G-Cloud 10, GDPR and Cyber
Guest blog by Sarah James of Alliantist, talking about the implications of GDPR and Cyber on G-Cloud 10.
There aren’t many things that the General Data Protection Regulation (GDPR) has not touched, and G-Cloud 10 is no exception.
How is GDPR affecting G-Cloud sellers?
Earlier this year Crown Commercial Service (CCS) requested that all government buyers bring their commercial arrangements in line with the new regulation well in advance of the 25th May deadline. This has put the onus on G-Cloud suppliers to ensure that when it comes to data processing, they are compliant with GDPR – and more importantly, are able to describe and demonstrate that fact.
As you know, you don’t need a security certificate of any kind to register with and sell on the G-Cloud framework. But when influential customers are looking for security credentials your competition doesn’t have, you want to be able to stand out from the crowd.
How can I describe and demonstrate GDPR compliance?
There is no such thing as a GDPR compliance certificate, and you can’t buy a silver bullet product that makes you instantly GDPR ready. There are of course many crossovers between ISO 27001 and GDPR, but the information security certification does not cover it all.
To give the end buyer confidence in your GDPR and information security practices when selling on G-Cloud, you should start with the security of your technology. Is your product or platform regularly penetration tested? Have you implemented 2-factor authentication for additional access security? Have you taken out sufficient cyber security insurance?
The Information Commissioner’s Office (ICO) recently updated their GDPR guidance around security, saying that personal data should be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Additionally, the policies your organisation follows in relation to the control and/or processing of personal data must be lived and breathed.
Information security is as much about your supply chain as about your own organisation. Making due diligence part of your new supplier process is as important as your own GDPR compliance, so showing the steps you have taken to make those important business decisions is essential.
What does the addition of cyber security mean for my G-Cloud listing?
Just like in G-Cloud 8, G-Cloud 10 is including Cyber Security Services. Cyber security was originally removed with the advent of G-Cloud 9 because at the time the CCS had launched a separate framework that covered cyber.
There are a few benefits of reintroducing cyber back into G-Cloud, especially for smaller companies who may have been deterred from applying for 2 frameworks. Government buyers will now be able to get their cyber, cloud services and products from a single location. Good news for suppliers and government procurement teams alike!
Suppliers can now supply the following services within Lot 3 on G-Cloud 10:
- security strategy
- security risk management
- security design
- cyber security consultancy
- security testing
- security incident management
- security audit services
This includes services that are assured under NCSC schemes such as:
- Cyber Security Consultancy
- Penetration Testing (CHECK)
- Cyber Incident Response (CIR)