
A holistic strategy to GDPR Compliance for SMEs

Get GDPR Ready with SOLA Consulting

SOLA Consulting part of SOLA Group Ltd.

Page 2: Get GDPR Ready with SOLA · PDF fileA holistic strategy to GDPR Compliance for SMEs Get GDPR Ready ... Marketing to Legal, HR and Customer Service Brexit will not negate the regulation

Contents

What does GDPR really mean to your business?
What is GDPR?
Where does the responsibility lie?
SOLA Consulting GDPR Readiness Assessment
GDPR Readiness Assessment Outputs
GDPR Readiness Assessment Sample Report
Why SOLA Consulting?

What does GDPR really mean to your business?

Getting GDPR wrong can cost your organisation 4% of global turnover; with our in-house GDPR experts, extensive network of people and technology partners, SOLA Consulting are perfectly positioned to help you solve the complex challenges GDPR will bring to all departments across your business in as little as 2–4 weeks.

The major shift, with the implementation of GDPR, will be in protecting customer and employee Personal Data and Personal Sensitive Data. The cybersecurity landscape is rapidly changing due to the explosion in digital and the ever-changing ways in which we all share information. GDPR strives to protect our own and our customers’ sensitive information in this new digital age. Good news for your customers, but challenging for your organisation.

Through our workshops and seminars we have found that organisations are at varying stages of their GDPR journeys. Certainly some larger organisations are well on their way to being compliant. SOLA Consulting are here to support smaller to mid-sized organisations who need hands-on expertise and support to tackle the significant adjustments GDPR will bring to their businesses.

So what does the new EU GDPR really mean for your business? In short, from the post room to the board room, GDPR will have an impact on every department in your organisation; your people, your processes, your technology, your systems and your data.

GDPR comes into force on 25th May 2018.

From the post room to the board room, the regulation will have an impact on every vital part of your organisation; your people, your processes, your technology, your systems and your data.


Fines of up to 4% of global turnover or 20M EUR, whichever is higher

SOLA Consulting GDPR Readiness Assessments can be delivered in as little as 2-4 weeks

What is GDPR?

Those of you in the know can skip this section, but for those of you who need a little education, here’s our GDPR Snapshot.

For more information visit the ICO website here

Download our GDPR Snapshot Infographic here

GDPR comes into effect on the 25th May 2018

GDPR supersedes the Data Protection Act of 1998

GDPR provides increased privacy protection for all UK & EU citizens

GDPR is a regulation, now legally enforceable with agreed penalties of up to 4% of your annual turnover

GDPR harmonises data protection laws across the European Union’s 28 Member States, which will make the complex data protection landscape easier to navigate for multinational organisations

When enforced, the GDPR stipulates that data breaches must be reported to the relevant authorities within 72 hours of discovery if they’re likely to jeopardise the rights and freedoms of individuals affected, and records must be kept of all such incidents

GDPR will impact virtually every department within your organisation; from IT, Finance and Marketing to Legal, HR and Customer Service

Brexit will not negate the regulation here in the UK. In or out of Europe, the regulation is the new data protection standard

The UK ICO have already stated they will continue to adhere to the EU adequacy laws post Brexit

All organisations hold personal information (an IP address or a business email that can be linked to an individual is classed as personally identifiable)

Non-compliant organisations now face fines of up to 4% of their global revenue or 20M EUR – whichever is higher

GDPR enhances the requirements for obtaining consent, mandating affirmative consent for data processing, and requires explicit consent for special categories of data

GDPR extends new rights to individuals such as the right to be forgotten and the right to data portability

GDPR requires that organisations in specific circumstances appoint a Data Protection Officer (DPO)

Where does the responsibility for GDPR lie in your business?

All company employees produce and manipulate data, using technology and according to your organisation’s policy and processes. Therefore the responsibility lies with everyone within your organisation, including all your departmental heads of business.

But where do you start? With your systems? Your employee education and awareness? Your data? Your policies? And who should lead this process in your organisation? Your legal department? IT? Your CEO? Marketing?

