Which companies need both GDPR and Cyber Essentials

Despite the GDPR being in place since the 25th May 2018, a number of companies are still unclear whether this EU regulation applies to them. Increasingly, the basic technical standard known as Cyber Essentials is also being mandated across the United Kingdom, in particular for central and local government contracts. Therefore a number of companies will need to meet both the regulation and the technical standard. In this article, we explore which organisations would benefit from meeting the GDPR and also holding Cyber Essentials.

Cyber Essentials – Does it apply to my company?

Let’s start by summarising Cyber Essentials. There are two variants of the standard: the core Cyber Essentials, which is the self-assessed version with a focus on several common technical risks, and the audited version, which is known as Cyber Essentials Plus. In this article we are going to focus on the standard Cyber Essentials; however, in certain cases Cyber Essentials Plus may be required for your organisation.

Cyber Essentials is primarily a UK-based technical standard, and while formally recommended by the UK Government and its cyber security body (the National Cyber Security Centre), it is not a formal requirement for the majority of companies (read more about this in the table below). Since the inception of Cyber Essentials in 2014, the UK Government has recommended it for all organisations. This is meant to reduce the level of cyber security risk in the government’s supply chain.

This standard helps you on your journey to meet a basic set of the technical data protection requirements of the GDPR, in particular the commonly referenced phrase “appropriate technical and organisational measures,” which appears a total of eighty-nine times! This phrase refers to a suite of measures including processes and a mixture of technical and non-technical controls. Essentially, you take a risk-based approach based on your specific data processing activities and attempt to mitigate those risks via a series of technical or organisational measures.

Cyber Essentials, however, doesn’t cover data privacy at all, and its non-technical controls are basic and minimal. Since the GDPR stipulates that you must be able to demonstrate ongoing compliance, what better way than meeting an already existing cyber security standard as part of a wider information security framework programme? Refer to the table below, which outlines instances where Cyber Essentials may be compulsory as part of the tender/contract process.

Meeting both for competitive advantage

In our experience, most companies are failing to implement basic security controls such as not running day-to-day as an administrator, robust password management, and operating system and third-party security updates. These areas (and more) are core requirements for gaining Cyber Essentials.

Looking at the General Data Protection Regulation and Cyber Essentials, they have different goals and aims. They do, however, share a common theme of decreasing a company’s information security risk. In the case of the GDPR, this is much wider and covers policies and procedures, as well as data subjects’ rights, whereas Cyber Essentials focuses on a small number of easy-to-implement technical controls with accompanying basic policies.

In our experience, for organisations based in the UK, we would strongly advise you to consider gaining the Cyber Essentials or Cyber Essentials Plus standard as part of your GDPR programme, as it ensures basic security controls have been implemented. For organisations based outside the UK who don’t know where to start, Cyber Essentials is a great framework, and we would advise you to follow it informally. If you offer services to UK-based companies, gaining Cyber Essentials would likely give you a competitive advantage, especially for tenders and government contracts.