General Data Protection Regulation

What you should know

At CyberDefence, we can help you understand where you are with respect to the GDPR requirements, what you can put in place to protect personal data and help you design a data protection strategy that is future-proof.

Professional InfoSec Advisory Services

Privacy is really important for your business.
Data subject protection could be crucial for your organization.



General Data Protection Regulation - Key points

One of the new ambitions that the GDPR promotes is to give natural persons residing in the EU, the "data subjects", an increased level of control over their information. It also aims to improve the data protection environment by ensuring that data controllers and processors are safe custodians of data, through promoting behavioural change. The GDPR provides for enhanced supervision by increasing the powers of the regulator as champion of the data.

The initial requirements a business should look at in order to comply are:

Data protection by design

Controllers must implement appropriate technical and organisational measures and procedures to ensure that data processing safeguards the rights of the data subject by design. There are a few key steps to follow if a business does not want to embark on a full review and overhaul: minimise the data collected; do not retain data beyond its original purpose; and give the data subjects access to and ownership of that data.

Right to be forgotten

This is the right for consumers to erase their data. This is more far-reaching than a business might consider at first blush. A consumer or data subject can request to erase the data held by companies at any time and, if it has been passed on to any third parties (or third party websites), they would have to erase it as well.

Be aware of breach penalties

For serious infringements, the GDPR allows fines of up to EUR 20 million or 4% of total worldwide annual turnover (whichever is higher), which would be a serious chunk of the revenue of even the largest multinational companies.

Potential for brand damage

The potential for significant brand damage, litigation and media reporting of an incident is clear and could spell the end of a business overnight. If a personal data breach is likely to cause a high risk to the rights and freedoms of the data subjects, personal data breaches must be notified to the relevant data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties. So whether the data for 10 customers or 1,000,000 customers is lost, they would all have to be told.

Data Protection Officer

Important projects need owners. Under the GDPR, a data protection officer (DPO) is responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches and even creating a good data security policy. Businesses will need someone to act as the focal point in ensuring compliance with the GDPR, and will need to appoint DPOs sooner rather than later.


In order to be ready for the GDPR, entities will need to set their vision, agree their strategy and constitute their structures for achieving data protection and privacy operational change and compliance. These are not simply legal questions: getting ready for the GDPR requires multi-disciplinary skill sets. The CyberDefence team has all of those skill sets to provide an end-to-end solution to the challenges ahead.



Our Solutions for your business

GDPR Compliance Assessment

Services that can help you understand where you are positioned with respect to GDPR requirements.

CyberDefence can help you understand where your data assets are and what controls are in place to protect those assets.

We can help you conduct data asset inventory/mapping, data protection assessments, Data Privacy Impact Assessments (DPIA), gap analyses, risk assessments and overall evaluations of the data protection maturity within the organisation.

Enhancing Data Governance

Services that can help you build and customise your own governance approach to data protection.

CyberDefence can help you design your own program to improve data protection maturity within the organisation. Specific points in this design include:

"Adversaries have more tools at their disposal than ever before. They also have a keen sense of when to use each one for maximum effect. The explosive growth of mobile endpoints and online traffic works in their favor. They have more space in which to operate and more choices of targets and approaches."

Cisco 2017 Annual Cybersecurity Report

Information security is an important part of your business. When was the last time you evaluated the security of your organization?

Insider threats pose significant risks to your organization. According to the Verizon 2016 Data Breach Investigations Report, the actions of insiders are among the most difficult to detect and the majority of these incidents are taking months or longer to discover. The key to defending against this class of threats is to understand the who, the why, and the when. Let's look at those critical elements and what you can do to protect yourself.

Andrew Costis (LogRhythm)

The cybersecurity landscape is changing rapidly, making current and actionable guidance on the latest trends more important than ever.

CYBERSECURITY TRENDS REPORT, (ISC)²

What can I do NOW to prepare for the GDPR?

In order to provide clear guidance and a practical starting point, CyberDefence has compiled the following checklist to assist you in your move towards 2018 GDPR compliance.

1. Becoming Aware : Review and enhance your organisation's risk management processes - identify problem areas now.

2. Becoming Accountable : Make an inventory of all personal data you hold. Why do you hold it? Do you still need it? Is it safe?

3. Communicating with Staff : Review all your data privacy notices and make sure you keep service users fully informed about how you use their data.

4. Personal Privacy Rights : Ensure your procedures cover all the rights individuals are entitled to, including deletion and data portability.

5. How will Access Requests change? : Plan how you will handle requests within the new timescales - requests must be dealt with within one month.

6. Review the 'Legal Basis' : Are you relying on consent, legitimate interests or a legal enactment to collect and process the data?

7. Using Customer Consent as grounds to process data : Review how you seek, obtain and record consent, and whether you need to make any changes.

8. Processing Children's Data : Do you have adequate systems in place to verify individual ages and gather consent from guardians?

9. Reporting Data Breaches : Be ready for mandatory breach reporting. Make sure you have the procedures in place to detect, report and investigate.

10. Data Protection Impact Assessments (DPIA) and Data Protection by Design : Data privacy needs to be at the heart of all future projects.

11. Data Protection Officers: Make sure that you have someone who has the knowledge, support and authority to do the job effectively.

12. International Organisations and the GDPR : The GDPR includes a 'one-stop-shop' provision which will assist those data controllers whose companies operate in many member states. Identify where your Main Establishment is located in the EU in order to identify your Lead Supervisory Authority.


IMPORTANT

This document is purely for guidance, and does not constitute professional advice or legal analysis. All organisations that process data need to be aware that the General Data Protection Regulation will apply directly to them. The responsibility to become familiar with the Regulation and comply with its provisions from 25th May 2018 onwards therefore lies with the organisation. This guide is intended as a starting point only, and organisations may need to seek independent professional advice when reviewing or developing their own processes and procedures or dealing with specific legal issues or queries.