
2.2.16 Service Fragmentation:
1. In this context, fragmentation means that a company splits its operating data across different departments so that no single view of how the company is working can be determined.   Each department's data fragment needs to comply with legal data protection regulations, and compliance evidence must be created from each fragment.   It is self-evident that the cost of managing many data fragments is higher than that of managing one integrated set of data.

People own their own data:
1. An objective is to give people the right to control their own data and data about them.   People have the right to see all the data about them and to have changes made if anything is wrong.   People have the right to have their data deleted and the right to know how their data will be used.   People must willingly give consent for their data to be used by a company and the company must be able to prove that consent was freely given.   People have the right to withdraw consent at any time.
2. GDPR applies to all personal data stored in a CRM, in spreadsheets, in emails, in paper documents and in all computers, tablets and phones.   People must be told what data is stored, why it is stored and when it will be destroyed.

Motivation:
1. The Information Commissioner's Office (ICO) have stated that every company shall fully comply with the law or will be fined until they comply.   Fines of up to four percent of world-wide revenue have been set, with a special fine for a company that chooses not to comply.   Where a company gains an advantage over other companies by not complying with all Data Protection Regulations, a special fine will be imposed to counter the advantage gained.
2. The intent is clearly stated - every company that trades in Europe and most countries in the world will follow the same data protection rules or will not trade.   The Information Commissioner's Office web site has a whistle-blowers page where non-compliant companies can be named.

Email Regulation:
1. Privacy and Electronic Communication Regulation (PECR) is part of GDPR and regulated by the ICO - Electronic Communication means all kinds of emails.   Before an email containing a marketing message can be sent to a person, that person must formally opt-in and subscribe to receive such an email.   A person can opt-out and unsubscribe at any time - every email must give the person the opportunity to opt-out.
2. Subscription history must be managed for each person - when and how they subscribed and unsubscribed from each type of email.   This is data about a person and each person has the right to view their own subscription history.

Data Protection Officer:
Every company that stores data about people (including staff) must appoint a qualified, skilled and experienced Data Protection Officer.   The Data Protection Officer must implement technical and organisational measures such as:-
1. Pseudonymisation (hiding personal data).
2. Encryption (hiding personal data).
3. Ensured confidentiality.
4. Restoring availability in the event of an incident.
5. Process of regular security testing that sufficiently guarantees data protection.
6. Data protection education must be provided.

Data Processor:
ASP, as the data processor of certain data, provide the role of the Data Protection Officer with:-
1. ASP has people with international standard security qualifications, proven skills and at least ten years' experience in the security sector.
2. ASP encrypt all personal data for staff, customers, suppliers and other business associates - extreme levels of many encryption methods are deployed.
3. ASP provide and enforce adequate authentication services and automated evidence services with 24*7 monitoring.
4. ASP replicate encrypted data to many secure data centers to provide business continuity with recovery-restart delays - downtime has been eliminated.
5. ASP provide subscription management with automated business messages using the public-envelope and private-letter technique.
6. ASP deploy business rules rather than software so no software errors can exist, no software versions exist, no software updates exist, no software maintenance downtime exists.

Other Data Fragments:
1. The ASP has a proven record of managing data protection for certain data, but all other data must be managed by a local Data Protection Officer.   Unstructured email data is a key topic where personal data will be hidden in private inboxes.   It has been recommended that all emails should be improved to become automated business messages driven by Eliza and the CRM.   Data in spreadsheets regarding people as contacts and staff needs special management to comply with legal obligations.   It has been recommended that such spreadsheet data should be uploaded into a safe, secure, encrypted environment of multiple data centers.
2. The most cost-effective method to comply with the law is to evolve procedures so all business data is stored in the same secure CRM - minimise local data.   The most expensive method would be to build a unique compliance method for each fragmented island of data.   A third option is not to comply with the law.

Benefits:
1. Engagement with customers, suppliers and business associates is enabled by granting online access rights so people can access their own data.   Eventually people will simply assume that they can access their own data, so the company that leads with such provision will be treated as somebody to be trusted.
2. ASP stored personal data is so well encrypted that a data breach is not possible, even if an agency gains access to a data center.   All personal data is simply a set of numbers that are meaningless to any criminal.
3. ASP have more than ten years of regular penetration testing - a culture of data protection has evolved with no gaps and no exceptions.   ASP has not only first class authentication, but 24*7 monitoring to stop criminal behaviour the instant it happens.
4. ASP provide data protection education to graduates, apprentices and interns for international corporations.   ASP undertake security audits to help businesses with governance, regulation and compliance.