Understanding our own business context and the legislative framework in which we operate is imperative to us meeting our strategic objectives with regard to our ISMS & PIMS.
By considering risk and establishing effective processes to mitigate risk, the likelihood of achieving our stated ISMS & PIMS objectives is improved and the outputs from those processes are more consistent
establishes a proactive culture of ISMS & PIMS improvement
assists with statutory and regulatory compliance
assures the ISMS & PIMS that it can achieve its intended outcome
improves customer confidence and satisfaction with our approach to managing information and personal data
Risk based thinking is not new and something we do as a matter of course. It ensures greater understanding of risks and improves preparedness, increases the probability of reaching objectives and reduces the probability of negative results. We have identified the key risks in our company risk register.
We have documented the risks and opportunities that are relevant to our ISMS & PIMS and shall consider risk and opportunity when embarking on new information or data related ventures, taking on new contracts, implementing new processes or technologies and meeting new legal requirements.
Data Inventory and Data Flow Analysis
We have created a data asset register that establishes the following:
personal identifying information (name, address, email, SIA number, IP address etc)
processing (collection, storage, transporting etc)
purpose (DBS, screening, credit checks etc)
lawful process (contract, legitimate, vital interests, interests of the public, consent)
retention and disposal (number of years the personal information is held for)
juridiction (inside or outside of the EU)
Any special categories of personal information as defined in the GDPR shall be clearly identified and the appropriate protection applied.
Data Protection Impact and Information Security Risk Assessments
We have established processes for conducting data protection impact and information security risk assessments. Risk acceptance criteria is known and understood, particularly where personal data is concerned where risk acceptance criteria is defined in law, such as high risk activity under GDPR.
We operate through a concept of "privacy by design" building in data safeguards from the start.
Data protection impact assessments and information security risk assessments are not conducted singularly but shall utilise all of the knowledge and experience we have in the business including any external support we require. Risks shall be evaluated and assessed for risk treatment with risk owners being established. The Data Protection Officer shall co-ordinate the risk process and update the control objectives that we have established in our statement of applicability and formulate the security risk treatment plan.
Data protection impact assessment (DPIA) is used to systematically analyse, identify and minimise the data protection risks of a particular project, plan or where a process is changed. It is a key part of our accountability obligations under the GDPR.
DPIAs are flexible and scalable tool and can apply to a wide range of sectors and projects. Its objectives are to minimise risk around personal data and privacy.
ISMS & PIMS Objectives and Planning to Achieve them
We have established ISMS & PIMS objectives (as above) at all levels of our organisation. Our objectives are consistent with our ISMS & Data protection policies and take into account the particular regulatory requirements that are relevant to our information and data. Objectives have targets, are mostly measurable. They are monitored on a regular basis. We have created a strategic scorecard that enables us to measure our performance against ISMS & PIMS objectives. ISMS & PIMS objectives are communicated and updated accordingly.
When planning how to achieve environmental objectives we shall ensure that responsibility is designated and adequate resources are made available for achievement.
ISMS & PIMS Objectives
report data breaches to data controllers within 2 hours (where we act as a processor)
report data breaches to the ICO within 72 hours
complete subject access requests to the ICO within 30 days
reduce the number of information or data incidents to zero
reduce the number of information and data complaints
complying with ISO 27001 & BS10012 requirements
Information and Data Protection awareness training to all staff