Big Picture - GDPR across the piece
Getting there – Getting the organisation ready for GDPR
This section sets out how IL7 will help an organisation approach GDPR compliance. As IT security consultants with an emphasis on information assurance and risk management, IL7 proposes to address compliance from the ICT department's perspective. This brief paper gives advice on the steps organisations have to take now and demonstrates IL7's awareness of the regulation and its ability to help.
Already on this site is a paper explaining how working towards, and ideally achieving, ISO/IEC 27001:2013 will help. But it will not go the whole distance. Achieving Cyber Essentials (or CE+) will also take you close. Cyber Essentials addresses technical configuration and establishes a sound baseline security posture; ISO 27001 provides organisational governance, together with policies and procedures based on best practice for when business is running well, and it also ensures processes are in place for when things go wrong. But neither ISO 27001 nor CE+ is enough on its own. For GDPR we need to develop the full picture. If you are not collecting, storing, processing or transferring personal data, the regulation need not apply. But if you are, and particularly if you are using data analytics and profiling personal data, the regulation applies and goes further than the DPA 1998.
In the first instance, conduct a risk assessment of the business: does it have to comply? What will happen if it doesn't? When does it need to comply? Briefly catalogue the main systems and third-party relationships, and for each ask what sort of personal data is processed.