General Data Protection Regulation (GDPR)

GDPR Compliance Services

The General Data Protection Regulation (GDPR) comes into force in May 2018 with maximum penalties for non-compliance of 4% of annual revenue or €20 million, whichever is the higher. Data protection therefore becomes a board-level responsibility for many UK businesses, and the challenges associated with better data protection and data processing methods will require a fundamental change to the security operations deployed.
Unfortunately, GDPR compliance is not an easy-to-follow guide but an on-going process. Its impact is organisation-wide (business process, legal, governance, people and training).

Introducing GDPR Compliance as a Service

We offer a complete service for a monthly charge which covers:
  • An initial GDPR Assessment
  • Remediation Services
  • GDPR Approved Documentation
    – Regularly scheduled mandatory reports, as required by GDPR
    – Demonstrate your company’s “best efforts” to comply
  • Ongoing GDPR Compliance
    – Regular, automated network scans detect and document any ongoing issues
This is a cloud-based service with a local appliance that provides regular scheduled internal network scans to find Personally Identifiable Information, and external scans to identify vulnerable IP addresses. All the required GDPR documentation is produced to demonstrate continuous improvement, including:

GDPR Primary Documents

GDPR Auditor Checklist

The GDPR Auditor Checklist gives you a high-level overview of how well the organisation complies with the GDPR provisions. The checklist details specific compliance items, their status, and helpful references. Use the checklist to quickly identify potential issues to be remediated in order to achieve compliance.

ISO 27001-2013 Auditor Checklist

The ISO 27001 Auditor Checklist gives you a high-level overview of how well the organisation complies with ISO 27001-2013. The checklist details specific compliance items, their status, and helpful references. Use the checklist to quickly identify potential issues to be remediated in order to achieve compliance.

EU GDPR Policies and Procedures

One of the first requirements is to have a set of policies and procedures used to implement Personal Data security and compliance with GDPR. Some organisations don’t have a set of data protection policies – or at least one that conforms to GDPR provisions. The service provides an “out of the box” version of policies and procedures for GDPR for use by those organisations.

ISO 27001 Policies and Procedures

Guidance suggests that compliance with ISO 27001 can be used as a means to demonstrate technical compliance with the information security aspects of GDPR. The service provides an “out of the box” version of policies and procedures for ISO 27001 for use by your organisation. These work in tandem with our GDPR P&P.

Risk Treatment Plan

Based on the findings in the GDPR Compliance Assessment, the organisation must create a Risk Treatment Plan with the tasks required to minimise, avoid, or respond to risks. Beyond gathering information, the GDPR Compliance Service provides a risk-scoring matrix that an organisation can use to prioritise risks, allocate money and resources appropriately, and ensure that issues identified are issues solved. The Risk Treatment Plan defines the strategies and tactics the organisation will use to address its risks.

Data Protection Impact Assessment

The Data Protection Impact Assessment (DPIA) is the foundation for the entire GDPR compliance and IT security program. The DPIA identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of Personal Data at rest and/or during its transmission.

GDPR Evidence of Compliance

Compiles compliance information from automated scans, augmented data, and questionnaires. Gathers the evidence into one document to back up the Auditor Checklists with real data.

GDPR Supporting Documents

External Port Use Worksheet

This worksheet allows you to document business justifications for all of the allowed external ports, the protocol configured to use a specific port, and the documentation of any insecure configurations implemented and in use for a given protocol.

User Access Review Worksheet

The User Access Worksheet is used to augment the user data that was collected during the internal network scan. Complete the worksheet to provide the additional information requested.

Asset Inventory Worksheet

The Asset Inventory Worksheet is used to augment the asset data that was collected during the internal network scan. Details include the asset owner, acceptable use, environment, backup agent status, as well as device and sensitive information classification. The Sensitive Information Classification is used to determine the risk to the organisation in the event of a security incident where the asset’s information is compromised.

GDPR Compliance Questionnaire

The GDPR Compliance Questionnaire will collect information about the network and environment that cannot be discovered through automated scans. This includes information about the Data Protection Officer, principles relating to processing of personal data, privacy policies, and third-party information processors.

ISO 27001 Compliance Questionnaire

Guidance suggests that compliance with ISO 27001 can be used as a means to demonstrate technical compliance with information security aspects of GDPR. This questionnaire will collect information required to demonstrate ISO 27001 compliance that cannot be discovered through automated scans.

Site Walkthrough Checklist

Assess the physical security and the workplace environment as it relates to information security. The worksheet will guide you through your assessment of the physical security. It is best done on-site, as it requires identifying risks that may currently exist in the client’s environment outside the computer network itself.

