Personal data is the lifeblood of many organisations, but it is becoming increasingly important to manage the way that information is used.
Organisations that fail to do so risk data breaches, reputational damage, lost time and financial repercussions.
This is no more evident than with the GDPR (General Data Protection Regulation), which gives supervisory authorities the power to issue fines of up to €20 million (about £17.5 million).
We hope that you have been paying close attention to your GDPR requirements since the legislation took effect in 2018, but they aren’t the only set of rules you may be subject to.
Depending on the nature of their business, UK-based organisations may also be required to comply with:
- The Bribery Act 2010
- The Computer Misuse Act 1990, as amended by the Police and Justice Act 2006
- The Defamation Act 1996
- The Digital Economy Act 2010
- The Freedom of Information Act 2000
- The Intellectual Property Act 2014
- The Privacy and Electronic Communications Regulations
- The Public Records Act 1958
And, of course, there is the UK GDPR, which enshrines the requirements of its EU namesake into UK law.
Organisations that are subject to both sets of regulations must be careful, though, as there are differences between the two legislations. As such, there will be times when they must be treated as distinct legislations with their own specific compliance practices.
Identifying relevant laws
Organisations won’t necessarily be subject to all of these laws, but they won’t know that unless they’ve checked each law’s applicability.
This makes identifying relevant laws time-consuming, and it’s not a one-off event. If an organisation changes the way it operates, it needs to know if it is now subject to a law that it previously wasn’t.
For example, an organisation that starts using cookies on its website will be subject to the Privacy and Electronic Communications Regulations.
Changes might also make the organisation no longer subject to a law. As a result, it can stop following certain procedures, saving time and money.
The process of identifying relevant laws gets even trickier when you factor in complex regulations. Some clauses will apply to the organisation and some won’t, so you’ll need to go through the regulation and highlight the applicable sections.
All in all, regulatory compliance can be a minefield that takes a lot of time, money and advice to navigate. However, you can simplify the process with our Compliance Manager.
What is Compliance Manager?
Compliance Manager is a comprehensive tool for managing information security and data protection requirements.
It provides a curated list of information security clauses from UK law and a collection of GDPR articles, each accompanied by implementation guidance.
You can also add your own requirements or controls that are applicable to your organisation.
Compliance Manager’s interactive database lists the applicable clauses from each law and provides guidance on implementing them, mapped against the appropriate best-practice controls from Annex A of ISO 27001, the international standard for information security management systems.
A version of this blog was originally published on 15 December 2017.