What is GDPR?
Most organisations are aware that the new EU General Data Protection Regulation came into effect on 25th May 2018, and of the administrative fines that can be levied by the supervisory bodies if a data subject's rights are breached. The regulation provides a coherent personal data privacy law across all EU member states, and the Information Commissioner's Office (ICO) is the UK's supervisory authority for regulating it.
The focus of GDPR is on people: it protects their personally identifiable information (PII) and grants them rights over how their data is collected, stored and processed.
GDPR significantly changes the approach organisations must take to data privacy compliance. Businesses need to review their processes and procedures continually to ensure they remain compliant, and to be able to demonstrate that continuous compliance. They also need to be able to identify the risks to personal data and manage them accordingly.
Businesses need to develop a managed system or framework that includes governance practices, communication, and technical and risk controls for maintaining GDPR compliance.
GDPR – How can you demonstrate and maintain compliance?
Article 5 of the GDPR sets out accountability: being able to demonstrate how you have complied with the principles. Both the data controller and the data processor are responsible, and both must be able to prove compliance with all GDPR principles. Key ways to do this are demonstrating that robust processes and effective documentation are in place for handling PII. The recommendation is to have your organisation comply with recognised standards such as:
ISO 27001:2013 – an information security management system (ISMS) standard which can incorporate a personal information management system compliant with GDPR. It requires you to review and improve your systems constantly, and international certification is available.
Cyber Essentials and Cyber Essentials Plus – which help to demonstrate that you have put in place technical and organisational controls to meet GDPR Principle 6, Integrity and confidentiality (ensuring appropriate security), and Article 32, Security of processing. Cyber Essentials is recommended by the Information Commissioner and the National Cyber Security Centre as a good baseline to start from.
Additional measures to demonstrate compliance
Penetration Testing and Vulnerability Scans – these demonstrate that you have a process in place for regularly testing, assessing and evaluating the effectiveness of organisational measures for ensuring the security of processing, in line with GDPR Article 32.1 (d).
Data Breaches – you should make sure that you have the right procedures in place to detect, report and investigate a personal data breach. If you are a data controller or data processor for personal data whose breach could result in a risk to the rights and freedoms of individuals, or for special categories of personal data, then a Cyber Security Operations Centre (SOC) will continuously monitor your environment to detect and respond to threats, and help to identify negligent or criminal behaviour. You have a responsibility to identify security breaches involving personally identifiable information and to report them within 72 hours under the General Data Protection Regulation (GDPR).
GDPR Awareness Training – we can provide awareness training for your staff to help them understand the new EU GDPR regulations and the principles underlying them, what PII includes, the rights of data subjects, and what all of this means for their work. We can tailor this to your individual processes and procedures, and provide certificates to demonstrate compliance. In the event of a breach, the ICO will want to know where and how the breach happened and what training had been provided to the member of staff involved.