SRM's GDPR team
SRM's GDPR team provides a business-focused service to organisations of all types and sizes, at all ends of the GDPR-readiness spectrum.
SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic implementation of GDPR. We can also take on the full DPO role.
At the outset we conduct a pre-audit exercise to establish your level of readiness, using a gap analysis to determine which areas need to be addressed. We then assist with any required remediation activities and establish a detailed action plan roadmap.
We are trusted by clients from all sectors. We are cybersecurity suppliers to HM Government and work with all types of organisation including charities, large corporates and SMEs.
"The SRM GDPR team provides an outstanding service. They have a clear and business-driven strategy which ensures that all data is identified and mapped before providing a detailed roadmap for the next stages. They are highly professional and trustworthy and a joy to work with."
"We had been rather at a loss as to where to start with GDPR, but the SRM GDPR team came in and provided clear direction which was focused on delivering effective implementation without trying to sell us products we didn't need. It is refreshing to work with such a professional outfit who really understood our organisation."
"We knew we needed to address the issue of GDPR but were unsure as to where to best direct our investment in pursuing this end. The SRM GDPR team is superb. They took the time to work out exactly what we needed to adhere to the regulation and helped us to develop an achievable strategy. I couldn't recommend them highly enough."
Are you GDPR ready?
To gauge your level of GDPR readiness, take our step-by-step self-assessment guide.
We all know that the deadline has passed and businesses should already have taken the recommended actions, but this Self-Assessment Questionnaire has been developed to outline the key areas that need to be addressed and to provide a guide to your current state of GDPR readiness.
SRM's approach to GDPR
Analyse: With GDPR's focus on risk analysis, we use advanced scanning techniques to identify sensitive cardholder data, with the capability to scan for over 100 types of PII and cardholder data across hundreds of data targets. The technology is built to allow an organisation to identify, remediate and then monitor its data from a single endpoint. Using built-in scheduling and real-time alert features, data is kept secure while the process becomes an integrated aspect of a company's business-as-usual practices.
Assist with a data mapping exercise to determine:
- what data you hold
- where it is
- why you have it
- when it is to be destroyed and what is in place to protect it
Evaluate information security risks, taking into account the impact of company threats and vulnerabilities.
Amend or design and implement a comprehensive suite of information security controls and appropriate documentation and other forms of risk management to address company security risks.
Adopt an overarching management process to ensure that the information security controls meet the information security needs and those of the GDPR, on an ongoing basis.
Investigate: In the event of a data breach, SRM has a fully accredited forensics lab that is able to assist in any investigation. We can also handle communications to relevant bodies, should the worst happen. Planning how to handle an incident is a key part of any Information Security program and SRM has a wealth of experience in running exercises and working with policy makers to ensure that impact to the business is minimised.
The compliance issue
Although the principles of GDPR are enshrined in UK law and failure to adhere to them can lead to significant fines, there is currently no concrete GDPR compliance process. It is expected that a GDPR compliance standard will be drawn up in the near future, but for now organisations can use the organisational governance requirements of the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001 as a helpful framework. It is then the responsibility of the organisation's Data Protection Officer (DPO) or Chief Information Security Officer (CISO) to ensure that the additional requirements of GDPR are included in their systems.
GDPR: next steps
Board level involvement
GDPR is not simply the responsibility of the IT department. It affects all aspects of a business and board level involvement is essential to ensure that the process runs smoothly, with adequate support and resource.
Appointment of a Data Protection Officer
GDPR requires a named individual to be responsible for following the data protection rules contained within GDPR. As a guide, in most organisations with more than 250 members of staff this will be a resident Data Protection Officer (DPO). In other organisations the role will usually be taken by whoever holds the CISO brief. To hold responsibility for satisfying GDPR requirements in-house, the named individual will need expert knowledge of data protection law, the ability to assess the required risk-based approach, and the capability to fulfil all the tasks referred to in the regulation. The alternative is an external person who is contracted to take on the service role.
Plan for Mandatory Reporting
Under GDPR, the DPO will be under a legal obligation to notify the Supervisory Authority of any infringement of the regulations within 72 hours of detection. Responding to a crisis as it unfolds will not be sufficient: a planned, strategic approach is needed to ensure that efficient reporting systems are in place. It is also worth noting that under the new regulation any third parties which process data on someone else's behalf will be just as accountable as the data controller.
Implement a Data Discovery / Data Mapping process
In addition to fines, sanctions will include regular data protection audits. Data Discovery is therefore a key part of compliance as it helps to identify any sensitive data that is held. The process will determine what data you hold, whether it is secure and which elements should be encrypted. It will also assist in the removal or sanitisation of any data that is no longer required.
