To achieve the intended outcomes of our data protection (PIMS) and information security (ISMS) management systems and to meet our PIMS & ISMS objectives, we have identified the internal and external issues that may affect the business. Our approach is reactive but aware: we change the PIMS & ISMS when an existing issue changes or a new issue appears. The list below sets out what we believe currently affects our ability to achieve our strategic aims and objectives for data protection and information management.
values – the values of KSG are ingrained in our staff and ensure we satisfy data protection and information management requirements. Personal data and information shall be processed lawfully, fairly and transparently; failing to do so could result in legal action and reputational loss.
culture – creating a culture in which all staff are aware of the value of personal data and information, and in which the whole business is accountable for protecting and safeguarding it. Without such a culture, risk becomes unmanageable.
risk – understanding risk and what level of risk is acceptable, so that the PIMS & ISMS is managed effectively and we take a measured approach to data and information. Certain risks cannot simply be accepted under law, so impact assessments must be conducted and documented to support the decisions we make about risk.
knowledge – knowing the legislation surrounding data protection and information management, particularly the GDPR and the DPA 2018, and understanding how our operations and systems safeguard personal data and secure information. Knowledge gained through network meetings and training courses is also essential. Additional, specialist knowledge on GDPR and IT is available to the business as an external resource.
responsibility and accountability – taking responsibility for the data and information we protect and ensuring lawful processing, storage and security. A DPO is appointed to liaise with the ICO and to support the business in delivering its PIMS & ISMS. Accountability is a key principle (the seventh) under GDPR, and non-compliance could result in a fine.
internal processes and procedures – having effective processes and procedures for reporting data breaches, handling subject access requests, conducting information and data risk assessments, and carrying out audits and reviews.
performance – our internal performance is monitored. The results determine whether we are meeting our legal and customer objectives. Breach reporting, subject access requests and training are all measurable, are all set in law and are all important in meeting our strategic objectives. A strategic scorecard ensures we monitor this performance regularly.
legal – changes in data protection legislation are likely to affect the way we manage data and the support we require to meet legal requirements, avoid fines and avoid reputational loss.
market place – a very competitive market, with the opportunity to differentiate ourselves from the competition through a responsible approach to personal data and information.
social and economic – the social and economic climate is changing the way people think about privacy, information and online safety. Social media, global cyber attacks and cyber criminality all affect the rights and freedoms of individuals. The value of information continues to rise, and stolen information is exploited to support terrorism and criminality. Protecting individuals and businesses from these threats is essential for all.
competition – a very competitive market place in which we vie for the same contracts, so every edge counts. Accreditation around data and information improves our chances against some of our competitors; ISO 27001, BS 10012 and Cyber Essentials Plus are the areas we shall explore.
technology – new technologies bring opportunities but also risks. Impact assessments and risk assessments are used to identify these risks and mitigate them. Under GDPR, where a DPIA shows a high residual risk that we cannot mitigate, we must consult the ICO before the processing begins.
political – Brexit, national agreements and Privacy Shield can all affect how we control and process data and information in the future. Regular checks of the ICO website will identify any changes or updates.
customers – need confidence that their information and data is being managed responsibly and in accordance with legal and contractual requirements. Customers expect us to have certain measures in place, such as data protection and IT policies, privacy notices, and processes for managing breaches and subject access requests. Encryption and third-party certification are also expected by customers, to give them confidence that their data and information is safe and secure.
staff – confidentiality, data protection and data security are all things staff require in relation to their own data. Giving staff knowledge and information is key, particularly about their own data and that of their colleagues and others.
certification bodies – meeting the requirements of the standards (ISO 27001, BS 10012, Cyber Essentials Plus). Transparency and honesty towards auditors are integral requirements.
regulators (ICO) – meeting the requirements of data protection law: reporting notifiable breaches to the ICO within 72 hours of becoming aware of them, conducting DPIAs where required, and responding to SARs within one month.
insurers – risk management, data security, physical security of buildings, servers and data storage, asset management, business continuity and disaster recovery.
external support partners – IT, DPO and legal teams need to understand the operation in order to make judgement calls on actions around data breaches and other information security incidents.
suppliers – keeping their data and information safe and advising them on information and data related matters. Where appropriate, establishing contracts, particularly to define the controller/processor roles.
Scope of our ISMS & PIMS
Static Security Guarding, Mobile Services, CCTV, Fire & Security Installation & Maintenance
The ISMS & PIMS applies to our head office and regional business units, our company vehicles and site activity, and anywhere else we control or process information and personal data. In defining the scope we have considered the internal and external issues set out in our organizational context, as well as our interested parties. We operate only within the EU and hold all of our data within the EU.