The three-minute self-assessment consists of a series of 12 multiple-choice questions. Once completed, it provides an indication of the level of risk to which the organisation might be exposed. An email is also sent, detailing the result and advising the organisation – based on the answers given – whether it needs to take further action or not.
John Carter, Managing Director of DMSL, said: “Most resellers are probably fed up receiving GDPR emails, so we have designed this test to be different. It’s a simple three-minute test on what you know and what you don’t. If resellers do need help getting compliant, we can point them in the right direction. Then – if they choose to – they can sell their services to their own customers and help them be compliant too.”
The company has already made GDPR checklists and policy guidelines available to partners, so that they can conduct a more detailed assessment. It is also encouraging resellers to get in contact with Metanoia Partners, who can provide detailed needs assessments and action plans for GDPR.
DMSL has itself used Metanoia to ensure it is ready for GDPR. In the process it has also achieved the government’s Cyber Essentials certification, which verifies that a business is able to protect itself and its data against common cyber threats.
A number of resellers have been in contact with Metanoia to discuss their compliance plans. Dennis Scott, Director of the firm and a qualified GDPR practitioner, said it is not too late to act. “Most firms will need to carry out a risk assessment on their business and then introduce appropriate controls and policies, including regular staff training. Once the gap analysis has been completed, firms will need to mitigate against areas of potential vulnerability in terms of information security.
“We also recommend resellers take steps to get the Cyber Essentials certification. That sets out a baseline and introduces a standard level of security that will defend against 80 percent of common cyber-attacks. The whole process ought to take no more than two or three weeks. However, they should not leave it too late – May will soon be here, and no business can afford not to be compliant.”
GDPR will come into force on 25 May 2018. In part a response to the rise of data breaches and cyber-attacks, it is designed to protect an individual’s personal data and make organisations accountable for the way they handle information.
Organisations will need to record how and when an individual gave consent for their details to be used and respond quickly to Subject Access Requests (SARs) from individuals demanding to know what data the organisation holds on them. Any data breach will need to be reported within 72 hours and businesses could face heavy fines of up to €20m or four percent of their turnover for breaches.