GDPR
Data protection is a necessity to ensure public trust in organisations, and to allow fair use of information about people.
GDPR stands for “General Data Protection Regulation”, the regulation that sets out the key principles, rights and obligations for most processing of personal data. It came into effect on 25.05.2018.
It is a new privacy law that governs how different parties collect consumers’ data. Those parties include government agencies, non-governmental agencies, and online business properties run by companies, such as websites and web apps, games and payment processing services. The law affects manufacturing companies, retailers and any business that collects user information when selling its goods and products. Although the emphasis is on companies and organisations that sell within the European Union, the law also affects companies and organisations in the UK, despite the United Kingdom's decision to leave the European Union. The ICO (Information Commissioner's Office) regulates data protection in the UK.
If you are looking to read about the UK data protection regime only, please head to our DPA 2018 section here.
Securing your network is cheaper than breach fines, which can be as high as 4% of global turnover.
Why it's important to protect data?
Data protection is a necessity to ensure public trust in organisations, and to allow fair use of information about people.
Who does GDPR apply to?
This law applies if (official wording below):
You have information about people for any business or other non-household purpose. The law applies to any ‘processing of personal data’, and will catch most businesses and organisations, whatever their size.
GDPR applies to both 'controllers' and 'processors'. A payroll processing company is a useful example. The controller is the payroll company's client, who determines "the purpose and manner in which data is to be processed". The processor is the payroll handling company. A processor acts on behalf of, and only on the instructions of, the controller.
What is ‘personal data’?
Personal data means information about an individual (anyone: client, vendor, partner, employee or public official). It can be private or public information, and can concern someone's professional life. Even information that is somewhat anonymous on its own counts as personal data if combining it with other information allows an individual to be identified.
The following service offerings are in line with GDPR technical readiness and compliance. For a detailed read on each of these areas, please visit the assessment section here.
Supporting your staff to help them manage their data securely, including the devices and technologies they use. Read more on our training service here.
You need to ensure the systems processing personal data are monitored for user activity, including anomalous user activity.
Technical assessments covering secure configuration, encryption, software vulnerabilities and common application security vulnerabilities such as the OWASP Top 10.
Technical controls to prevent unauthorised or unlawful processing of personal data through unauthorised access to or use of user devices/storage media, backups, or interception of data.
Technical risk assessments include secure configuration reviews, vulnerability scans and penetration testing. A good penetration test should assess GDPR-related aspects such as identity and access controls within the Active Directory environment, password policy reviews, patching, and the mechanisms and measures in place for information in transit and at rest.
Adhere to technical controls as laid out in appropriate frameworks such as Cyber Essentials. Defendza are a certifying body who can assess, validate and certify organisations based on the controls in scope for CE (Cyber Essentials) and CE Plus assessments.
This is a quick exercise to help you identify and reduce the data protection risks of your processing activities.