Data Governance & Information Management

Are you unsure how GDPR, DPA and PECR will affect your business and don’t know what to do? Don’t panic. We manage compliance responsibility for our own company and provide consultancy and records management solutions tailored to our customers’ business requirements, managing compliance in areas such as the Data Protection Act (DPA), General Data Protection Regulation (GDPR) and Privacy & Electronic Communications Regulations (PECR), and advising on how best to achieve business objectives within those requirements.

We can guide and advise on what GDPR means for your business, including:

  • What is different under GDPR and how it can affect your business
  • Evaluation of the impact data privacy has on your business
  • What personal data is affected and how to manage that data
  • Data subject access requests - the right of an employee to access their data and understand how it is being used
  • What it means for your third-party contracts
  • Breach detection, reporting and incident response
  • Your privacy standards, policies, compliance and guidelines
  • Training and awareness
  • Information security and technical measures

We manage compliance responsibility for our own company and provide that service on behalf of clients, managing compliance in areas such as the Data Protection Act (DPA), General Data Protection Regulation (GDPR) and Privacy & Electronic Communications Regulations (PECR), and advising on how best to achieve business objectives within those requirements.

We can advise on the required policies and their implementation via training and awareness, on data subject rights and your obligations to data subjects, on breach notifications, and on the broader topics of information security as well as the technical measures deployed to achieve it.

What are GDPR, DPA & PECR?

GDPR stands for General Data Protection Regulation (2016) and is the EU’s new framework for data protection law, regulating how organisations process and manage their data. The European Parliament and Council agreed in April 2016 to replace Data Protection Directive 95/46/EC with the new requirements of GDPR, requiring each country to enact it in its local laws by 25 May 2018 at the latest. The aim is to deliver a higher degree of protection for consumers’ personal data, and to do so more consistently across the EU.

DPA in a current context means the Data Protection Act 2018 (DPA), which is the UK’s implementation of GDPR and came into force on 25 May 2018. Older sources will be referring to the DPA 1984, amended in 1998, which was a very different beast. GDPR is the EU legislation that required each EU government to implement its own version, and the DPA is the UK implementation. When people talk about ‘GDPR’, they almost always actually mean the many local and consistent implementations of it (the DPA in the UK’s case), or are highlighting the new GDPR-compliant DPA as opposed to the substantially different older one. In general usage they mean the same thing and carry the same requirements and responsibilities, so ‘GDPR’ has become an industry-standard shorthand.

PECR is the Privacy and Electronic Communications Regulations (2003). The full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003. They are again derived from EU law, being the UK implementation of European Directive 2002/58/EC, also known as ‘the e-privacy Directive’, and set out specific rules for, among other things, marketing channels, the use of cookies, and the regulation of telecommunication services. PECR complements the general data protection regime (the latest updates specifically take account of GDPR) and sets out more specific privacy rights relating to electronic communications. It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.

Data Protection

The DPA controls how personal information is used by organisations and reflects the requirements of GDPR. In a nutshell, it mandates a baseline set of standards for organisations that handle EU personal data, to better safeguard the processing and movement of that data and to give the owner of that data more transparency and more rights.

Analysis shows GDPR to be the most comprehensive and strongest data privacy regulation in the world. It applies to all EU citizens’ data, even when held by companies outside the EU that possess any data on EU citizens. Organisations failing to comply will be subject to strict penalties and fines, potentially up to the greater of 4% of annual turnover or €20m.

Data Protection 8 Principles

PECR

PECR gives people specific privacy rights in relation to electronic communications.

Because PECR is derived from an EU directive rather than an EU regulation (like GDPR), much greater local variation is possible. Many European countries have much stronger protections for companies against direct marketing, for example. Whereas UK GDPR compliance is sufficient for the whole EU, this is not the case for PECR compliance, and any planned activities that would cross national boundaries need checking against each country’s regulations, even within the EU.

PECR Privacy Rights

We can also advise on the impacts and requirements of other Information Security regulations such as:

  • Data Retention and Investigatory Powers Act 2014 (DRIPA)
  • Communications Act 2003
  • Regulation of Investigatory Powers Act 2000 (RIPA)
  • Human Rights Act 1998 (esp. Article 8)
  • Computer Misuse Act 1990
  • Copyright, Designs & Patents Act 1988, as amended by the Copyright (Computer Programs) Regulations 1992
  • Malicious Communications Act 1988
  • Payment Card Industry Data Security Standard (PCI DSS)

ISO 27001

We maintain an ISO 27001 Information Security Management System (ISMS), which is the foundation of our policies and data governance in daily use, and we can consult on the implementation of a customer’s ISMS if desired.

Project Management

Projects are the means by which change is introduced, and whilst many of the skills required are the same, there are some crucial differences between managing business as usual and managing project work. More specifically, a project is a temporary organisation created for the purpose of delivering one or more business products according to an agreed business case.

As part of our Service Delivery function we have several certified Project Managers (PRINCE2 and APM), and we are experienced in delivering projects via both Waterfall and Agile methodologies, choosing the best fit for the task at hand (or in some cases using a hybrid approach). We normally provide the bulk of the project team, with customer representation where required, and take on the running of the project, but we can also integrate with an existing client Project Management structure where one is in place.

Here is a project overview:

Prince2 Project Overview

Asset Management

Asset management, broadly defined, refers to any system that monitors and maintains things of value to an entity or group. Asset management is a systematic process of deploying, operating, maintaining, upgrading, and disposing of assets cost-effectively.

We can provide a full IT asset management service, with a single physical asset list maintained within our Service Desk system and accessible to our customers. This gives a single view of each asset, linked to its procurement, support and configuration details, enabling lifecycle replacement planning as well as managing interactions with the Service Desk. All assets that we procure will be recorded here before shipping to you, and we can provide asset tagging if a process is not already in place.

If not already in place, we can provide templates and guidance for a company-wide Information Asset Register (IAR), itself a requirement of GDPR and other legislation. In essence, the first stage in any information security process is to catalogue what you have, where it is, why you have it and what its value is, before assessing the risks and establishing the correct controls to mitigate them.