GDPR: key changes
Regulators will have the authority to issue penalties of up to 10 million Euros or 2 per cent of turnover for violations. In some cases this can increase to 20 million Euros or 4 per cent of an organisation’s gross global revenue.
Increased territorial scope
GDPR has been developed to establish a single set of data protection rules across the whole of the EU. It relates to all sizes and sectors of businesses.
Personal data
This is defined as any information relating to a person who can be identified, directly or indirectly. It includes names, identification numbers, location data and online identifiers, which include any factor relating to the physical, physiological, gender, economic, cultural or social identity of an individual.
Controllers and processors
GDPR identifies the responsibilities and duties of data controllers and processors and provides a specific approved code of conduct or an approved certification to demonstrate adherence. The controller/processor relationship must be documented and managed with contracts that mandate privacy obligations.
Consent
Under GDPR consent must be demonstrable. Organisations must be able to show how and when consent was given. It must also be possible for an individual to withdraw consent.
Mandatory breach reporting
Under the GDPR, the DPO (or assigned equivalent) will be under a legal obligation to notify the Supervisory Authority of any infringement of the regulations within 72 hours of detection.
Right to access
Individuals will be able to request to know how their data is processed and what information is held. Data Subject Access Requests (DSARs) must be executed without 'undue delay and at the latest within one month of receipt of the request'.
Right to be forgotten
An individual will have the right to have their data removed if that data is no longer required for the reasons for which it was collected.
Privacy impact assessments
The regulation mandates a 'risk-based approach' and, where appropriate, requires privacy impact assessments to be completed to evaluate this risk.
Privacy by Design
Data protection safeguards must be designed into products and services in the early stages of development.
Data Protection Officers
The GDPR requires a named individual to be responsible for meeting the requirements of GDPR. For larger organisations this will be a Data Protection Officer (DPO).
The General Data Protection Regulation (GDPR) is the directive that became law throughout the European Union on 25th May 2018.
It was designed to harmonise data privacy laws across Europe, and to improve the protection of personal data of all EU citizens. Encompassing all kinds of personal data from names and phone numbers to bank details and posts on social networking sites, GDPR has an extensive scope.
Despite the Brexit vote, GDPR will affect the UK because where EU personal data is processed, geographical boundaries do not apply. This means that UK organisations which hold any data belonging to an EU citizen will be legally required to adhere to the GDPR standard. But its reach goes further than that.
Although GDPR relates to the information held on EU citizens, its principles are being incorporated into British law through the new UK Data Protection Bill. Once approved by Parliament, this will become the new UK Data Protection Act (DPA), replacing the existing Data Protection Act 1998. So, effectively, GDPR is being enshrined in UK law, meaning that if an organisation is compliant with the new UK Data Protection Act 2018, it will satisfy the requirements of GDPR too. As and when the UK leaves the EU, the new DPA 2018 will replace GDPR.
The reason for GDPR
GDPR is intended to establish one single set of rules across Europe, making it mandatory to practise good information security and providing individuals with more control over their data.
This is because personal data is valuable, which means it is sadly inevitable that there are members of society who want to steal it. In most cases these thefts deliver financial rewards to criminals. Sometimes data is sold for illegal marketing purposes. But data theft can also be significantly more sinister: for example, taking control of information held about an individual, identity theft, or its use in terrorism.
What data is covered by GDPR?
The answer is everything. The definition of personal data is ‘any data relating to an individual, whether it relates to their private, professional or public life’.
This can be anything from a name, photo, email address, bank details, payment card number or mobile phone identifier (IMEI code) to a computer IP address. It even applies to posts on social networking sites. Also in scope is biometric data (face, fingerprints and voice recognition), DNA, IP addresses and mobile device identifiers. Many of these pieces of unique data are being considered by UK banks for authentication purposes; consequently, it is even more important that we protect them from unauthorised access.
How will GDPR affect UK organisations?
It may appear that meeting the requirements of GDPR will be a costly and time-consuming exercise, involving structural change, new business processes and complete control of data within a company.
With the right advice, however, the process can be done simply and cost-effectively, securing benefits for the business.
This is because the effect of the GDPR will be positive. Following the rules of GDPR will ensure your customer and third party data is secure. Being seen to follow these rules will also enhance your reputation with potential customers and business partners.
If, however, a breach occurs and your organisation is not adhering to GDPR, the maximum fine is 20 million Euros or 4 per cent of gross revenue. It is estimated that fines under GDPR have the potential to be 70 times higher than under previous legislation.