Complacency Could be the Downfall to Organisations Effectively Achieving GDPR Compliance
Thursday, April 6, 2017
New Services from NTT Security to help organisations to build the right GDPR programme for their business
Businesses are falling into traps of complacency when it comes to preparing for the upcoming General Data Protection Regulation (GDPR). This is according to NTT Security, the specialized security company of NTT Group, which has launched a comprehensive portfolio of GDPR services* in the UK for organisations looking for clarity about their current readiness.
The stark truth is that businesses are still unsure on the actions needed to ensure full compliance ahead of the 25th May 2018 deadline. Some have proactively implemented programmes, yet found that gaps still exist, leaving them vulnerable to fines of up to €20 million or 4% of annual global turnover – whichever is higher.
“Complacency could well become an organisation's new enemy,” said Rob Bickmore, Principal Security Consultant at NTT Security. “Businesses know that GDPR is fast approaching, but there is uncertainty as to what specifically is required and where the focus needs to be. Our comprehensive range of GDPR services fills the gaps and translates GDPR into a language that everyone, from the top down, will understand and be able to act upon.”
Some of the most common complacency traps include misconceptions that:
- ISO27001 is enough to cover GDPR.
  - Implementation of controls aligned to this certification is a great start, but they are only part of the bigger picture.
- The same exercise has already been done when planning for PCI DSS.
  - Any controls implemented for PCI DSS will need to be extended to include Personally Identifiable Information (PII), which even then is only part of the GDPR requirements.
- The organisation’s GDPR programme is being handled by the legal or IT team.
  - GDPR compliance is actually everyone’s responsibility. It should not be left to one team – legal, IT, HR and other business functions must all be involved, with visible support from the executive level.
- It is not the organisation’s problem because they have outsourced all data processing to a third party.
  - Processors are indeed liable for protecting PII under the GDPR, but the responsibility is still on the data controller to ensure processors implement ‘technical and organisational measures’ to protect the information.
Through its GDPR services, NTT Security can provide an in-depth assessment to help organisations determine the adequacy of their existing programme. Its team of experts can also provide a gap analysis of planned and implemented GDPR mitigations and a prioritised roadmap of remediation activities, as well as identify recommended additional activities.
Rob Bickmore adds: “A successful GDPR programme has sustainable compliance at its heart. The benefits of getting to grips with the requirements of the regulation and using it to improve an organisation’s overall operational and information security processes cannot be overestimated.”
~ ENDS ~
*NTT Security GDPR Services – at a glance:
- Gap analysis: identifies gaps, proposes solutions and defines high-level roadmap to compliance
- PII Identification and Data Mapping: identifies the location and flow of PII data in business and IT processes, uncovers potential compliance gaps and highlights areas for improvement
- Incident management process review: reviews processes for identification and confirmation of a breach to meet the notification timescale required by the GDPR
- Security Health Check and Maturity Assessment: review against industry standards including the Information Security Forum (ISF) Standard of Good Practice, ISO 27001:2013 and COBIT 5
- Third-party assessments: create and implement processes to evaluate security controls of third parties processing PII data
- Data Protection Impact Assessment (DPIA): define and implement a DPIA process, or deliver DPIAs as a service
- Security architecture consulting: guidance for technical solutions to meet the GDPR requirements and when implementing data protection controls at the project design and development stage of applications and systems
- Data protection by design: define and implement process steps to ensure the GDPR compliance
- DPO consultancy: get advice for your Data Protection Officers from a GDPR practitioner
- Policy Framework Review: defines and establishes policies, standards and procedures to support the customer’s business processes and regulatory requirements
About NTT Security
NTT Security is the specialized security company of NTT Group. With embedded security we enable Group companies (Dimension Data, NTT Communications and NTT DATA) to deliver resilient business solutions for clients’ digital transformation needs. NTT Security has 10 SOCs, seven R&D centers, over 1,500 security experts and handles hundreds of thousands of security incidents annually across six continents.
NTT Security ensures that resources are used effectively by delivering the right mix of consulting and managed services for NTT Group companies – making best use of local resources and leveraging our global capabilities. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest ICT companies in the world. Visit nttsecurity.com to learn more.