SRM's GDPR team
SRM's GDPR team provides a business-focused service to organisations of all types and sizes, at every point on the GDPR-readiness spectrum.
SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full DPO role.
At the outset we conduct a pre-audit-type exercise to establish your level of readiness, using a gap analysis to determine which areas need to be addressed. We then assist with any required remediation activities and establish a detailed action plan roadmap.
We are trusted by clients from all sectors. We are a cybersecurity supplier to HM Government and work with all types of organisation, including charities, large corporates and SMEs.
"The SRM GDPR team provides an outstanding service. They have a clear and business-driven strategy which ensures that all data is identified and mapped before providing a detailed roadmap for the next stages. They are highly professional and trustworthy and a joy to work with."
"We had been rather at a loss as to where to start with GDPR compliance, but the SRM GDPR team came in and provided clear direction which was focused on delivering effective compliance without trying to sell us products we didn't need. It is refreshing to work with such a professional outfit who really understood our organisation."
"We knew we needed to address the issue of GDPR compliance but were unsure as to where to best direct our investment in pursuing this end. The SRM GDPR team is superb. They took the time to work out exactly what we needed to become compliant and helped us to develop an achievable strategy to ensure that we remain compliant into the future. I couldn't recommend them highly enough."
SRM's approach to GDPR
Analyse: With GDPR’s focus on risk analysis, we use advanced scanning techniques to identify sensitive cardholder data, with the capability to scan for over 100 types of PII and cardholder data across hundreds of data targets. The technology is built to allow an organisation to identify, remediate and then monitor its data from a single endpoint. Using built-in scheduling and real-time alerting, data is kept secure while monitoring becomes an integrated part of the company’s business-as-usual practices.
Assist with a data mapping exercise to determine:
- what data you hold
- where it is
- why you have it
- when it is to be destroyed, and what is in place to protect it
Evaluate information security risks, taking into account the impact of the threats and vulnerabilities facing the company.
Amend or design and implement a comprehensive suite of information security controls, appropriate documentation and other forms of risk management to address the company's security risks.
Adopt an overarching management process to ensure that the information security controls meet the organisation's information security needs, and those of the GDPR, on an ongoing basis.
Investigate: In the event of a data breach, SRM has a fully accredited forensics lab that is able to assist in any investigation. We can also handle communications with the relevant bodies, should the worst happen. Planning how to handle an incident is a key part of any information security programme, and SRM has a wealth of experience in running exercises and working with policy makers to ensure that the impact on the business is minimised.
GDPR: next steps
Board level involvement
GDPR compliance is not simply the remit of the IT department. It affects all aspects of a business, and board-level involvement is essential to ensure that the process runs smoothly, with adequate support and resources.
Appointment of a Data Protection Officer
GDPR requires a named individual to be responsible for compliance. As a guide, for most organisations with more than 250 members of staff this will be a resident Data Protection Officer (DPO). In other organisations the role will usually be taken by whoever holds the CISO brief. To hold responsibility for GDPR compliance in-house, the named individual will need expert knowledge of data protection law, the ability to carry out the required risk-based assessment and the capability to fulfil all the tasks referred to in the regulation. The alternative is an external person who is contracted to take on the role as a service.
Plan for Mandatory Reporting
Under GDPR, the DPO will be under a legal obligation to notify the Supervisory Authority of any infringement of the regulations within 72 hours of detection. Responding to a crisis as it unfolds will not be sufficient: a planned, strategic approach needs to be in place to ensure that efficient reporting systems exist before an incident occurs. It is also worth noting that under the new regulation any third parties which process data on someone else’s behalf will be just as accountable as the data controller.
Implement a Data Discovery / Data Mapping process
In addition to fines, sanctions will include regular data protection audits. Data discovery is therefore a key part of compliance, as it helps to identify any sensitive data that is held. The process will determine what data you hold, whether it is secure and which elements should be encrypted. It will also assist in the removal or sanitisation of any data that is no longer required.
GDPR: key changes
Regulators will have the authority to issue penalties of up to 10 million Euros or 2 per cent of turnover for violations. In some cases this can increase to 20 million Euros or 4 per cent of an organisation’s gross global revenue.
