How prepared are you?
VBC also addresses the demands GDPR is placing on Small and Medium Enterprise (SME) organisations with the GDPR Fundamentals scheme. GDPR Fundamentals is a UK accredited scheme designed for SMEs by QG Management, one of the UK Government accreditation bodies for Cyber Essentials. It is an end-to-end framework tailored to SMEs, available in 3 tiers depending on the size of your organisation, and concludes in GDPR Readiness Certification.
Preparing for the GDPR is complex. We recommend customers approach the regulation by focusing on an overall set of key controls and capabilities. These can be summarised in four vital areas: Discover, Manage, Protect, and Report.
DISCOVER: Identify what personal data you have and where it resides
The first step towards GDPR compliance is to assess whether the GDPR applies to your organisation, and, if so, to what extent. This analysis starts with understanding what data you have and where it resides.
Action: Does the GDPR apply to my data?
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
A Privacy Impact Assessment will help identify whether your organisation holds such data—in customer databases, in feedback forms filled out by your customers, in email content, in photos, in CCTV footage, in loyalty program records, in HR databases, or anywhere else—or wishes to collect it. If it does, and the data belongs or relates to EU residents, then you need to comply with the GDPR. Note that personal data doesn’t need to be stored in the EU to be subject to the GDPR—the GDPR applies to data collected, processed, or stored outside the EU if the data is tied to EU residents.
Outcome: Building your inventory
To understand whether the GDPR applies to your organisation and, if it does, what obligations it imposes, it is important to inventory your organisation’s data. This will help you to understand what data is personal data, to identify the systems where that data is collected and stored, and to understand why it was collected, how it is processed and shared, and how long it is retained.
MANAGE: Govern how personal data is used and accessed
The GDPR provides data subjects—individuals to whom data relates—with more control of how their personal data is captured and used. Data subjects can, for example, request that your organisation provides information on the processing of data that relates to them, transfer their data to other services, correct mistakes in their data, or restrict certain data from further processing in certain cases. In some cases, these requests must be addressed within fixed time periods.
Action: Do you understand what types of personal data your organisation processes?
To satisfy your obligations to data subjects, you will need to understand what types of personal data your organisation processes, how, and for what purposes. A data inventory and process map is a first step to achieving this understanding. Data Protection Impact Assessments (DPIA) are the starting point.
Outcome: Data Governance Planning
Once that inventory is complete, it provides the clarity needed to develop and implement a data governance plan. A data governance plan can help you define policies, roles, and responsibilities for the access, management, and use of personal data, and can help you ensure your data handling practices comply with the GDPR. For example, a data governance plan can give your organisation confidence that it effectively respects data subject requests to delete or transfer data.
PROTECT: Establish security controls to prevent, detect and respond to vulnerabilities and data breaches
GDPR raises the bar on the importance of information security. It requires that organisations take appropriate technical and organisational measures to protect personal data from loss or unauthorized access or disclosure.
Action: Have you identified and considered all the risks?
Data security is a complex area. There are many types of risk to identify and consider—ranging from physical intrusion or rogue employees to accidental loss or hackers.
Outcome: Risk Impact Assessment
Building risk management plans and taking risk mitigation steps, such as password protection, audit logs, and encryption, can help you ensure compliance.
REPORT: Execute on data requests, report data breaches and keep required documentation
The GDPR sets new standards in transparency, accountability, and record-keeping. You will need to be more transparent about not only how you handle personal data, but also how you actively maintain documentation defining your processes and use of personal data.
Processing personal data requires you to keep records of: the purposes of processing; the categories of personal data processed; the identity of third parties with whom data is shared; whether (and which) third countries personal data is transmitted to, and the legal basis of such transfers; the organisational and technical security measures in place; and the data retention times applicable to the various datasets.
Outcome: Track & Record Flows of Personal Data into and out of your organisation.
One way to achieve this is using auditing tools, which can help to ensure that any processing of data—whether it be collection, use, sharing, or otherwise—is tracked and recorded.
You will receive a report that provides a status appraisal and recommendations to reduce your cyber and compliance risk across the following key areas:
- GDPR readiness maturity Scorecard leveraging Data Protection Impact Assessment & Risk Impact Assessments
- Detailed remediation checklist
- Remediation roadmap and next steps
- Recommendations for people, process and technical controls
- Business ready scorecard to monitor progress
The GDPR engagement identifies technologies and additional steps that organisations can implement to simplify their GDPR compliance efforts. The application of GDPR is highly fact-specific. We encourage all organisations to engage our process with a legally qualified professional to discuss how GDPR applies specifically to their organisation and how best to ensure compliance.
For larger organisations, a separate quotation will be determined by:
- Number of sites
- Number of IPs and web applications in scope for any vulnerability scans
- Number of employees and languages for personnel assessments
For Small and Medium Enterprise organisations, we provide a fixed-price GDPR Fundamentals workshop engagement. The output gives you visibility of your organisation-specific GDPR roadmap, from which you can decide to:
- Kick off a program you execute in-house.
- Engage us to provide structured support.
- Commission a full end-to-end engagement whereby we work in-house with you.
The end result of each of these is GDPR Fundamentals Certification.
*Visit the Microsoft GDPR site for full details of Microsoft’s commitment to GDPR cloud and services compliance.