GDPR

The General Data Protection Regulation (GDPR) represents the most important data protection regulation change in 20 years.

GDPR Consultancy

The GDPR, or General Data Protection Regulation, came into force in May 2018 and sets guidelines for the gathering, storage and use of personal data by businesses and public bodies. The knee-jerk reaction of most businesses dealing with personal data has been to purge their marketing databases and any records of personal data out of fear of prosecution.

Texaport work with clients around GDPR compliance, liaising with legal advisors to provide the most accurate guidance. While the GDPR introduces a new set of regulations, it mostly builds on the Data Protection Act 1998, which businesses already had to comply with; for businesses that were already working within the scope of that Act, the GDPR has not required a great deal of change.

For businesses unfamiliar with Data Protection or bewildered by the volume of information concerning GDPR, Texaport offers a wide range of support.

Our standard process around Cyber Security is a five-step process, preceded by an informal chat with our Data Protection guru.

72 Hours

When a company identifies a breach of any personally identifiable information it controls or processes, it has 72 hours to inform the ICO and the data subjects affected.

Identifying and Reporting

Does your business have a procedure for verifying the security of your data, particularly Personal Data? Does your business have a documented process to prove your ability to comply?

Security by Design

The basic principle of the GDPR is that the security of Personally Identifiable Information should be considered at the start of, and at the core of, business processes.

Not an Afterthought

The GDPR highlights the need to operate with security as the default state, forcing non-compliance to be identifiable and outside of normal operating procedures.

Subject Access Request

Individuals have the right to request access to the information held about them. This must be made available in a "portable" format for them.

Portability

Companies have 30 days to provide an individual with a copy of the data held about them, including emails and personnel records. This should be in a format which they can transfer to another party.

GDPR FAQs

Some key questions which we encounter regularly about GDPR and Personal Data.

What is GDPR?

The GDPR is a new European law and set of rules which are intended to give individuals more control over their personally identifiable information. This includes your name, address, credit card number, date of birth, religion and more. Any company that stores and/or uses this information for marketing, payroll or any other purpose has to comply with these rules.

What Constitutes Personal Data?

PII or Personally Identifiable Information is defined in the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

What Is the Penalty for Non-Compliance?

The maximum fine is €20 million or 4% of “worldwide turnover”, whichever is greater.

The scale of the fine depends on the extent and impact of the error or breach.

Is My Business Compliant?

Unless you have taken on specialist help in data protection there is a good chance that you will not be compliant with the GDPR.

Where Is My Data Stored?

This is an important question, and you are entitled to an answer to it from all of your suppliers. These storage locations will be subject to the same regulations as the companies who have requested or use your information.

Do I Need to Buy New Hardware?

The main implications of GDPR are policy, process and software based. Hardware becomes a factor when newer, more secure software has been released which the existing hardware cannot run. If that software patches vulnerabilities in your systems or prevents the compromise of personal data, your outdated hardware could cost you €20 million.

Where Can I Find Out More?

The full text of the GDPR can be found here.

Or you can go through our process below.

Our Process

  • Scope
  • Audit
  • Report
  • Implement
  • Review

GDPR Scoping

The General Data Protection Regulation concerns Personally Identifiable Information, or PII, and the gathering, storage and use of this by businesses and public bodies. When considering liability for personal data, or vulnerability to prosecution, businesses first need to identify their processes, procedures and need for data. Texaport work with clients to complete detailed “Data Scoping” documents which help to identify, locate and “map out” Personally Identifiable Information throughout the organisation. This data can take many forms and be scattered throughout the organisation, so completing the scoping will involve a cross-department approach. Once data has been scoped throughout the organisation, Texaport can work with clients to ensure compliance with the regulations.

Hardware Scoping

Texaport provide a “Hardware Scoping” document to Clients which should be completed with all company assets including (but not limited to):

  • End-Points (PCs, Macs, Laptops, Desktops etc)
  • Servers
  • Network Infrastructure (Switches, Routers, Firewalls)

This will allow Texaport to accurately project the time and effort required to audit the client’s physical assets against Cyber Essentials, IASME and GDPR governance standards during the Audit phase.

