What is GDPR?
The General Data Protection Regulation (GDPR) is an upcoming change to data protection legislation from the European Union and is arguably the most important change in more than twenty years. The new law applies from May 2018, and its scope includes all organisations collecting or processing the personal data of individuals in the EU, wherever the organisation itself is based. Once GDPR comes into force, all organisations within scope will face significantly stricter requirements relating to the way personal data is collected, stored, managed, transmitted and erased.
Why have GDPR compliance?
GDPR compliance becomes a mandatory legal requirement from May 2018 for every organisation that processes the personal data of individuals in the EU, not only EU-based companies. Organisations will need a lawful basis for every use of personal data and must follow a clear set of rules to ensure data is processed fairly, transparently and consistently.
Besides staying on the right side of the law, GDPR compliance will help you eliminate unnecessary data flows, streamline operations and get your staff cyber-aware. Your company’s brand, reputation and profitability will naturally be protected by a robust set of data protection controls.
Further key requirements of GDPR include an embedded structure of governance and accountability across the organisation, as well as a lawful basis for each processing activity; where that basis is consent, the consent must be freely given, specific and informed. Organisations are also required to manage security via a risk-based approach, and to build privacy in from the beginning, by design and by default. All organisations must understand which of their information and technology assets are in scope for GDPR, as well as any data collected or processed on their behalf by third parties. One further requirement is that organisations report a personal data breach to the supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, they must also be informed without undue delay. Breaches include the loss, destruction or unauthorised access of data records, as well as any unlawful alteration or disclosure of data, and also incidents where data has been put at risk of disclosure.
Sanctions for the most serious infringements, such as continual non-compliance and large-scale data breaches, reach up to 4% of annual worldwide turnover or 20,000,000 Euros, whichever is greater; a lower tier of up to 2% or 10,000,000 Euros applies to other infringements. With this in mind alone, GDPR compliance must be taken very seriously.
Benefits of GDPR Compliance
- Show commitment to data protection and privacy – demonstrate to your business partners, regulators and suppliers that you take data protection seriously.
- To win public sector work – independently verified GDPR compliance is likely to become mandatory for public sector suppliers. Proper evidence will be required, you will no longer be able just to tick a box.
- Safeguard commercially sensitive data – Cybercriminals actively target companies with high-value data. Streamlining data flows, removing legacy data and putting into place security awareness and policy controls will go a long way to reducing your company's exposure to data thieves.
- Protect your company's profits and reputation – Addressing the requirements of GDPR will mean that you are less likely to suffer a data breach, and that you are prepared for any event with overhauled incident management capabilities, improved security awareness and effective data governance.
- Prevent data loss – Cybercrime is often targeted at organisations that are known to have weak controls. Threats from data thieves or accidents will be reduced by streamlining data flows, removing legacy data and putting into place security awareness and policy controls.
- Competitive advantage – Investing time now in GDPR readiness can provide a commercial advantage over competitors that are not ready for the regulation.
Why use 2-sec?
Our GDPR Practitioners are amongst the most experienced globally. We appreciate that no two companies are the same, and take a bespoke approach to GDPR readiness for each of our clients:
Industry-leading cyber security experts since 2011 – we have worked with data protection and privacy standards since well before GDPR was adopted, including ISO 27001, Cyber Essentials and PCI DSS.
Fully accredited – At both a corporate and an individual level including CREST, QSA, PCI DSS, PA-QSA, Cyber Essentials PLUS, IASME, CHECK, CISSP, CISA, CISM, OSCP, SANS-GIAC and CEH.
Commitment to understanding your business – We will take adequate time to understand your business, operations and process to accurately scope your GDPR assessment.
Assurance – Once our assessment has been completed, senior management teams will have a clearly defined, independent breakdown of where your organisation is ready for GDPR and where gaps remain.
Improvement Plan – Following our GDPR assessment, a client will have an easy to follow roadmap for continued self-improvement which can be used to close the gap on any weaker areas.
Demonstrable Commitment to Data Protection and Privacy – Once complete, our assessment provides reassurance to your staff, clients, customers, suppliers and regulators that your organisation takes data protection and privacy seriously.
Independent and Expert Advice – Our experts engage with our clients as impartial advisors, providing independent and professional advice.
Reputational Protection – Addressing the requirements of GDPR will mean that our clients are less likely to suffer a data breach, and that they are prepared for any event with overhauled incident management capabilities, improved security awareness and effective data governance.
