As a business that operates online what obligations do you have to guarantee to protect the security of any internet transactions. The Privacy and Electronic Communication Regulations 2003, The Network and Information Systems Regulations (NIS) 2018, and the Communications Act 2003 impose obligations on providers of public electronic networks, to have adequate and sufficient, technical and organisational measures to protect the security of the service.
Non-internet specific legislation and common law principles may also apply to protecting internet transactions. For example, a company that loses customer data or permits unauthorised third-party access to that data may face a claim for breach of contract (if there was a contractual term to take care of the data), negligence, and a claim under the General Data Protection Regulations (GDPR). The loss of data could be a breach of the GDPR’s integrity and confidentiality principle which requires personal data to be processed in a secure manner. It includes protection from unauthorised or unlawful processing, accidental loss, destruction, or damage.
The British Standard 10012:2017 gives a specification for a personal information management system. It gives guidance on how to comply with the requirements of the GDPR.
The government presented the Cyber Essentials scheme in 2014 which provides controls that all organisations should introduce to minimise the risk of internet-based threats. It focuses on five ‘key controls’ which are:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Data protection legislation also imposes obligations to have appropriate technical and organisational measures to protect personal data. Under the GDPR, data controllers and processors must apply appropriate security measures to protect personal data. These can include:
- The use of confidentiality ensuring systems
- Integrity and processing resilience
- Data backup
- Disaster recovery systems
The regulation also gives the possibility for the development of an approved code of conduct and/or approved certification system to show compliance with the GDPR’s security requirements. The United Kingdom (UK) government has said it intends to maintain the GDPR into domestic law even in the event of a no-deal Brexit.
It is vital that as a business you protect any online transactions. The failure to do so could result in fines, damaged reputation, a loss of consumer faith and trust leading to less transactions being made.
At Lawdit Stay Legal we offer several packages at different price points to keep your business on the right side of the law. We will also put legal safeguards in place to assist and protect you and your business if a dispute were to arise. With a free initial consultation there is no need to delay, so book today!