FTSE 250 Company requires Data Classification to comply with EU GDPR
The Client, a regulated financial organisation with 500+ global users aims to comply with EU GDPR regulation by May 2018. REMORA was contracted to define and implement a data classification policy to provide the basis for managing data consistently across their global operations and to plan for data leakage prevention.
REMORA: Services performed
The challenge: users in multiple global jurisdictions accessing data from multiple sources stored at multiple sites. Faced with 10+ years of accumulated historical data made up of physical, electronic and undocumented intellectual property components, REMORA designed a phased Data Classification project each with its own control points, plan and deliverables addressing scope, regulation, discovery, governance, policy & training, business impact and DLP.
Elapsed Time: 6 months
Observations and Approach
The existing systems and processes in place and the Client’s management experience have significantly assisted in project execution. Whilst the Client had compliance systems that were up to speed with the current regulation REMORA identified gaps; the Client was not fit to comply with EU GDPR. REMORA focussed on 2 key areas crucial for business continuity under EU GDPR:
- Governance and compliance: develop a global data classification policy in line with applicable financial authorities’ regulatory requirements.
- Enforcement: ensure the Client can monitor and track data classification policy adherence at all levels of its internal structures.
The project was run in close cooperation with all 14 of the Client’s functional departments.
Deliverables and Conclusions
A comprehensive set of documentation.
A coherent data management process that is in line with current best practices, including ISO and NIST-approved processes and procedures for:
- Data Classification Policy
- Standard Operating Procedures
- Data Leakage Prevention plan
On completion REMORA then delivered staged training to the Client’s personnel to ensure every employee fully understands and adheres to the new data policies and is aware of the consequences of non-compliance with the policies and regulations that arise under EU GDPR.
- Appropriate controls in place to better manage data infrastructure and fully prepare the Client for EU GDPR;
- A revision of the Client’s Policies & Procedures with Legal, Compliance and HR;
- Client’s personnel trained on new policies and regulations;
- Readiness for introduction of the Data Leak Prevention solution.
The Client is happy with the results of the Data Classification project. The next step, the introduction of data leak prevention (DLP) software, will solidify defences around personally identifiable information and other vital data of the firm. REMORA is now in discussions with the Client to assess the fit of various DLP solutions.