Some management system standards require organisations to consider their legal compliance obligations and document their approach to meeting them.
For ISO 14001 that means considering Energy and Environmental Laws but for ISO 27001 it means looking at local Data Protection and Technology legislation.
In an integrated management system you might find it more efficient to manage all your legal and other requirements through a single process.
The amount of legislation depends on the scope of your activities, with regulated industries such as financial services or legal advice having additional regulations and codes-of-conduct to consider.
However, there are some key Information Security Laws in the UK that most organisations should consider, regardless of what they are doing:
Data Protection Act 2018
Prior to 25th May 2018, there was a lot of hype around the implementation of the EU's General Data Protection Regulation (GDPR).
Now, with the deadline past, the UK has updated its Data Protection legislation, which addresses the rights of individuals in relation to the use of their personal data.
The Data Protection Act 2018 is relevant to almost all organisations because the scope of personal information extends across customers, prospective customers and employees.
Find more information at the ICO website: www.ico.org.uk
Privacy and Electronic Communications Act
If you operate a website or market to customers through email, telephone call, text message or fax, you should consider the Privacy and Electronic Communications Act.
Dubbed ‘The Cookie Law’, it drove the adoption of pop-up cookie policies which you can find on almost every website.
Computer Misuse Act
The Computer Misuse Act dates back to 1990 and addresses unauthorised access to computer systems or unauthorised modification of material.
Despite being over 25 years old, the act has remained relevant through a series of amendments, including the Serious Crime Act 2015, which created a new offence of "committing unauthorised acts causing, or creating risk of, serious damage in relation to a computer".
Copyright, Designs and Patents Act / Intellectual Property Act / Digital Economy Act
Did you know that you automatically have copyright over the original material you produce?
We’ve grouped these three pieces of legislation, which all cover your own or others’ intellectual property. Most organisations will benefit from reviewing these.
Waste Electrical and Electronic Equipment Regulations
Lastly, the WEEE Regulations were introduced to reduce the amount of electrical equipment going to landfill. There is a range of items covered by the regulations including computer equipment, light bulbs and batteries.
From an information security perspective, we are also interested in Securely Disposing of IT Assets, ensuring data is removed before being sent for proper disposal.
See also: Assess the Aspects and Impacts for Energy Use in a Business by AvISO
Keep up-to-date with Legislation
The legislative landscape is always changing, so you should ensure you have methods of keeping up-to-date on new and changing laws, either through a professional association or a free newsletter such as ours.
Guest Blog by Robert Clements
From Assent Risk Management – Part of a series by Assent Risk Management and AvISO Consultancy