Something of this scale needs structure.

Therefore, CEOs and MDs require an action plan. With less than a year to go until GDPR comes into force, organisations seriously need to start creating an action plan to move towards compliance.

This is where SOLA Consulting’s Readiness Assessment comes in. Roles, responsibility, and accountability will be established. A critical path will be delivered as part of the outputs, so that the action plan can be agreed at the top, and filtered down throughout the organisation.

SOLA Consulting GDPR Readiness Assessment

Comprehensive & invaluable insight into your organisation’s current GDPR compliance status.

Our GDPR Readiness Assessment is a crucial first step on your journey to GDPR compliance. The assessment will give you a comprehensive insight into your organisation’s current GDPR compliance posture and make priority recommendations for the areas you most urgently need to address to meet the regulations come May 2018.

The assessment uniquely examines 4 key business areas:

• People
• Data
• Technology
• Policy and Processes

GDPR compliance is not just about the technology and security systems you have in place; people, processes and data play an equal part.

Potentially every individual within your organisation has access to personal data. Organisations need to make sure that they are adhering to the same protection and data processing standards across their entire business.

And then there is the question of where the responsibility for data protection lies. Clearly business leaders need to drive the need for compliance and adherence to the regulation, but equally all employees across your business will need to be aware of the implications of a data breach; data protection education programmes will therefore become increasingly necessary.

GDPR requires that you know exactly what data you hold on an individual, where that data is stored, how old it is, how you process it and who has access to it. The ICO stipulates that you should audit the personal data you hold, where it came from and who you share it with, and maintain records of your processing actions, which is why data also forms a crucial part of our GDPR Readiness Assessment.


SOLA Consulting GDPR Readiness Assessment: what’s covered?

Customer 3rd Party Analysis
Analysis of 3rd party supplier relationships and legal contracts, to determine a strategy for inclusion of GDPR articles into operational policy and standards. This will ensure all 3rd party legal contracts also reach the required compliance levels.

Customer Data Analysis
Data analysis is critical to GDPR compliance. Through a combination of business analysis and due diligence on your technology stack, we will track Personal Data and Personal Sensitive Data from customer input channels through to your endpoints, applications and networks and their storage location.

GDPR Mandatory Requirements
Identification of the mandatory requirements of the regulation and how they apply to your business, including the need to appoint a Data Protection Officer (DPO), your customer consent mechanisms, data portability and deletion, privacy management and technical data security.

Technical Assessments
Technical control of customer data is key to GDPR compliance. Some of the crucial areas that will be analysed for readiness include (but are not restricted to) structured and unstructured customer data applications, databases and accounting systems, your data centre, firewall system, data storage, cloud service, email services and security systems.

Non-Technical Assessment
Non-technical assessments will be conducted on or off site and include (but are not limited to) your company’s contractual obligations with 3rd parties, operation policy, data policy, security policy, risk management, project methodology and change process.

Education and Awareness
Via the definition workshop, departmental heads of business, technical leads and key members of your organisation will receive 1-2-1 education and awareness on how GDPR is relevant to their specific area of control.

GDPR Definition Workshop
A crucial first step. A facilitated session with the key GDPR business stakeholders across your business to clearly define the scope of the project, set expectations and parameters and define and agree outputs.

Business Analysis & Due Diligence
Consists of 1-2-1 sessions with your business leaders; examining your company and operational policies and scrutinising your current technology stack, including analysing everything from email & web usage to security solutions and storage.

