Data protection (regulation and act)
The spirit of the General Data Protection Regulation (GDPR) is the protection of personal data of a natural person.
GDPR focuses on providing both privacy and protection of personal data. Whilst the majority of the market focuses on the former via legal policy and audit of legacy data, the Acuity Compliance Management System (ACMS) ensures that both aims are addressed, thereby avoiding the potential risk of negligence. We ensure that the administrative control requirements of GDPR, including security, are met by delivering immediate, sustainable change based upon an ICO approved ISO27001 information security platform.
GDPR requires the mapping of personal data types across the business with a view to identifying the relationship the business has with each type – either as internal controller or processor. This will provide an in-depth understanding of how and why personal data is accepted into the business and of the treatment of that personal data throughout the business once it is received.
Our data mapping will identify the logical and physical containers. It will also identify where the data moves within the organisation, and whether or not it is shared with others.
Risks arise in three pillars:
Protection and security of the personal data
Addressed by an organisation's alignment to ISO27001 good practice guidance. ISO27001 will establish up to 114 controls that will protect the information that resides in the logical and physical containers. That programme may need to be uplifted where specific GDPR requirements exceed those of the ISO27001 controls.
The other two pillars
Approached by a mapping exercise of the GDPR requirements. This will enable you to identify the articles, as defined by the recitals, and where fines are specifically associated with those recitals. This will help you to prioritise which procedures need to be addressed first.
Policies, Controls & Procedures
These will ensure the protection of the data and the mitigation of fines under the GDPR. Once all procedures for the pillars of risk are written, you will be able to leverage the ISO27001 framework and establish an Enterprise Risk Management (ERM) inclusion for the board.
Complete your Privacy Impact Assessments (PIA), which will define the ‘Value’ of the personal data you are holding.
Integrate the PIAs into a Data Protection Impact Assessment (DPIA), which will help define the overall risks and the assignment of Controls / Procedures.
GDPR will not stop at May 2018; your work will continue onwards after May 2018. It would be right to raise the budgeting challenge for post-May now, as this may require administrative procedures that support your ongoing business-as-usual needs.
Key risks in terms of resource relate especially to your supply chain and regional offices. The work involved in reviewing supplier agreements and ensuring the security of your data once it has been shared will be extensive.