Consulting Champions

Transcription

1 Consulting Champions Get GDPR Ready with SOLA Consulting A bespoke GDPR compliance offering covering people, process, technology and data SOLA Consulting is part of SOLA Group Ltd

2 Contents What does GDPR really mean to your business? What is GDPR? Where does the responsibility lie? SOLA Consulting GDPR Readiness Assessment GDPR Readiness Assessment Outputs GDPR Readiness Assessment Sample Report Why SOLA Consulting? Page 3 Page 4 Page 5 Page 6 Page 7 Page 7 Page 8 Get GDPR Ready with SOLA Consulting - Page 2

3 SOLA Consulting GDPR Readiness Assessments can be delivered in as little as 2-4 weeks GDPR comes into force on 25 th May From the post room to the board room, the regulation will have an impact on every vital part of your organisation; your people, your processes, your technology, your systems and your data. Getting GDPR wrong can cost your organisation 4% of global turnover. With our in-house GDPR experts and extensive network of technology partners SOLA Consulting will identify all of your organisation s specific GDPR requirements, in just 2-4 weeks. The major shift, with the implementation of GDPR, will be in protecting customer and employee Personal Data and Personal Sensitive Data. The cybersecurity landscape is rapidly changing due to the explosion in digital and the ever changing ways in which we all share information. GDPR strives to protect ours and our customers sensitive information in this new digital age. Good news for your customers, but challenging for your organisation. Through our workshops and seminars we have found that organisations are at varying stages of their GDPR journeys. Certainly some larger organisations are well on their way to being compliant. SOLA Consulting are here to support smaller to mid-sized organisations who need hands-on expertise and support to tackle the significant adjustments GDPR will bring to their businesses. So what does the new EU GDPR really mean for your business? In short, from the post room to the board room, GDPR will have an impact on every department in your organisation; your people, your processes, your technology, your systems and your data. Fines of up to 4% of global turnover or 20M EUR, whichever is higher Get GDPR Ready with SOLA Consulting - Page 3

4 What is GDPR? Those of you in the know can skip this section, but for those of you who need a little education here s our GDPR Snapshot. GDPR comes into effect on the 25 th May 2018 GDPR supersedes the Data Protection Act of 1998 GDPR provides increased privacy protection for all UK & EU citizens GDPR is a regulation, now legally enforceable with agreed penalties of up to 4% of your annual turnover GDPR harmonises data protection laws across the European Union s 28 Member States, which will make the complex data protection landscape easier to navigate for multinational organisations Non-compliant organisations now face fines of up to 4% of their global revenue or 20M EUR whichever is higher Brexit will not negate the regulation here in the UK. In or out of Europe, the regulation is the new data protection standard The UK ICO have already stated they will continue to adhere to the EU adequacy laws post Brexit When enforced, the GDPR stipulates that data breaches must be reported to the relevant authorities within 72 hours of discovery if they re likely to jeopardise the rights and freedoms of individuals affected, and records must be kept of all such incidents GDPR enhances the requirements for obtaining consent, mandating affirmative consent for data processing and requires explicit consent for special categories of data All organisations hold personal information (an IP address or a business that can be linked to an individual is classed as personally identifiable) GDPR extends new rights to individuals such as the right to be forgotten and the right to data portability GDPR requires that organisations in specific circumstances appoint a Data Protection Officer (DPO) GDPR will impact virtually every department within your organisation; from IT, Finance and Marketing to Legal, HR and Customer Service For more information visit the ICO website here Get GDPR Ready with SOLA Consulting - Page 4

5 GDPR compliance is not just about the technology and security systems you have in place; people, processes and data play an equal part. Where does the responsibility for GDPR lie in your business? All company employees produce and manipulate data using technology and according to your organisation s policy and processes. Therefore the responsibility lies with everyone within your organisation including all your departmental heads of business. But where do you start? With your systems? Your employee education and awareness? Your data? Your policies? Who should lead this process in your organisation? Your legal department? IT? Your CEO? Marketing? Something of this scale needs structure. Therefore, CEO s and MD s require an action plan. With less than a year to go until GDPR comes into force organisations seriously need to start creating an action plan to move towards compliance. This is where SOLA Consulting s Readiness Assessment comes in. Roles, responsibility, and accountability will be established. A critical path will be delivered as part of the outputs, so that the action plan can be agreed at the top and filtered down throughout the organisation. SOLA Consulting GDPR Readiness Assessment Comprehensive & invaluable insight into your organisation s current GDPR compliance status. Our GDPR Readiness Assessment is a crucial first step on your journey to GDPR compliance. The assessment will give you a comprehensive insight into your organisation s current GDPR compliance posture and make priority recommendations for the areas you most urgently need to address to meet the regulations come May The assessment uniquely examines 4 key business areas: People Data Technology Policy and Processes GDPR compliance is not just about the technology and security systems you have in place; people, processes and data play an equal part. Potentially every individual within your organisation has access to personal data. Organisations need to make sure that they are adhering to the same protection and data processing standards across their entire business. And then there is the question of where the responsibility for data protection lies. Clearly business leaders need to drive the need for compliance and adherence to the regulation but equally all employees across your business will need to be aware of the implications of a data breach, therefore data protection education programmes will become increasingly necessary. GDPR requires that you know exactly what data you hold on an individual, where that data is stored, how old it is, how you process it and who has access to it. The ICO stipulates that you should audit the personal data you hold, where it came from, who you share it with and maintain records of your processing actions. Which is why data also forms a crucial part of our GDPR Readiness Assessment. Get GDPR Ready with SOLA Consulting - Page 5

6 SOLA Consulting GDPR Readiness Assessment. What s covered? 1 GDPR Definition Workshop A crucial first step. A facilitated session with the key GDPR business stakeholders across your business to clearly define the scope of the project, set expectations and parameters and define and agree outputs. Business Analysis & Due Diligence Consists of sessions with your business leaders; examining your company and operational policies and scrutinising your current technology stack; including analysing everything from & web usage to security solutions and storage. 2 3 Customer 3rd Party Analysis Analysis of 3rd party supplier relationships and legal contracts to determine a strategy for inclusion of GDPR articles into operational policy and standards. This will ensure all 3rd party legal contracts also reach the required compliancy levels. Customer Data Analysis Data analysis is critical to GDPR compliance. Through a combination of business analysis and due diligence on your technology stack, we will track Personal Data and Personal Sensitive Data from customer input channels through to your endpoints, applications and networks and their storage locations. 4 5 GDPR Mandatory Requirements Identification of the mandatory requirements of the regulation and how they apply to your business. This includes the need to appoint a Data Protection Officer (DPO), your customer consent mechanisms, data portability and deletion, privacy management and technical data security. Technical Assessments Technical control of customer data is key to GDPR compliance. Some of the crucial areas that will be analysed for readiness include (but are not restricted to) structured and unstructured customer data applications, databases and accounting systems, your data centre, firewall system, data storage, cloud service, services and security systems. 6 7 Non-Technical Assessment Non-technical assessments will be conducted on or off site and include (but are not limited to) your company s contractual obligations with 3rd parties, operation policy, data policy, security policy, risk management, project methodology and change process. Education and Awareness Via the definition workshop departmental heads of business, technical leads and key members of your organisation will receive education and awareness on how GDPR is relevant to their specific area of control. 8 Get GDPR Ready with SOLA Consulting - Page 6

