our approach to GDPR

background

The GDPR data protection framework, ratified in May 2016, comes into force in May 2016. In summary, it builds on the objectives and principles of Directive 95/46/EC to create a stronger and more coherent data protection approach in the European Union (one with global reach). There are robust penalties for those organisations that fail to provide the appropriate security controls and measures.

In essence the EU is getting much tougher on entities that fail to safeguard EU citizen personal data.

Why should you care?

Organisations are now being warned that data breaches of EU citizens will no longer be tolerated, excuses will no longer be accepted and, very importantly, anyone processing personal data must prove that they have the necessary and effective controls in place, or else!

One continuing topic of confusion is the fines that can be levied: is it 2% or 4% of global annual turnover? Actually both are correct. A two-tiered sanctions regime will apply:

  • Higher rate levy - infringements of the Articles that law makers have deemed most important for data protection (5, 6, 7, 9, 12-22) carry the maximum administrative penalty: fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater
  • Lower rate levy - for other Article infringements (8, 11, 25-39, 42, 43), the authorities could impose a lower rate of penalty of up to €10m or 2% of global annual turnover: again, whichever is the greater

It is worth noting that the final bill may be considerably higher once the additional cost of a forensic investigation, the likely loss of clients, the potential for customer litigation and so on are taken into account, in addition to losing competitive advantage whilst diverting valuable resources to the remediation effort.

Penalties for GDPR infringements

Recent ICO financial penalty use case, when considering EU GDPR obligations

What should you do?

Time is running out for organisations to get a handle on what they must do to meet their responsibilities regarding the safety and security of personal data. There are key elements which they must address; this is a simple snapshot:

  • The new rules apply to the processing of personal information of EU citizens carried out by organisations operating within the EU. They also apply to organisations outside the EU that offer goods or services to EU citizens
  • Organisations with more than 250 staff will be required to appoint a Data Protection Officer (DPO), whether this person is an internal staff member or an external appointee
  • Data subjects will have more rights over your use of their data, e.g. consent for entities to process personal information must now be explicit
  • Focus is on both data controllers and data processors, with more severe fines for the former
  • A personal data breach must be notified to the appropriate supervisory authority within 72 hours. Additionally, where there is a high risk to individuals they must be notified “without undue delay”

How we can help

Our company is founded on trustworthiness, transparency and the continuing quality of our security services. We provide the assurance that organisations require to help them meet their regulatory, legislative and corporate responsibilities.

Our staff have held CISO (Chief Information Security Officer) posts at international organisations. We have a long history and considerable experience of advising organisations on how best to safeguard personal information.

We are able to use our data management skills, our information security experience and our technical abilities to create a data protection programme to ensure you meet your GDPR obligations.

Our approach

We take a 4-step approach to ensure that the assessment of GDPR preparedness is clear and straightforward, avoiding unnecessary complexity at all times.

Step 1 – Understanding your obligations

We assess the organisation's responsibilities and staff familiarity with data protection, and deliver any awareness training needed to ensure that staff fully understand their obligations and what GDPR means to your organisation. Additionally, we evaluate the need for a Data Protection Officer (DPO).

Step 2 – Identify PII

Data handling policies are examined for currency and completeness. We locate and assess your personal data, validating that data flows are correctly documented and align to business operations and needs. We then identify the owners of data repositories and systems that process PII.

Step 3 – Processes & controls

Once we are comfortable that handling procedures are effective, we conduct a ‘sweep’ of the infrastructure to review and evaluate the processes and maturity of technical cyber security controls. This is followed by a validation of the supporting information management, data protection and incident management functions. Where necessary we will advocate additional processes, controls and technologies to close any gaps uncovered during the previous steps. Additionally, follow-up training sessions (e.g. incident response) may be required.

Step 4 – Review & response

Once the appropriate remediation work (technical and procedural) and awareness is complete we are able to measure the effectiveness of controls and their maturity levels. This allows us to update the company risk register. We are then better placed to complete the design and implementation of an appropriate privacy reporting mechanism. Additionally, we can support the DPO (if required) in meeting all GDPR obligations.