Preventing a Data Loss – Cybercrime is often targeted at organisations that are known to have weak controls. Threats from data thieves or accidents will be reduced by streamlining data flows, removing legacy data and putting into place security awareness and policy controls.
GDPR focuses on a key set of controls which, when properly implemented, will protect data from criminal, unauthorised and accidental use. The focus is very much on an individual's right to privacy and the elimination of unnecessary data storage. If a company does not need the data, or has no lawful basis (for example consent, a contract with the individual or a legal obligation) for processing it, the data must be securely deleted. We recommend the following steps are followed:
Responsibility and Accountability
The organisation should be clear whether it acts as a data controller or a data processor for each processing activity, and a Data Protection Officer should be appointed where GDPR requires one: for public authorities, and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The company should be given clear direction as to how it handles data, from the top down. Clear and effective incident response plans should be adopted, so that the supervisory authority can be notified within 72 hours of becoming aware of a data breach, and affected individuals informed where the breach poses a high risk to them.
Scope and Data Flow Analysis
A thorough analysis of all data flows throughout your company must be carried out. This applies to both legacy and current processes; and also processes that have been outsourced to third parties. Where data is no longer needed, it must be securely deleted.
Careful attention must be paid where data is being handled by third parties on your behalf. Contracts should be reviewed and amended to include the processor terms GDPR requires (such as processing only on documented instructions, confidentiality, appropriate security measures, controls over sub-processors, and deletion or return of the data at the end of the contract), and third-party data flows documented. Particular attention should be paid if the third party is outside the EEA, or sends data outside the EEA, since such transfers are only permitted to countries covered by an adequacy decision or under appropriate safeguards such as standard contractual clauses.
Once data flows and any third party interactions are established, risk assessments should be carried out on each type of data flow, to identify areas that need further attention.
Privacy by Design
Data processing systems may need redesign to ensure privacy by design and by default. Personal data held without a lawful basis has to go. Systems that collect more data than is needed for their stated purpose, for example web forms with mandatory fields the service does not actually require, will need redesign to meet the data minimisation principle. A Data Protection Impact Assessment (DPIA, also known as a Privacy Impact Assessment) must be carried out before starting any new system or process that is likely to result in a high risk to individuals, and is good practice for any new processing of personal data.
Personal data should be classified and protectively marked, and data subjects must be able to exercise their rights upon request: access to their data, rectification, erasure where the grounds apply, restriction of processing and, where applicable, portability. Transfers of personal data outside the EEA are only permitted where the destination is covered by an adequacy decision or appropriate safeguards are in place.
Internal Security Awareness
The importance of data protection should be stressed to all employees and included in employment contracts. Suitable policies and procedures should be developed, so that each member of staff is aware of their responsibilities for data protection. Staff that handle sensitive data should be subject to appropriate pre-employment vetting, proportionate to the role and the sensitivity of the data they handle.
Information Security Management
GDPR compliance is not a one-off task. Data must be securely managed throughout its life-cycle, and the best way to achieve this is through implementing an information security management system (ISMS), based on a standard that is appropriate to the size of your organisation. Secure data processing must be embedded into the heart of your organisation's culture and demonstrable to both auditors and regulators.
Our GDPR services
2-sec can provide your organisation with an assessment of its readiness for GDPR. We have a bespoke approach to assessment which delivers assurance to our clients that they are prepared.
Our teams of data protection advisors and technical security experts carry out thorough assessments of your organisation across four key areas of GDPR: information and data protection strategic governance, information assets in scope, third parties in scope and technology assets in scope.
Once completed you will receive a full information and data protection register, which acts as a full inventory of what your business has in scope under GDPR, and how it compares to the requirements. Our register is also a working framework, providing a roadmap for how your organisation can continue to improve and manage data protection, information security and privacy. Our register will function as your organisation's comprehensive management system, covering:
- Security policies and procedures
- Data classification
- Data Protection Officers and accountability
- Data protection culture
- Risk management
- Type of data collected
- Data collection methods
- Hard copy data
- Consent controls
- Asset register
- Third parties in scope
- Contracts and provisions
- Third parties’ collection methods
- Third parties’ storage methods
- Third parties’ erasure methods
- Data storage
- Data erasure
- Data portability and modification
- IT asset mapping
- Incident reporting capability
Get GDPR ready
For more information
There is a wide variety of GDPR information available. We recommend UK-based customers follow the official ICO guidance as the regulation comes into force in May 2018.