The measure of a good company GoodCorporation Standard Assessment Report (Data Protection) VERCO plc August 2016 CONFIDENTIAL – for authorised distribution only

Verco DP Report Final - GoodCorporation · 2019-11-29 · Verco’s senior management team has a good understanding of the importance of data protection and how to engage with the




Verco Assessment Report (Data Protection) 2016 DRAFT

CONFIDENTIAL

Verco Report (DP) August 2016 © GoodCorporation Ltd. For authorised distribution only

Organisation: Verco

Activity: Telecommunications and Internet Services

Principal contact: Jane Smith

Sites visited: Headquarters and 4 branches in London, Birmingham, Bristol and Newcastle.

Date of assessment: 1-19 August 2016

Assessors: Gareth Thomas and Till Lembke

Document reference: Verco-DPReport-Template.doc

Document status: Final

This report is confidential and is not for public distribution. Copyright of the contents remains with GoodCorporation Ltd and all rights are reserved. Any internal distribution of this document or its contents must be authorised by the named contact above.


Contents

Introduction .......... 1

The GoodCorporation Data Protection Framework .......... 1

Assessment process and grading .......... 2

Overall outcome .......... 3

Executive Summary .......... 3

Management and governance .......... 4

Security environment .......... 4

Legal environment .......... 5

Operational data practices .......... 5

Managing employees who handle data .......... 6

Managing routine access by third parties .......... 6

Breaches .......... 7

Monitoring and review .......... 7

Action Plan .......... 8

Appendix 1 Detailed findings

1. Management and governance .......... 22

2. Risk Assessment .......... 27

3. Security Environment .......... 28

4. Legal environment .......... 33

5. Operational data practices .......... 36

6. Managing employees who handle data .......... 49

7. Managing routine access by third parties .......... 52

8. Managing Requests .......... 55

9. Breaches .......... 57

10. Monitoring and review .......... 60

Appendix 2 Document Log .......... 63

[Intentionally left blank] .......... 63

Appendix 3 Meeting Log .......... 64

[Intentionally left blank] .......... 64


Introduction

Verco is VERCOMMUNICATION Company's largest dealer in the UK and it is 100% owned by the group. Verco employs over 800 people in the UK, across 40 stores. Verco sells new handsets and other telecommunication devices, internet and mobile data connections as well as television and entertainment connection packages. Products and services are sold to business customers and directly to the retail market.

Verco also runs an aftercare business, providing servicing to new and used devices and a network of engineers who visit customers on site to help install any new lines or infrastructure needed to obtain online access.

In 2015 the business made a commitment to be evaluated according to the GoodCorporation Data Protection Framework under the leadership of its head of marketing and e-commerce Jane Smith. The business undertook an initial review of its operations against the Standard in 2015 and then undertook a full assessment in August 2016, the results of which are summarised in this report.

The GoodCorporation Data Protection Framework consists of a list of good data protection practices and can be used to design, embed and evaluate an organisation's data protection system and culture.

The GoodCorporation Data Protection Framework

The GoodCorporation Data Protection Framework is set out in Appendix I of this report. It provides the criteria for this assessment report. Based on a core set of principles for responsible data management, the framework sets out 76 areas of management practice that are assessed to determine how well the organisation performs against each. The GoodCorporation Data Protection Framework covers ten key areas of management:

• Management and governance;

• Risk assessment;

• Security environment;

• Legal environment;

• Operational data practices;

• Managing employees who handle data;

• Managing routine access by third parties;

• Managing requests;

• Breaches; and

• Monitoring and review.

This assessment was conducted against the GoodCorporation Data Protection Framework (August 2016 Revision).


Assessment process and grading

The assessment took place in Verco's London headquarters and four branches, one each in London, Birmingham, Bristol and Newcastle, between 1st-19th August 2016, and included a number of telephone interviews. The assessor reviewed documents, interviewed functional managers, and interviewed samples of stakeholders including employees, service providers and business partners to evaluate Verco's overall adherence to the GoodCorporation Standard for data protection.

All stakeholder interviews were conducted in confidence and this report does not attribute individual comments. Where problems were found or sensitive feedback was given this has necessarily been stated in general terms unless specific consent was granted to give details of individual cases.

Each evidence point was assessed, and graded according to a scale as shown here:

Please note: ‘best practice’ corresponds to ‘commendation’, ‘no action required’ corresponds to ‘merit’, ‘improvement recommended’ corresponds to ‘observation’, ‘action required’ corresponds to ‘minor non-compliance’ and ‘significant action required’ corresponds to ‘non-compliance’.


