Reference 2018-303

REF:           2018-303

Subject:       GDPR compliance


Request:

Have you invested in technology specifically to comply with GDPR?

o   Yes

o   No

Which information security framework(s) have you implemented?


Have you signed contractual assurances from all the third-party organisations you work with requiring that they achieve GDPR compliance by 25 May 2018?

o   Yes

o   No

Have you completed an audit to identify all files or databases that include personally identifiable information (PII) within your organisation?

o   Yes

o   No

Do you use encryption to protect all PII repositories within your organisation?

o   Yes

o   No

As part of this audit, did you clarify whether PII data is being stored on, and/or accessed by, any of the following?

Mobile devices

Cloud services

Third party contractors

Does the organisation employ controls that will prevent an unknown device from accessing PII repositories?

o   Yes

o   No

Does your organisation employ controls that detect the security posture of a device before granting access to network resources, i.e. valid certificates, patched, AV protected, etc.?

o   Yes

o   No

Should PII data be compromised, have you defined a process so you can notify the relevant supervisory authority within 72 hours?

o   Yes

o   No

Have you ever paid a ransom demand to have data returned / malware (aka ransomware) removed from systems?

o   Yes

o   No

To which position/level does your data protection officer report (e.g. CISO, CEO, etc.)?


Response:

Please find information attached.

2018-303 – FOI Request – GDPR compliance [129 kb] PDF