The first step towards compliance with the European Union General Data Protection Regulation (GDPR) is to assess whether the GDPR applies to your organisation, and, if so, to what extent. This analysis starts with understanding what data you have and where it resides. How prepared are you?
Cordon Sanitaire covers the extra-territorial scope of the GDPR in conjunction with our US partner company 'TaskCentral'. This enables us to address the demands of both local European organisations and multi-nationals.
Preparing for the GDPR is complex. We recommend customers approach the regulation by focusing on an overall set of key controls and capabilities. These can be summarised in four vital areas: Discover, Manage, Protect, and Report.
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
A Privacy Impact Assessment will help identify whether your organisation holds such data—in customer databases, in feedback forms filled out by your customers, in email content, in photos, in CCTV footage, in loyalty programme records, in HR databases, or anywhere else—or wishes to collect it. If that data belongs or relates to EU residents, you need to comply with the GDPR. Note that personal data does not need to be stored in the EU to be subject to the GDPR: the GDPR applies to data collected, processed, or stored outside the EU if the data is tied to EU residents.
To understand whether the GDPR applies to your organisation and, if it does, what obligations it imposes, it is important to inventory your organisation’s data. This will help you to understand which data is personal data, to identify the systems where that data is collected and stored, and to understand why it was collected, how it is processed and shared, and how long it is retained.
The GDPR provides data subjects—individuals to whom data relates—with more control of how their personal data is captured and used. Data subjects can, for example, request that your organisation provides information on the processing of data that relates to them, transfer their data to other services, correct mistakes in their data, or restrict certain data from further processing in certain cases. In some cases, these requests must be addressed within fixed time periods.
To satisfy your obligations to data subjects, you will need to understand what types of personal data your organisation processes, how, and for what purposes. A data inventory and process map is a first step to achieving this understanding. Data Protection Impact Assessments (DPIA) are the starting point.
Once that inventory is complete, it provides the clarity needed to develop and implement a data governance plan. A data governance plan can help you define policies, roles, and responsibilities for the access, management, and use of personal data, and can help you ensure your data handling practices comply with the GDPR. For example, a data governance plan can give your organisation confidence that it effectively respects data subject requests to delete or transfer data.
The GDPR raises the bar on the importance of information security. It requires that organisations take appropriate technical and organisational measures to protect personal data from loss, unauthorised access, or disclosure.
Data security is a complex area. There are many types of risk to identify and consider—ranging from physical intrusion or rogue employees to accidental loss or hackers.
Building risk management plans and taking risk mitigation steps, such as password protection, audit logs, and encryption, can help you ensure compliance.
The GDPR sets new standards in transparency, accountability, and record-keeping. You will need to be more transparent about not only how you handle personal data, but also how you actively maintain documentation defining your processes and use of personal data.
Processing personal data requires keeping records about the purposes of processing; the categories of personal data processed; the identity of third parties with whom data is shared; whether (and to which) third countries personal data is transmitted, and the legal basis of such transfers; organisational and technical security measures; and the data retention times applicable to the various datasets.
One way to achieve this is using auditing tools, which can help to ensure that any processing of data—whether it be collection, use, sharing, or otherwise—is tracked and recorded.
You will receive a report that provides a status appraisal and recommendations to reduce your cyber and compliance risk across the following key areas:
The GDPR engagement identifies technologies and additional steps that organisations can implement to simplify their GDPR compliance efforts. The application of GDPR is highly fact-specific. We encourage all organisations to engage our process with a legally qualified professional to discuss how GDPR applies specifically to their organisation and how best to ensure compliance.
For larger organisations, a separate quotation will be determined by:
For small and medium enterprise (SME) organisations we provide a fixed price for a single site, based on a three-day consultative engagement with a remote vulnerability assessment and a fixed GDPR assessment scope as outlined above.