GDPR & Data Privacy

GDPR Consulting

What is GDPR?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). Today, the EU definition of “personal data” is set out in the Data Protection Directive 95/46/EC. It defines personal data as “any information relating to an identified or identifiable natural person”

What does GDPR mean?

GDPR is different from the Data Protection Directive (DPD) or British Data Protection Act 1998. In that it does the following new actions:

• Ensure the safety and protection of personal data.
• Ensure individuals and businesses employ sufficient technological security measures
• Encourage easy data transfer throughout Europe (EU)
• Data breaches must be reported within the first 72 hours
• Sanctions will be imposed against those responsible for non-compliance with the law.

Our Methodology

• Governance
  • Deploying compliant data subject documentation;
  • Dealing with privacy notices, subject access request processes;
  • Staff training and awareness;
• Data Mapping
  • Data Protection Impact Assessment;
  • Identifying what data you have?;
  • Eliminating data archives you don't need?;
• Cyber Resilience
  • Incident response and data breach reporting processes;
  • Cyber security: make breaches much less likely.

Data Mapping

risk management experts will take you through a Data Mapping Exercise to identify, classify and discover the data in your organisation, providing pragmatic consultancy as they assess your data risk.

Benefits

• Independent validation of key data assets.
• A foundation for targeted and prioritised risk assessment and remediation.
• A practical and clear output providing you a data asset tracker and an executive report.
• A holistic view of the people, processes and technology of your data ecosystem.

Background

Cyber-attacks and the resulting data breaches are an ever increasing risk, leading to the exposure of company, customer and employee sensitive data. Regulatory controls are geared towards regulation as opposed to risk based assessments, and failure to comply can result in high financial penalties.

Many organisations do not have the means or methods to identify and locate all of the data they hold to assess.

A Data Mapping Exercise presents a perfect opportunity for organisations to understand what and where their key data assets are and enables them to take a practical approach to prioritising remediation.

Phased Approach

Our Data Mapping Exercise consists of four phases:

Identify

This phase helps to define and understand the data types you hold within your organisation. Through a series of interviews and questionnaires with key staff we will identify its location, which business processes handle or store sensitive data and the data types in use.

• What are your data categories - personal, financial, business operational or intellectual property
• What are your data sub categories (or elements)? Name, address, DOB, financial records?
• What format is it in? Emails, forms, letters, spreadsheets, application data or database records?
• What is it used for and how is it processed?

Classify

This phase determines how sensitive the data is based upon the damage that would be caused due to a breach of its confidentiality, integrity and availability. The result of this phase will be a measurement of the data’s sensitivity rating, enabling the organisation to classify its data and define its protection requirements.

• How sensitive is the data based on its confidentiality, integrity and availability?
• If lost, does it cause damage to individuals, business operations, or company reputation?
• Rate the data for its sensitivity and determine classification.

Discover

We will work together to discover where your data is stored and confirm who receives and processes it.

• Where is the data stored or transmitted and to whom?
• Is it on a local device, in a database, in an application, hosted in the cloud, or with a partner?

Report

Once the other phases are complete, we will provide you with a data inventory matrix showing your data categories, location and sensitivity.

• Generate a comprehensive sensitive data inventory matrix from the information gathered.
• Accompanying report summarising the findings and a way forward, creating a platform for a phrase two risk assessment.

Key Questions

A Data Mapping Exercise project would be a suitable course of action if you are unable to answer any of the key questions below:

• Do we know what is regarded as personal data?
• Do we know where our sensitive data assets are?
• Do we know what type of data assets we have?
• Do we know how sensitive and valuable our data assets are?
• Do we know which business processes handle and store our sensitive data?
• Are we managing the risks to personal data effectively in line with GDPR requirements?
• Are we able to effectively report on our level of compliance?
• Are we able to effectively conduct a response to a cyber incident?
• Are we able to effectively report a breach to the Information Commisions Office?

Our Experience

Having helped several people and organisations with GDPR we are highly experienced in giving the correct advice. GDPR is not a simple tick-the-box compliance exercise, and such advice and actions from other consultancies can be damaging! With more and more breaches announced in the media everyday GDPR has become critical in defending your customers privacy and personal data.

GDPR is more defence in-depth, or defensive design, to ensure that you have thought about data security and privacy pro-actively and incorporated security into the design and implementation of all your business processes. Our processes and documentation go beyond GDPR for dummies, as we give you specific helpful advice, and taylor your business requirements to become inline with GDPR policy.