Information Security

• The aim of the Gap Analysis is to provide feedback on the organisation’s position against the GDPR. Through interviews, the consultant gains an understanding about how the business works and the information that is held.  The interviews are held with the ’information owners’ of their department/work stream or someone who understands the information that is handled and processed within that department/work stream. We will also look to understand processes and controls around security of the information you hold and so will need to speak to staff related to security.

Deliverable:

• A living document mapping out the information processes within the organisation;
• A Progress Assessment report – detailing information on gaps identified  against the GDPR and recommendation of  action steps. 

• Policies can be customised to the organisation, taking into account their controls and processes:
  • The customised policy pack is done in conjunction with the various stakeholders and teams within the business,
  • They are customised with full document controls for ease of reference and version control
• Template policies can be provided to assist the organisation in developing the required policies.

• High level employee awareness training including the 12 Steps the ICO recommend you start with;
• What is Personally Identifiable Information;
• Personalised slides relating to your organisation;
• The importance of data protection within your organisation;
• What constitutes a data breach;
• Day to day data awareness;
• How/Where it is being stored
• Process Mapping – what is it and why do it

• A privacy notice is a statement of how your organisation applies data protection principles to the processing of its data. The document should be clear, concise and that it is accessible to all individuals before any collection of data commences;
• As a starting point we can help you map your data, this should show how your data flows through your organisation. We would then:
  • Establish your legal basis for processing.
  • What information you hold that constitutes personal data.
  • What you do with the personal data you process;
• We would write a privacy notice that reflects the above but be specific to your organisation.

• You must appoint a data protection officer (DPO) if you are a public authority, carry out large scale systematic monitoring or process special categories of data relating to criminal convictions / offences;
• NOTE: Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills (or a virtual DPO) to discharge your obligations under the GDPR;
• NOTE: Data Protection Officer is a governed title and if you use it there are prescribed requirement on the individual and on the company;

The DPO service covers the following: 

• Validate internal audit of Personal data held within proprietary and third party systems and applications and confirm necessary data is held;
• Document and advise on how customer data is currently processed and whether is aligned to GDPR;