GDPR 2018 Small Business Assessment

GDPR 2018 Small Business Assessment

Learn More

GDPR Overview

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The General Data Protection Regulation (GDPR) is likely to impact, in particular, smaller companies as a recent study shows that 82% of SME's are unaware of the new legislation, and will potentially be hit with large fines when it starts being enforced from next year - 2019.

GDPR - General Data Protection Regulation, 2018

Through the GDPR, the EU recognises:

1. The right to private life as a universal human right and

2. The right to have one’s personal data safeguarded as a distinct, standalone universal human right.

It is by attaching rights to an individual’s data separately to the right attached to an individual, that the EU can demand EU-grade data protection standards on businesses in other countries. The legal onus is on businesses to determine if they fall within the GDPR’s confines, asking these three simple questions:

1. Is your business based in the EU?

2. Does your company handle data concerning EU-based individuals?

3. Does your organisation do any kind of business with companies to which Questions1 or 2 apply?

4. If you answered ‘yes’ to any of the three above questions, it is most likely that your company is within extent of the GDPR. Unless you are confident your existing data handling procedures are already compliant with this new regulation, this means action needs to be taken now to prepare for the 2018 deadline.

5. There have been a lot of headlines in the press about the possibility of EU swingeing fines, and GDPR is frequently portrayed as the new corporate villain-of-the-peace. It is somewhat true these fears are not entirely without foundation. A two-tier sanctions regime will apply. Breaches of the law could lead to fines of up to €20 million, or 4% of a company's global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs.

6. However, frightening rumours are not a constructive approach. The fortunate news is that correct implementation of the GDPR will not only ensure compliance and mitigate the risk of fines but, more importantly, will give conforming businesses a competitive advantage. That is why Hazard 360 Ltd encourages all companies consider GDPR to be a central plank of their business strategy.

Hazard 360 ltd can provide your company with an Analysis, which gives a complete assessment of your current state of compliance and identify areas in need of improvement. For further information contact alan.smith@hazard360ltd.com

What is GDPR (General Data Protection Regulations)?

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. Current Data Protection law has changed as of the 25th May 2018, and organisations are required to be compliant with the new General Data Protection Regulation (GDPR).

The GDPR will replace all the existing data protection laws across Europe, and shape the way in which companies handle, protect and profit from data. All businesses, and not-for-profit organizations that process personal data concerning employees, customers or prospects who are in the EU and/or are EU citizens fall within its scope, wherever in the world the company is based and even if the data is processed outside the EU.

In other words, European data protection law will now apply worldwide, and businesses have until 25 May 2018 to prepare. Hazard 360 Ltd can help you make a smooth transition into GDPR compliance. With our assistance, you can reduce potential risks with a comprehensive GDPR approach and avoid fines, which can equal as much as two-to-four percent of your global revenue.

Who does it Affect?

The regulation must be followed by every organisation that processes personal data of European Union citizens.

The GDPR considers ‘processing’ as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The GDPR considers ‘personal data’ as any information that could be used, on its own or in conjunction with other data, to identify an individual.

What it Signifies

It means that any organisation – whether a private business or public authority – that collects, stores or shares ‘identifying’ data on European citizens will need to comply with the GDPR by May 2018.

It doesn’t matter whether that organisation is located within the EU or not, or if the data processing itself takes place outside of the EU, or if it is conducted by third parties. If you are responsible for the processing of data of EU citizens you need to comply, it is now a legal requirement.

Remember to embed privacy into your operation
This is the only sustainable way to ensure compliance on an ongoing basis. GDPR is here and will be for the foreseeable future, even after BREXIT.

GDPR Compliance Services

Investigatory:

Step 1: GDPR Briefing Presentation

Step 2: Carry out GDPR compliance gap analysis assessment

Step 3: Report on Gap Analysis findings

Step 4: Produce Scoping Document

Step 5: Present Quotation

Step 6: Terms and Conditions Agreed

GDPR Compliance Structure

Develop and Construct GDPR Compliance Manual - Implement GDPR Compliance Requirements

Section 1: Formulate Project Plan Elements

  1. Project Initiation Document
  2. Work Base Structure – Project Plan
  3. Formulate GDPR Document Log
  4. Compliance Evidence Record
  5. Minutes of Meetings
  6. Compliance Evidence Record
  7. Meeting Minutes Template
  8. GDPR Gap Analysis Assessment Tool – Risk Mapping Profile

Section 2: GDPR Roles, Responsibilities, Awareness and Training Elements

  1. Roles and Responsibilities
  2. Competence Development Procedures
  3. GDPR Competence Development Questionnaire
  4. Communication Programme
  5. Information Security Awareness Training
  6. GDPR Awareness Training Presentation

Section 3: Personal Data Analysis Protocols Elements

  1. Personal Data Procedure
  2. Legitimate Interest Assessment Procedure
  3. Record of Processing Activities
  4. Personal Data Analysis
  5. Personal Data Analysis Diagram
  6. Personal Data Initial Questionnaire
  7. Legitimate Interest Assessment Form

Section 4: Privacy Policies and Notices

  1. Record Retention and Protection Policy
  2. Data Protection Policy
  3. Privacy Notice Procedure
  4. Website Privacy policy
  5. Data Subject - Privacy Notice Planning
  6. Data Subject Consent Request form
  7. Privacy Notice Planning Form – Other Source

Section 5: Data Subjects Rights

  1. Data Subject Request Procedure
  2. Data Subject Request Register
  3. Data Subject Request form

Section 6: GDPR – Data Controllers and Processors

  1. GDPR Controller – Processor Agency Agreement
  2. Supplier – GDPR Assessment Procedure
  3. Processor Security Controls
  4. GDPR Readiness Statement
  5. GDPR Letter to Processors
  6. GDPR Contract Review Tool
  7. Supplier GDPR Assessment Form
  8. Processor Employee Confidentiality Agreement
  9. GDPR Readiness Checklist
  10. Data Processing Agreement

Section 7: Data Protection Impact Assessment

  1. Data Protection Impact Assessment Process
  2. Data Protection Impact Assessment Tool
  3. Data Protection Impact Assessment Questionnaire
  4. Data Protection Impact Assessment Report

Section 8: International Data Transfers

  1. Procedure for International Transfers of Personal Data

 Section 9: Personal Data Breach Management

  1. Information Security Incident Response Procedure
  2. Personal Data Breach Notification Procedure
  3. Personal Data Breach Register
  4. Personal Data Breach Notification Form
  5. Personal Data Breach Notification Letter to Data Subject

Section 10: Information Security Policies

  1. Information Security Policy
  2. Mobile Device Policy
  3. Access Control Policy
  4. Cryptographic Policy
  5. Physical Security Policy
  6. Anti – Malware Policy
  7. Network Security Policy
  8. Electronic Messaging Policy
  9. Cloud Computing Policy
  10. Acceptable Use Policy