GDPR and Cyber Security

EU General Data Protection Regulation (GDPR)

The new General Data Protection Regulation (GDPR) enhances the rights of individuals over how their personal data is collected, processed, corrected and erased. The ICO has been given new investigative, corrective and advisory powers and can enter your business to perform a DPA (Data Protection Audit) with little or no notice.

Should a breach occur, the ICO has two levels of administrative fines, the highest being up to €20m or 4% of your business's annual turnover. In addition, the result of the Vidal-Hall vs Google case means that claimants can be awarded damages for ‘distress’ despite there being no pecuniary loss. The deadline for compliance is currently 25th May 2018.

We surveyed delegates at the 2016 National Information Security Conference (NISC) and asked them why they thought that compliance with the GDPR would be hard to achieve. 43% stated lack of resources.

How We Can Help

Sapphire provides a range of consultative services to help you achieve compliance with the GDPR within the deadlines provided.

Gap Analysis

Sapphire will carry out a full Gap Analysis against the GDPR requirements and offer the client a compliance matrix, which will be the basis for developing a GDPR Improvement Plan.

Improvement Plan & Governance

Sapphire will develop a GDPR Improvement Plan to allow the company to meet its GDPR requirements. On completion of the plan, Sapphire will facilitate governance meetings with key stakeholders to monitor the company's progress towards GDPR compliance.

Documentation

Sapphire can assist in the creation of the documentation required for GDPR compliance (e.g. Data Protection Policy, Training Policy, Fair Processing Procedure, Subject Access Request Procedure, Privacy Impact Assessment Procedure, plus 20 more documents).

DPO as a Service

The DPO role is similar to, but not the same as, that of a Compliance Officer, as companies are expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data.

The skill set required stretches beyond understanding legal compliance with data protection laws and regulations. Monitoring of DPOs will be the responsibility of the Regulator rather than the Board of Directors of the organisation that employs the DPO.

GDPR At A Glance: Increased Rights for Individuals
  • Individuals will have the right to request that businesses delete their personal data in certain circumstances, for example, if they withdraw their consent for processing – also known as the right to be forgotten.
  • There will be a right for individuals to request a copy of their personal data in a commonly used portable electronic format.
  • Consent means a clear statement or affirmative action which is freely given, specific, informed and unambiguous.
  • The timeframe for responding to subject access requests is being reduced to one month and the £10 fee is being removed. However, you can charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive.
  • There are stricter rules surrounding consent – it must be verifiable and silence or the use of pre-ticked boxes does not constitute consent.
  • The GDPR also contains new provisions enhancing the protection of children’s personal data by requiring parental/guardian consent to processing.

      Source: Muckle LLP

GDPR At A Glance: Changes for Data Controllers
  • Accountability is not a new concept; however, the GDPR formalises it. Accountability means being able to demonstrate compliance and being transparent. There are a number of new, relatively onerous accountability obligations regarding maintaining documentation, conducting a data protection impact assessment in certain situations and implementing the concept of privacy by design for certain data controllers. There is also a mandatory requirement to designate a data protection officer for certain organisations.
  • Data breaches must be notified in most circumstances (rather than just serious breaches, as at present). There is also a 72-hour deadline unless the breach is unlikely to result in risk to individuals’ rights.
  • Data processors will have direct legal obligations and responsibilities which may impact service costs.

      Source: Muckle LLP


GDPR Requirements

When processing data an organisation must be aware of:

  • Lawfulness, Fairness and Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality
  • Accountability

The last principle, Accountability, means that an organisation has to be able to demonstrate that all of the above principles have been addressed.

Find Out More

For further information around how we can help you to achieve GDPR compliance, please contact info@sapphire.net.

Let’s talk

For greater visibility and control, don’t hesitate to get in touch. We’d be delighted to hear from you!