GDPR Compliance Journey - 19 Review and Wrap up

Gydeline
21 May 2018, 05:11

Summary

TL;DR: In the final part of their GDPR compliance journey, Mike Savile reviews their progress, revealing they are 88% compliant, with most efforts now focused on enhancing security measures like firewalls and user accounts. They emphasize the importance of a culture of compliance, ongoing documentation, and continuous improvement to remain GDPR ready. Savile advises that organizations should embed data protection by design into their operations and maintain vigilance beyond initial compliance. The series concludes with encouragement to adopt these practices for successful compliance.

Takeaways

  • 🚀 We are 88% compliant with GDPR and Cyber Essentials.
  • 🔍 We have minor tasks remaining to improve our security and achieve full compliance.
  • 🛡️ Key areas for improvement include firewalls, user accounts, and device access.
  • 📋 Our action list is short, mainly involving firewall rules, anti-malware, access rights, and autorun.
  • 📜 We can access the full text of GDPR to review compliance with specific articles like data protection by design and default.
  • 👍 We consider ourselves GDPR ready rather than just compliant, staying updated with new guidance.
  • 🏢 Embedding a culture of compliance in the organization is crucial.
  • 📝 Documenting everything is essential for proving compliance efforts.
  • 🔄 Compliance is an ongoing activity; we must continue our efforts even after the bulk of the work is done.
  • 💬 Feedback and comments on the series are appreciated, aiming to make compliance simpler.

Q & A

  • Who is the speaker in the video script?

    -The speaker is Mike Savile.

  • What is the main topic of the video script?

    -The main topic is the journey towards achieving compliance with the General Data Protection Regulation (GDPR) and Cyber Essentials.

  • What percentage of compliance is the speaker's organization at according to the guidelines software?

    -The organization is at 88% compliance according to the guidelines software.

  • What does the speaker suggest is the key to achieving GDPR compliance?

    -The speaker suggests that having a culture of compliance embedded in the organization is key to achieving GDPR compliance.

  • What is the speaker's view on the organization's readiness for GDPR?

    -The speaker believes that the organization is not just compliant but ready for GDPR, as they are actively working on continuous compliance.

  • What areas does the script mention as needing improvement to achieve full compliance?

    -The areas needing improvement include firewalls, user accounts and devices, access, and anti-malware.

  • What is the significance of Article 25 in the context of the script?

    -Article 25 of the GDPR focuses on data protection by design and by default, which is a principle the speaker's organization aims to adhere to.

  • What is the speaker's advice for other organizations on their compliance journey?

    -The speaker advises other organizations to establish a culture of compliance, document everything thoroughly, and treat compliance as an ongoing activity.

  • What does the speaker mean by 'data protection by design and default'?

    -It refers to the GDPR principle that requires organizations to consider data protection from the outset of designing systems, rather than as an add-on.

  • What is the final message the speaker conveys to the audience?

    -The final message is that compliance is an ongoing process and organizations should strive to be 'GDPR ready' rather than just 'GDPR compliant'.

  • How does the speaker describe the current state of their action list?

    -The speaker describes the action list as very short, indicating that there are only a few minor tasks left to complete for full compliance.

Outlines

00:00

📊 Compliance Progress and Final Steps

In the final part of the GDPR compliance journey, Mike Savile reviews the company's progress towards compliance with Cyber Essentials and GDPR. The dashboard shows an 88% compliance rate, with minor tasks remaining, mainly focused on enhancing security measures. Key areas needing improvement include firewalls, user accounts, and access control. The action list is short, with tasks such as quick disabling of firewall rules and anti-malware measures for Apple devices. The script emphasizes the importance of being 'GDPR ready' rather than just compliant, acknowledging the evolving nature of data protection regulations. It stresses the need for an ongoing commitment to compliance and the establishment of a culture that prioritizes data protection by design and default.

05:02

🔒 Final Thoughts on Compliance

The second paragraph briefly wraps up the series on compliance, suggesting that the process should be straightforward and simple. Although the content is minimal, it implies a conclusion to the discussion, possibly hinting at the ease of achieving compliance if the right steps and culture are in place, as previously discussed.

Keywords

💡GDPR

GDPR stands for General Data Protection Regulation, which is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside these areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. In the script, GDPR is the main focus, with the speaker discussing their compliance journey and emphasizing the importance of being 'GDPR ready' rather than just compliant.

💡Compliance

Compliance in this context refers to an organization's adherence to regulations, in this case, GDPR. It involves ensuring that the organization's processes and policies meet the legal requirements for data protection. The script mentions the organization's compliance status at 88% and discusses the steps taken to achieve and maintain this level of compliance.

💡Cyber Essentials

Cyber Essentials is a UK government-backed, industry-supported scheme to guide businesses in protecting themselves against cyber threats. It provides a good baseline of cybersecurity suitable for all organizations, regardless of size. In the script, Cyber Essentials is mentioned as a benchmark for the organization's security measures, with some areas highlighted as needing improvement.

💡Data Protection by Design and Default

Data Protection by Design and Default is a concept under GDPR that requires organizations to consider data protection from the outset of designing systems, as well as to integrate data protection into their processing activities by default. The script refers to Article 25 of GDPR, which specifically addresses this principle, indicating that the organization has guidelines compliant with this requirement.

💡Action List

An action list is a set of tasks or activities that need to be completed to achieve a goal or to address certain issues. In the script, the speaker mentions that their action list is very short, indicating that they have nearly completed all the necessary steps for GDPR compliance, with only minor tasks remaining.

