EUGeneralDataProtectionRegulation

Transcription

1 EUGeneralDataProtectionRegulation SMEDiscovery,AssessmentandPlanningService The Data Protection Act has now been in force for more than two decades and any organisation should see it as an integral part of their approach to dealing with personal data held in core systems, PCs and mobile devices. With the introduction of the European Union General Data Protection Regulation (GDPR) in May 2018, the rights of the individual (the data subject) and the responsibilities of your organisation to process data lawfully and for legitimate reasons with adequate protection will greatly increase. Failure to do so can have significant financial impact with fines up to 4% of annual global revenue or 20,000,000, whichever is higher. In some cases, the cost to your brand could be significantly more. With our experienced team, certified to industry-recognised qualifications including Certified EU General Data Protection Regulation Foundation and Practitioner (GDPR), we can guide you through compliance including your systems, infrastructure, processes and technology strategy.

2 There s a lot in the GDPR you ll recognise from the current law, but make no mistake, this one s a game changer for everyone. Elizabeth Denham Information Commissioner ICO Whilst probably no SME or larger organisation is perfect, the less prepared or poorly protected you are, undoubtedly the harsher the response you will receive from the UK Data Protection Authority (the ICO for the UK) if a breach occurs. This is emphasised in the State of the art article (SOTA) within the directive, which encourages organisations to implement appropriate technology solutions and develop good processes so that they always protect personal data in the best possible way. We recently discovered an employee of our international health insurance division had inappropriately copied and removed some customer information from the company. Around 108,000 international health insurance policies are affected. Sheldon Kenton MD of Bupa Global The ICO issued a 60,000 fine to Boomerang Video Ltd after it suffered a cyber attack. An investigation found the Berkshirebased company failed to take basic steps to stop its website being attacked. This cuts across all elements of your technology ranging from system security (including data access rights and compartmentalisation), infrastructure (such as firewall protection and device encryption), the appropriate processes controlling the use of the data and finally, the type of data staff and suppliers have access to (now, historic and future). Furthermore, add in the complexity of data subjects possibly requesting data portability, the right to be forgotten, the management of your third parties with access to the data and its movement or access across geographical boundaries, the task of managing personal data has become far more complicated and time consuming. Even after you have complied with the regulations, maintaining your compliance must become a standard approach in your organisation. Like many regulations, it is easy to ignore them and think it will never happen to you but if it does, you have no opportunity to take retrospective steps to either mitigate your argument to the ICO, appease your customers or protect your brand value. Like business continuity and disaster recovery planning, your GDPR approach must become an integral part of your overall technology, operations and human resources strategies. 2

3 Is there a tick list for reaching compliance? If a business can t show that good data protection is a cornerstone of their practices, they re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation. Elizabeth Denham Information Commissioner ICO Unfortunately not. There are some things that you definitely should not do such as lose or abuse the personal data you hold and process. Also, you are now fully accountable for your service providers and partners that you share information with, the old answer of it wasn t us will not be acceptable. After that, it is about demonstrating that you understand the legislation across the different elements of your organisation, then putting in place the appropriate controls, systems and technology. Also recording that these measures are reviewed periodically to assess changing internal and external factors will demonstrate that you are actively taking your GDPR responsibilities seriously. You should also demonstrate that new projects and your change management activities incorporate assessment and implementation of the various GDPR requirements throughout their lifecycle. Every organisation is different but accountability must be held by your Data Protection Officer (if you require one under the new regulation), the management team and Board. Think before you press the button, both literally and metaphorically! An ICO investigation into Honda Motor Europe Ltd revealed the car company had sent 289,790 s aiming to clarify certain customers choices for receiving marketing. Even when you think you are doing the right thing, it could turn out to be the wrong thing as Honda Motor Europe Ltd discovered. By sending customers an to clarify their marketing preferences, they actually broke the rules. They believed that the s were not classed as marketing but instead were customer service s to help the company comply with data protection law. However, Honda could not provide evidence that the customers had ever given consent to receive this type of , and consequently received a fine by the ICO. So if you do not have a very clear mandate from your customers or staff etc to do something, do not do it without serious consideration and potentially legal advice. 3

4 So how can Great Benefit help you? Our sector experience includes distribution, health and social care, finance, media, retail and remote workforce sectors such as security, FM, cleaning and domiciliary care. Our background is managing and implementing customer technology projects for all sizes of organisations ranging from the small SME through to designing IT Strategies for 250m+ turnover multinationals. So rather than being a consultancy that works with the theoretical, we work in the real world, embedded with our customers to achieve success. Over the last 15 years, we have also forged many strong strategic partnerships including technology companies such as Microsoft, WatchGuard and Lenovo. We also work closely with a number of trusted partners that include telephony, data centres and desktop support providers. Taking that as our base, our Systems and Infrastructure Architects are certified EU General Data Protection Regulation Practitioners so we understand both the requirements and the technology involved in practice. Our service approach has three distinct phases to help you. 4