Data Scoping

Texaport provide a “Data Scoping” document to Clients which should be completed with all company information assets including (but not limited to):

  • Supplier Data
  • Client Data
  • Employee Data

An alternative to the data scoping document could be an up-to-date “Information Asset Register”.

This will allow Texaport to accurately project the time and effort required to audit the client’s information assets against Cyber Essentials, IASME and GDPR governance standards during the Audit phase.

Service Scoping

Texaport provide a “Service Scoping” document to Clients which should be completed with all the services used by the company including (but not limited to):

  • Line of Business Software
  • Microsoft Office
  • Accounting Package
  • File Storage
  • Access Control
  • Security Software

These services can be used to control or process the data held by clients; this can include financial data, client history, personal data, email communications and other sensitive data.

Access Scoping

Texaport provide an “Access Scoping” document to Clients which should be completed with all users’ access levels to each system and service used by the company including (but not limited to):

  • Line of Business Software
  • File Storage
  • Cloud Software
  • Accounts
  • Social Media
  • Marketing software
  • Client Services

Users should only have access to the systems and “privilege” levels which are required to perform their job. Administrator access should be limited, and avoided where possible, to prevent irreversible changes and unrestricted access to company data and devices.

GDPR Audit

Much like a financial audit, where an auditor would investigate the accounts, inventory and processes of an organisation to ensure compliance and correctness, a Texaport audit will look into the technical capacity of the organisation in relation to GDPR.

Texaport follows a loose process which allows the investigation to be flexible for each client, working from the “outside” of the organisation going “in”.

Initial Analysis

External Analysis

Texaport’s initial testing and analysis of the client estate is performed at the periphery of the technical controls deployed to secure the estate and its communications.

Texaport’s Penetration Testing tools are deployed to identify external visibility and vulnerabilities of the client network and connected devices.

This will assist in providing a detailed examination of the security standing of clients, particularly in respect of data.

To minimise business risk clients should be taking a multi-layered approach to security including:

  • Gateway Protection
  • End Point Protection
  • Disabling vulnerable ports
  • User Education
  • Anti-Malware/Anti-Virus
  • Regular off-site backup of data

Internal Analysis

Normally following the “External Analysis”, Texaport’s internal analysis will identify any vulnerabilities or pathways behind the outer layer, in order to visualise the impact of a compromised network.

Texaport deploys vulnerability scanning agents to identify:

  • Assets
  • Users
  • Group Policies
  • Network Architecture
  • Ports

Other details, assets and processes will be outlined in this analysis. Non-conformances with the initial scoping documents will be noted and brought up with the client to verify the rationale, awareness and/or knowledge of the discrepancy.

In-Depth Auditing

File Audit

Texaport will require access to the file storage systems used by the client to evaluate the integrity and security of the structure. This will include assessing permission-based restrictions, data classifications and security measures currently in place.

Business Continuity measures will also be verified at this point along with the policy and processes used.

User Audit

Texaport will work with a sample of users throughout various business areas to identify awareness and processes used.

Texaport recommends regular user training and awareness of risks to data, hardware and business functions.

Application Audit

Texaport will use the information gathered during the infrastructure analysis and user audit to identify applications present and used on individual machines and in key business areas.

IT Management policies will be identified and verified including application management and lifecycles.

Third Party Audit

Where services are provided by third parties in respect of connectivity, applications, data management or hardware support, Texaport will require direct lines of communication to identify any potential vulnerabilities and improvements.

A key component of compliance is the security and management of the entire supply chain, which ensures the ongoing integrity of data, processes and systems.

Legal, Regulatory and Policy Audit

Texaport will work with the Stakeholders to locate key operational policies related to the management and protection of data, both personal and confidential. Employees and customers should be aware of these policies and this will be verified with employees during the “User Audit” to ensure compliance, and any non-conformances will be recorded and reported on.

