By Chris Butler, Principal Consultant, Cyber Resilience & Security.
The framework outlined by the EU General Data Protection Regulation (GDPR) is admirably designed to facilitate digital transactions, promote transparency, improve governance and enforce accountability. But implementing and maintaining GDPR-compliant processes within an organisation is no easy task. With the deadline now just months away, Sungard Availability Services can help.
Our experience of successfully implementing and managing data governance and regulatory compliance programmes makes us well placed to deliver a practical, pragmatic implementation of the GDPR, one that takes into account your corporate culture and budget, industry good practice and the latest regulatory guidance.
One security expert claims the GDPR could drive cyber criminals’ ransom demands higher. Previously, the sums demanded have been fairly arbitrary because there was no way to determine what a breach would cost the targeted organisation. That changes after the GDPR compliance deadline of 25 May 2018, when companies can be fined up to 4% of global annual turnover or €20m, whichever is greater, if data is leaked and they are found not to have protected it properly. He argues that this gives criminals a price point: they can assume a company might pay anything less than the potential fine to keep the breach secret and avoid the reputational damage. The caveat for any victim is that paying to keep a breach quiet does not remove the duty to notify the supervisory authority, so concealment adds a second compliance failure on top of the first.
How we can help
We can work with you to develop a suitable framework to comply with the GDPR’s provisions including:
- Raising awareness
Recognising that implementing the GDPR could have significant resource implications, Sungard AS can help develop awareness campaigns, as well as prepare and deliver training and awareness materials such as the Sungard AS GDPR Masterclass©.
- Data Protection by Design & Data Protection by Default
Under the GDPR (Article 25), organisations have a general obligation to implement appropriate technical and organisational measures, and to be able to show that data protection has been integrated into their processing activities from the outset and that, by default, only the personal data necessary for each purpose is processed. In GDPR terminology this is known as data protection by design and by default. Sungard AS can review and improve your organisation’s processes against this requirement.
- Conducting Data Protection Impact Assessments (DPIA)
Our GDPR-compliant DPIA tool, which can be run in French and English, is an efficient way for companies to identify how best to comply with data protection obligations and meet individuals’ expectations of privacy. It allows different business teams to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
(Note: despite the similarity in name, the Data Protection Impact Assessment (DPIA) is a specific obligation under Article 35 of the GDPR, with defined triggers and minimum content, and is not simply a renaming of the more established Privacy Impact Assessment, even though PIA practice informs how a DPIA is carried out.)
- Personal Data Breaches Management
Companies should have procedures in place to detect, report and investigate a personal data breach. The GDPR introduces a duty on controllers to report a breach to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and to inform the affected individuals without undue delay where the risk to them is high. Processors must notify their controller without undue delay, so contracts and escalation paths need to reflect these timescales.
Sungard AS has an unsurpassed global reputation for helping organisations to improve their crisis management capabilities with services including simulations and exercises. We can advise you on developing your response to a breach.
- Consent Management
Perhaps one of the biggest changes brought in by the GDPR is the move from implied to affirmative, purpose-bound consent: a “freely given, specific, informed and unambiguous” indication given by a clear affirmative action, with explicit consent required for special categories of data. Pre-ticked boxes and silence no longer count, so organisations need to state what they intend to use an individual’s personal data for, record the consent obtained, and make it as easy to withdraw as it was to give. We can guide you on the ramifications you need to consider in light of these provisions.
- Lead Supervisory Authority
Companies with processing activities in several EU countries deal with more than one supervisory authority. Under the GDPR’s one-stop-shop mechanism, a controller carrying out cross-border processing has a lead supervisory authority, normally that of the member state where its main establishment is located, which coordinates with the other authorities concerned. We can help controllers identify their lead supervisory authority and understand how the GDPR applies to their processing activities in the different national contexts across the EU.
- International Transfers of Personal Data
If personal data needs to be transferred outside the EEA, adequate safeguards must be in place, for example an adequacy decision for the destination country, standard contractual clauses or binding corporate rules. Sungard AS can advise on the most appropriate mechanism for performing personal data transfers lawfully.
- Privacy Seals
For years, certification marks and seals have served as a mark of trust for consumers, showing the organisation adheres to certain principles. Sungard AS can help companies attain the relevant Privacy Seal.
Reasons to choose Sungard AS
- Comprehensive proprietary methodology based on:
- The GDPR itself and the available regulatory guidance
- BS 10012:2017 - Data protection (Specification for a personal information management system)
- BS ISO/IEC 29134:2017 - Guidelines for privacy impact assessment
- ISO/IEC 27001 - Information Security Management
- The UK Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations (PECR)
- WP29 – Article 29 Working Party (European Commission) guidance
We follow the Plan-Do-Check-Act (PDCA) model used in ISO/IEC 27001 as our structure for developing and delivering assignments as the four-step process supports continuous improvement.
- Expertise and experience - Our GDPR-certified data governance and data protection consultants are all highly experienced. Sungard AS is a corporate member of the International Association of Privacy Professionals (IAPP), which has designated one of our consultants a Fellow of Information Privacy.
- Comprehensive range of services spanning the data protection spectrum – These can be tailored to your organisation’s needs and strategy and include:
- High level GDPR gap assessment
- Data protection programme management
- Coaching for data protection officers and data protection programme managers
- Advisory services covering:
- Data protection governance and policy
- Subject Access Request (SAR) management
- Data subject rights
- Lawful pathways for processing personal data
- Policies, plans and procedures (including website cookies and privacy statements).
GDPR presents opportunities for companies that manage their data well to grow and exploit new markets, build a more sustainable bottom line and gain an enhanced reputation in the marketplace. But, with sanctions coming into force in May, the clock is ticking!