Governance, Risk and Compliance (GRC)

General Data Protection Regulation (GDPR)

Cipher provides an array of General Data Protection Regulation (GDPR) assessment and consulting services to help customers gain a holistic view of their state of compliance.


Companies and public bodies must comply with the GDPR if they process the personal data of individuals in the EU in the context of offering goods or services to them; the UK applies a near-identical UK GDPR after Brexit.
If your organization is established outside the EU but offers goods or services to, or monitors the behavior of, data subjects in the EU, the GDPR still applies to that processing.


The GDPR requires organizations to understand what data assets they hold and which of that data poses a risk to the organization and, most importantly, to its data subjects. Building that understanding is a job for people, processes, and technology together; those three areas provide the situational awareness needed to prevent, detect, and respond to threats.
The GDPR requires that organizations continuously protect EU data subjects and their privacy using a holistic combination of people, processes, and technology. A comprehensive governance strategy and the right security technologies are the foundation for maintaining GDPR compliance. Failure to comply can result in administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher (Article 83), as well as reputational damage.

Cipher GDPR Services help you with:

Awareness Workshops

Cipher provides consultative awareness workshops designed to give you a better understanding of data privacy and GDPR.

Employers need to convey the importance of data privacy to employees, along with the high-level risks associated with non-compliance. Employees come to understand that impact through consistent, mandated policies and procedures. It is also important to train employees on how to field and respond to subject access requests and on the procedures for disclosures: every employee should know how to handle a call from a customer asking for their personal data, including verifying the requester's identity before anything is disclosed.

Data Discovery

Cipher provides a consultant led data discovery exercise across your organization to produce an extensive and up to date register of your organization’s data processing activities.

Organizations impacted by the GDPR must focus first on data mapping and discovery. Many organizations do not know what personal data they hold or which of it could be targeted by attackers in a breach. For GDPR compliance, it is critical that your security and privacy teams can answer these questions. A data mapping exercise shows how data is used and who has access to it.
The accompanying diagram illustrates an example of the graphical output of Data Process Flow Mapping. The report also addresses the following questions:


  • Has transparent disclosure been given, and has demonstrable (recorded) consent or another lawful basis for processing been established?
  • Is the data encrypted in transit?
  • Is the data transferred outside the EU/EEA, triggering the GDPR's international transfer rules (Chapter V)?
  • Is the data encrypted at rest?
  • Which third-party processors are involved, and are their responsibilities documented in contracts?
  • What assets are used for collection, processing and storage?
  • Which data elements are collected for each business use case (a data element catalog)?
  • Who receives copies of the data, or processed results derived from the data?

[Diagram: GDPR Data Process Flow Mapping]
Interviewee                        | Interview Goal                                                        | Control Area
-----------------------------------|-----------------------------------------------------------------------|--------------------------
Legal Employee(s)                  | Decide if we need a Data Protection Officer (DPO)                     | Governance
Human Resources Employee(s)        | Training of all employees                                             | Awareness
CISO or Senior Security Person(s)  | Obtain data privacy and protection documentation and disseminate      | Policies and Procedures
Designated DPO                     | Documented ability to handle SARs                                     | Data Subject Management
Legal                              | Understand contractual matters                                        | Third Parties
IT / Cybersecurity                 | Assess data processes, risk measurement, DPIA                         | Risk Management
IT / Cybersecurity                 | Understand how the data is protected                                  | Security
IT / Cybersecurity                 | Continuous monitoring and documented Incident Response                | Incident Management
C-Suite                            | Plan ongoing actions, asset inventories, access and controls audits   | Compliance

Privacy Maturity Assessment

Cipher is committed to helping organizations comply with the EU General Data Protection Regulation, in force since 25 May 2018, and with any future updates to the regulation as they are released.

We will assess your data privacy risks and measure your privacy controls against the GDPR. The result is an executive-level report that allows you to demonstrate the need for any additional security and compliance investments. Cipher organizes the GDPR's 99 Articles and their corresponding control items into 9 control areas. The analysis is largely interview-based; the interview table above summarizes what is covered and whose participation is desired.

Privacy Impact Assessment

Cipher provides experienced consultants to assist in establishing the appropriate policies, procedures and systems to enable “privacy by design”.

Cipher will perform impact assessments to help your organization integrate privacy by design into project lifecycles. In the course of discovering all business processes that handle personal data, Cipher will evaluate each business use case against 25 aspects of business process design, such as:
  • How is the data collected, and by whom?
  • Exactly what data elements are being collected?
  • What assets are used to store and process the data?
  • Is the data encrypted in transit and at rest?
  • If email is used to collect data, is the data allowed to reside in mailboxes, on local user drives, or unprotected network shares?
  • Is the data transferred outside the EU/EEA, and if so under what transfer mechanism?
  • Are third-party data processors involved? Are your GDPR handling requirements documented in contracts with them?

Managed Services to Support GDPR Compliance

Cipher offers 24x7x365 breach monitoring, detection, and alerting through its highly accredited global Security Operations Centers.

Cipher can arm you with customized governance strategies and cutting-edge security technologies to speed up your GDPR readiness. The GDPR requires security measures appropriate to the risk (Article 32) and notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it (Article 33), which is only achievable with continuous monitoring, detection, and alerting. A formal process for monitoring and reporting security incidents involving personal data is therefore a must.

Other Privacy Regulations

Cipher can provide helpful guidance to comply with different privacy regulations around the world.

Although the GDPR is one of the most wide-reaching privacy regulations in the world, other governments have their own. In California, the California Consumer Privacy Act (CCPA) sets out obligations for companies handling residents' personal information. Brazil has a regulation modeled closely on the GDPR, the Lei Geral de Proteção de Dados (LGPD), its General Data Protection Law. Cipher can consult and advise on these and other privacy regulations.