General Data Protection Regulation (GDPR)
Programme to make Serco CG and LRG compliant with GDPR requirements by May 2018.
Meet contractual compliance for GDPR, including specific customer requirements, by May 2018.
Minimise risk of non-compliance and avoid penalties by May 2018.
Ensure Project deliverables are practical and proportionate, whilst ensuring cost effectiveness and efficiency.
Upon completion, GDPR controls are to be implemented and embedded in the business as BAU, with sufficient accountability.
General Data Protection Regulation (GDPR)
The GDPR was agreed in the EU and it comes into force in
. Despite Brexit, this will still apply.
GDPR applies directly to Serco as a Data Controller and Processor.
Increased Risk Exposure due to higher numbers of Cyber Attack cases on large businesses e.g. TalkTalk, Tesco Bank.
Increased fines - from a max of £500,000 to a max of 4% of global turnover (approx. £2.5M per breach).
of Serco UK Contracts handle personal data, yet only
of Serco UK Contracts are aware of the impending changes.
Risk mitigation to increased fines.
Reduced risk exposure to debilitating cyber attacks.
Allows us to meet our Customer Requirements in light of their GDPR implementation programmes.
Embedded Data Governance Project in line with national Requirements.
Will strengthen Serco compliance to other Information Security standards e.g. ISO 27001
PwC audit provides feedback on our GDPR readiness.
Support from Group Data Governance Board and UK Security Steering Board.
Data Profiling exercise conducted across Contracts through self assessment Questions.
Classed as a Tier 1 Project, currently 1 PMO resource.
No funding - requested at Executive Committee but was pulled due to the Project not being started.
Project funding not allocated.
Need for coordinated approach at Group/Divisional/Business Unit/Contract level to ensure consistent sharing, roll-out and use of tools.
Key stakeholders identified but resources have not been formally allocated to Project.
New legislation therefore guidance from Regulator still being formulated - Clear direction from regulator on how to roll out across diverse business.
Project to be implemented by May 2018 in accordance with Serco/Customer timelines.
- PM, Emma Green
- AGC, Julie Varcoe-Cocks.
- Head of InfoSec, John Court
- Pip Stewart-King
- InfoSec Managers / Service Excellence?
- CSS (Out of Scope)
Data Governance Board (Steering Committee, Group)
UK Security Steering Board (Divisional)
1 - PwC Audit Report which highlights red levels of compliance to be reviewed by:
1a - Group Executive Committee and Plc Board Audit Committee and,
1b - Project Board (Sponsor, SROs, Senior Supplier, Senior User).
2 - Project Scope, Team, Resources and Deliverables to be agreed.
3 - Quality Expectations defined (Quality Plan drafted).
4 - Project Initiation Document drafted.
5 - Project Plan to be created.
6 - Budget to be agreed based on Project Plan activities and resource requirement.
7 - Risk Workshop held with key SMEs involved.
8 - Get Project started ASAP.
Proposed Workstreams (and associated Deliverables)
1 - Operations - PIA / PbD / SAR process and evidence
2 - Legal/Contracts - Guidance Notes
3 - Training - Training programme
4 - Bidding - Updated Bid Methodology Guide
5 - Communications - Comms campaign
6 - Risk and Insurance - Updated SMS insurance
7 - Internal Audit
8 - Third Parties - Updated Procurement Toolkit
9 - Accountability - Data maps, data registers, Assurance procedures
10 - Data Integrity - Data retention policy
11 - Procedures - PIA / PbD / SAR process and evidence
12 - Policies - GDPR policy, updated Security policies
at Group/Divisional level
In scope for CG and LRG:
CG and LRG (inc. customer and employee data), BAU processes (as well as Project work i.e. embedding Project outputs), Customer IT.
Out of scope for CG and LRG:
Group and CSS (Serco IT, Procurement, My HR etc.)