GDPR – A Matter of Trust

By Vernon Kitay, Head of GRC & VCISO

In Europe and the UK, the General Data Protection Regulation came into effect on Saturday 25th May 2019. Unfortunately, it’s not too late to get caught for non-compliance with a maximum penalty of €20 million or 4% of Global revenue; whichever is greater, for rights infringements, and 2% for data security breaches.

In 2019 the Information Commissioner’s Office (ICO) announced the intention to fine British Airways £183m and Marriott Hotels Group £98m for data breaches.  This is on top of lost revenue, costs incurred to investigate data breaches and implement controls that will satisfy the ICO and, perhaps most crippling of all, potential class-action lawsuits that may lead to £billion pay-outs.

Getting caught but for what?

Data breaches are the headline-grabbing events, losing tens of thousands of personal data records.  But breaches are not the only concern, complaints from individuals may also get you noticed.  Individuals: that’s customers past and present, members if that’s your line, employees and we all have them, or even suppliers.

What do I really need to do?

Are you managing and using people’s personal data in the way they expect it to be managed and used?  Businesses have historically kept data from the year dot to the present and beyond – ‘just in case we need it’.  GDPR doesn’t allow for that.  It states that personal data can be kept “… for no longer than is necessary …”.  So, do you have an appropriate Data Retention Policy, and more importantly, are you sure that it’s properly implemented?

The GDPR gives rights to the individual over the way organisations gather, use, store and share their data.  These can be inconvenient for a business, but on the other hand, they are also a way of showing that the business is behaving responsibly towards individuals whose data it holds.

It’s a matter of trust: individuals – customers and staff – feeling confident that they can trust the business with their data, and that they have some control over how it is used.

An individual has the right for example to:

  • be provided with all the personal data you have collected on them
  • have inaccuracies corrected
  • request that their data be deleted

and you have 30 days from request to respond to the request.

Of course, you know that, and you know what the individuals’ Rights are, all 8 of them.  You may also know what personal data your organisation has, and how it’s used and controlled, stored and removed.  You know about every spreadsheet data extract.  Or do you?   And what about your employees? Your contractors and third parties who process the data on your behalf?

Are you in a defensible position?  Can you show that you’ve looked at and prioritised your gaps, have taken appropriate action and, more importantly, have an actionable plan to address outstanding issues?

How we can help you?

Blackfoot can provide assurance that you are doing the right things and are on the right path by confirming where you are on the way to fulfilling the GDPR requirements.   We’ll assess your risks and help you set your priorities based on risk with practical action plans to support your progress.   As part of our assessment, we’ll map out your security baseline and recommend improvements which will reduce your risk of cyber-attack while simultaneously addressing your regulatory risk.

If you’ve not yet done it, we will help you identify and document your personal data processing activities, a key requirement under the GDPR, understating what it is you do with the data and why; challenging your perception of the lawful basis for the processing activity.

We will help you track the movement and lifecycle of the data; challenging you to challenge yourselves; is that what we said we’d do? is that why we said we’d do it? is it absolutely necessary? are we upholding the Rights of the individual?

We’ll help you on your journey

Full compliance with the GDPR is a journey – you need assurance that you’re on the right path, that you’re moving at the appropriate speed and that you have the guidance and support you need to make it along the way.

We have a range of options available to support you, and you can opt for the one that suits your situation:

  • On-site Assurance Review – to tell you where you are on the compliance journey and what’s needed to achieve a defensible position
  • Support in completing the requirements – to help you get there and maintain your defensible position
  • Programme management to guarantee success – to get you there efficiently.

Whichever approach you prefer, we will prepare a detailed report setting out your status and a risk-based approach for progressing on areas requiring attention.

Blackfoot bring a wealth of Governance, Risk and Control experience and expertise gained in audit, operational and information security and risk assessment and management.

Recommended Blog:

PCI DSS: Looking ahead to v4.0
The cost of a data breach

Full compliance with the GDPR is a journey - you need assurance that you’re on the right path, that you’re moving at the appropriate speed and that you have the guidance and support you need to make it along the way.