Increased territorial scope
GDPR has been developed to establish a single set of data protection rules across the whole of the EU. It relates to all sizes and sectors of businesses.
Personal data is defined as any information relating to a person who can be identified, directly or indirectly. It includes names, identification numbers, location data and online identifiers, as well as any factor relating to the physical, physiological, gender, economic, cultural or social identity of an individual.
Controllers and processors
GDPR identifies the responsibilities and duties of data controllers and processors and provides a specific approved code of conduct or an approved certification to demonstrate compliance. The controller/processor relationship must be documented and managed with contracts that mandate privacy obligations.
Under GDPR consent should be demonstrable. Organisations must be able to show how and when consent was given. It must also be possible for an individual to withdraw consent.
Under the GDPR, the DPO (or assigned equivalent) will be under a legal obligation to notify the Supervisory Authority of any infringement of the regulations within 72 hours of detection.
Right to access
Individuals will be able to request to know how their data is processed and what information is held. Data Subject Access Requests (DSARs) must be executed without ‘undue delay and at the latest within one month of receipt of the request’.
Right to be forgotten
An individual will have the right to have their data removed if that data is no longer required for the reasons for which it was collected.
The regulation mandates a ‘risk-based approach’ and, where appropriate, requires privacy impact assessments to be completed to evaluate this risk.
Privacy by Design
Data protection safeguards must be designed into products and services in the early stages of development.
Data Protection Officers
The GDPR requires a named individual to be responsible for compliance. For larger organisations this will be a Data Protection Officer (DPO).
The General Data Protection Regulation (GDPR) is the directive that is due to become law throughout the European Union on 25th May 2018.
It was designed to harmonise data privacy laws across Europe, and to improve the protection of personal data of all EU citizens. Encompassing all kinds of personal data from names and phone numbers to bank details and posts on social networking sites, GDPR compliance has an extensive scope.
Despite the Brexit vote, GDPR will affect the UK because where EU personal data is processed, geographical boundaries do not apply. This means that UK organisations which hold any data belonging to an EU citizen will be legally required to comply with the GDPR standard. But its reach goes further than that.
Although GDPR relates to the information held on EU citizens, its principles are being incorporated into British law through the new UK Data Protection Bill. Once approved by Parliament, this will become the new UK Data Protection Act (DPA), replacing the existing Data Protection Act 1998. So, effectively GDPR is being enshrined in UK law meaning that if an organisation is compliant with the new UK Data Protection Act 2018, it will be GDPR compliant too. As and when the UK leaves the EU the new DPA 2018 will replace GDPR.
The reason for GDPR
GDPR is intended to establish one single set of rules across Europe, making it mandatory to practise good information security and providing individuals with more control over their data.
This is because personal data is valuable, which means it is sadly inevitable that there are members of society who want to steal it. In most cases these thefts deliver financial rewards to criminals. Sometimes data is sold for illegal marketing purposes. But data theft can also be significantly more sinister: for example, taking control of information held about an individual, identity theft, or its use in terrorism.
What data is covered by GDPR?
The answer is everything. The definition of personal data is ‘any data relating to an individual, whether it relates to their private, professional or public life’.
This can be anything from a name, photo, email address, bank details, payment card number or mobile phone identifier (IMEI code) to a computer IP address. It even applies to posts on social networking sites. Also in scope is biometric data (face, fingerprint and voice recognition), DNA, IP addresses and mobile device identifiers. Many of these pieces of unique data are being considered by UK banks for authentication purposes, and consequently it is even more important that we protect them from unauthorised access.
How will GDPR affect UK organisations?
It may appear that GDPR compliance will be a costly and time-consuming exercise, involving structural change, new business processes and complete control of the data within a company.
With the right advice, however, the process can be completed simply and cost-effectively, securing real benefits for a compliant business.
This is because the effect of GDPR compliance will be positive. Compliance will ensure that your customer and third-party data is secure. Being seen to comply with GDPR will also enhance your reputation with potential customers and business partners.
If, however, a breach occurs and your organisation is non-compliant, the maximum fine is 20 million Euros or 4 per cent of gross revenue. It is estimated that fines under GDPR have the potential to be 70 times higher than under previous legislation.