7 GDPR Readiness Assessment Outputs The outputs of the GDPR readiness consultancy period will provide solid insight into your current GDPR compliancy posture. It will list the four quadrants (People, Data, Process, Technology) and break them down into circa 30 subsections with associated heat maps and diagnostics. This will be presented through: Full GDPR Report Multiple Quick Wins SOLA Privacy Impact Assessment (PIA) ISO27001/2 Risk Assessment tutorial and template ISO27001/2 Asset Register tutorial and template coaching for key GDPR staff Unstructured data and application mapping Automated unstructured Data discovery Data Classification scheme Security Policy review Active Directory review HR review Legal review 3rd Party Contract review Operational Policy review Full RACI (responsibility) matrix PMAs referencing the specific GDPR articles GDPR compliance Dashboard report As part of this service offering we will offer as many quick-wins as possible to assist your efforts to reach compliance, with a recommended roadmap taking you through to May 25 th Timescales will vary from organisation to organisation but we expect to deliver readiness assessments within 2 4 weeks. ACME Plc GDPR Readiness Assessment V1.0 Readiness Assessment Summary: ACME Plc provided 82.5% of assessment collateral, achieving an overall GDPR Compliance rating of 61.5%. The remaining 17.5% assessment will either need to be completed at a later date, or the Risk accepted by ACME Plc. Full details are given in the full ACME Plc GDPR Report, People: 82% completed Compliance Rating: 32% Technology: 95% completed Compliance Rating: 54% Data: 90% completed Compliance Rating: 89% Process: 64% completed Compliance Rating: 71% Key Observations: - ACME Plc has shown commitment across the entire organisation to achieve GDPR compaince. - ACME Plc has a mature Data Management model, observing the compliance of both the 1998 Data Protection Act and the 2012 PCI regulations. Only small process changes will be required to reach GDPR compliancy. - ACME Plc recently upgraded their Firewall solution, bringing a solid layer of Data Loss Prevention to the Security Operations Suite. - ACME Plc employees have expressed an interest in an Education and Awareness training session on the practicalities of GDPR. - ACME Plc Security Operations are monitoring and controlling all egress points for the internet, however traffic is uncontrolled and poses a hihg risk to Data Breaches. - ACME Plc endpoints (Laptops, Tablets, Smartphones are unenctypted, which is a direct GDPR breach of regulation. - ACME Plc primary control system (Active Directory) has not been controlled over the 10 year growth of the AD domain. There is a high impact quick win available with an AD review and account consolidation. - ACME Plc Antivirus, Antispam and Malware software is not of a recommended version for todays cyber attacks, it is recommended that the versions are upgraded. Key Issues: 1. Operational Policy incomplete 2. Data dispersion 3. Data ownership / DPO 4. No control over Shadow IT 5. traffic unmonitored 6. Social Media unrestricted 7. Insufficient Endpoint Encryption 8. HTTPS protocol security Key Risks: 1. No current in-house GDPR Initiative 2. Resources for recommendations 3. Timescales 4. 3rd Party Legal supplier Quadrant Summary Issue Breakdown Critical Path: To reach a safe level of GDPR Compliance, an in-house GDPR initiative will need to be established and controlled, with approved Milestones, Deliverables, and acceptance criteria. It is essential that Legal and HR own the initiative, and drive it to completion before 25 th May Recommendations: It is recommended that the full GDPR report is analysed, and an internal Risk Assessment is undertaken. Once the risk appetite has been established, it is recommended that a GDPR Project is initiated, addressing the Key Issues and Risks listed above, and all Red and Amber recommendations listed in the full ACME Plc GDPR Report, Get GDPR Ready with SOLA Consulting - Page 7

8 Why SOLA Consulting? SOLA Consulting is a bespoke GDPR compliance offering covering people, process, technology and data. Our network of premium consultants and partners will get you on the right track with every aspect of the GDPR process to get your business ready; ranging from our GDPR readiness assessment right through to on-going support and training. We understand that every business is unique and our consultants are experts at identifying how GDPR will impact your business & what steps need to be implemented so you stay ahead of the game. Supporting you every step of the way and ensuring all bases are covered by providing advisory and practical delivery of the following services: readiness assessment, network scanning, seminars, resources, training and data loss prevention. Register for a consultation e: GDPR@solagroup.com t: +44 (0) Copyright - SOLA Group All Rights Reserved SOLA Consulting is part of SOLA Group Ltd