General Data Protection Regulation (GDPR)


Emma Green

on 11 April 2017


Transcript of General Data Protection Regulation (GDPR)

Current Status
Project SMEs
Project Objectives
Programme to make Serco CG and LRG compliant with GDPR requirements by May 2018.
Meet contractual compliance for GDPR, including specific customer requirements, by May 2018.
Minimise risk of non-compliance and avoid penalties by May 2018.
Ensure Project deliverables are practical and proportionate, whilst ensuring cost effectiveness and efficiency.
Upon completion, GDPR controls are to be implemented and embedded in the business as BAU, with sufficient accountability.
New legislation
Next Steps
Key Milestones
General Data Protection Regulation (GDPR)
The GDPR was agreed in the EU and it comes into force in May 2018. Despite Brexit, this will still apply.

GDPR applies directly to Serco as a Data Controller and Processor.

Increased Risk Exposure due to higher numbers of Cyber Attack cases on large business e.g. TalkTalk, Tesco Bank.

Increased fines - from a max of £500,000 to a max of 4% of global turnover (approx. £2.5M per breach).

of Serco UK Contracts handle personal data, yet only
of Serco UK Contracts are aware of the impending changes.
Regulatory compliance.
Risk mitigation to increased fines.
Reduced risk exposure to debilitating cyber attacks.
Allows us to meet our Customer Requirements in light of their GDPR implementation programmes.
Embedded Data Governance Project in line with national Requirements.
Will strengthen Serco compliance to other Information Security standards e.g. ISO 27001.
PwC audit provides feedback on our GDPR readiness.
Support from Group Data Governance Board and UK Security Steering Board.
Data Profiling exercise conducted across Contracts through self assessment Questions.
Classed as a Tier 1 Project, currently 1 PMO resource.
No funding - requested at Executive Committee but was pulled due to the Project not being started.
Project funding not allocated.

Need for coordinated approach at Group/Divisional/Business Unit/Contract level to ensure consistent sharing, roll-out and use of tools.

Key stakeholders identified but resources have not been formally allocated to Project.

New legislation, so guidance from the Regulator is still being formulated: clear direction from the regulator on how to roll out across a diverse business.

Project to be implemented by May 2018 in accordance with Serco/Customer timelines.
Project Management
- PM, Emma Green
- AGC, Julie Varcoe-Cocks.
- Head of InfoSec, John Court
- Pip Stewart-King
Operational (BU-Level)
- InfoSec Managers / Service Excellence?
- CSS (Out of Scope)
Data Governance Board (Steering Committee, Group)
UK Security Steering Board (Divisional)
1 - PwC Audit Report, which highlights red levels of compliance, to be reviewed by:
1a - Group Executive Committee and Plc Board Audit Committee and,
1b - Project Board (Sponsor, SROs, Senior Supplier, Senior User).
2 - Project Scope, Team, Resources and Deliverables to be agreed.
3 - Quality Expectations defined (Quality Plan drafted).
4 - Project Initiation Document drafted.
5 - Project Plan to be created.
6 - Budget to be agreed based on Project Plan activities and resource requirement.
7 - Risk Workshop held with key SMEs involved.
8 - Get Project started ASAP.
Proposed Workstreams (and associated Deliverables)
1 - Operations - PIA / PbD / SAR process and evidence
2 - Legal/Contracts - Guidance Notes
3 - Training - Training programme
4 - Bidding - Updated Bid Methodology Guide
5 - Communications - Comms campaign
6 - Risk and Insurance - Updated SMS insurance
7 - Internal Audit
8 - Third Parties - Updated Procurement Toolkit
9 - Accountability - Data maps, data registers, Assurance procedures
10 - Data Integrity - Data retention policy
11 - Procedures - PIA / PbD / SAR process and evidence
12 - Policies - GDPR policy, updated Security policies
Centralised Project at Group/Divisional level

In scope for CG and LRG:
CG and LRG (inc. customer and employee data), BAU processes (as well as Project work i.e. embedding Project outputs), Customer IT.

Out of scope for CG and LRG:
Group and CSS (Serco IT, Procurement, My HR etc.)