An introduction to GDPR

What is the fuss about?

Are you ready for it? The regulation comes into force in May 2018 and it’s going to be huge to borrow a trumped up term. The Regulation will increase the complexity of cyber security greatly. It’s a European Regulation, therefore legally binding, and will apply to most organisations worldwide that hold any personal data on any EU citizen. Brexit doesn’t change anything – we already know that the UK Government will implement the regulation. If you control or process data that includes the personal information of any EU citizen, then the regulation is likely to apply to your organisation. The exceptions are where organisations have an exemption – these apply in state security scenarios rather than for business size or purpose reasons. Outsourcing a process does not absolve you of responsibility for data you control.

Is GDPR the same as the Data Protection Act?

No. This is a considerable step up. The DPA was introduced before we had social media or digital business, and at a time when hacking was a computer geek’s hobby rather than a cyber criminal’s occupation. The term ‘identity theft’ didn’t exist and we didn’t live our lives online. GDPR goes well beyond data protection controls. It places data protection obligations on organisations supported by severe fines for failure (up to the greater of €20m or 4% of turnover) and mandatory data breach reporting. It gives consumers greater control over their data, including the right to correct it, to have it deleted or to withdraw consents previously given, all within relatively short timescales.

Will it be a problem for me?

This is quite possibly the biggest legislative change in any of our careers. Therefore, we would urge you to begin this process now. Most organisations with 250+ staff will need to appoint a Data Protection Officer. In order to meet the timelines of the regulation we would suggest early appointment of your DPO is critical so they can coordinate the overall plan of action.

The larger and more diverse the organisation, the more complex and challenging this activity becomes. And because risk is at the heart of the regulation (the standard mentions risk some 75 times) we believe that it is best managed by your risk management system. Proteus®GDPReady™ helps organisations become and remain compliant with the regulations, providing a roadmap for compliance with recommendations for immediate action.

Proteus-Cyber's Proteus®GDPReady™ software can help you:

• Perform enterprise wide online audits against the
  REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
• Guides you through the process with an integrated project plan
• Easily survey the business for processes using personal data
• Maintain a process/data mapping register (Article 30)
• Model your business processes
• Report your levels of compliance against the regulation
• Breach notification (Article 33)
• Identify non compliances and manage them with project plans
• Perform data privacy impact assessments (PIAa/DPIAs)
• Perform risk assessments against business processes with pre defined threats and vulnerabilities
• Maintain a register of assets, what data is on them and levels of data protection
• Cross reference your documents and controls against your business processes
• Graphically view your data flows across international borders
• Audit your data processors and make sure those suppliers are protecting your data properly
• Educate your staff with online privacy Awareness Training and create a security culture within your business
• Processor risk management for audits