With cybersecurity becoming a board-level issue, compliance officers, lawyers, board members, and business drivers are looking for official guidance or recommendations on cybersecurity measures to protect business, customers, and the wider economy.Continue Reading Cybersecurity preparedness: What guidance to follow?

The General Data Protection Regulation ((EU) 2016/9679) (GDPR) came into effect on 25 May 2018. One of the key principles centres on integrity and confidentiality of personal data. Article 5(1)(f) of the GDPR provides that personal data shall be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (emphasis added)”

The GDPR goes a little further than the previous data protection framework (that is, under the EU Data Protection Directive 95/46/EC) and provides some description of the technical and organisational measures expected to achieve a level of security appropriate to the risk associated with the processing of personal data (see Article 32 of the GDPR). Inevitably, however, decisions around security will need to be made by the controller and/or processor – and it will therefore be for them to determine what is “appropriate”.

We have seen that the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have published ‘security outcomes’ aiming to provide some further guidance on the security of processing personal data.

On 18 May 2018, the NCSC and ICO published a set of technical security outcomes considered to represent “appropriate measures” under Article 5(1)(f). This guidance describes an overall set of outcomes that are considered ‘appropriate’ to prevent personal data being accidentally or deliberately compromised.Continue Reading ICO and NCSC issue guidance on security outcomes under GDPR