We support clients across core Data Protection and Information Security controls such as the UK GDPR and UK Data Protection Act 2018, but also have a wealth of experience in the wider Legal and Regulatory Controls that organisations must adhere to.
PECR
PECR should be considered alongside the Data Protection Act, in relation to specific types of data processing.
These include: where you are using personal information to carry out direct marketing; if you’re using certain types of cookies on your websites; and, potentially, if you provide a function that allows someone to look up contact details of individuals on a directory. In addition, there are further requirements for electronic communications service providers.
Evolve North can help you consider if your current promotional activities would be classed as direct marketing, making sure you’re carrying out marketing in line with current privacy law. This will include considering whether or not you need consent from individuals, which may be influenced by your marketing approach and who you’re targeting. We can also help you understand whether you can continue to use your marketing lists in the same way, and any implications of ‘bought in’ lists.
We also help organisations understand the types of cookies they use currently, whether a cookie notice may be required on websites, and help you develop cookies policies that effectively inform website users about how their data is used and their options for not sharing information via cookies.
DSPT
We provide help and guidance to health and social care organisations implementing the Data Security and Protection Toolkit.
The NHS England Data Security & Protection Toolkit allows organisations that process health and social care data to demonstrate their compliance with Data Protection Law and the National Data Guardian Data Security Standards. It will be used by the Care Quality Commission to monitor best practice.
We can support you in fulfilling the requirements of the DS&P Toolkit in a number of ways. This may include carrying out an independent audit of your current evidence to identify areas where further work may be needed. We also help to fill gaps in current areas of compliance, such as identifying and recording your information assets, risk assessing these assets, ensuring appropriate reviews of third parties are being carried out, helping train your staff, or developing new policy, procedure and guidance documents.
Evolve North’s mix of governance and data security expertise, and extensive experience of working with health and social care organisations, makes us ideally placed to support your needs in this area.
NIST
The National Institute of Standards and Technology (NIST) Cyber Security Framework is a framework to help organisations manage and reduce their cyber security risk. It uses a common language and set of best practices for managing cyber risk across an organisation.
The framework is designed to be adaptable and flexible to adjust to the needs of different organisations of any size in any industry. It is structured around five core functions – Identify, Protect, Detect, Respond, and Recover – which represent the basic cyber security activities that any organisation should undertake to manage and reduce cyber security risk.
Although typically used by US-based organisations, it is becoming more common in the UK and Europe.
Enforcement and Penalties
In the case of breaches or non-compliance, the National Cyber Security Centre (NCSC) has the authority to investigate and enforce actions against violators. Penalties can reach up to £17 million or 4% of global turnover. Public disclosure of offending organisations is also possible.
Understanding NIST
The National Institute of Standards and Technology (NIST) Cyber Security Framework provides a common language and best practices for managing cyber risks across organisations. It is structured around five core functions: Identify, Protect, Detect, Respond, and Recover.
Who Needs NIST?
While not legally mandated, NIST is beneficial for organisations with complex supply chains or relationships involving US entities. Recognised by the Information Commissioner’s Office (ICO), it offers a robust approach to assessing IT security and data protection capabilities.
NIS
The Network and Information Systems Directive has been designed to improve the cybersecurity and resilience of network and information systems across the EU. It was transposed into UK law through the Network and Information Systems Regulations 2018 and was amended in 2021 to reflect the UK’s status as a non-EU country. The NIS regulations require certain organisations to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems, and to report significant incidents to the NCSC in the UK.
Who is obligated to comply with the regulations?
The regulations apply to operators of essential services (OES) and digital service providers (DSPs) that are based in the UK.
The NCSC defines OES as entities that are essential for the maintenance of critical societal and/or economic activities that rely heavily on network and information systems. They can include organisations in energy, transport, health, banking, and digital infrastructure. For DSPs, the NCSC guidance defines a digital service provider as ‘an organisation providing cloud computing services, online marketplaces, and search engines.’
In the event of a breach, or non-compliance with the regulations, the NCSC has the power to investigate and take enforcement action against the offending organisation. The NCSC may choose to issue enforcement notices requiring an organisation to take specific actions to remedy any breach of the regulations or levy financial penalties of up to £17m, or 4% of global turnover, as well as publicly naming and shaming those organisations that breach the regulations.
What are the requirements?
The specific requirements set out by the NCSC for complying with the directive include:
- Security measures
- Incident reporting
- Identification of critical systems
- Risk management
- Cooperation with the NCSC
- Record-keeping
DORA
What is it?
The EU Digital Operational Resilience Act (DORA) offers a regulatory framework for digital operational resilience, obliging financial firms within the EU to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. It focuses on the following key areas:
- ICT Risk Management
- ICT related Incident Reporting
- Digital Operational Resilience Testing
- ICT Third-party Risk
- Information sharing in relation to cyber threats and intelligence
Who does it apply to?
The proposed regulation covers the majority of financial services organisations operating in the EU and establishes a framework that allows financial services supervisors to oversee Critical ICT Third Party Providers, including Cloud Service Providers. It covers, amongst others:
- Credit institutions
- Payment and electronic money institutions
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Trading venues and trade repositories
- Insurance and reinsurance undertakings
- ICT third party service providers
When will I need to comply with this?
DORA came into force in January 2023 and organisations have a two year implementation period to ensure they meet the relevant requirements detailed within the Act and in the technical standards/policy instruments that support these (some of these were released in January this year, with further policy products being released in July).
How can Evolve North help?
Evolve North is working closely with financial institutions to help them understand the requirements of DORA, how they fit in with their current ways of working and what further work may be required to be compliant with DORA.
We can support improved awareness in your organisation and work with you to carry out a gap analysis against the DORA requirements, so that you have a clear plan of action for ensuring compliance within the relevant timescales.
We can also support you in implementing improvements where further work may be identified, whether this is reviewing and updating your current approaches to ICT Third Party Management, information risk management or incident management, implementing approaches for testing digital operational resilience or strengthening your technical controls in line with the requirements of the Act.
SWIFT
What is it?
SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a global messaging network used by financial institutions to securely exchange financial messages. To ensure the integrity and security of the network, SWIFT has implemented various compliance measures based on industry-standard frameworks such as NIST, ISO 27000 and PCI-DSS to prevent financial crime and maintain regulatory compliance.
On an annual basis, every Business Identifier Code (BIC) holder needs to verify compliance with all mandatory controls within the Customer Security Controls Framework (CSCF).
Who does it apply to?
Anyone wishing to utilise the Swift messaging service will need to attest compliance against the mandatory (and optional advisory) security controls, depending on which of the 5 architecture types is implemented.
How can Evolve North help?
As Evolve North possesses cybersecurity assessment experience and expertise in industry standards such as ISO27000 and PCI-DSS, along with extensive knowledge of how the Customer Security Programme (CSP) works, we are able to independently assess your organisation against the CSCF to meet the level of compliance required.
We can work with you to assist with any gaps identified from remote or on-site assessments, based upon the level of implemented architecture, to provide assurance that appropriate measures are in place and effective across all of the required objectives, principles and controls.
We can also support you in implementing improvements where further work is identified.
We can support organisations looking to achieve and maintain these Legal and Regulatory controls. Whether you need high-level recommendations and guidance, gap analysis, documentation and reporting, tactical project delivery, deep-dive auditing of compliance or continued remedial support, Evolve North is expertly positioned to help.
Talk to a specialist now – call 01748 905 002 or email info@evolvenorth.com