5 Steps to lead the way on GDPR and Information Security
I recently joined Newman Stewart as Head of Marketing, and was immediately impressed by the overriding values which the business lives by, values which were evident before I started and since arriving. Those values include integrity, transparency, always seeking to exceed clients' and candidates' expectations, and building lasting relationships. These values have stood the company in good stead, leading to a high proportion of repeat and referred clients and an impressive track record of growth. I know what you’re thinking. That’s easy for us to say, but can we actually back up these claims?
I arrived at Newman Stewart at an interesting time. With less than a year until the introduction of the General Data Protection Regulation (GDPR), and part way through working towards ISO 27001 accreditation, there was a definite focus on information security and on achieving excellence across all of our business practices. Rather than seeing GDPR as an inconvenience, at Newman Stewart we are embracing GDPR compliance and building it into our ISO certification procedures, as a way to demonstrate to clients, candidates, suppliers and employees that we are continually striving to be the best we can be.
“In my mind every challenge presents a business opportunity. GDPR is an opportunity for us to improve on our already impeccably high standards and hence improve the relationships we have with our candidates. Given we are always trying to build long lasting relationships with the people we interact with, I can’t see any reason why everyone isn’t getting a head start.” John Tilbrook, Managing Director, Newman Stewart.
However, it would seem UK businesses are not taking the opportunity to prepare. Recent findings from leading law firm Collyer Bristow suggest that over half of UK SMEs surveyed are still unfamiliar with GDPR, with around 6 months until it is introduced. Further findings reveal:
- 57% of businesses’ senior management have little or no direct involvement with data protection
- 34% of businesses have no plans to perform a data risk assessment in 2017
- 23% of businesses have no data breach contingency plan in place
- 20% of businesses have still not taken steps to prepare for GDPR
Here are five things we’ve already done to prepare for GDPR and as part of the ISO 27001 certification process:
As an executive search company, it goes with the territory that we hold a large amount of personal candidate and client information on our database. We take this responsibility very seriously. As part of GDPR compliance, in 2017 we conducted a full information security audit. As a result, all candidates held in our database have been contacted to seek consent to hold their details and, in addition, we have put steps in place to continually monitor consent and to ensure we only hold details where we have express consent. The response we have seen from those candidates has been very positive, demonstrating the calibre of the candidates we have developed relationships with over the years. Equally, we have taken advice to ensure any client data we hold meets GDPR requirements.
Working towards certification
The GDPR requires organisations to take the necessary steps to ensure their security controls work as designed. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data. What’s more, the GDPR recommends the use of certification schemes, which is why Newman Stewart is investing in gaining certification in the highly recognised standard ISO 27001, as a way of providing the necessary assurance that the organisation is effectively managing its information security risks. By undertaking both of these hand in hand, we are demonstrating our commitment to taking information security seriously.
Accountability and Continual Improvement
ISO 27001 requires your security regime to be supported by top leadership and incorporated into the organisation’s culture and strategy, while GDPR mandates clear accountability for data protection throughout the organisation. All key members of the Newman Stewart management team are fully aware of and invested in GDPR compliance, with each assigned a key role to ensure any future data breaches are protected against and reported, and that policies are continually reviewed using a process of continual improvement, something which will be key as we scale the business.
“The standards provide a framework for excellence that is independently audited annually; meeting these standards ensures consistency in our processes as we continue to grow.”
ISO 27001 compliance means conducting regular risk assessments to identify threats and vulnerabilities that can affect information assets, and taking steps to protect that data. The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data. In the last 6 months we have undertaken a full risk assessment which has highlighted areas for improvement. We are now putting steps in place to minimise these risks and to ensure any data we hold is fully secure, something that should put our candidates’ and clients’ minds at rest.
Key to GDPR compliance, and to meeting an information security management standard such as ISO 27001, is employee buy-in. All employees must be aware of the new procedures and be shown to be following them. Over the course of the next few months, we will be implementing an internal communications plan to help employees understand and comply with best practices to maintain the core values of Newman Stewart. This may seem like a tough ask, but having a culture built on core values, embedded into everything we do, means that our employees are already invested in company policies which help them do their job better.
“As a business built on quality of service, we care about the confidential information we hold and take that responsibility seriously. We wanted to demonstrate to our candidates and clients (through independent validation) the high standards that we have and work to every day. It will allow us to build upon the trusted partnerships we already have and build new partnerships with clients and candidates alike.”
For more information on GDPR and the steps you should be taking to prepare, visit the Information Commissioner’s Office website.