General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) comes into force on May 25, 2018. Every organization — regardless of its location — doing business with EU customers will need to make changes to its technology, processes, and people to comply with the new rules.
The threat landscape cannot be ignored
Personally Identifying Information (PII) has become an increasingly important topic in cybersecurity as the focus of cybercriminals has moved from the theft of financial data to personal data. According to the Breach Level Index, over 9 billion data records have been stolen since 2013 – an astonishing 5.2 million per day on average. Your organization will almost certainly be the victim of a targeted cyber-attack at some point and there is a greater than 1 in 10 chance that this will lead to serious data loss and/or reputational damage.
Why you can't afford to ignore GDPR
• Fines of £17.5m or 4% of global turnover, whichever is higher
• The requirement to notify a data breach within 72 hours
• Key principles such as the right to be forgotten and information requests
• The need to establish a clear legal basis for holding and processing personal data
Transition to the GDPR: IT & Security Professionals Must Act Now
At this time, data security implementation details are left to interpretation in the GDPR. While it is binding, enforceable law, we see the regulation as a work in progress. EU regulators informally acknowledge the GDPR sets broad, ambitious goals, while leaving the details to be articulated in the future.
What we do know is the GDPR takes a risk-based approach to requiring particular technical measures. Higher risk mandates more expense and effort to secure data. The overriding issue is whether data is at risk and which practices and technologies will effectively reduce those risks.
We help organizations overcome the hurdles of GDPR compliance. We consult on many of the recommended GDPR technology solution areas and work closely with technology vendors providing best-in-class GDPR solutions. This includes ISMS.online, a powerful cloud-based platform, designed for managing information security, data protection, and GDPR compliance.
GDPR Readiness Technology Assessment
activereach offers a three-step GDPR Readiness Technology Assessment to help get your organization better prepared for the GDPR deadline.
Step 1: Stakeholder interviews conducted by one of our pre-sales team to identify your information flows that are in-scope for GDPR. Information gathering will be conducted under mutual NDA and includes details of third-party processors, applications and infrastructure elements. The service does not include your customers/data subjects by default – but it may be recommended that you survey them as part of GDPR project work.
Step 2: Each information flow is assessed to determine whether a full DPIA (Data Privacy Impact Assessment) is required, and to identify risks and gaps in the current provision of the information system. This assessment draws on the information gathered during the stakeholder interviews, combined with any documented information about IT systems and infrastructure the company can provide.
Step 3: activereach will prepare a tailored, individual report capturing the stakeholder information, the information flows identified, and our analysis and inferences. The service assesses the information systems' readiness for GDPR compliance activities from a technological point of view. Customers should seek legal or other associated professional advice separately for non-technical assessments of GDPR readiness.
If you would like to discuss this service in more detail, please contact activereach on 0845 625 9025 and ask to speak to a GDPR Consultant.