GDPR

Reference: 

795

Request detail: 

1. Have you invested in technology specifically to comply with GDPR?

- Yes
- No

2. Which information security framework(s) have you implemented?

3. Have you signed contractual assurances from all the third-party organisations you work with requiring that they achieve GDPR compliance by 25 May 2018?

- Yes
- No

4. Have you completed an audit to identify all files or databases that include personally identifiable information (PII) within your organisation?

- Yes
- No

5. Do you use encryption to protect all PII repositories within your organisation?

- Yes
- No

6. As part of this audit, did you clarify if PII data is being stored on, and/or accessed by:

a. Mobile devices
b. Cloud services
c. Third party contractors

7. Does the organisation employ controls that will prevent an unknown device accessing PII repositories?

- Yes
- No

8. Does your organisation employ controls that detect the security posture of a device before granting access to network resources – i.e. valid certificates, patched, AV protected, etc.

- Yes
- No

9. Should PII data be compromised, have you defined a process so you can notify the relevant supervisory authority within 72 hours?

- Yes
- No

10. Have you ever paid a ransom demand to have data returned / malware (aka ransomware) removed from systems?

- Yes
- No

11. To which positions/level does your data protection officer report? i.e. CISO, CEO, etc.

Response detail: 

1. Have you invested in technology specifically to comply with GDPR?

No

2. Which information security framework(s) have you implemented? N/A

3. Have you signed contractual assurances from all the third-party organisations you work with requiring that they achieve GDPR compliance by 25 May 2018?

Yes - Please note we have signed contractual assurances for high risk contracts and are in the process of doing so for others.

4. Have you completed an audit to identify all files or databases that include personally identifiable information (PII) within your organisation?

Yes

5. Do you use encryption to protect all PII repositories within your organisation?

No

6. As part of this audit, did you clarify if PII data is being stored on, and/or accessed by:

a. Mobile devices - Yes

b. Cloud services - Yes

c. Third party contractors - Yes

7. Does the organisation employ controls that will prevent an unknown device accessing PII repositories?

Yes

8. Does your organisation employ controls that detect the security posture of a device before granting access to network resources – i.e. valid certificates, patched, AV protected, etc.

No

9. Should PII data be compromised, have you defined a process so you can notify the relevant supervisory authority within 72 hours?

Yes

10. Have you ever paid a ransom demand to have data returned / malware (aka ransomware) removed from systems?

No

11. To which positions/level does your data protection officer report? i.e. CISO, CEO, etc.

The Assistant Chief Fire Officer holds the position of SIRO.

Information Released: 

Yes

Received: 

Tuesday, 15 May, 2018

Responded: 

Wednesday, 13 June, 2018
