VBC

- Always One Step Ahead

GDPR Readiness

The first step towards compliance with the European Union General Data Protection Regulation (GDPR) is to assess whether the GDPR applies to your organisation and, if so, to what extent. This analysis starts with understanding what data you have and where it resides. How prepared are you?

Cordon Sanitaire encompasses the extra territorial scope of GDPR in conjunction with our US partner company 'TaskCentral'. This enables us to address the demands of both local European organisations as well as multi-nationals.

Preparing for the GDPR is complex. We recommend customers approach the regulation by focusing on an overall set of key controls and capabilities. These can be summarised in four vital areas: Discover, Manage, Protect, and Report.

GDPR Scorecard

DISCOVER: Identify what personal data you have and where it resides

The first step towards GDPR compliance is to assess whether the GDPR applies to your organisation, and, if so, to what extent. This analysis starts with understanding what data you have and where it resides.

Action: Does the GDPR apply to my data?

The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.

A Privacy Impact Assessment will help identify whether your organisation holds such data (in customer databases, in feedback forms filled out by your customers, in email content, in photos, in CCTV footage, in loyalty programme records, in HR databases, or anywhere else) or wishes to collect it. If it does, and the data belongs or relates to EU residents, then you need to comply with the GDPR. Note that personal data does not need to be stored in the EU to be subject to the GDPR: the GDPR applies to data collected, processed, or stored outside the EU if the data is tied to EU residents.

Outcome: Building your inventory

To understand whether the GDPR does apply to your organisation and, if it does, what obligations it imposes, it is important to inventory your organisation’s data. This will help you to understand what data is personal data, and to identify the systems where that data is collected and stored, understand why it was collected, how it is processed and shared, and how long it is retained.


MANAGE: Govern how personal data is used and accessed

The GDPR provides data subjects—individuals to whom data relates—with more control of how their personal data is captured and used. Data subjects can, for example, request that your organisation provides information on the processing of data that relates to them, transfer their data to other services, correct mistakes in their data, or restrict certain data from further processing in certain cases. In some cases, these requests must be addressed within fixed time periods.

Action: Do you understand what types of personal data your organisation processes?

To satisfy your obligations to data subjects, you will need to understand what types of personal data your organisation processes, how, and for what purposes. A data inventory and process map is a first step to achieving this understanding. Data Protection Impact Assessments (DPIAs) are the starting point.

Outcome: Data Governance Planning

Once that inventory is complete, it provides the clarity needed to develop and implement a data governance plan. A data governance plan can help you define policies, roles, and responsibilities for the access, management, and use of personal data, and can help you ensure your data handling practices comply with the GDPR. For example, a data governance plan can give your organisation confidence that it effectively respects data subject requests to delete or transfer data.


PROTECT: Establish security controls to prevent, detect and respond to vulnerabilities and data breaches

GDPR raises the bar on the importance of information security. It requires that organisations take appropriate technical and organisational measures to protect personal data from loss or unauthorized access or disclosure.

Action: Have you identified and considered all the risks?

Data security is a complex area. There are many types of risk to identify and consider—ranging from physical intrusion or rogue employees to accidental loss or hackers.

Outcome: Risk Impact Assessment

Building risk management plans and taking risk mitigation steps, such as password protection, audit logs, and encryption, can help you ensure compliance.


REPORT: Execute on data requests, report data breaches and keep required documentation

The GDPR sets new standards in transparency, accountability, and record-keeping. You will need to be more transparent about not only how you handle personal data, but also how you actively maintain documentation defining your processes and use of personal data.

Action: How

The processing of personal data requires keeping records about the purposes of processing; the categories of personal data processed; the identity of third parties with whom data is shared; whether (and which) third countries personal data is transmitted to, and the legal basis of such transfers; organisational and technical security measures; and the data retention times applicable to the various datasets.

Outcome: Track & Record Flows of Personal Data into and out of your organisation.

One way to achieve this is using auditing tools, which can help to ensure that any processing of data—whether it be collection, use, sharing, or otherwise—is tracked and recorded.


The Deliverables

You will receive a report that provides a status appraisal and recommendations to reduce your cyber and compliance risk across the following key areas:

  • GDPR readiness maturity Scorecard leveraging Data Protection Impact Assessment & Risk Impact Assessments
  • Detailed remediation checklist
  • Remediation roadmap and next steps
  • Recommendations for people, process and technical controls
  • Business ready scorecard to monitor progress

The GDPR engagement identifies technologies and additional steps that organisations can implement to simplify their GDPR compliance efforts. The application of GDPR is highly fact-specific. We encourage all organisations to engage our process with a legally qualified professional to discuss how GDPR applies specifically to their organisation and how best to ensure compliance.


The Costs

For larger organisations, a separate quotation will be determined by:

  • Number of sites
  • Number of IPs and web applications in scope for any vulnerability scans
  • Number of employees and languages for personnel assessments

For Small Medium Enterprise organisations we provide a fixed price for a single site based on a three-day consultative engagement with remote vulnerability assessment and a fixed GDPR assessment scope as outlined above.


*Visit the Microsoft GDPR site for full details of Microsoft's commitment to GDPR Cloud and Services Compliance.