Personal Data Scan System Selection Worksheet

Understanding where you have Personal Data is an important component of GDPR compliance. The Personal Data Scan System Selection Worksheet allows you to specify which systems are scanned for Personal Data during the assessment process. A comprehensive scan should be performed regularly to help identify and document all potential locations for Personal Data, as defined by GDPR.

Personal Data Validation Worksheet

During the Personal Data scan performed by the GDPR Compliance Service, suspected Personal Data may be detected in files stored on network and stand-alone computers. The Personal Data Validation Worksheet report presents a record of which computer files were verified by a participant in the GDPR assessment process as containing actual instances of Personal Data.

External Vulnerability Scan Detail by Issue

Detailed report showing security holes, warnings and informational items, including CVSS scores, as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.

Internal Vulnerability Scan Detail by Issue

Detailed report showing security holes, warnings and informational items, including CVSS scores, as scanned from inside the target network. Closing internal vulnerabilities helps prevent both external attackers who have got inside the network and internal users from exploiting weaknesses that are normally only protected by external firewalls.

To maintain GDPR compliance, in addition to conducting regular audits, an effective multi-layered and multi-vector security strategy will need to be implemented that will enable you to:
Protect the perimeter – deploy next-generation firewalls to reduce the network’s exposure to cyber threat, mitigate the risk of data leaks that could lead to a data breach resulting in stiff penalties assessed under GDPR, and deliver the forensic insight required to prove compliance and execute appropriate remediation following a breach.
  • SonicWALL next-generation firewalls from Wem Technology help protect against emerging threats and feature deep packet inspection; real-time decryption and inspection of SSL sessions; adaptive, multi-engine sandboxing; and full control and visualisation of applications on the network.
Protect the network – ensure the latest threats are mitigated by using a patch management system and state-of-the-art antivirus/anti-malware solutions
  • Consider using a Managed Service Provider similar to Wem Technology to help deliver planned system updates in a timely fashion and provide detection, investigation and reporting, helping to comply specifically with Mandatory Breach Notification and Data Protection by Design.
Facilitate secure access to data – foster the secure flow of data while enabling employees to access the corporate applications and data they need and with the devices they choose. Enhance data security by combining identity components and data encryption to improve data protection and GDPR compliance.
  • Office 365 with Enterprise Mobility + Security (EMS) from Wem Technology helps protect your company’s important data regardless of where it is being accessed from and on any device; secure your data and devices; identify security breaches; manage user identity authentication, authorisation and administration; and encrypt email messages.
Implement Backup and Disaster Recovery – GDPR puts an obligation on companies to have an effective, regularly tested Disaster Recovery (DR) solution in place, and to have the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
  • Datto Backup and Continuity appliances from Wem Technology provide comprehensive protection for all your data and systems.
    – Image-based snapshot technology
    – Ability to back up as often as every 15 minutes for critical data
    – Easy and fast verification that your backups work
    – Protection for all environments (Windows, Linux, Physical, Virtual), remote workers and SaaS applications (Office 365 and G-Suite)
    – Replication of backups to an offsite location, allowing you to continue in the event of a disaster recovery invocation
    – Fast recovery times and reliability
    – Ransomware detection and mitigation

To discover more, read:

For more information on GDPR Compliance As A Service
E-mail support@wem.biz or call 020 8150 8410 now

Useful GDPR Tips:

  • Build a plan!
  • Provide your staff with GDPR and security awareness training
  • Consider quick-wins such as adding 2-factor authentication, system protection and resilience
  • Implement policies such as clear desks, strong passwords, user access control and the disposal of data (including shredding of sensitive paper-based information)
  • Locate, classify and document your data, then determine who really needs to access it
  • If you have marketing lists, follow the Direct Marketing Alliance guidelines and check GDPR announcements regularly
  • If suppliers are asking you about your GDPR compliance and you are not quite ready, consider providing them with a statement of commitment and let them know what steps you are currently taking in order to comply
  • Securely dispose of all old data (e.g. marketing lists) that you no longer need
  • Implement and modify your processes, policies and procedures to include the GDPR principles
  • Use the data assessment toolkit on the ICO website at https://ico.org.uk/
  • Block consumer-type applications on your network, as some of these contain terms & conditions stipulating that they may use your data
  • Use the technical resources of a trusted provider of I.T. Security and Continuity solutions

GDPR Key points

Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

Information you hold

You should document what personal data you hold, where it came from and whom you share it with. You may need to organise an information audit.

Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data, ensure it is accurate or provide data electronically and in a commonly used format.

Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

Lawful basis for processing personal data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

Children

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

Data Protection Officers

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

International

If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.