Achieving GDPR Compliance: Episode V

In this post, I update on the goings on since our independent audit in November and the new date in our diaries.

Prelude

I couldn't draw a reference from Star Wars this time, so didn't bother. :) I thought the update wouldn't really miss it. So...

Where are we at?

If you read my December post, you'll remember we had just come through an external audit of our progress towards GDPR compliance come May 25th this year. The audit wasn't particularly stressful, as it was labelled more a 'health check' than anything else. That said, we took it very seriously and made sure that openness and honesty were on the agenda, when questions were asked.

The outcome tl;dr of the process was that we're doing the right things on the whole, doing some really good things in places and have some things we need to apply some effort to.

Pretty good to be fair.

Since then, we've continued with or made improvements to the things we're doing well and shoved more effort into the things we need to focus on:

  • Policies
  • Processes
  • People

Oh, and of course software :)

And so that's what we're doing. We've moved from a position of agreeing what work needs doing, to well into a position of doing the work. I think you can spend a long time talking about this kind of subject and by doing so, you run the risk of leaving yourself with almost no time to actually change anything.

We've made every effort to avoid this, mostly by getting key decisions made and then securing the resources (and let's face it, I mean folks) to get on with things.

So, we've got action! People are writing (or rewriting) policies and processes; people are crafting mechanisms by which we'll meet our requirements around consent; we've got people looking at ensuring that our systems aren't hanging onto personal data for longer than we have a legitimate reason to do so. Oh, and we have people working to ensure that everything is trained / rolled out to the wider business as is necessary.

It's all happening. We're on the right track.

A little conjecture

Some of this is speculation, but I don't think it's far off the mark.

When TalkTalk got its dubious time in the infosec sunshine back in 2015, along with Carphone Warehouse, the feeling in the industry was that both the UK Government and the data protection authority would begin to turn their attention towards communication providers and ISPs.

So, at an ISPA summit in 2016, the UK's Information Commissioner's Office was represented and effectively gave a clear indication that this was the case.

And so it came as no surprise when we were invited to accept an offer to be audited by the ICO, ahead of compliance deadline day. It wasn't an optional invite.

What next?

On February 21st, the ICO will rock up at our firm and carry out a two day audit, covering the following topics:

  • Governance and risk management
  • Managing third-party suppliers
  • Monitoring, auditing and testing
  • Business continuity
  • Data breach reporting, monitoring and management
  • System access
  • Physical security

A pretty hefty agenda, but also one that is generally based on overall information security, rather than specifically targeted at data protection and / or privacy. My thinking is that if we're / you're doing the above things properly, then data is being processed properly and responsibly (and legally!).

Conclusion

As I've written about in previous posts, we're fairly experienced in the audit space (ISO27001, 9001, 14001, etc), so we go into this one with the ICO feeling reasonably well prepared. Even relaxed! After all, it's about being open when asked and letting the experience of an independent assessor tell us where we're doing it right, but also and crucially where we can do better.

We'll learn and grow as a business from the experience, either way. It's all good.

I'll post again, once the audit is done and we have our assessment.