Hi, my name’s Jo Walter, and I’m Information Assurance Manager at Gradwell. It’s my job to make sure that the information Gradwell has access to is safe, secure and handled according to best practice, including ISO 27001, a standard we are very proud to be accredited to.
With the Easter break over and waistbands straining under the recent excesses, our attention has returned once again to the looming deadline for General Data Protection Regulation (GDPR) compliance. Our mailboxes are inundated with the many GDPR seminar, conference and training emails, carefully designed to ensure that even the most organised security manager is thrown into a panic that they have overlooked something.
Our Information Assurance team are looking forward to the day after… the 26th of May, when security and privacy can once again be our daily remit, business as usual, and our mailboxes may get a small reprieve too!
What is GDPR?
I’m sure all businesses are by now aware of the General Data Protection Regulation (GDPR), but for those that aren’t, here’s a quick rundown. GDPR is a new framework that will replace the Data Protection Act 1998 and is relevant to all businesses that process, store and use the data of EU citizens in their operations. So what’s the main change? Individuals have new rights to access the information companies hold on them, companies have an obligation to manage data better, and they face a new regime of fines for data breaches.
Gradwell and GDPR
Gradwell has long recognised the value of investing in information security across the lifecycle of our services, from access control through to secure storage, backed by a robust framework for recognising and responding to risks using industry-recognised best-practice methodology. We have had an ISO/IEC 27001:2013 certified ISMS framework in place since 2015 and plan to review it in full over the coming months.
We see continual improvement as an ongoing project. Cybersecurity is an ever-changing landscape, and so too should be our approach to maintaining security: we must identify changes in the environment and adapt to them to maintain our high standards of data protection.
Incorporating compliance with the impending EU General Data Protection Regulation (GDPR) has been a project involving all areas of the organisation. It began with understanding the requirements and the changes to the existing Data Protection laws, moved on to training an in-house team, and then to identifying and later implementing the actions required alongside our existing frameworks and systems.
With guidance still being produced at this late hour, there have been phone calls to the ICO (Information Commissioner’s Office), the Supervisory Authority for England, which is in charge of assessing compliance, investigating complaints and dishing out those hefty fines we’ve been reading about. Our enquiries have resulted in reassurance that we are doing the right thing, taking the correct approach and on the right lines, because, with no defined instructions, it is about applying the General Data Protection Regulation (GDPR) to your organisation in a tailored, bespoke approach.
Gradwell GDPR Timeline
So, with the days ticking down, what have we done? Here is a brief timeline of actions to date and plans for the next couple of months:
• GDPR Practitioner Training
• Appoint DPO, Barrie Millett
• Information gathering and data privacy impact assessments
• Document Subject Access Request Procedure
• Data Flow
• Supplier Readiness Questionnaires
• Risk Assessment
• Consent Implementation work underway
• Updates to Information Security pages on Gradwell.com
• Legal requirements with Solicitors
• Complete Consent Functionality
• Complete Supplier Risk Assessment Activities
• Data Cull
• PIMS Framework & Documentation updates
• Contract Reviews