💡Firewalls

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. In the context of the script, firewalls are part of the organization's security measures that need further improvement to achieve full compliance.

💡Anti-Malware

Anti-malware refers to software designed to prevent, detect, and remove malicious software, like viruses, worms, and Trojans. The script mentions the need for work on anti-malware, particularly because the organization predominantly uses Apple devices, which may have different security considerations.

💡Access Rights

Access rights refer to the permissions granted to users or systems to access specific resources within an organization's network or data storage. The script mentions the need to work on access rights, suggesting that there may be areas where permissions need to be reviewed or adjusted to ensure security.

💡Autorun

Autorun is a feature in some operating systems that automatically runs a program or performs a task when a device is connected or a disc is inserted. In the script, autorun is mentioned as an area that requires attention, possibly to prevent unauthorized or potentially harmful automatic actions.

💡Culture of Compliance

A culture of compliance refers to an organizational environment where adherence to regulations and ethical standards is deeply ingrained in the company's values and daily operations. The speaker in the script emphasizes the importance of having such a culture for ongoing GDPR readiness and as a key tip for other organizations.

💡Documentation

Documentation in this context refers to the process of recording and maintaining evidence of an organization's compliance activities and measures. The script stresses the importance of documenting everything to provide proof of compliance with GDPR requirements.

Highlights

Introduction to the final part of the GDPR compliance journey.

Current compliance status at 88% according to Cyber Essentials and GDPR.

Review of the guideline dashboard to assess compliance areas.

Discussion on the majority of areas being compliant with GDPR.

Identification of minor tasks needed for full compliance.

Emphasis on improving security and completing tasks against Cyber Essentials.

Red indicators pointing to work needed on firewalls, user accounts, and access.

Explanation of the basics already in place and the need for further improvement.

Short action list for achieving 100% compliance.

Specific tasks mentioned such as quick disabling of firewall rules and anti-malware work.

Challenges with anti-malware due to the use of Apple devices.

Importance of access rights and autorun in the compliance process.

Review of the sources of guidelines and GDPR's Article 25 on data protection by design.

Achievement of compliance and the distinction between being GDPR ready versus compliant.

Cultural importance of compliance and embedding it within the organization.

The necessity of documentation for evidence and records of compliance.

GDPR as an ongoing activity that requires continuous effort beyond initial compliance.

Final thoughts on the importance of a culture of compliance, documentation, and ongoing activity.

Closing remarks and appreciation for feedback on the compliance series.

Transcripts

00:00

[Music]

00:04

hi I'm Mike Savile and welcome back to the final part in our GDPR compliance journey so I guess the big question is did we make it well let's go straight to the guidelines software and have a look at where we are so here we are at the hopefully now familiar guideline dashboard and immediately you'll see that we are 88% compliant according to the absolute regulation of cyber essentials and GDPR and really if we drill down into the GDPR you can hopefully see that across the majority of the areas we've done everything we need to do so a couple of minor tasks and most of our effort really is improving our security and making sure we've absolutely done everything we need to do against cyber essentials

01:05

now we have some red indicators that show that we've got work to do on firewalls user accounts and devices and access but really we've got basics in there this is about improving and going the extra mile to do more in these areas to make sure that we are as good as we can be

01:30

and if we look at our actions our action list is very very short we need to do some stuff around quick disabling or removal of firewall rules we need to do some work on anti-malware which is a little tricky because we mostly use Apple devices so we've got some work to do there some stuff on access rights and autorun but really not a lot of activity for us to do to get 100%

01:59

and if we just dig into sources of guideline we can have a look at the GDPR and if we have a discussion with anybody now or in the future we can have a look at the full text of the GDPR and look at the section article 25 on data protection by design and defaults and we can go into that and we can see specifically the little arrow says we at guideline are compliant

02:29

so that's the final position on where we have achieved we're quite pleased that we've got most of the way there and with just a couple of small activities we should be where we need to be so as you can see we are itching me close to where we need to be

02:52

but I think more importantly we like to think of ourselves as being GDPR ready rather than GDPR compliant we work in this space every day so we know that it is changing there's new guidance being issued and that will continue past the 25th of May so an organisation that thinks we're GDPR compliant we don't need to do anything else I'd be very worried for that organisation into the future so we're pleased to be GDPR ready

03:30

we are fortunate that we have the right culture in place we do compliance every day so all of our people are thinking about it and in terms of tips for anybody else out there watching on your journeys really that is the top tip make sure that you have a culture of compliance embedded in your organisation make sure everybody is taking this seriously and doing the right thing really get that thinking at the start because the GDPR is about putting data protection at the heart of an organisation data protection by design and default is one of the key principles so if you have that culture you'll be on the right track

04:15

the second thing I'd say is to document document document make sure you have evidence make sure you have records make sure you can prove the things that you've done as part of GDPR and the third thing I would say is it's an ongoing activity don't stop just because you've done the bulk of the work you need to keep going complete the long Tyler activity so get the right culture document everything and keep going

04:52

and that really is it for this series we really do hope you found it useful any comments or feedback will be really appreciated and so until we tackle our next compliance we hope you find your compliance simple

Related Tags

GDPR Compliance, Data Protection, Cyber Essentials, Security Measures, Compliance Culture, Regulatory Guidelines, Continuous Improvement, Privacy Design, Data Security, Compliance Tips