Texaport will advise Clients about standard locations and invocations of data protection statements and disclaimers. Areas to consider would be:

  • Employee Contracts
  • Supplier Contracts
  • Customer Contracts
  • Website Statements
  • Data Categorisation
  • Information Asset Register
  • Consideration of Processor/Controller relationship in ALL contracts.
  • Subject Access Requests
  • Right to be forgotten

Process Audit

Texaport will work with the Stakeholders to identify key operational processes which involve data, both personal and confidential. These processes will be verified with employees during the “User Audit” to ensure compliance, and any non-conformances will be recorded and reported on.

Processes which WILL need to be implemented include:

  • Subject Access Requests
  • Secure Configurations
  • Change Management
  • Patching Process
  • Supplier Vetting
  • Privacy Impact Assessments
  • Incident Management
  • ICO Reporting
  • Business Continuity

Risk Assessment

Texaport will compile the results of the preceding audits into a Risk Assessment document for Clients, which will be incorporated into the resulting report.

The risk assessment is an important component for ISO, IASME and GDPR conformance and will provide a “baseline” to work from and update on a regular basis.

GDPR Reports

Texaport ensure clients receive the information they require as effectively as possible. During a project or support enquiry, information will be provided in small chunks as it becomes available. However, for larger projects and implementations such as GDPR compliance, Texaport condense the information into reports for clients, consolidating and clarifying the information in a convenient digest following the scoping and audit phases.

Rationale

All Texaport reports are prefaced with an explanation of the rationale or requirement for the report. Typically the report has been produced at the behest of the client, or details an unprecedented incident.

For GDPR reporting, Texaport will highlight the requirements and key points of the Regulation and the extent to which the client has been audited against them.

Findings

The Findings section presents the information discovered during the scoping and auditing phases of the GDPR compliance project in a clear, concise manner, with additional details made available on request.

These findings can sometimes be lengthy and complicated to break down; however, they will be addressed again in the “Recommendations” section.

Recommendations

Understanding why you are looking into your data protection posture, and going through the findings of the scoping and audit phases, can leave some organisations in a more confident position, aware of their strengths and weaknesses in GDPR compliance.

Other clients may require assistance with improving their data protection posture. For this, Texaport provide Recommendations to address any vulnerabilities, or improvements which can be made, within the client’s IT estate.

Summary

Combining the information of the Findings and Recommendations sections and returning to address the Rationale section, the Summary is a succinct digest and overview of the information presented in the report.

Next steps will be advised at this point.

Post Report

Following the fully detailed report from Texaport, it is advisable that there is a discussion around the findings and recommendations.

Clients will be able to raise concerns and questions about the report as well as decide on the next course of action for both parties.

Typically this is an implementation of some or all of the recommendations of the report.

GDPR Implementation

Implementations in relation to Cyber Security will normally follow the report phase, where the client will decide on the course of action and the security posture to be achieved. Outside of this process, Texaport can implement Cyber Security changes for clients as a stand-alone project or as an element of our “Holistic Security” package.

The implementation phase is the core of compliance, as any non-conformances discovered during the audit phase will have recommended actions to rectify them.

Implementation of Cyber Security recommendations

These elements can require third-party and inter-departmental action, including:

  • Policies
  • Software deployment
  • Hardware Upgrades
  • Legal Disclaimers
  • Processes
  • Technical Engineering

Hardware Upgrades

Texaport advises clients to implement a “rolling replacement” cycle in their organisations to anticipate refresh cycles and prepare budgets accordingly.

Where this has not been implemented previously, it can be highlighted during the Cyber Security process, leading to required hardware upgrades, replacements or refreshes.

Software Deployment

Most Cyber Security engagements with Texaport will result in one or more software agents being deployed on client machines for compliance, security or reinforcement of policies.

The most common software deployment is for anti-malware or password management software to secure client devices and access to services containing Personally Identifiable Information.

