As we’ve seen with the EU General Data Protection Regulation (GDPR), many organisations fail to prepare for laws and regulations because they don’t realise they are subject to them. Of course, ignorance is no excuse, and non-compliance could lead to fines or other regulatory action.
The Information Commissioner’s Office provides guidance on many information security laws that apply to UK organisations, including:
- The Bribery Act 2010
- The Computer Misuse Act 1990, as amended by the Police and Justice Act 2006
- The Data Protection Act 1998
- The Data Retention and Investigatory Powers Act 2014
- The Defamation Act 1996
- The Digital Economy Act 2010
- The Freedom of Information Act 2000
- The Intellectual Property Act 2014
- The Privacy and Electronic Communications (EC Directive) Regulations 2003
- The Public Records Act 1958
- The Re-use of Public Section Information Regulations 2015
Identifying relevant laws
Organisations won’t necessarily be subject to all of these laws, but they won’t know that unless they’ve checked each law’s applicability. This makes identifying relevant laws time-consuming, and it’s not a one-off event. If an organisation changes the way it operates, it needs to know if it is now subject to a law that it previously wasn’t. For example, an organisation that starts using cookies on its website will be subject to the Privacy and Electronic Communications Regulations.
Changes might also make the organisation no longer subject to a law. As a result, it can stop following certain procedures, saving time and money.
The process of identifying relevant laws gets even trickier when you factor in complex regulations. Some clauses will apply to the organisation and some won’t, so you’ll need to go through the regulation and highlight the applicable sections.
All in all, regulatory compliance can be a minefield that takes a lot of time, money and advice to navigate. However, you can simplify the process with our Compliance Manager.
What is Compliance Manager?
It provides a curated list of information security clauses from UK law and a collection of GDPR articles, each accompanied by implementation guidance.
You can also add your own requirements or controls that are applicable to your organisation.
Compliance Manager’s interactive database lists the applicable clauses from each law and provides guidance on implementing them, mapped against the appropriate best-practice controls from Annex A of ISO 27001, the international standard for information security management systems.