GDPR Assessment

Are you ready for GDPR?

The General Data Protection Regulations (GDPR) come into effect on the 25th May 2018, and will bring existing EU legislation surrounding the use and processing of ‘personal data’ up to date.

The aim of the new rules is to ensure businesses are more open about how they use personal data, and what appropriate security measures they are taking to protect it. Increased transparency in these procedures will make sure that individuals who consent to their information being used are completely clear about what they are signing up for.

Helping you prepare...

Our data protection experts have devised a GDPR Awareness Workshop to give you access to everything you need to know. This covers:

  • A 90 minute presentation exploring the key aspects of GDPR
  • An insight into the less obvious implications for every business
  • A review of the potential impacts for your business
  • A Q&A session to remove any uncertainties you have

The workshop is provided free of charge – we’re intent on increasing awareness surrounding GDPR, not to mention the wider impacts it has on businesses of all shapes and sizes!

At the end of the workshop, you will have a clear understanding of:

  • What constitutes a ‘data breach’ – it covers more than you think!
  • How GDPR differs from the current protective rules
  • The principles of lawful data processing
  • Financial penalties for non-compliance
  • Where your business is currently at, and what your next steps should be

Book your Workshop

Reviewing your Processes

A Data Privacy Impact Assessment (DPIA) takes a structured approach to reviewing the various processes and data currently being used within your organisation. We’ve found this to be the most effective method of ensuring that likely risks are understood, appropriate remedial steps are undertaken and that your business operations ultimately comply with the new regulations.

As part of this assessment, we document the data-flows within your business, outline the privacy-related exposures and list the remedial activities being undertaken.


The output of a DPIA should provide:

  • A precise definition of each process and operation
  • A risk analysis relative to the ‘freedoms and rights of individuals’ – including the damage implications for an individual should their personal data be breached.
  • Clearly defined needs, proportionality and a legal basis for requiring the data
  • Counter-measures/activities to tackle the risks identified
  • Details of the compliance processes in place
  • A clear picture of how informed individuals are/can be about the above aspects

A DPIA provides clear evidence of the efforts a company has made to identify, assess and remedy any security risks to ‘personal data’. This is crucial in the event of an investigation by the Information Commissioner’s Office (ICO) – in certain circumstances, evidence of such an assessment is mandatory.

Book your Assessment

Managing your transition...

For most organisations, once they’ve got to grips with understanding the GDPR requirements and the Data Privacy Impact Assessment, the challenge falls into two categories:

  1. Technical - including system and documentation alterations, to make sure that these adhere to the new requirements.
  2. Mind-set - relating to ‘people processes’, it’s important to ensure those who’ll be conducting the procedures are up to speed with the new regulations, and will stick to them!

So, working through all the necessary processes to gauge the right approach for your business, our GDPR Project Management solution identifies the what, why, how and when for your program of changes – we look at the bigger picture and home in on how you can create a company-wide ‘Privacy by Design and Default’ culture.

The general approach we take is as follows:

  1. GDPR Awareness Workshop
  2. GDPR Data Privacy Impact Assessment
  3. Managed Support and Services


This method ensures that your next steps are identified in the appropriate order, enabling you to begin your journey to becoming GDPR-compliant immediately.

Following this initial stage, we can deliver a ‘Privacy by Design and Default’ program. This will help ensure that once we leave, the organisation continues to function in line with the core principles of the GDPR.

Find out more

Overseeing your operations...

For certain companies, there is an obligation to designate a Data Protection Officer (DPO). This individual will be responsible for overseeing the organisation’s compliance and Privacy Impact Assessments, so it’s essential that they also have direct access to the most senior management within the business.

A DPO is mandatory for:

  • Any public body that processes ‘personal data’
  • Organisations whose core activities require the regular and systematic monitoring of ‘personal data’ on a large scale
  • Companies whose main operations involve the large-scale processing of special categories of data. This includes information about race, ethnic origin, sexual orientation, religious beliefs, philosophical beliefs, political views and biometric data (e.g. DNA, fingerprints, photographic images) to name a few.

The nature of the role requires the person undertaking it to be impartial and able to work independently. As a result, the officer cannot be under the direction of either a delivery or functional department within the organisation – this typically prevents anyone from IT, operations, sales, marketing and HR from being able to hold the position. And, because IT often reports directly into finance, this also rules them out by proxy.

The DPO must:

  • Have clear and direct access to the most senior management within the organisation
  • Be accessible by ‘data subjects’ in the event of a complaint or Subject Access Request (SAR)
  • Be bound by confidentiality
  • Have no conflict of interest arising from other duties
  • Have a clear understanding of GDPR compliance
  • Be able to articulate the ‘Privacy By Design and By Default’ approach to all departments within an organisation
  • Have risk assessment and risk management skills
  • Ensure the necessary ‘data subject’ documentation and processes are in place

Fortunately for smaller companies or organisations lacking an existing employee who is able to take on the role, the GDPR framework explicitly allows the use of a third-party, independent individual to take on this role. And with our Accredited General Data Practitioner Regulation qualified staff, it’s a service we’re happy to provide on a part-time basis.

It’s important to remember that even for businesses that aren’t required to nominate a DPO, the same processes and considerations to privacy and security must still be applied.

Get in Touch

Protecting your business...

GDPR is not designed to prevent business – it has been devised to protect ‘personal data’.

Nevertheless, the regulations mean that more effort will need to be put into ‘mind-set’ changes, along with the necessary updates to IT systems and data handling processes. And whilst the 25th May 2018 is looming, becoming GDPR-compliant needn’t be a huge task for companies if the right approach is taken.

In the UK, the Information Commissioner’s Office (ICO) will be required to police GDPR compliance. It’s highly unlikely at this stage that the ICO will be knocking on doors and asking businesses to prove their compliance.

Instead – in line with the vast increase in financial penalties, the ability for individuals to make complaints and the requirement that companies directly declare any data breaches to the ICO themselves – its resources will be spent on investigating such infringements or complaints thoroughly.

It’s therefore vital that companies take the appropriate steps to cover their processes and protect personal data at all costs.

Discover how we can help

To enquire about our GDPR assessment service, please call 01524 581690 or fill out the form below: