A Comprehensive Guide to UK & EU Data Security Regulations
Posted by HANDD on 2nd October 2024
There is a whole raft of legislation that organisations must comply with by law, and further requirements they must meet to qualify for certifications and professional accreditations. These can differ by vertical, region and even by data type. Here is a list of the current key data security and data protection regulations in the UK and Europe:
- General Data Protection Regulation (GDPR)
This EU regulation sets guidelines for the collection and processing of the personal information of individuals within the EU. It emphasises transparency, security and accountability by data controllers while giving individuals greater control over their personal data.
- Data Protection Act 2018 (DPA 2018)
The UK’s implementation of the GDPR; this Act controls how personal information is used by organisations, businesses or the government. It is the UK’s main legislation governing the protection of personal data.
- Payment Card Industry Data Security Standard (PCI DSS)
A worldwide mandatory standard for payment card processors, designed to reduce payment fraud by stipulating security requirements around cardholder data.
- ISO 27001
A recognised global standard for information security best practice, guiding organisations in managing information security and in the effective application of information security management processes.
- Network and Information Systems Regulations 2018 (NIS Regulations)
The NIS Regulations are EU regulations that provide legal measures to boost the overall level of security of networks and information systems for digital service providers and operators of essential services.
- Digital Operational Resilience Act (DORA)
DORA is a set of standards and rules around ICT risk management. It is a European Union regulation applicable to the finance and insurance industries of EU nations. These sectors must comply with DORA to safeguard against crises that may jeopardise financial markets across the EU. The legislation does not directly apply to the UK. However, if a UK-based company is engaged with, or seeks to engage with, an EU-based company, then it is likely it will need to comply. The deadline for DORA compliance is January 2025.
Together, these regulations play a critical role in shaping the strategies and practices around data security and data protection.
WHAT IS HAPPENING NOW, AND HOW DOES IT AFFECT YOUR DATA?
With a full raft of data protection legislation to be considered, each business will experience the effects of the regulations differently depending on the nature of the business it operates. However, there are commonalities.
All of the regulations discussed require that adequate protection be provided for certain data types – this could equate to preventing storage on certain networks, applying encryption techniques or enforcing stringent access management techniques.
A specific example is the Payment Card Industry Data Security Standard (PCI DSS). The security standard for card payment data, now in its fourth iteration, mandates security measures for organisations that handle branded credit cards from the major card schemes. PCI DSS compliance is critical for any business that processes or stores payment card information. To apply controls to PCI data, an organisation must first know where PCI data exists within its networks. Only then can it apply the correct controls based on the DSS rules.
HOW DO YOU ACHIEVE ISO COMPLIANCE BY UNDERSTANDING DATA?
The first step to achieving ISO compliance is to understand the legislation that controls the data or area you are working within. As mentioned previously, all legislation differs slightly but with strong themes throughout.
Few pieces of data legislation mandate the use of specific methods or strength of control. Instead, they use language which explains how organisations should apply appropriate levels of control, access or management. These directives are naturally open to interpretation and are often based on what an organisation can realistically achieve considering its capacity and available budget.
It has often been said that the easiest way to keep data safe (and remain compliant) is to remove it from a network – to lock it away and allow no one access. This, of course, is not realistic and individuals, machines and third parties will all have legitimate business reasons to interact with and move data.
To enable approved users to find, classify and protect data and to maintain regulatory compliance, organisations need to understand how their data is likely to be needed and used by different parties. Only then can they map appropriate controls, and existing or new software or procedural limitations, to the data types to keep them safe. For example, an ISO 27001-compliant organisation may wish to distribute information classified as ‘confidential’ only in encrypted formats, or to prevent it from being stored on the general SharePoint site that is accessible to all employees.
This, of course, contrasts with data that is not sensitive and can therefore exist happily in the public domain, without incurring the additional controls, time and resources needed to protect sensitive data effectively.
Deciding which of the data a company has, holds and processes it deems sensitive enough to protect is a process in itself, one which should drive the application of technology and corresponding processes, and deliver documentation that maps out the approach to be taken.
If you are working on a compliance project or need specialist expertise, additional resources, or a fresh perspective, we’re here to help. Contact us at hello@handd.co.uk or request a call back to ensure your project meets all compliance requirements and exceeds expectations.
Read our case study ‘How one company achieved ISO 27001 compliance by classifying its data’.
Learn more in our guide ‘Data Security and Data Protection in 2024’, where we focus on the more common projects, initiatives and areas that we feel need particular attention throughout 2024 and beyond.