Meta Defence Labs, a UK and Sri Lankan-based cybersecurity firm, held the island’s inaugural training session on data protection and GDPR compliance. Following up on this initiative, the company is also proud to announce its status as the first and only certification body in Sri Lanka to provide the proven and effective UK government-recommended cybersecurity frameworks, Cyber Essentials and IASME, to ensure minimum GDPR compliance. When applied together, Cyber Essentials and IASME not only give minimum GDPR compliance but are also proven to help stop 80% of cyber-attacks on a company.
With many companies and organisations in Sri Lanka operating under the misconception that merely obtaining ISO27001 certification establishes GDPR compliance, the risk of GDPR non-compliance is high. While an information security framework like ISO27001 helps toward achieving compliance when applied to the right scope, it does not always guarantee GDPR compliance.
“There are a lot of companies who still believe that GDPR is only an issue for IT departments. They are being misled to believe that getting ISO27001 for their IT department will make the GDPR issues go away. This is a risky approach for companies as they are probably not only wasting their money but also exposing their business to massive fines or losing European contracts/partners. The principles defined in the GDPR must be applied to the whole organisation and not just a subset. It’s because of these reasons that we are engaged in many activities to raise awareness on data protection, especially advising at the board level to get the point across that this is a business issue,” said Meta Defence Labs CEO Clive Simms.
How does Cyber Essentials with IASME help SMEs?
Cyber Essentials demonstrates that you are managing the technical risks. Cyber Essentials is evidence that you have carried out basic steps towards protecting your business and your data from internet-based cyber-attacks.
IASME is a UK Government funded project to develop “an alternative to ISO27001”. IASME offers a certification route to demonstrate that you have considered the requirements of the General Data Protection Regulation (GDPR) by following the 12-step approach to GDPR compliance recommended by the UK Information Commissioner’s Office (ICO).
As Cyber Essentials focuses on key technical controls, GDPR requires more than Cyber Essentials on its own. By certifying to the IASME Governance Standard, which includes the GDPR requirements, you demonstrate that your organisation has a wider governance system for management of the controls protecting personal data. The IASME Governance Standard adds a number of topics to Cyber Essentials that support GDPR compliance. These include assessing business risks, training staff, dealing with incidents and handling operational issues.
The GDPR is a global data protection regulation that extends beyond companies that operate only in the EU. This regulation protects the fundamental rights and freedoms of natural persons and their right to the protection of personal data. Any organisation that envisages offering goods or services to EU data subjects, processes the personal data of EU data subjects, or monitors the behaviour of EU data subjects must comply with the requirements of the GDPR. Organisations in breach of the GDPR can be fined up to 4% of their annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements.
Personal data under the GDPR comprises both general and sensitive personal data. The GDPR applies to any personal information relating to a natural person who can be identified, directly or indirectly, by reference to that piece of information. Because of this broad definition, the GDPR can apply to a wide range of personal identifiers, including basic attributes such as name, ID number, location information, web cookies, handwriting and several others.
The GDPR applies to both automated personal data and manual filing systems in which data is organised according to specific criteria. This includes data that has been pseudonymised and/or coded, depending on how difficult it is for a particular code or pseudonym to be attributed to a particular individual.
In the context of sensitive personal data, all information that includes genetic, biometric and the other categories specified by Article 9 of the regulation falls under the GDPR.
Why does it matter to Sri Lankan organisations?
Given that the European Union makes up approximately a quarter of Sri Lanka’s import/export market, many organisations in Sri Lanka collect and process personal information of EU residents while trading with the EU. Therefore, many of these organisations are directly impacted by the GDPR and are at risk of being non-compliant. Fostering a strong data protection culture is, therefore, imperative.
The benefits of creating a data protection culture:
- Competitive advantage in being able to demonstrate good GDPR compliance
- Avoid massive fines and reputational damage
- Gain stakeholder trust and retain European clients
- Create a data protection culture within business and the greater Sri Lankan society