Standards Certification Council

GDPR Advisory & Assurance

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation of EU law on data protection and privacy for all persons in the European Union. It also deals with the export of personal data outside the EU. The purpose of the GDPR is primarily to enable citizens and residents to control their personal data and to simplify the regulatory environment for international companies by standardizing the regulation within the EU.

The GDPR will change how personal information is collected, shared and used worldwide and has been described by experts as ambitious, complex and rigorous. All organizations will need to make changes to policies, processes, contracts, and technical and organizational compliance measures. In some cases, these changes can be complex and significant. Beyond EU companies, the GDPR also extends to companies outside the EU that offer goods or services to EU data subjects (“an identified or identifiable person to whom” personal data “refers”), even if these are offered free of charge, or that monitor the behaviour of data subjects within the EU.

Our team of subject matter experts in the field of data protection can provide your organization with a range of best practice solutions, from assessing your GDPR compliance position, to developing a solution roadmap, to implementing an optimal data compliance framework. Whether you are an SME or a multinational company, we can customize our GDPR services to your specific needs.

  • Gap Analysis: Perform a detailed assessment that shows your organization’s current GDPR compliance position and possible solutions to address the gaps and mitigate the risks.
  • Data Flow Audit: Prepare an inventory of the personal data held and shared by your organisation, and a data flow map of your processes.
  • Data Protection Impact Assessment (DPIA): Perform an assessment of the data protection risks associated with your new process and a corrective plan to mitigate those risks.
  • GDPR Implementation Services: Support in aligning your existing data protection programme to the GDPR.

This includes:

  • Data protection frameworks
  • Policies and procedures
  • Data processor management
  • Information security
  • Incident management
  • International data transfers
  • Compliance documentation

  • In-house GDPR Training and Awareness: Deliver awareness sessions specifically customized to your organisation’s requirements.
  • Cyber Incident Response Management: Assist in defining and implementing an effective incident response approach.

GDPR Compliance Framework

Why is Information Security Needed?

Information is now globally accepted as being a vital asset for most organizations and businesses. As such, the confidentiality, integrity, and availability of vital corporate and customer information may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task. It is easy to imagine the consequences for an organization if its information were lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. In many cases it can lead (and has led) to the collapse of companies.

ISO 27001 is a specification for the management of information security. It is applicable to all sectors of industry and commerce and is not confined to information held on computers. It addresses the security of information in whatever form it is held.

The information may be printed or written on paper, stored electronically, transmitted by post or email, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, ISO 27001 helps an organization ensure it is always appropriately protected.

Information security can be characterized as the preservation of:

  • Confidentiality – ensuring that access to information is appropriately authorized.
  • Integrity – safeguarding the accuracy and completeness of information and processing methods.
  • Availability – ensuring that authorized users have access to information when they need it.

ISO 27001 contains a number of control objectives and controls. These include:

  • Security Policy Management
  • Corporate Security Management
  • Personnel Security Management
  • Organizational Asset Management
  • Information Access Management
  • Cryptography Policy Management
  • Physical Security Management
  • Operational Security Management
  • Network Security Management
  • System Security Management
  • Supplier Relationship Management
  • Security Incident Management
  • Security Continuity Management
  • Security Compliance Management

Organizations that do not yet have a privacy compliance framework can use a standardized framework to demonstrate compliance with the GDPR. There are currently two recognized standards or frameworks that could be used: BS 10012:2017 and ISO/IEC 27001:2013.

GDPR Assessment Services: Our GDPR assessment service includes programme scoping, deep-dive assessments and data protection impact assessments (DPIAs).
