Discover, Prepare, Manage, Protect and Report

The General Data Protection Regulation (GDPR) is a complete overhaul of data protection and creates one of the strictest regulatory regimes in the world. It has an impact on almost all organisations, regardless of their size or industry. We have developed and collated some resources that might help: an overview of the regulation, links to additional information and a 5 step model to assist with your self-assessment.

On the 25th May 2018, the biggest change to data protection regulation in almost 20 years comes into effect. The General Data Protection Regulation (GDPR) is a new privacy regulation that changes the rules that govern the ways organisations handle data.

It provides individuals with more control over their personal data, ensures transparency about the use of data and requires security and control to protect data. The GDPR defines “personal data” very broadly as any data that relates to an identified or identifiable EU resident. Any organisation that holds or wishes to hold such “personal data”, whether in spreadsheets, databases, emails or any other system, must comply with the GDPR.

Compliance with the GDPR is a cause for significant concern for many organisations. The GDPR imposes new rules for organisations that offer goods and services to people in the European Union (EU), or that collect and analyse data about EU residents. Consequently, organisations will still have to comply with GDPR regardless of the nature of the future relationship between the EU and United Kingdom (UK). The penalties for breaking the rules are severe with permitted fines of up to EUR20m or 4% of global turnover, whichever is higher.

As with much new legislation, complying with the GDPR can seem like an unnecessary burden; however, over the last decade we have seen the very real and significant negative impact that data breaches have had on customer and employee trust for the organisations affected. Preparing for the GDPR forces all organisations to consider the data they hold and assess how they control and use this data. If approached correctly, the GDPR helps organisations increase customer and employee trust whilst minimising the likelihood of a damaging data breach.

Our GDPR Guide

We have developed a 5 step model to ensure GDPR compliance.

Our 5 Step Process »

ICO

The Information Commissioner’s Office data protection reform website provides lots of helpful information.

Visit the website »

Whitepaper

Read Microsoft’s whitepaper for information on what Microsoft are doing about GDPR.

Download the white paper »

Our Audit Service

Preparing for the GDPR is complex. The systems used to create, store, analyse and manage data are often spread across a wide range of environments, including personal devices, on-premises servers and cloud services.

Our approach helps organisations prepare by looking at achieving GDPR compliance holistically and within the context of all relevant regulations and obligations.

Our audit service is designed to get you from your current state to compliance in the best way possible. We can offer you a full suite of audit services where we take on all 5 steps above, or we can tailor this service to focus on a few key areas. We will ensure that when 25th May comes you have confidence in your compliance with the new regulations. We will carry out a discovery audit with a full inventory and a gap analysis, provide a roadmap to compliance and act as implementation partner for any changes needed. We can also offer you an ongoing service to make sure you maintain your compliance.

We focus on a set of key controls and capabilities in 5 vital areas:

  • Discover – identifying what personal data exists and how it is processed, shared and retained
  • Prepare – making the organisation ready for the GDPR
  • Manage – governing how data is classified, used and stored
  • Protect – preventing, detecting and reporting data breaches
  • Report – ongoing record-keeping, notifications and request handling.

Discover

The first step to achieve GDPR compliance is to identify what personal data your organisation has, where it resides and what policies and procedures currently exist.

We will undertake a discovery audit, building an inventory of all the data an organisation has and where this data resides. Building this inventory helps an organisation understand what personal data it has, identify where the data is stored, and understand why it was collected and how it is processed, shared and retained. We help organisations bring together all existing policies and procedures, providing them with a holistic view of their current position with respect to GDPR compliance.

Prepare

The next step to achieve GDPR compliance is to make your organisation ready. This foundational activity needs to be undertaken promptly. We assist organisations to prepare by:

Raising Awareness – ensuring that everyone within the organisation is aware of what the GDPR is and appreciates the impact it is likely to have

Privacy Notice Review – reviewing existing privacy notices to ensure compliance with the GDPR and undertaking any remedial action necessary

Procedures Review

  • Personal Data Procedures Review – reviewing existing procedures to ensure compliance with the GDPR with respect to the rights that individuals have in relation to data including data deletion and data transfer
  • Access Request Procedure Review – reviewing existing procedures to ensure compliance with the GDPR with respect to the timely and comprehensive response to subject access requests
  • Data Breach Procedures – reviewing existing procedures to ensure compliance with the GDPR with respect to detecting, reporting and investigating data breaches

