What is GDPR?
The EU General Data Protection Regulation (GDPR) introduces new legislation to enforce data privacy measures for data controllers and processors. It came into effect in 2015, and organisations must have implemented it by 25th May 2018. The new regulation supersedes the existing EU 95/46 EC directive, which was not mandatory.
The new legislation's objectives are to:
- harmonise individual country-level laws and ensure that customer data is adequately protected
- apportion penalty levels for non-compliance. Penalty levels are assessed at up to “the higher of 4% of an enterprise’s worldwide turnover or €20m”.
The legislation is designed to provide "data subjects" (customers) with several new rights, including:
- more transparency over how their data is being used
- a need for explicit permission from the customer for how the data is being used
- the right to withdraw consent
- more rights to transfer and delete data
- limits on the profiling of customers
- mandatory breach notifications when their data may have been compromised
Bridewell Consulting’s readiness offerings are designed to help organisations understand the impact and to prepare and implement the changes that GDPR will impose on organisations.
Organisations are ultimately accountable if they fail to protect the personal and sensitive personal data of their staff and customers. Processes will need to be amended to account for the additional operational and administrative overheads GDPR will bring. But these are all for the benefit of protecting both customers and the organisation processing the customer data.
So the question is: are you ready?
The GDPR will impose several changes on organisations that process personal and sensitive personal data. Understanding where the organisation is today and what needs to be done in advance of 25th May 2018 to address the requirements of GDPR has a number of benefits:
- Acting now addresses the challenges in a phased manner rather than leaving them to the last moment.
- It demonstrates to customers the importance the organisation places on the protection of personal and sensitive personal information.
- Taking a proactive approach can lead to a competitive advantage and position the organisation to capitalise on new markets or service opportunities.
- It improves the ability to respond to and reduce the damage of any data breach, and in turn reduces the impact of any fines that the GDPR could impose.
Proactively addressing the GDPR will inspire customer confidence in your organisation.
How We Can Help
Bridewell have been working in data privacy for over 20 years. We have experienced data privacy consultants and industry-proven methodologies, and we have supported several organisations across various sectors of industry in complying with applicable privacy requirements. We have individuals with leading privacy experience and certifications such as the Chartered Information Privacy Professional / Europe (CIPP/E), Chartered Information Privacy Technologist (CIPT) and Data Protection Practitioner (PC.dp), as well as certifications in the new General Data Protection Regulation. We pride ourselves on acting as a trusted advisor for our clients, interpreting privacy legislation and ensuring it is practically implemented in our clients' business operations.
Our GDPR Readiness modules offer the following to organisations:
- GDPR – Enterprise Readiness Assessment
- GDPR – System Readiness Assessment
- GDPR – Global Data Flow Mapping (GDFM)
- GDPR – Global Data Flow Compliance
- GDPR – Privacy Impact Assessment
- GDPR – Privacy by Design Technology Assessment
- GDPR – Security and Privacy Assessment
- GDPR – Incident Response Support Service
- Data Protection Officer as a Service, designed for organisations that do not have or cannot afford a full time dedicated data protection officer
GDPR – Enterprise Readiness Assessment
Bridewell's Enterprise Readiness Assessment consists of Bridewell consultants working with your organisation at a strategic level, across your key business operations, to assess your key privacy touchpoints and data flows, and then building a privacy assessment report covering the existing and the future state. Bridewell give practical remediation guidance and can support organisations in implementing the practical steps required to address the requirements of GDPR.
GDPR – System Readiness Assessment
Bridewell’s System Readiness assessment consists of an in-depth analysis of a specific application or data collection method to understand the full privacy requirements against the lifecycle of the system or service. The assessment consists of:
- Assessment of technology including the detailed assessment of Privacy Enhancing Technologies (PETs).
- Global Data Flow Mapping (GDFM) and Global Data Flow Compliance (GDFC) are completed to understand the data types and the privacy touchpoints across the lifecycle of each data type.
- Technical assessment of the technology being used to process the organisation's data, gaining a deep understanding of how data is protected and processed in order to inform our clients of any vulnerabilities that require attention.
- Production of a privacy-enhancing roadmap. Bridewell provide the client with a roadmap for improving their data privacy operations, with practical guidance on technical and business process improvements.
GDPR – Global Data Flow Mapping (GDFM)
GDFM consists of Bridewell consultants using a series of interviews with key technical and business process owners to develop an understanding of all data flows, either across an organisation's operations or within specific systems. We are also able to combine our privacy expertise with cyber security analysis to validate data flows within an organisation as required.
GDPR – Global Data Flow Compliance
We analyse data flows to ensure that appropriate technical and organisational measures are in place. Any gaps are identified, and we support the client with remediation, which can range from technical changes to policy or procedural changes.
GDPR – Privacy Impact Assessment
This is conducted in accordance with industry good practice. An enterprise-level PIA is strategic in content and focuses on the organisation at a strategic layer. A system-specific PIA is granular in nature, focuses on a specific set of business operations and comes with detailed guidance on any remediation activity.
GDPR – Privacy by Design Technology Assessment
We review a company’s application or set of systems to assess privacy by design principles such as:
- Proactive not reactive; Preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality – positive-sum, not zero-sum
- End-to-end security – full lifecycle protection
- Visibility and transparency – keep it open
- Respect for user privacy – keep it user-centric
This can also include technical system testing in addition to hands-on privacy consultancy, using our own Certified Information Privacy Technologists to assist.
GDPR – Security and Privacy Assessment
Bridewell use a set of blended services to provide an organisation with either an Enterprise Readiness Assessment or Privacy Technology Assessment and combine this with technical penetration testing to provide validation that data is secured appropriately.
GDPR – Incident Response Support Service
Having a data breach can be extremely damaging to an organisation's reputation. Bridewell provide an incident response service which assists the company in managing a data breach and liaising with the relevant supervisory authorities. This can be done on an ad-hoc basis or as a contracted service throughout the year.
GDPR – Data Privacy Officer (DPO) as a Service
For many organisations that process personal and sensitive personal data, the GDPR will impose a new requirement for a mandatory Data Privacy Officer. As a result of the GDPR, it is estimated that within Europe there will be a need for 28,000 Data Protection Officers. Bridewell Consulting can provide a DPO where it is not financially or practically viable for organisations to recruit or appoint a DPO that can operate independently in accordance with the DPO guidance published by the Article 29 Data Protection Working Party.