10 steps to GDPR Compliance

  1. Introduction
  2. Conducting a GAP Analysis
  3. Reviewing the GAP Analysis
  4. Unified Threat Management Security Policies
  5. Documented Security Controls and Procedures
  6. A Written Security Policy
  7. Consent to capture personal information
  8. End-Point Security
  9. The need to have Encrypted Hard Drives
  10. Even if you’re following the law, GDPR stipulates you must have controls and procedures in place, to ensure ongoing compliance.


Step one: Introduction

GDPR comes into force on 25 May 2018. As the days tick down to enforcement, the time organisations have left to prepare also ticks away.

Given the size of the fines involved, GDPR must be a top priority for any organisation processing the personal data of people in the EU. Serious time, budget and resources need to be dedicated to complying with the regulation before 25 May.

If your understanding of GDPR is vague, our e-book covers the who, what, where, when, why and how of the regulation and the implications of not being compliant.

Additional information and our FAQ can be found on our website. For information regarding GDPR or any other queries, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com. One thing is sure: you cannot afford to ignore this!


Step two: GAP Analysis

On the road to compliance, companies at this point should be carrying out a gap analysis. A gap analysis identifies where the organisation currently stands against the requirements of the regulation, and is the best way to plan the cost, time and resources needed to put the correct controls and procedures in place.

A gap analysis not only shows what is needed to comply but also surfaces risks within the infrastructure that have nothing to do with the regulation. If the time left to comply is running out (and it is, if your business has not carried out a gap analysis yet), the analysis lets you prioritise the actions needed immediately, so the most critical changes are applied first.

Organisations should bear in mind that reviewing compliance is an ongoing process: the controls and procedures must not only be in place but must be kept active and re-checked.

If you have not yet considered conducting a GDPR gap analysis, we highly recommend you do so without delay! If you would like further information, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com.


Step three: GAP Analysis Review

At this point, organisations should be reviewing the outcome of the GDPR gap analysis. It should be clear by now what needs to be done and how it will be done, giving a clear idea of the cost, time and resources required. One area that is commonly found lacking is the handling of subject access requests: under the regulation an organisation must be able to tell a data subject what personal data it holds about them, why, and with whom it has been shared, and must respond within one month of the request. That is only possible if the organisation knows every location where personal data is held. To keep personal data manageable, minimise what is stored by removing data that is no longer required or necessary; data minimisation is itself one of the regulation's principles.

If at this point you still need to conduct a GDPR gap analysis, or need information about any of our security products, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com.


Step 4: The need for Unified Threat Management

Unified Threat Management (UTM) is a key component of being GDPR compliant, because the regulation expects appropriate technical measures at the boundary of the network. A standard consumer-grade router is not up to the job, for several reasons:

  • Its only real function is to provide a link between the Internet and your business network
  • It has precious few security features designed into it: no intrusion detection, no content filtering, no logging you could hand to an auditor
  • Its firmware has well-known, published security flaws
  • It answers every "ping" and often exposes its management interface to the Internet, so anyone scanning the Internet can find it and identify the model
  • It is still running the firmware it shipped with, which has never been updated
  • It uses default or rarely changed administrative credentials

If you would like to find out more on our Unified Threat Management System, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com.


Part 5: Documented Security Controls and Procedures

A key area your GDPR gap analysis should have identified is the need for documented security controls and procedures. This is important to any organisation, as it is how you ensure the confidentiality and integrity of personal data in the infrastructure, and how you prove it.

A documented security policy is a huge factor under GDPR, as it demonstrates that you have identified the risks and are taking the measures appropriate to them to safeguard personal data. The regulation requires you to be able to demonstrate compliance, so failure to produce documentation when asked puts you at risk of a fine.

The regulation (Article 32) names pseudonymisation and encryption of personal data as examples of appropriate technical measures, to be applied according to the risk; both play an important part in ensuring no unauthorised person can read the information. Ensuring appropriate security on the boundary of the network and on individual machines will dramatically lower the chance of an attack succeeding, securing personal data.

Pink Connect are experts in GDPR compliance and cyber security. We deploy products and services to mitigate the threats to your business and to protect personal data from attackers.

If you require further information on any of our security products or services, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com.


Part 6: A Written Security Policy

Many companies do not have an active, written security policy in place.

The policy is a key tool in complying with GDPR, as it demonstrates ongoing compliance with the regulation and ensures employees know how to keep personal data safe.

A security policy must set out employees' roles and responsibilities, giving them clear instructions on their duties. It must also state how technical controls are to be handled, in terms specific enough to be checked, for example: "Ensure all machines have the latest patches installed within 24 hours of release".

A security policy also covers external factors, including third parties with whom data is shared. It is critical that the policy is reviewed regularly and kept up to date, and it must be easily accessible to all employees.

If you require GDPR consultancy or any information on our security products, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com.


Part 7: Consent to capture personal information

If you capture personal data electronically or by any other method (application forms, CVs, business card folders, visitor books, delivery note copies, etc.), it is important to review how you gain consent to capture that information. Contact forms are one of the main ways organisations capture data, but the data is often then used for other purposes of which the subject is unaware.

It must be explicitly stated what the information will be used for and by whom, so that it is not ambiguous to the subject. If the purpose of the processing changes, the subjects need to be told, and consent may need to be obtained again. Where an online service is offered directly to a child, GDPR sets the age of consent at 16, though member states may lower it to as low as 13 (the UK has chosen 13); below that age, consent must be given by the holder of parental responsibility. Obtaining data without a valid basis can itself result in a fine.

For further information regarding consent or anything regarding GDPR, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com.


Part 8: End-Point Security

Endpoint security is essential on every computer in a business. It forms an essential layer of defence by constantly monitoring the traffic and file attachments passing through that machine. Without endpoint security, a single malicious attachment, or a user plugging in an infected USB drive, can cause a system-wide breach. It's no good having a hard outer shell if the centre of your network is soft and chewy!

PCs, laptops, tablets and smartphones should all be protected with endpoint security; any device that is not simply becomes the easiest point of access to the network it is connected to.

For further information regarding endpoint security or anything regarding GDPR, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com.


Part 9: The need to have Encrypted Hard Drives

To secure personal data under GDPR, portable devices such as laptops must have encrypted hard drives (full-disk encryption). This ensures that if the machine is lost or stolen, the data it contains stays unreadable. The best login password in the world is no defence against undoing four screws, removing an unencrypted hard drive and reading it on another device! Full-disk encryption also matters for breach notification: a lost device whose data is properly encrypted is far less likely to pose a risk to the people whose data it holds.
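Saying "all laptops are encrypted" is not enough; you need a check that proves it for every mounted data volume. The following Python script is an added example, not code from the original page or from any vendor named on it: it parses the JSON output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` on a Linux machine and flags every mounted filesystem that has no dm-crypt (LUKS) layer beneath it. The sample `lsblk` tree embedded in the script is constructed for illustration, and the set of mounts allowed in plaintext (the EFI system partition, which firmware must be able to read) is an assumption you should adjust to your own build. On the Windows estate the page describes, the equivalent check is `manage-bde -status`, which reports the BitLocker protection state of each volume.

```python
"""Audit mounted filesystems for full-disk encryption using lsblk JSON output.

Added example, not from the original page or any vendor it mentions. It walks
the block device tree from `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and flags
any mounted filesystem with no 'crypt' (dm-crypt/LUKS) ancestor. SAMPLE_LSBLK
below is constructed for illustration, not captured from a real machine.
"""
import json
import subprocess

# Constructed sample: sda2 is a LUKS container holding the encrypted root,
# sdb1 is a second disk mounted in plaintext at /data (the finding we want).
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sda1", "type": "part", "fstype": "vfat",
              "mountpoint": "/boot/efi"},
             {"name": "sda2", "type": "part", "fstype": "crypto_LUKS",
              "mountpoint": None,
              "children": [
                  {"name": "cryptroot", "type": "crypt", "fstype": "ext4",
                   "mountpoint": "/"},
              ]},
         ]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sdb1", "type": "part", "fstype": "ext4",
              "mountpoint": "/data"},
         ]},
    ]
})

# Assumption: mounts that may legitimately be plaintext. The EFI system
# partition must be readable by firmware before any key is available.
PLAINTEXT_ALLOWED = {"/boot/efi"}


def _walk(node, encrypted, out):
    """Depth-first walk; `encrypted` becomes True once a 'crypt' ancestor is seen."""
    encrypted = encrypted or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        out.append({"device": node["name"], "mountpoint": mountpoint,
                    "fstype": node.get("fstype"), "encrypted": encrypted})
    for child in node.get("children") or []:
        _walk(child, encrypted, out)


def mounted_filesystems(lsblk_json):
    """Return one record per mounted filesystem, with its encryption status."""
    out = []
    for device in json.loads(lsblk_json)["blockdevices"]:
        _walk(device, False, out)
    return out


def unencrypted_mounts(lsblk_json, allowed=PLAINTEXT_ALLOWED):
    """Mountpoints holding data on a device with no dm-crypt layer beneath it."""
    return sorted(fs["mountpoint"] for fs in mounted_filesystems(lsblk_json)
                  if not fs["encrypted"] and fs["mountpoint"] not in allowed)


def audit_live_system():
    """Run lsblk on this machine (Linux only) and return its unencrypted mounts."""
    raw = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(raw)


if __name__ == "__main__":
    # On the constructed sample this reports ['/data'].
    print("unencrypted data mounts:", unencrypted_mounts(SAMPLE_LSBLK))
```

Run it across the fleet from your management tooling and treat any non-empty result as a finding: a laptop with a plaintext data volume is exactly the device whose loss would have to be reported.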

To help with GDPR compliance, we offer DESlock+ encryption. DESlock+ is encryption software that encrypts the hard drives of computers storing personal data. Combined with ESET Endpoint Security, which protects individual computers from malicious activity with constant updates and real-time monitoring, this covers both the data at rest on the machine and the machine while it is running.

For further information regarding DESlock+ encryption or anything regarding GDPR, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com.


Part 10: GDPR has finally arrived!

GDPR has finally arrived and with it, the rules on holding personal data are more strictly enforced than ever before. Fines for non-compliance are no longer "manageable", since the Information Commissioner's Office (ICO) has been given vastly increased powers to fine organisations that breach the regulation.

The maximum fine has risen from £500,000 under the Data Protection Act 1998 to €20 million or 4% of worldwide annual turnover, whichever is higher: roughly a forty-fold increase at the lower end, giving an indication of how seriously the regulator now takes both actual data loss and the potential for it.

From today, companies need to ensure that all GDPR requirements are in place and their responsibilities are met. You have four possible routes:

  1. Do nothing – the ICO has a finite number of staff and with luck they will not discover or fine your business. You may also trade for many months before criminals hack your network, data or bank.
  2. Take the DIY approach – comply with the regulation by following the advice in our email series:
    • Introduction
    • Conducting a gap analysis
    • Reviewing the gap analysis
    • Unified Threat Management security policies
    • Documented security controls and procedures
    • A written security policy
    • Consent to capture personal information
    • Endpoint security
    • The need to have encrypted hard drives
    • Even if you're following the law, GDPR stipulates you must have controls and procedures in place to ensure ongoing compliance.
  3. Call GDPR professionals to carry out a gap analysis and produce a step-by-step report on what your business needs to do to be compliant.
  4. Call GDPR professionals to carry out a gap analysis and then carry out the work needed for compliance.

Even though the regulation is in force, it's never too late to start making changes to comply (unless you have already been fined, of course). As the regulation is law, it is mandatory to meet all its obligations, and a breach of its articles can result in a hefty fine.

The tested and certified security products we offer protect against the many threats ranged against your business, and our certified staff are on hand to ensure the personal data held by your company is handled in the professional manner the law now requires.

GDPR gap analysis: identifies the compliant procedures and the equipment that need to be in place and looks at what is missing that prevents you from complying with the law. Prices start at £295.00.

GDPR gap analysis and implementation: identifies the compliant procedures and the equipment that need to be in place and looks at what is missing that prevents you from complying with the law. We then implement the changes and upgrades, carry out staff training and clearly lay out all the changes of practice that will result in GDPR compliance. Prices from £295.00.

Pink Sentinel: our key hardware product is the Pink Sentinel, which secures your business network and monitors all inbound and outbound traffic. One of our favourite features is that the Sentinel does not respond to unsolicited probes, so it does not advertise itself to anyone scanning the Internet.

DESlock+: our DESlock+ security product is a 'must-have' for any company, school or even home with fixed or portable devices. DESlock+ protects the data on your PC or laptop against physical access, by encrypting it with 256-bit AES, so that if the device is compromised or stolen the data remains unreadable. It allows sensitive personal data to be stored in accordance with the law. Scanning for viruses and other malicious content is the job of the ESET endpoint product below, not of the encryption software.

ESET Endpoint Security: our ESET endpoint security product is updated in real time, is light on PC and laptop resources, and protects individual computers by detecting and warning of phishing, ransomware and other malicious or hacking activity. The software identifies the latest malware activity, minimising the risk to the computer and the personal data on it.

Do I really need any of this? Well, you could just cross your fingers and hope for the best (many do) but, given the small cost of doing it right and complying with the law, you could save your business from a fine that would close it. If you're not sure about what you need, or would like a conversation with someone who really understands, call us on 0345 450 9393 and set up a meeting and a free initial audit.

For more information on anything that has been covered in our GDPR series, or if you have any questions about our security products or services, please contact us on 0345 450 9393 opt 1 or email sales@pinkconnect.com.