Protecting personal data through logical and secure mapping. Acuity understands that identifying where data moves within the organisation, and how it is shared with others, is key.
Since the General Data Protection Regulation (GDPR) came into force, Acuity have been helping clients with the mapping of their personal data types across the business, with a view to identifying the relationship the business has with that data, either as an internal controller or processor.
Our team offer an in-depth understanding of how and why personal data is accepted into the business, along with the treatment of that personal data throughout the business once it’s received.
The spirit of the General Data Protection Regulation (GDPR) is the protection of personal data of a natural person.
GDPR focuses on providing both privacy and protection of personal data. Whilst the majority of the market focuses on the former via legal policy and audit of legacy data, the Acuity Compliance Management System (ACMS) ensures that both aims are addressed, avoiding the potential risk of negligence. We ensure that the administrative control requirements of GDPR, including security, are met by delivering immediate, sustainable change based upon an ICO approved ISO27001 information security platform.
GDPR requires the mapping of personal data types across the business with a view to identifying the relationship the business has with that data, either as internal controller or processor. This will provide an in-depth understanding of how and why personal data is accepted into the business and the treatment of that personal data throughout the business once it is received.
Our data mapping will identify the logical and physical containers. It will also identify where the data moves within the organisation, and whether or not it is shared with others.
Risks arise in three pillars:
Addressed by an organisation's alignment to ISO27001 good practice guidance. ISO27001 will establish up to 114 controls that will protect the information that resides in the logical and physical containers. That programme may need to be uplifted where specific GDPR requirements exceed those of the ISO27001 controls.
Approached by a mapping exercise of the GDPR requirements. This will enable you to identify the articles, defined by recitals, and where fines are specifically associated with recitals. This will help you to prioritise which procedures need to be addressed first.
These will ensure the protection of the data and the mitigation of fines under the GDPR. Once all procedures for the pillars of risk are written, you will be able to leverage the ISO27001 framework and establish an Enterprise Risk Management (ERM) inclusion for the board.
Complete your Privacy Impact Assessments (PIA), which will define the ‘Value’ of the personal data you are holding. Integrate the PIAs into a Data Protection Impact Assessment (DPIA), which will help define the overall risks and the assignment of Controls / Procedures.
GDPR obligations continue after May 2018. It is right to keep raising the budgeting challenge, as ongoing compliance may require administrative procedures that support your business-as-usual needs.
Key risks in terms of resource relate especially to your supply chain and regional offices. The work involved in reviewing supplier agreements and ensuring the security of your data once it has been shared will be extensive.