Most people reading this post will own a car, or at the very least know someone who owns a car. Cars are not a cheap investment. They require ongoing maintenance, care, love and attention. Some people spend vast amounts on their 'dream cars' whilst others see them merely as a vehicle to get them from 'A' to 'B'.
Irrespective of your love (or lack of it) for your vehicle, there is one thing that we all must do: maintain it in a road-worthy fashion. UK law is very clear about how regularly you must evidence this maintenance, by expecting an annual 'MOT' test. Indeed, did you know that MOT simply means 'Ministry of Transport'? It is this government body that sets the rules around what will be tested and how. The rules are clear, and we are legally compelled to comply. So, why am I talking about MOTs and vehicles? Because, like our vehicles on the road, we need to be able to trust the systems we use. But how?
GDPR – The new MOT test for data protection?
The General Data Protection Regulation (GDPR) requires businesses who process data to do so with due regard for a number of factors. There are six principles that businesses need to adopt so that they can evidence that they are taking care of data subjects (that's you and me), and treating their data with the respect it deserves.
The sixth principle concerns the protection of data, stating that personal data shall be 'processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality")' (Article 5(f)).
So, how can you ensure data is protected against unauthorised or unlawful processing?
Service and MOT tests
Returning to our car analogy for a second, we know that some people do not simply wait for the MOT test to see if their vehicle is safe, but also have it regularly serviced. This ensures that they know the vehicle is being well maintained and operating at peak performance. They know it can be trusted when they need it most, and the passengers they put inside it can rest assured that their needs are being catered for. Sound like a good idea? So, why don't we do this with our computer systems and information security in general?
Working with our Information Security and IT teams and suppliers, we should be regularly making sure that the data we hold (the passengers) can rest assured that its needs (for security and privacy) are being addressed. This is a fundamental right of data subjects and is enshrined in the GDPR, with which we must all comply. So, what can, and should, we be doing?
Obviously keeping your Information Security up-to-date isn't quite as easy as taking your vehicle to the MOT centre, but there are things we can do. This includes ensuring your systems are up-to-date with the latest 'patches': updating your underlying operating systems (are you still running on 'Windows Vista' machines?) and also updating the software that you use on a daily basis (e.g. MS Outlook, Chrome etc.). Possibly the most important area to keep up-to-date is the malware protection software you have installed on your computer. This could be the 'last line of defence' in protecting your systems, so ensuring this is up-to-date is vitally important.
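As an added illustration of what a regular 'service check' for a Windows endpoint could look like (this is example code added here, not from the original post or any product mentioned in it), the script below reports the operating system build, the number of pending Windows updates, the state and signature age of Microsoft Defender, and the most recently installed hotfix. It assumes a Windows 10/11 machine with PowerShell 5.1 or later, that it is run from an elevated prompt, and that Microsoft Defender is the malware protection in use; the thresholds at the top ($maxSignatureAgeDays, $maxPendingUpdates) are assumed policy values, not anything the post specifies.

```powershell
# Added example, not from the original post: a simple patch and malware-protection
# "service check" for one Windows endpoint. Run from an elevated PowerShell prompt.

$maxSignatureAgeDays = 3   # assumed policy: Defender definitions older than this are stale
$maxPendingUpdates   = 0   # assumed policy: any pending update is a finding

$report = @()

# 1. Operating system version: catches end-of-life or long-neglected builds
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report += [pscustomobject]@{
    Check  = 'OS version'
    Value  = "$($os.Caption) build $($os.BuildNumber)"
    Status = 'Info'
}

# 2. Pending updates, queried through the Windows Update Agent COM API
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
$pending  = @($result.Updates | ForEach-Object { $_.Title })
$report += [pscustomobject]@{
    Check  = 'Pending updates'
    Value  = $pending.Count
    Status = if ($pending.Count -gt $maxPendingUpdates) { 'FAIL' } else { 'PASS' }
}

# 3. Microsoft Defender: real-time protection enabled and definitions fresh
$mp = Get-MpComputerStatus
$report += [pscustomobject]@{
    Check  = 'Real-time protection'
    Value  = $mp.RealTimeProtectionEnabled
    Status = if ($mp.RealTimeProtectionEnabled) { 'PASS' } else { 'FAIL' }
}
$report += [pscustomobject]@{
    Check  = 'AV signature age (days)'
    Value  = $mp.AntivirusSignatureAge
    Status = if ($mp.AntivirusSignatureAge -gt $maxSignatureAgeDays) { 'FAIL' } else { 'PASS' }
}

# 4. Most recent hotfix, as a sanity check on the patch cadence
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report += [pscustomobject]@{
    Check  = 'Last hotfix'
    Value  = "$($lastHotfix.HotFixID) on $($lastHotfix.InstalledOn)"
    Status = 'Info'
}

# Print the summary table, then list any pending update titles for the person doing the service
$report | Format-Table -AutoSize
if ($pending.Count -gt 0) {
    "Pending updates:"
    $pending | ForEach-Object { "  - $_" }
}
```

A check like this is the endpoint-level equivalent of lifting the bonnet: it does not replace a managed patching process or the evidence an auditor will ask for under ISO 27001 or Cyber Essentials, but run on a schedule and kept with its output it gives you a dated record that the basics the post describes (operating system patches, application updates, malware protection) were actually in place.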
GDPR – A new MOT certificate?
There are 'certificates' for Information security, such as ISO27001:2013, ISO27018:2014 and Cyber Essentials. These demonstrate that companies are doing all they can to protect the data they hold. These are reasonably technical standards and rely on your IT department providing assurances that updates are being applied to the systems you use. Doesn't that seem like a good idea?
By being able to demonstrate that your systems are up-to-date you can potentially avoid, and certainly minimise the risk of, data breaches. This will help you comply with the new GDPR, but also build trust with your customers and clients.
In conclusion, no one gets into a car and asks the driver for their latest MOT certificate. We naturally assume the driver cares enough about their own well-being as well as ours. But in our modern world, more and more people are looking for assurances that the vehicle (i.e. your systems) you place their data in is well maintained and compliant with the law.
How will you meet that challenge?