requirements for consent, reduces the timescale for dealing with subject access requests, and greatly increases the level of potential fines for data breaches.
With GDPR coming into force in May 2018, every business should now be considering which of the above courses of action is most appropriate for it.
If you would like some further advice on any of the above, contact Wilkins Kennedy’s risk and counter fraud team to see how we can help.