If you process personally identifiable information (PII) then you should already be complying with the Data Protection Act 2008. The General Data Protection Regulation (GDPR) tightens up data control and processing for all EU citizens, whether you are in the European Economic Area (EEA) or not.
GDPR has teeth
Whereas the UK Information Commissioner can currently fine a company up to £500k if you make a disclosure, the GDPR requires mandatory notification of a breach, and penalties for a breach can be up to 4% of global turnover or €20 million. Custodial sentences are still possible for data protection breaches under other UK legislation.
There are two aspects that you need to consider in relation to successfully securing privacy information. These are the management system you use to govern the data and the controls that you put in place to ensure the Confidentiality, Integrity and Availability of that data.
Our partner, Risk-X, has designed a GDPR Gap Analysis Base Service and a GDPR Plus Service to help you meet these requirements. The two services are complementary to both the UK Data Protection Act and each other.
Take Your First Step — Request a GDPR Gap Analysis quote, and start your GDPR journey.
GDPR Base Service
The GDPR Base Service has two main goals in mind – understanding your business and providing you with the paperwork that you will require.
Before you can undertake any form of control around the privacy information you hold, you need to know where it is, what you use it for and who uses it. Most companies have some idea, but generally this is a challenge for customer data, let alone internal information. This is further complicated if you hold data from other companies on behalf of their customers.
Our partner, Risk-X, has designed the GDPR Base Service in line with the most widely recognised international standard for the security of information, ISO27001.
The GDPR Base Service will identify what information you have and how you use it. Once you understand this a Privacy Information Management System (PIMS) and appropriate policies can be created to manage the data.
The process that we use to do this is as follows:
When you complete this exercise you will have a workable Privacy Information Management System (PIMS) and will be able to address the 12 key points that the UK Information Commissioner’s Office (ICO) has recommended that UK businesses should focus on to ensure that they can meet the new regulation.
GDPR Plus Service
This add-on to the GDPR Base Service takes the work you have already completed and extends it to the operational, physical and technical areas of your business, considering their implemented state.
Our consultants will look at the scope that was generated with the GDPR Base Service and then use ISO27001 (aligned with privacy frameworks) to review how your data is protected.
The report will focus on two areas:
1. Statement of applicability of controls
This grades whether the control is required for the security of privacy information, and then states whether this is in place or not.
2. ISO27001 remediation action plan
Any areas that are non-conformant to ISO27001 will be added to a remediation action plan. This will be risk-prioritised within your organisation so that you can see which areas need to be changed first.
The GDPR Plus Service looks at all areas of the business in scope for privacy information and provides a baseline of all of the controls that are in place. Further guidance is then provided to allow you to remediate any areas of failure.
ISO27001 is a great standard to use for this process and lends itself directly to privacy requirements. You may decide to then uplift this to cover all areas of your business.
The GDPR Plus Service does not have to directly follow the GDPR Base Service, as it can always be added at a later date.
For more information, contact us on 01256 379970 opt 1 (Sales) or email [email protected]