5 AWARENESSand PLANNING Discovery, Assessment and Planning Service Our first phase is to identify and document the various elements you have and then review them with you for GDPR readiness. All organisations are different and may already have some elements reviewed and documented. Because our service very quickly changes into a bespoke plan, we can incorporate any existing documentation and review work into the project scope. Data acquired through a combination of existing documentation and meetings (one to one or workshops) with key staff throughout the affected areas of the organisation. Outputs from the assessment include; Summary document of areas reviewed Risk Register High-level roadmap Draft policies and procedures Template documentation for the implementation phase The Discovery phase covers the six key areas affected; An application audit to document the data stored in each system and how it processes personal data. An infrastructure audit to document how you protect data from intrusions, device loss, data storage, and document storage. A review of the existing policies and procedures including other HR elements that may need inclusion. Full lifecycle Dataflow mapping including any terms and opt-in clauses that cover the storage, processing and use of personal data. This also includes data passed to or received from third parties or overseas operations. Capture of the existing Incident Management process and review of historic incidents. Data subject requests and how they are currently fulfilled. Once the different elements have been captured, the Assessment phase starts. Initially we review each area individually and then consolidate them where appropriate to show an overall status for the logical functions or clusters. Once this phase has completed, the risk register can be documented. This is the starting point for creating the highlevel roadmap for the required changes, incorporating any other affected projects occurring during

6 Managing your GDPR compliance programme may be seen by some senior managers as just an IT issue. It is not and for some organisations, it will change processes that have been operating for years or even decades. Understanding the findings from the Audit and Assessment phases must be a collaborative process between both our consultants and your organisation s project manager and the wider management team. The impact may potentially be far reaching and could change how you interact with customers, leads and employees. It may also change elements of your technology strategy or the priority of expenditure. Together we can work through addressing the key issues, creating appropriate documentation and building your highlevel roadmap for reaching compliance. IMPLEMENTATION At the end of the Awareness and Planning phase, you will understand the scale of change required and where they need to occur. They fall broadly into four categories; System changes that are required to cover areas such as data access, segmentation, anonymisation, audit controls and archiving. Infrastructure changes to control external firewall access, PC and mobile device encryption, data theft ( , memory stick, printing) or server security. Operational changes such as website data collection, data usage and marketing activities, proof of age and archiving policies. Staff Training to ensure that your employees understand the regulations, their responsibilities and attempt to mitigate the threat of internal data theft. Our consultancy services range from supplementing your existing resources through to implementing projects for you. We can also help you source new and appropriate solutions through our wide range of partners. 6

7 COMPLIANCE Once you have reached compliance, you must continue to reaffirm the GDPR principles within your organisation as a business as usual approach. New systems, interfaces, operations and business alliances should all face the same rigorous challenges as the previous work to maintain your compliance and appropriate data usage. WHEREDOISTART? Looking at the vast scope of the regulation, it can be easy to Better three hours too soon than a minute too late." William Shakespeare CALL US NOW ON TO KICK-START YOUR GDPR PROJECT. become overwhelmed by the sheer scale of the project ahead. As we mentioned earlier, we can help you build a pragmatic approach to your compliance project. The key to a successful GDPR project is the initial discovery and assessment. If you do not know the components, issues and interdependencies, you will not be able to build a coherent plan for the changes required. With our Discovery, Assessment and Planning service, we work with you to kick-start your project, identifying and documenting the various elements. Moving forward, once you have the assessment and highlevel road map completed, the project will naturally take shape. We can help you further with the subsequent stages including; Guidance on system upgrades and enhancements Infrastructure upgrades and implementation Staff awareness training Project, policy and procedure documentation Penetration testing Document management, policy/procure tracking and project portals with our Microsoft SharePoint tools Project and Programme Management We can tailor a bespoke project for you based on your needs, existing available resource and skills. To find out more about how we can help you, please contact us to discuss your current position in more detail. 7

8 ABOUTGREAT BENEFIT Founded in 2001, we have provided a wide variety of SMEs and large enterprises with strategic and operational technology consultancy and solutions. Whether helping our customers with discrete projects, interim IT leadership or implementing a full platform solution, we pride ourselves on working closely with our customers to understand both them and their sector demands. Often the final solutions are a combination of robust standard technologies supported by innovations that provide them with true market advantage. As well as being partners with some of the best technology manufactures such as Lenovo and WatchGuard, we are also a Microsoft Silver Development Partner and have our own unique products for document storage and application creation in Microsoft SharePoint. For more information about the wide range of services we can offer, please visit us at info@greatbenefit.co.uk or simply call us on. 8