Processing Basis – identifying, clarifying and documenting the lawful basis for data processing undertaken by the organisation

Consent Management – reviewing how the organisation seeks, records and manages personal consent, assessing and supporting any changes necessary to comply with the GDPR

Data Protection – familiarising the organisation with the Privacy Impact Assessment and undertaking these where necessary, ensuring that the organisation can comply with the GDPR’s “data protection by design and by default” requirement

Designated Individual – supporting the organisation to designate an individual as having overall responsibility for data protection compliance and establishing how this role will sit within the organisation’s structure.

Manage

As the GDPR provides individuals with greater control of how their data is captured and used, organisations need to develop new or enhance their existing data governance and classification policies and procedures.

Data Governance

We enable organisations to satisfy their obligations under the GDPR by gaining a complete understanding of the personal data they process, how and for what purposes. Building upon the information gathered during the initial discovery phase, we enable organisations to create a comprehensive data governance plan that simplifies the definition of policies, roles and responsibilities for the access, management and use of personal data. This is crucial to ensure that all data handling practices comply with the GDPR.

Data Classification

We will design and implement a data classification scheme that applies throughout the organisation for all types of data. Having a clear data classification scheme is a critical element of any data governance plan and is particularly helpful for responding to subject access requests, since it makes the data subject to such requests easily identifiable.

Protect

All organisations are becoming increasingly aware of the impact a data breach can have and the increasing importance of information security.

The GDPR requires organisations to take all appropriate technical and organisational measures to protect personal data from loss, unauthorised access or disclosure.

Security

We help organisations improve their data security by working with them to identify and consider the many types of security risk they face, from physical intrusion or rogue employees to accidental loss or hackers. We support organisations by building risk management plans and implementing risk mitigation actions to help minimise the chances that a data breach can occur and to ensure compliance with the GDPR.

Detection and Response

Regardless of the security measures taken, organisations should understand that a breach may still occur. The GDPR requires, in certain circumstances, that if a data breach occurs organisations notify regulators and data subjects promptly. Incremental helps organisations to monitor for and detect system intrusions.

Incremental also helps organisations develop a comprehensive incident response programme following a 4-step approach:

Assess – assessing the impact and severity of the incident

Investigate – undertaking a technical and/or forensic investigation, then promptly identifying containment, mitigation and workaround strategies

Recover – creating a recovery plan allowing the return to normal operation whilst planning longer term mitigations where necessary

Review – undertaking a comprehensive review to assess and revise existing policies and procedures to prevent a similar incident occurring in the future.

Report

Transparency and accountability are crucial in building trust. The GDPR sets new standards in these areas and in record-keeping. Incremental helps organisations become more transparent in how they handle personal data by actively reviewing and maintaining policies and procedures.

Records

We improve record-keeping by supporting the introduction and use of new auditing tools which enable organisations to keep track of the categories of personal data processed; the identity of third parties with whom data is shared, as well as the legal basis for such sharing; the organisational and technical measures in place; and the data retention times applicable to various datasets.

Notifications

The GDPR introduces a new obligation regarding notice of personal data breaches. Under the GDPR, organisations must notify the relevant data protection authority within 72 hours. Where the breach presents a high risk to the rights and freedoms of individuals, organisations must also notify those individuals without undue delay.

We will create new, and enhance existing, policies and procedures that govern this process. We also help organisations review all existing supplier and customer contracts, ensuring that clear expectations are set around data breach notifications.

Requests

At its core, the GDPR exists to improve the rights each of us has regarding our personal data, and central to this are the rights to rectification, erasure, portability and not to be subject to automated decision making. Incremental helps organisations prepare to handle such requests by assessing the implications of these requests for the systems and infrastructure organisations currently use.

Finally, Incremental can help organisations undertake any necessary Data Protection Compliance Reviews and Data Protection Impact Assessments required to ensure compliance with the GDPR.

The Clock is ticking on GDPR, are you ready?

The GDPR is just around the corner and many organisations are underestimating the impact it will have on their businesses. Get out in front and start a conversation with us today. Not only can we help get you on the right track, but we can ensure you are compliant and avoid any fines.

Contact us today »


GDPR Implementation Date: 25 May 2018
