Fintech Company support the e-commerce platform operation worldwide including EU. The e-commerce platform handles customers' sensitive information such as: Full name, phone number, ID number, address, bank account information…etc.
The challenge was the breach between existing data security policy vs GDPR requirement. It is necessary to perform a gap analysis to define the key GDPR requirement and review existing policy document. Identfied all non-compliance areas and design the remediation plan to comply all GDPR requirements before official enforcement date: May 25, 2018.
Nearby consultant was able to define six key requirements and assisted client to certify with ISO10012:
Consent for data
Right to Access
Privacy By Design
Data Protection Officers (DPO)
Our client is now fully comply with GDPR to mitigate all the risks that are threating all sensitive information and minimize the possibility risk of paying 10 million+ euros penalty for not complying with GDPR
The Fintech company is required to ensure that all employees are aware of the GDPR policies and put in place. Nearby has organized a GDPR privacy training for the employees to attend. Moreover Nearby recommended the following controls setup to maintain the GDPR compliance.
Conduct regular reviews of policy manuals and procedures.
Ensure the security and privacy policies meet GDPR requirements and that they are fully tested and evaluated.
Perform regular security testing of the internal and external environments, such as a Network Security Assessment and Gap Analysis to evaluate the effectiveness of the control
Ensure the internal IT security team is sufficient to protect the sensitive data and have the required knowledge and tools to do so.
Invest in a Security Information and Event Management (SIEM) or a Security Operation Centre(SoC) service to streamline alerts.