GDPR Compliance

The new European data protection regulation. Our experienced GDPR practitioners can get you compliant; and put data protection and cyber security firmly on the agenda.


What is GDPR?

GDPR stands for General Data Protection Regulation, which will come into force in May 2018. It consolidates the many different data protection regulations spread across EU member countries into one common standard. So if a company in one member state has a data breach, it will be treated the same way as a data breach in any other member state: consistently, fairly and in line with common, easy-to-understand controls.

Why comply with GDPR?

GDPR compliance will become a mandatory legal requirement for all EU-based companies from May 2018. Companies will no longer be able to use personal data for their own competitive advantage, and must follow a clear set of rules to ensure data is processed in a fair and consistent manner.

Besides staying on the right side of the law, GDPR compliance will help you eliminate unnecessary data flows, streamline operations and get your staff cyber-aware. Your company’s brand, reputation and profitability will naturally be protected by a robust set of data protection controls.

The cost and effort of putting your company through GDPR compliance is negligible compared to the cost of a data breach.

Sanctions are proposed for continual non-compliance and/or large scale data breaches of up to 4% of annual worldwide turnover or 20,000,000 Euros, whichever is greater. On this basis alone, GDPR compliance must be taken very seriously.

Benefits of GDPR Compliance

  • It will be a mandatory requirement from May 2018 – if your company has a heavy reliance on the processing of personal data, steps must be taken now.
  • Show commitment to security – demonstrate to your business partners, regulators and suppliers that you take data protection seriously.
  • To win public sector work – independently verified GDPR compliance is likely to become mandatory for public sector suppliers. Proper evidence will be required; you will no longer be able just to tick a box.
  • Competitive advantage – in comparison to rivals that are not GDPR-ready.
  • Safeguard commercially sensitive data – cyber criminals actively target companies with high value data. Streamlining data flows, removing legacy data and putting security awareness and policy controls in place will go a long way to reducing your company’s exposure to data thieves.
  • Professional advice from a cyber security consultancy – Gain an expert oversight of your data protection controls.
  • Gain independent verification – from data protection experts.
  • Protect your company’s profits and reputation – by avoiding the financial disaster and negative publicity associated with a data breach.

Why use 2-sec?

Our GDPR Practitioners are amongst the most experienced, globally. We appreciate that no two companies are the same, and take a bespoke approach to GDPR readiness for each of our clients:

Industry leading cyber security experts since 2011 – we have worked with data protection standards long before GDPR was conceived, including ISO 27001, Cyber Essentials, PCI DSS, PA-DSS and IASME. Our GDPR Practitioners each have over 10 years’ experience working with data security standards.


Fully accredited – At both a corporate and an individual level including CREST, QSA, PCI DSS, PA-QSA, Cyber Essentials PLUS, IASME, CHECK, CISSP, CISA, CISM, OSCP, SANS-GIAC and CEH.

Commitment to understanding your business – We will take adequate time to understand your business, operations and process to accurately scope your GDPR assessment.

Multiple assessment routes – We offer a range of methods of assessment according to your situation – self-certification, on-site support or a combination of both.

Dedicated Customer Success Manager – We know that you’ll have a lot of questions throughout the compliance process, so you’ll have direct phone and email contact with your own go-to person.


Clear communication – Our mission is to ‘simplify security’. We will communicate our recommendations to you in a clear and jargon-free way.

Be GDPR-ready

GDPR focuses on a key set of controls which, when properly implemented, will protect data from criminal, unauthorised and accidental use. The focus is very much on an individual’s right to privacy and the elimination of unnecessary data storage. If a company does not need the data, or data subjects have not provided consent, the data must be securely deleted. We recommend the following steps are followed:

Responsibility and Accountability

Data Controller and Data Protection Officer roles should be assigned, and the company given clear direction as to how it handles data, from the top down. Greater emphasis will be needed for public authorities and entities that carry out large scale data processing. Clear and effective incident response plans should be adopted, so that the relevant authorities can be notified within 72 hours of a data breach.

Scope and Data Flow Analysis

A thorough analysis of all data flows throughout your company must be carried out. This applies to both legacy and current processes, and also to processes that have been outsourced to third parties. Where data is no longer needed, it must be securely deleted.

Third Parties

Careful attention must be paid where data is being handled by third parties on your behalf. Contracts should be reviewed and amended, and third party data flows also documented. Particular attention should be paid if the third party is outside of the EEA, or sends data outside of the EEA.

Risk Assessment

Once data flows and any third party interactions are established, risk assessments should be carried out on each type of data flow, to identify areas that need further attention.

Privacy by Design

Data processing systems may need redesign, to ensure privacy by design and by default. If no clear consent exists for the storage of personal data, it has to go. Systems that impose mandatory data collection fields, for example web forms, will need redesign. A Privacy Impact Assessment should be carried out for all new systems or processes that involve the handling of personal data.

Data Classification

Personal data must be protectively marked, and data subjects must be able to change or delete personal data upon request. Specific permission needs to be sought should personal data leave the EEA.

Internal Security Awareness

The importance of data protection should be stressed to all employees and included in employment contracts. Suitable policies and procedures should be developed, so that each member of staff is aware of their responsibilities for data protection. Staff who handle sensitive data must be subject to regular criminal records checks.

Information Security Management

GDPR Compliance is not a one-off task. Data must be securely managed throughout its life-cycle, and the best way to achieve this is by implementing an information security management system (ISMS) based on a standard that is appropriate to the size of your organisation. Secure data processing must be embedded into the heart of your organisation’s culture and demonstrable to both auditors and regulators.

Assessment Options

2-sec offer a range of assessment options, from a self-assessment through to a more in-depth audited assessment designed for businesses that handle large amounts of personal data or work in the public sector.

GDPR Micro

  • Designed for smaller companies, with limited exposure to personal data.
  • We provide you access to the 2-sec assessment portal.
  • You answer a series of questions.
  • We remotely verify your answers.
  • We issue a GDPR readiness report.
  • Fixed price – £1250+VAT per assessment.
  • Buy securely via PayPal.

GDPR Essentials

  • Pre-assessment scoping call.
  • You answer a series of questions.
  • We remotely verify your answers and seek clarity where needed.
  • We verify compliance status of any third parties you use.
  • Interim report issued.
  • All remediation points must be addressed within a 4-week window.
  • We issue GDPR Essentials report.
  • We also provide telephone and email support and access to the 2-sec GDPR knowledge base.

GDPR PLUS

  • Successfully complete GDPR Essentials.
  • Pre-assessment scoping call.
  • We carry out an onsite assessment of your data protection controls.
  • We facilitate a data flow mapping and data classification workshop.
  • Interim report issued.
  • All remediation points must be addressed within a 4-week window.
  • We will issue a GDPR PLUS report.
  • We also provide telephone and email support and access to the 2-sec GDPR knowledge base.

Call us on: 0844 502 2066

For more information

There is a wide variety of GDPR information available. We recommend that UK-based customers follow the official ICO guidance until GDPR compliance becomes embedded in EU regulation from May 2018.