With cyber attacks regularly making the headlines, there is growing pressure on regulators to root out organisations that fail to comply with their obligations to protect data.
To stay secure and avoid regulatory action, organisations need to identify the laws and regulations that apply to their organisation and put in place measures to meet their requirements. How much work you’ll need to do will depend on your current level of compliance, so you should start any compliance project with a gap analysis.
To give you an idea of the steps you’ll need to take, we’ve outlined a few key points on the most important information security laws:
- The Bribery Act 2010
Organisations need to prove that they have processes in place to prevent bribery. This will centre around a set of policies that define bribery and the organisation’s position on gifts, hospitality, expenses and charitable donations.
They also need to conduct regular risk assessments to identify potential sources of bribery, and mitigate those risks with appropriate controls.
- The EU General Data Protection Regulation (GDPR)
The GDPR takes effect on 25 May 2018, superseding the Data Protection Act (DPA). Organisations that meet the Regulation’s requirements will also comply with the DPA.
There are also many new requirements to meet. This includes reviewing the way they collect and store information, addressing their data breach notification procedure, adopting a privacy-by-design approach and conducting regular data protection impact assessments.
- The Freedom of Information Act 2000
Anyone has the right to request information from a public authority. Organisations have 20 days to tell the applicant whether they hold any information that falls within the scope of their request and provide them with that information.
The Information Commissioner’s Office recommends that organisations treat most requests as normal customer enquiries. The provisions of the Act only need to come into force if you can’t provide the requested information promptly or the requester makes it clear that they expect a response under the Act.
- The Privacy and Electronic Communications Regulations (PECR)
The PECR outline specific rules on communications, cookies and customer privacy. Organisations should conduct an audit of their security measures to make sure they have effective policies and procedures in place and are following them.
You can get more advice on information security laws with our Compliance Manager.
Compliance Manager is a subscription service that helps organisations pinpoint the steps they need to take to comply with dozens of IT-related laws. Its interactive database lists the applicable clauses from each law and provides guidance on implementing them, mapped against the appropriate best-practice controls from Annex A of ISO 27001, the international standard for information security management systems.
For each law, Compliance Manager includes effective dates, implementation requirements and links to the legislation.
You can also add your own requirements or controls that are applicable to your organisation.