If you process Personally Identifiable Information (PII) then you should already be complying with the Data Protection Act 2008. The General Data Protection Regulation (GDPR) tightens up data control and processing for all EU citizens, whether you are in the European Economic Area (EEA) or not.
GDPR has teeth
Whereas the UK Information Commissioner can currently fine an organisation up to £500k if you make a disclosure, the GDPR requires mandatory notification of a breach, and penalties for a breach could be up to 4% of global turnover or €20 million. Custodial sentences are still possible for data protection breaches under other UK legislation.
There are two aspects that you need to consider in relation to successfully securing privacy information. These are the management system you use to govern the data and the controls that you put in place to ensure the Confidentiality, Integrity and Availability of that data.
We provide a GDPR Gap Analysis Base Service and a GDPR Plus Service to help you meet these requirements. The two services are complementary to both the UK Data Protection Act and each other.
GDPR Base Service
The GDPR Base Service has two main goals in mind – understanding your business and providing you with the paperwork that you will require.
Before you can undertake any form of control around the privacy information you hold, you need to know where it is, what you use it for and by whom. Most organisations have some idea, but generally this is a challenge for customer data, let alone internal information. This is further complicated if you have data from other companies, held on behalf of their customers.
The GDPR Base Service will identify what information you have and how you use it. Once you understand this, a Privacy Information Management System (PIMS) and appropriate policies can be created to manage the data.
The service has been designed in line with the international standard for the security of information – ISO27001.
When you complete this exercise you will be able to address the 12 key points that the UK Information Commissioner’s Office (ICO) has recommended that UK organisations should focus on to ensure that they can meet the new regulation.
Take Your First Step
Request a GDPR Gap Analysis quote, and start your GDPR journey:
GDPR Plus Service
This add-on to the GDPR Base Service takes the work already completed and extends it to the operational, physical and technical areas of your business, and considers their implemented state.
The report will focus on two areas:
1. Statement of applicability of controls – This grades whether the control is required for the security of privacy information, and then states whether this is in place or not.
2. ISO27001 remediation action plan – Any areas that are non-conformant to ISO27001 will be added to a remediation action plan. This will be risk prioritised within your organisation so that you can see which areas need to be changed first.
The GDPR Plus Service does not have to directly follow the GDPR Base Service, as it can always be added at a later date.
For more information, contact us on 01256 379970 opt 1 (Sales) or email [email protected]