Keeping your DATA and PRIVACY protected.
Data Protection & Privacy
With the introduction of the EU’s General Data Protection Regulations (GDPR), the UK’s Data Protection Act 2018 and other international privacy laws, all of which update their procedures and impose tougher rules on how personal information must be handled and protected, there has been an increased focus on securing data.
Data protection rules are clear and concise, yet non-compliance potentially carries substantial financial penalties and significant reputational harm. We guide organisations through the process and improve their posture around protecting personal data and compliance, including Audit & Assessment, Virtual Data Protection Officers and Breach & Incident Response.
Audit & Assessment
The General Data Protection Regulations (GDPR) came into effect on 25 May 2018 and replaced most of the provisions of the UK’s Data Protection Act 1998 (which became the DPA 2018) and other local data protection laws and directives across the European Union. It introduced new procedures and tougher rules on how personal information must be handled and protected.
Both the UK’s DPA 2018 and the EU GDPR are clear and concise, but they carry more substantial financial penalties for non-compliance and greater reputational harm than ever before.
Working with decision makers and key management to assist in implementing DPA and GDPR measures, we will help audit your organisation’s readiness and resilience by testing systems, processes and infrastructure for security soundness.
How we can help
- Conduct information audits across the organisation to review, identify and assess the data being held
- Conduct specific Data Flow assessments providing Gap Analysis to identify control weakness, strengths and areas for development
- Work with the organisation to design and implement appropriate technical and internal measures to ensure Data Protection is designed into all processes
- Work with the organisation to design a Data Privacy Impact Analysis framework linking to pre-existing risk management and project management processes
- Review the processing of data, identify and document the lawful basis for the processing activities, including clear and concise consent mechanisms
- Review the DPA & GDPR risks on the organisation’s Risk Register and create the critical list of control weaknesses versus actions required by legislation
- Conduct a complete review and/or develop a framework of policies and procedures needed to ensure DPA and GDPR compliance, and provide a plan for Data Protection or Privacy by Design documentation
- Monitor compliance with data protection policies, regularly review the effectiveness of handling/processing personal data and update security controls
- Develop and provide a clear Road Map for the regular review of security access and controls to ensure the privacy and security of personal data, resulting in a documented Data Protection Impact Assessment framework
- Help the organisation develop a staff training and awareness program
Virtual Data Protection Officer (DPO)
Even where a business is not required by the DPA and/or GDPR to appoint a Data Protection Officer (DPO), they are encouraged under the regulation to appoint one.
A DPO is expected to have an expert understanding of data protection law and practices. You may already have an employee in the DPO role; TenIntelligence can support that role, or provide a dedicated subscription service for an appointed qualified person who holds no conflict of interest within your organisation.
How we can help:
- Review the DPA & GDPR risks on the business risk register and create the critical list of control weaknesses
- Define and maintain the required records of all activities related to processing data including ‘high risk’ processing activities
- Provide leadership support, business focal point and training to all staff on DPA & GDPR matters
- Ongoing virtual support using all forms of appropriate communication
- Assist with Data Subject Access Requests (DSARs)
- A bespoke monthly, bi-monthly or quarterly report on the current state of the organisation
- Provide tailored alerts and current global insights
- Provide real-time assurance through appropriate reporting mechanisms
- Short notice or specific 24-hour breach and incident response support service as required
Breach & Incident Response
Organisations do not have to look far for recent examples of high profile incidents that capture the media’s imagination and result in a consequential loss of customer confidence and damage to their brand.
The senior executive team should own and regularly review their incident response procedure. The procedure should enable responses to be managed effectively, including those involving staff, third parties or contractors.
How we can help:
- Advise on developing procedures to effectively detect, report and investigate a personal data breach or incident. Under the DPA 2018 and GDPR, failure to report a breach could result in a fine.
- Design and develop a Breach & Incident Response Plan.
- As an appointed DPO, act as the incident responder working with those identified within the Breach & Incident Response Plan.
- Support the regular testing regime for breach and incident response, including the development of bespoke desktop and playbook exercises to test decision-making procedures.
- Develop a communication plan for internal and external messaging to clients and staff, offering specific support for press and media handling.
- Provide support to the appointed nominated DPO or business lead in the incident response critical hours.