ACME Plc GDPR Readiness Assessment V1.0

Readiness Assessment Summary:
ACME Plc provided 82.5% of assessment collateral, achieving an overall GDPR Compliance rating of 61.5%. The remaining 17.5% assessment will either need to be completed at a later date, or the Risk accepted by ACME Plc. Full details are given in the full ACME Plc GDPR Report, 20170620

Key Observations:
- ACME Plc has shown commitment across the entire organisation to achieve GDPR compliance.
- ACME Plc has a mature Data Management model, observing the compliance of both the 1998 Data Protection Act and the 2012 PCI regulations. Only small process changes will be required to reach GDPR compliance.
- ACME Plc recently upgraded their Firewall solution, bringing a solid layer of Data Loss Prevention to the Security Operations Suite.
- ACME Plc employees have expressed an interest in an Education and Awareness training session on the practicalities of GDPR.
- ACME Plc Security Operations are monitoring and controlling all egress points for the internet; however, Email traffic is uncontrolled and poses a high risk of Data Breaches.
- ACME Plc endpoints (Laptops, Tablets, Smartphones) are unencrypted, which is a direct GDPR breach of regulation.
- ACME Plc primary control system (Active Directory) has not been controlled over the 10 year growth of the AD domain. There is a high impact quick win available with an AD review and account consolidation.
- ACME Plc Antivirus, Antispam and Malware software is not of a recommended version for today’s cyber attacks; it is recommended that the versions are upgraded.

Quadrant Summary:
People: 82% completed, Compliance Rating: 32%
Process: 64% completed, Compliance Rating: 71%
Data: 90% completed, Compliance Rating: 89%
Technology: 95% completed, Compliance Rating: 54%

Key Issues:
1. Operational Policy incomplete
2. Data dispersion
3. Data ownership / DPO
4. No control over Shadow IT
5. Email traffic unmonitored
6. Social Media unrestricted
7. Insufficient Endpoint Encryption
8. HTTPS protocol security

Key Risks:
1. No current in-house GDPR Initiative
2. Resources for recommendations
3. Timescales
4. 3rd Party Legal supplier

Critical Path:
To reach a safe level of GDPR Compliance, an in-house GDPR initiative will need to be established and controlled, with approved Milestones, Deliverables and acceptance criteria. It is essential that Legal and HR own the initiative, and drive it to completion before 25th May 2018.

Recommendations:
It is recommended that the full GDPR report is analysed, and an internal Risk Assessment is undertaken. Once the risk appetite has been established, it is recommended that a GDPR Project is initiated, addressing the Key Issues and Risks listed above, and all Red and Amber recommendations listed in the full ACME Plc GDPR Report, 20170620.

[Chart: Issue Breakdown]

GDPR Readiness Assessment Outputs

The outputs of the GDPR readiness consultancy period will provide solid insight into your current GDPR compliance posture. It will list the four quadrants (People, Data, Process, Technology) and break them down into circa 30 sub-sections with associated heat maps and diagnostics.

As part of this service offering, we will offer as many quick-wins as possible to assist your efforts to reach compliance with a recommended roadmap taking you through to May 25th 2018. Timescales will vary from organisation to organisation but we expect to deliver readiness assessments within 2 – 4 weeks.

This will be presented through:

• A full GDPR Readiness Report
• Dashboard Summary
• Risk Assessment
• Gap Analysis
• Risk and Issue Log
• Recommendations & Next Steps
• RACI Matrix (the RACI Matrix determines roles and responsibilities for your organisation’s GDPR activities or groups of activities: Responsible, Accountable, Consulted and Informed)
• ½ day on-site analysis of outputs

Why SOLA Consulting?

SOLA Consulting are perfectly positioned to help you solve the complex challenges GDPR will bring to all departments across your business.

At SOLA Consulting we recognise that not all businesses are the same, therefore all of our GDPR practitioners have extensive consultancy experience across a range of verticals and organisational sizes from multinationals to local SMEs. We take a pragmatic, personal approach to understanding and getting under the skin of your business and tailor our industry leading expertise to uniquely identify the impact of GDPR to your specific organisation.

With our extensive network of people and technology partners SOLA Consulting are perfectly positioned to help you solve the complex challenges GDPR will bring to all departments in your organisation.

©Copyright - SOLA Group 2017 - All Rights Reserved

Register for a consultation

e: [email protected]
t: +44 (0) 845 460 0160