The new EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 and impacted every organisation which holds or processes personal data. It introduced new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially higher penalties than those under the previous Data Protection Act (DPA), which it supersedes.
We are committed to addressing the GDPR requirements applicable to us as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures and products. CyberSmart places a high priority on protecting and managing data in accordance with accepted standards such as Cyber Essentials, IASME and ISO 27001. The company has two main areas of focus in preparing for GDPR, overseen by an internal cross-functional team:
- Building on our existing information security management systems and ISO 27001 certification to ensure our own compliance
- Supporting compliance for users of the CyberSmart platform
It is important to recognise that compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.
CyberSmart has a robust ISO-based Information Security Management System (ISMS) and, in order to ensure compliance, will implement additional or augmented company-wide controls within the ISMS to meet GDPR requirements, using internal and external advisors. Led by our internal GDPR team, updated information security policies and procedures have built on existing management systems (including ISO 27001 and IASME) and the foundation of our Information Classification Policy, informed by gap analysis and data protection risk assessments and supported by communication and training programmes.
Compliance has been supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.
CyberSmart’s Data Protection Officer will inform, advise and monitor compliance. The company has implemented tools, as appropriate, that support the process, provide the necessary security and ensure ongoing delivery of objectives.
In many areas, the hosted services provided by CyberSmart already conformed. As data processor, the company undertook risk assessments to include more detailed consideration of the data types we hold and a data protection impact analysis of personal information stored and processed. Policies such as incident response plans and backup data retention have been reviewed and updated.
CyberSmart’s platform was built with security and privacy by design in mind. We perform regular penetration tests and we are also working on a bug bounty program. More information on security can be found here.
All organisations will need to be confident, for example, that personal and transactional data can be located and anonymised or erased, in order to respond to requests to delete, rectify, transfer, access or restrict the processing of data.
Customers should contact their account manager to understand what features are available to enable this, from data cleansing and subject access reports to specific data retrieval and disposal tools. These tools create efficiencies by allowing organisations to locate, anonymise and remove data with minimal administrative effort, and enable a quick and efficient response to information requests.