GDPR and GDPR Compliance

What is GDPR?

Most organisations are aware that the new EU General Data Protection Regulation comes into effect on 25th May 2018, and of the administrative fines that the supervisory authorities can levy if a data subject's rights are breached. The regulation provides a single, coherent personal data privacy law across all EU member states; the Information Commissioner's Office (ICO) is the UK's supervisory authority for enforcing it.

The focus of GDPR is on people: it protects their personally identifiable information (PII, which the regulation itself calls "personal data") and grants them rights over how that data is collected, stored and processed.

The GDPR will significantly change the approach organisations take to data privacy compliance. Businesses should be preparing now so that they are compliant when the GDPR comes into effect on 25th May, and so that they can manage the associated risks.

Importantly, not only do businesses have to initially comply with GDPR, but they must be able to demonstrate continuous compliance.

Businesses need a managed system or framework, covering governance practices, communication, and technical and risk controls, for maintaining GDPR compliance over time.

GDPR – How can you demonstrate and maintain compliance?

Principle 7 of the GDPR is Accountability: being able to demonstrate how you have complied with the other principles. Both the data controller and the data processor carry obligations, and the controller in particular must be able to show compliance with all of the GDPR principles (Article 5(2)). The key ways to do this are to demonstrate that robust processes and effective documentation are in place for handling PII. Our recommendation is to have your organisation comply with recognised standards such as:

ISO 27001:2013 - an information security management system (ISMS) standard, which can incorporate a personal information management system aligned with GDPR. It requires you to continually review and improve your systems, and independent certification is available internationally.

Cyber Essentials and Cyber Essentials Plus - which help to demonstrate that you have put in place the technical and organisational controls needed to meet GDPR Principle 6, Integrity and confidentiality (appropriate security), and Article 32, Security of processing.

Additional measures to demonstrate compliance

Penetration Testing and Vulnerability Scans help to demonstrate that you have "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing", as required by GDPR Article 32(1)(d). Note the word "process": a single scan is not enough on its own; the evidence the ICO will look for is a regular schedule, the reports, and the record of findings being tracked through to remediation and re-test.

Data Breaches - you should make sure that you have the right procedures in place to detect, report and investigate a personal data breach. Under the GDPR you have a responsibility to identify security breaches involving personal data and, where the breach is likely to result in a risk to the rights and freedoms of individuals, to report them to the supervisory authority within 72 hours of becoming aware of them (Article 33); a processor must notify its controller without undue delay. If you are a Data Controller or Data Processor for personal data of that kind, or for special categories of personal data, a Cyber Security Operations Centre (SOC) can continuously monitor your environment to detect and respond to threats, and help to identify negligent or criminal behaviour. Bear in mind that the 72-hour clock starts when you become aware of the breach, so the speed at which you detect an incident is as important as the speed at which you report it.

GDPR Awareness training - we can provide awareness training for your staff which will help them to understand the new EU GDPR, the principles underlying it, what PII includes, the rights of data subjects, and what all of this means for their day-to-day work. We can tailor this to your individual processes and procedures and provide certificates as evidence of the training delivered. In the event of a breach, the ICO will want to know where and how the breach happened and what training had been provided to the member of staff involved.

QG GDPR Fundamentals

QG Management, our accreditation body for Cyber Essentials, has devised a standard to assist organisations in complying with the new requirements. It has been written using the principles of the General Data Protection Regulation (Regulation (EU) 2016/679).

The QG GDPR Fundamentals scheme is recommended for organisations looking for a foundation-level GDPR management system, and is mainly applicable to SMEs whose business systems are straightforward and consistent.

The process involves completing the QG GDPR Fundamentals Questionnaire, which has 17 requirements. These cover: a data protection policy; data protection objectives; consent; collection, processing and safeguarding of personal data; data subject requests for access, data portability, restriction of processing and erasure; use of profiling; training and awareness; complaints; and management review and audits.

How much does QG GDPR Fundamentals Cost?

For organisations with more than 250 staff that process personal data which could result in a risk to the rights and freedoms of individuals, special categories of personal data, OR data on criminal convictions and offences:

  • Assessment £600 + VAT
  • GAP analysis based on one day on site plus reporting  £850 + VAT
  • Assistance with implementation £650 + VAT per day

For organisations with fewer than 250 staff that process personal data which could result in a risk to the rights and freedoms of individuals, special categories of personal data, OR data on criminal convictions and offences:

  • Assessment ( Micro £300, Small £400, Medium £500) + VAT
  • GAP analysis based on one day on site plus reporting  £850 + VAT
  • Assistance with implementation £650 + VAT per day

For organisations that employ more than 250 staff but do not process personal data which could result in a risk to the rights and freedoms of individuals, and do not process special categories of personal data OR data on criminal convictions and offences:

  • Assessment ( Micro £300, Small £400, Medium £500) + VAT
  • GAP analysis based on one day on site plus reporting  £850 + VAT
  • Assistance with implementation £650 + VAT per day

Ready to discuss your specific requirements?

© Securious Cyber Security 2018. All rights reserved.

Registered in England and Wales: 06337870