General Data Protection Regulation (GDPR)
Cipher provides an array of General Data Protection Regulation (GDPR) assessment and consulting services to help customers gain a holistic view of their state of compliance.
Companies and governments need to comply with GDPR if they process personal data in the context of selling products or services to citizens of EU countries, as well as the UK.
If your company operates outside the EU but offers products and services to, or even monitors the behavior of, EU data subjects, you will need to comply with GDPR.
The GDPR requires organizations to understand what data assets they have and what data poses a risk to the organization and, most importantly, to its data subjects. The work of understanding an organization’s data assets is done using people, processes, and technology. These three areas provide the situational awareness needed for the prevention of, detection of, and response to threats.
GDPR requires that organizations continuously protect EU data subjects and their privacy using a holistic combination of people, processes, and technology. A comprehensive governance strategy and the right security technologies are ideal for maintaining GDPR compliance. Failure to comply with GDPR can result in fines and bad publicity.
Cipher provides a consultant-led data discovery exercise across your organization to produce an extensive and up-to-date register of your organization’s data processing activities.
Organizations impacted by the GDPR must focus first on data mapping and discovery. Many organizations do not know what data they have or what data could be targeted by attackers in a breach. For GDPR compliance, it is critical that your security and privacy teams know the answers to these questions. A data mapping exercise helps you answer the key questions of how data is used and who has access to it.
The diagram to the right illustrates an example of the graphical output of Data Process Flow Mapping. The report also addresses the following questions:
- Has transparent disclosure been given, and reportable consent received?
- Is the data encrypted in transmission?
- Is the data transmitted across EU country borders?
- Is the data encrypted at rest?
- What third party processors are involved, and are their responsibilities documented in contracts?
- What assets are used for collection, processing and storage?
- What data elements are cataloged for each business use-case?
- Who receives copies of the data, or processed results from the data?
| Interviewee | Interview Goal | Control Area |
|---|---|---|
| Legal Employee(s) | Decide if we need a Data Protection Officer (DPO) | Governance |
| Human Resources Employee(s) | Training of all employees | Awareness |
| CISO or Senior Security | Obtain data privacy and protection documentation and disseminate | Policies and Procedures |
| Person(s) Designated DPO | Documented ability to handle SARs | Data Subject Management |
| Legal | Understand contractual matters | Third Parties |
| IT / Cybersecurity | Assess data process, risk measurement, DPIA | Risk Management |
| IT / Cybersecurity | Understand how the data is protected | Security |
| IT / Cybersecurity | Continuous monitoring and documented Incident Response | Incident Management |
| C-Suite | Plan ongoing actions, asset inventories, access and controls audits | Compliance |
Privacy Maturity Assessment
Cipher is committed to helping organizations better prepare for compliance with the upcoming EU General Data Protection Regulation, and any future updates to the regulation as released.
We will assess your data privacy risks and measure your privacy controls against the GDPR. The result is an executive-level report that allows you to demonstrate the need for any additional security and compliance investments. Cipher organizes the GDPR’s 99 Articles and corresponding control items into 9 control areas. The analysis is largely interview-based. A summary of what is covered and whose participation is desired is on the left.
Privacy Impact Assessment
Cipher provides experienced consultants to assist in establishing the appropriate policies, procedures and systems to enable “privacy by design”.
Cipher will perform impact assessments to help your organization integrate privacy by design into project lifecycles. In the course of discovering all business processes that handle personal privacy information, Cipher will evaluate each business use-case against 25 aspects of business process design, such as:
- How is the data collected, and by whom?
- Exactly what data elements are being collected?
- What assets are used to store and process the data?
- Is the data encrypted in transit and at rest?
- If email is used to collect data, is the data allowed to reside in mailboxes, on local user drives, or unprotected network shares?
- Does the data get transmitted across EU country borders?
- Are there third party Data Processors involved? Are your GDPR handling requirements documented in contracts with them?