Policy Work

One of the biggest weaknesses in clients’ security posture can be their employees and policies. Ensuring that companies have the required policies in place throughout the business is important for Cyber Essentials and GDPR compliance.

Common policies we have assisted in implementing are Acceptable IT Use and Privacy policies.

Disclaimers and Statements

Some policies require additional disclaimers or statements to be made publicly by the company, such as the Privacy policy, which clarifies the company’s position in relation to Personally Identifiable Information under the GDPR.

Texaport work with clients’ HR and Legal teams or third parties to ensure a consistent, acceptable approach to these.

Process Work

Deciding on company policies and making public statements on the company’s position are essential in many cases, but they are worthless if the organisation does not reinforce its policies with processes.

Processes will also help clients adhere to the standards which they have achieved or are working towards, providing a clear step by step guide for employees, contractors and third-party organisations.

Technical Engineering

Alongside purchases and implementations, policy work and processes, an element of technical engineering is usually required to achieve compliance and improve the Data Protection and Cyber Security posture of a client organisation.

This could be locking down user access, securing the network and company services or more technical work depending on the recommendations of the report.

GDPR Review

Texaport completes GDPR Compliance projects by comparing the implemented actions with the report recommendations and audit findings.

The review process is similar to the previous audit process, but is completed much more quickly as it is for verification and “error checking”, to ensure that the required actions have been carried out and that the client’s security posture has been improved.

Where clients are re-certifying against previously attained compliance which was supported by Texaport, the review phase commonly forms the “scoping” element of the subsequent project.

Review of Cyber Security Measures

External Review

Texaport’s review testing and analysis of the client estate is performed at the periphery of the technical controls deployed to secure the estate and its communications.

Texaport’s Penetration Testing tools are deployed to confirm that changes have limited external visibility and mitigated vulnerabilities of the client network and connected devices as agreed with the client.

Internal Review

Following the “External Review”, Texaport’s internal review will verify that action has been taken to mitigate vulnerabilities and secure pathways behind the outer layer, preventing compromise of the corporate network.

Non-conformances with the implementations and recommendations will be noted and brought up with the client to verify the rationale, awareness and/or knowledge of the discrepancy.

In-Depth Review

File Review

Texaport will review access control to the file storage systems used by the client to ensure the integrity and security of the structure. Texaport’s assessor will verify the permission-based restrictions, data classifications and security measures enforced or implemented by Texaport.

Business Continuity measures will also be verified at this point along with the policy and processes implemented and already in place.

User Review

Texaport will refer to the initial audit’s sample of users throughout various business areas to verify actions have been implemented to secure access and users.

Following this, Texaport recommends regular user training and awareness of risks to data, hardware and business functions.

Application Review

Texaport will refer to the information gathered during the infrastructure review and user review to verify the security and control of applications present and used on individual machines and in key business areas.

IT Management policies will be verified and referenced including application management and lifecycles.

Third Party Review

Where services are provided by third parties in respect of connectivity, applications, data management or hardware support, Texaport will ensure any potential vulnerabilities and improvements have been addressed and/or mitigated to an acceptable level, as agreed.

Legal, Regulatory and Policy Review

Texaport will work with the Stakeholders to verify key operational policies related to the management and protection of data, both personal and confidential. Texaport will ensure that the client has made employees and customers aware of these policies to ensure compliance.

Process Review

Texaport will work with the Stakeholders to verify key operational processes which involve data, both personal and confidential. These processes will be verified with employees during the “User Audit” to ensure compliance.

GDPR Compliance Affirmation

During our review phase we will have gathered sufficient information, implemented the changes required and worked with the relevant areas of, users in and suppliers to the business to provide an assurance certificate from IASME (Information Assurance for Small to Medium Enterprises). This provides peace of mind and confidence to clients seeking to confirm compliance with the GDPR.

Risk Assessment

Texaport will compile the results of the preceding reviews into a dated Risk Assessment document for Clients, which will form the basis of any subsequent scoping documents.
