GDPR Compliance

IASME GDPR

GDPR stands for General Data Protection Regulation, a mandatory regulation that takes effect from 25th May 2018. Published in 2016, it aims to consolidate the many different data protection regulations spread across the EU member countries. Additionally, the ICO is revising the UK Data Protection Act to bring it in line with GDPR.

Complying with GDPR

GDPR compliance will become a mandatory legal requirement from 25th May 2018 for all businesses that either interact with EU residents or are based within the UK. Businesses will no longer be able to use personal data for their own competitive advantage, and must follow a clear set of rules to ensure data is processed in a fair and consistent manner.

GDPR compliance will help you eliminate unnecessary data flows, streamline operations and get your staff cyber-aware. Your business brand, reputation and profitability will naturally be protected by a robust set of data protection controls. The cost and effort of putting your company through GDPR compliance is negligible compared to the cost of a data breach.

Heavy sanctions are proposed for continual non-compliance and/or large-scale data breaches: up to 4% of annual worldwide turnover, or 20,000,000 Euros, whichever is greater. For this reason alone, GDPR compliance must be taken very seriously.

Benefits of GDPR Compliance

  • It will be a mandatory requirement from May 2018 – if your business has a heavy reliance on the processing of personal data, steps must be taken now.
  • Show commitment to security – demonstrate to your business partners, regulators and suppliers that you take data protection seriously.
  • To win public sector work – independently verified GDPR compliance is likely to become mandatory for public sector suppliers. Proper evidence will be required; you will no longer be able simply to tick a box.
  • Competitive advantage – in comparison to rivals that are not GDPR-ready.
  • Safeguard commercially sensitive data – cyber criminals actively target companies with high-value data. Streamlining data flows, removing legacy data and putting security awareness and policy controls in place will go a long way to reducing your company’s exposure to data thieves.
  • Professional advice from a cyber security consultancy – Gain an expert oversight of your data protection controls.
  • Gain independent verification – from data protection experts.
  • Protect your business profits and reputation – by avoiding the financial disaster and negative publicity associated with a data breach.

Be GDPR Ready!

GDPR focuses on a key set of controls, which when properly implemented will protect data from criminal, unauthorised and accidental use. Focus is very much on an individual’s right to privacy and the elimination of unnecessary data storage. If a business does not need the data, or data subjects have not provided consent, the data must be securely deleted.

Undertaking the Cyber Essentials scheme with TeraByte will help ensure that your business is doing its utmost to become fully compliant with GDPR, while also reducing its risk from cyber attacks.

To become GDPR compliant we recommend that the following steps are followed:

1. Responsibility and Accountability

Data Controller and Data Protection Officer roles should be assigned, and the business given clear direction, from the top down, as to how it handles data. Greater emphasis will be needed for public authorities and entities that carry out large-scale data processing. Clear and effective incident response plans should be adopted, so that the relevant authorities can be notified within 72 hours of a data breach.

2. Scope and Data Flow Analysis

A thorough analysis of all data flows throughout your business must be carried out. This applies to both legacy and current processes, and also to processes that have been outsourced to third parties. Where data is no longer needed, it must be securely deleted.

3. Third Parties

Careful attention must be paid where data is being handled by third parties on your behalf. Contracts should be reviewed and amended, and third-party data flows also documented.

4. Risk Assessment

Once data flows and any third-party interactions are established, risk assessments should be carried out on each type of data flow to identify areas that need further attention.

5. Privacy by Design

Data processing systems may need redesign to ensure privacy by design and by default. If no clear consent exists for the storage of personal data, it has to go. Systems that impose mandatory data collection fields, for example web forms, will need redesign. A Privacy Impact Assessment should be carried out for all new systems or processes that involve the handling of personal data.

6. Data Classification

Personal data must be protectively marked, and data subjects must be able to change or delete their personal data upon request. Specific permission needs to be sought should personal data leave the European Economic Area.

7. Internal Security Awareness

The importance of data protection should be stressed to all employees and included in employment contracts. Suitable policies and procedures should be developed, so that each member of staff is aware of their responsibilities for data protection. Staff who handle sensitive data must be subject to regular criminal records checks.

8. Information Security Management

GDPR compliance is not a one-off task. Data must be securely managed throughout its life-cycle, and the best way to achieve this is by implementing an information security management system (ISMS), based on a standard that is appropriate to the size of your organisation. Secure data processing must be embedded in the heart of your organisation’s culture and demonstrable to both auditors and regulators.

Contact us to see how we could help you.