Comprehensive Data Protection

Navigating the complexities of data protection can be challenging. Our compliance services are designed to simplify this process, helping you achieve and maintain the standards required to protect your organisation and customers.

Data Protection

Compliance with applicable laws and regulations is essential for all organisations that handle data as part of their daily tasks. Interpreting the legal requirements and applying them to your organisation is a complex matter, even more so when operating in multiple jurisdictions. In addition, case law and precedent, in territories where Common Law applies, may complicate matters further.

The ISO 27001:2022 standard makes reference to the protection of Personally Identifiable Information (PII) in control A.5.34, highlighting the importance of compliance within information systems.

Along with the GDPR and its UK counterpart, the UK GDPR, data protection laws and regulations worldwide are increasing: the CCPA in California, the DPDP in India and the PIPL in China have joined existing ones such as COPPA, PIPEDA and HIPAA.

What we do

At Dionach, we take all of the factors mentioned above into consideration, adding any relevant guidance issued by Supervisory Authorities, to assess your current Data Protection practices and provide sound recommendations towards compliance and to enhance your privacy posture.

Dionach can assist with conducting gap analyses and with reviewing and improving internal documentation in terms of policies, processes, procedures, Data Processing Agreements (DPAs), Records of Processing Activities (RoPAs) and Data Protection Impact Assessments (DPIAs). Although good documentation is essential for accountability, we also analyse how design effectiveness translates into operational effectiveness.

Our subject matter experts can also offer guidance on Data Protection tier-based training, management of Data Subject Requests, and the state of the cookie banner and the cookie policy.

Our consultancy services include horizon scanning of Bills and legal drafts before they enter into force, to help your organisation prepare and be proactive.

Need help with Compliance? Talk to our Experts Today!

Data Protection Solutions

ISO 27701 – Privacy Information Management System (PIMS)

The gap assessment is a high-level review of the privacy information management currently in place. ISO 27701 extends the ISO 27001 ISMS with privacy requirements that depend on the role your organisation fulfils, as Data Controller or Data Processor.

During the gap assessment, Dionach will provide an overview of the requirements in these areas, and of any other areas discovered where the requirements of the standard are not in place.

GDPR/UK GDPR Gap Analysis

The gap analysis is a high-level review of the data protection practices currently in place. Dionach experts will assess compliance with the data protection principles at the operational level, reviewing the suite of policies, including the Privacy Policy, Cookie Notice and Cookie Banner, and other documentation such as the Records of Processing Activities (RoPAs).

For entities established in the UK, we can base our report on the ICO’s Accountability Framework, with its ten main areas to cover.

During the gap analysis, Dionach will provide an overview of the requirements in these areas, and of any other areas discovered where the requirements of the GDPR are not in place.

Data Breach Support

When your organisation becomes aware of a data breach, it needs to act promptly and effectively to reduce the potential impact. Dionach experts can offer different types of support during the incident, working within your Incident Response Plan (IRP) or applying best practice in the containment, eradication and recovery phases.

The flow of communications with internal stakeholders and external parties must be restricted to what is necessary, whilst allowing remediation activities.

Dionach experts can help decide whether the data breach should be reported to the Supervisory Authority, and to the data subjects whose personal data has been affected by the incident.

Data Subject Requests

Requests of this type can be made by any individual and range from ‘what personal data do you hold about me?’ to requests for corrections to keep personal data accurate, or demands to cease marketing communications. It is important to understand that not all requests are absolute: some can be rejected on the basis of an overarching lawful basis of processing, or where the requests are manifestly excessive.

Dionach privacy experts can help your organisation discern how to meet the requirements, prepare templates for communications, and devise ways to improve efficiency to meet the target timeframes.

Cross-border Transfers

Transfers of personal data beyond the 27 Member States in the European Union or those countries that have achieved an adequacy decision by the European Commission need to follow Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs) for the transfers to be lawful.

Currently, the mechanism for lawful transfers between the EU and the US is the Privacy Management Framework (PMF), with a bridge between the US and the UK.

Dionach experts can review all relevant documentation, or draft new documents, to ensure that your operations are sound and safe from a data protection perspective.

Data Protection Training

Training, education and awareness programmes can be customised around the needs of your organisation, for specific teams, or delivered on a tier basis, accommodating the different needs of your workforce.

Training modules can be delivered onsite or remotely, and aim to engage the audience interactively and encourage participation. Drawing on Dionach expertise, real-world examples and current supervisory guidance are embedded in the syllabus, using pedagogical methods to impart the information and make the content more memorable.

Documentation on the Spotlight

Some of the documentation that needs to be maintained for data protection compliance can be complex in nature, especially for geographically dispersed organisations handling large volumes of personal data. Dionach experts can assist with the following, either by creating bespoke templates, completing the documentation, or reviewing existing documentation with the aim of ensuring that no deficiencies or oversights exist.


  • Records of Processing Activities (RoPAs): These provide an overview of the data life cycle, from creation, storage, sharing, and processing, to its ultimate destruction. Sometimes, existing Information Asset Registers (IARs) or Data Flow Diagrams (DFDs) can be leveraged to create a thorough RoPA.
  • Data Protection Impact Assessments (DPIAs): Prior to implementing new technologies, or novel uses of existing technologies, conducting extensive profiling, or when the processing may entail risks to the rights and freedoms of individuals, a DPIA triage should be conducted to identify the risks and the mitigating measures. If warranted, a full DPIA would be required.
  • Legitimate Impact Assessments (LIAs): When relying on legitimate interest as the lawful basis of processing, a LIA should be completed, consisting of three tests: the purpose test to identify the legitimate interest, the necessity test to consider necessity and proportionality, and lastly, the balancing test to consider the individual’s interests. The results may lead to a DPIA, in case the risks are high.


HOW WE WORK

We deliver the whole spectrum of cyber security services, from long-term, enterprise-wide strategy and implementation projects to single penetration tests.

Our team works with you to identify and assess your organisation’s vulnerabilities, define enterprise-wide goals, and advise how best to achieve them.

Our recommendations are clear, concise, pragmatic and tailored to your organisation.

Independent, unbiased, personalised – this is how we define our services. We guide you to spend wisely and invest in change efficiently.

Find out how we can help with your cyber challenge


Contact Us

Reach out to one of our cyber experts and we will arrange a call.