- People
- Expertise
Our expertise
We are a team of more than 500 professionals, with the depth of experience which makes us genuine experts in our fields. Together, gunnercooke’s people have strength across just about every corporate discipline and sector. We provide legal, commercial and strategic advice that delivers real value to the clients we work with, which span from multinational enterprises through to unicorns and non-for-profit organisations. Our breadth of expertise covers some of the most interesting and important emerging disciplines, from ESG and charity law, to blockchain and competition.
Search by practice areaDispute ResolutionDispute Resolution OverviewMeet the Dispute Resolution TeamIntellectual Property DisputesFinancial Services & FinTech OverviewProceeds of CrimeEmployment TribunalTax InvestigationProperty Dispute ResolutionInsolvency DisputesMediationCivil Fraud & Asset TracingHealth & SafetyBusiness Crime & InvestigationsLitigation & ArbitrationInternational Arbitration - International
International Offices
gunnercooke has 12 offices globally including the UK, Scotland, US, Germany and CEE, with further plans for growth in the coming years. These offices enhance the existing in-house capability of our dedicated international teams and dual-qualified experts that cover China and Hong Kong, Spain, France, Italy, Brazil and Portugal. Our team has experience working across 101 different countries, speaking 30 languages and are dual-qualified in 15 jurisdictions. Our expertise means we can offer large teams to carry out complex cross-border matters for major international clients.
- Our story
Our story
gunnercooke is the fastest growing corporate law firm in the UK, now making its mark globally. We comprise a rapidly growing number of experts spanning legal and other disciplines. Clients benefit from flexible options on fees to suit their needs, access to a wider network of senior experts throughout the relationship, and legal advice which is complemented by an understanding of the commercial aspects of running a business.
- Reading Room
- News & Insights
Most public bodies (that’s to say government departments, agencies, NDPBs and the NHS) have been obliged, since 2014, to utilise established cyber security standards as a key means of improving cyber security (and with that, data protection measures) in their supply chains.
The Cyber Essentials Scheme, is central to this.
Cyber Essentials is a Government backed scheme to help businesses of any size protect themselves against a range of the most common cyber attacks and to demonstrate their commitment to cyber security.
It’s described in the latest Procurement Policy Note as “the quickest and most effective means of mitigating risks associated with [sensitive] contracts…”.
For that reason it mandates the use of CE for the more data sensitive public contracts especially those where government information protectively marked at “Official” might be used, or for those contracts which involve the processing of large amounts of personal data.
It makes plain, however, that CE does not guarantee security (it is intended to help SMEs and larger organisations get the basics of cyber security right), nor is it the only cyber security standard, and if a bidder for a public contract can demonstrate that it has an equivalent set of security measures or an international standard in place then will be just as acceptable.
In any event, the affected public bodies “…must ensure that effective and proportionate cyber security controls are applied to contracts to mitigate supply chain risks.
As the PPN states-
“There are key characteristics associated with contracts considered to be at a higher risk of cyber security threats. In-scope organisations must ensure that all suppliers demonstrate that they meet certain technical requirements for contracts or services that include the following characteristics:
…where personal information of citizens, such as home addresses, bank details, or payment information is handled by a supplier;
- where personal information of Government employees, Ministers and Special Advisors is handled by a supplier (such as payroll, travel booking or expenses information);
- where ICT systems and services are supplied which are designed to store, or process data at the OFFICIAL level of the Government Security Classifications Policy; and/or
- where contracts deal with information related to the day-to-day business of Government, service delivery and public finances. “
Although the PPN says that not all contracts will be affected, given the presence of personal data in so many different types of contracts for goods and/or services, the requirement might well turn out to be almost universally applicable. That will be for the public bodies to work out.
But for suppliers, having a CE Certificate (or equivalent) gives them a real commercial advantage in the bidding process; helps streamline their bidding process input (because the certificate is shorthand for what can be extensive technical details that would otherwise have to be submitted afresh each time) and it helps build trust with customers.
Whilst the basic CE Certificate will be fine for most businesses, especially SMEs bidding for routine contracts, for the more complex businesses or high risk contracts, Cyber Essentials Plus will be the better bet. CE Plus applies the same technical standards and controls ( which include b effective boundary firewalls; internet gateways; secure configuration; access control; malware protection and security update management ) but comes with the additional assurance of having been independently tested remotely and through on-site vulnerability testing.
CE is not just relevant to organisations awarding or bidding for government contracts of course. It is proving to be a key tool for suppliers in all sectors (including lawyers and other professions), helping them cover the basics of cyber security to protect their commercial information. Crucially it is also very useful for demonstrating a commitment to personal data security. The ICO likes it, therefore so should we.
Tim Heywood FRSA is a partner in Gunnercooke llp specialising in data protection, cyber and procurement. Tim is a member of the Law Society’s Technology & Law Committee. He is the former Legal Adviser at what is now the National Cyber Security Centre (NCSC) (part of GCHQ). Tim advises IASME, which is the Government’s delivery partner for Cyber Essentials.
This blog is for guidance purposes only and is not legal advice. You should obtain specific legal advice on your particular circumstances.