Overall outcome

Executive Summary

Verco has obtained merits or commendations in just over half of the assessed practices. In five practices, Verco has demonstrated exemplary conduct. Its policies on data protection are particularly commendable (MG1), as is its approach to risk assessments to consider data protection risks (RA1), which are thoroughly conducted on a regular basis. In addition, Verco is very strong in compiling guidelines which are clear and comprehensive, and include sections on, inter alia, identifying vulnerable customers, practical tips on how to engage with them, specific considerations for frontline staff, and guidance on how their personal data should be protected (OP8). The processes employed to destroy data or to render it irrecoverable are also of a very high standard (OP21). Finally, Verco has succeeded in conveying clearly whom to speak to in case of a suspected data breach, and all employees interviewed bar one have a clear and accurate idea of whom to address should they suspect any data breach (BR2).

Conversely, just under a fifth of Verco's practices which benefit from a policy or a system do not always work, and require corrective actions to reduce risk. This includes a lack of clarity in relation to privacy notices (MG4), negligent locking of cabinets (PS2), and a relaxed approach to the use of non-encrypted USB devices (IS5) and training on information systems security (IS8). Four operational practices, touching on consent (OP1), data collection (OP4), privacy notices for children and other vulnerable individuals (OP10) and the monitoring of employees' use of internet, email and other communication systems (OP13), would especially benefit from improvements. In addition, job-specific training for relevant employees would be recommended (ME1). Verco's engagement with service providers' or business partners' data protection practices and verification thereof (TP2 and TP5) also provides room for improvement. Verco can likewise improve its own security by reaching out to external service providers to conduct breach simulations and simulated attacks to test its systems (MR4).

Overall Verco has a very good commitment to adopting responsible business practices in the realm of data protection and has met the needs of the GoodCorporation Standard, with no ‘non-compliance’ grade in any of the 76 points in its GoodCorporation assessment.

The chart below shows the breakdown of the grades awarded to Verco, with just over half of practices working well and graded as merit or commendation.


Management and governance

Verco's senior management team has a good understanding of the importance of data protection and how to engage with the key principles underpinning effective data privacy programs. Clear policies on data protection exist (MG1), and a dedicated intranet website on data protection provides a wealth of information, including useful guidance documents and flowcharts, to employees. A very good summary of Verco's data protection policy is available online. Verco states that the comprehensive data protection policy is also available on request, but this is not clear from the website and Verco may wish to make access to its full data protection policy easier (MG3). In respect of privacy notices, Verco should redraft them to render them less legalese and more plain-English. It should also ensure that privacy notices are readily available, which is not always the case, especially in its stores (MG4).

While the data protection officer is well prepared for the role and benefits from tailored training to undertake the relevant work, just over half of the interviewed employees were not aware of who the data protection officer is. Verco may wish to communicate the role and functions of the data protection officer more pro-actively (MG5). The data protection officer's line to the board is good and works well, but data protection does not feature as a standing order agenda item during the board of director meetings – this should change (MG7). Additional help and resources for the data protection functions should be considered (MG8).

Security environment

Even though Verco's buildings' access controls are of good standards, practices in respect of locking cabinets and drawers, as well as of following the “clean-desk” policy are lacking. Several documents containing customers' personal data were left out in the open on desktops that anyone walking by could see, and a number of drawers were left open despite also containing confidential information (PS2). Verco should ensure that it enforces the clean-desk policy and stresses the importance of locking all drawers and cabinets.

[Chart: Verco's Data Protection Policies and Practices, grades awarded: Commendation 7%, Merit 44%, Observation 32%, Minor non-compliance 17%, Non-compliance 0%]


On the whole, Verco has good practices when it comes to information systems security. However, while a policy on the use of USBs, hard drives and other external devices exists, the prohibition on the use of non-Verco-issued devices is not strictly enforced. Verco should consider amending its software on all laptops to ensure that only company-approved and adequately encrypted external devices can be used with Verco's laptops. In addition, it would be helpful to remind employees of the dangers of using unencrypted storage devices when transferring data (IS5). In addition, Verco should consider offering dedicated training sessions on the appropriate use of employee-owned devices including how to set up strong passwords (IS6).

In terms of dedicated IT practices, Verco should establish a formal timeline for the carrying out of independent IT assessments that cover the robustness and appropriateness of IT security controls – these should be undertaken at annual intervals, and should involve not just the IT department but also the data protection team (IS7). Training on information systems security is not consistently planned and does not form part of the official training plan for 2016 (but did for 2015), meaning that those employees who have joined Verco after 21 November 2015 have not received specific training on information systems security. Such training ideally will become a mandatory part of a new employee's induction session, and will be held at regular intervals to ensure ongoing awareness (IS8).

Legal environment

In general, the legal environment in respect of data protection and privacy at Verco is very good. There are adequate processes in place to monitor legal requirements and any relevant changes, and registration requirements, data transfers and the handling of personal data by third parties are adequately addressed. An area for improvement is the communication of any changes to the data protection legislation to the relevant people. While changes are, on the whole, communicated clearly and speedily, and all relevant people felt they were aware of any changes, the newsletter alone may not be sufficient to communicate changes. It would be helpful to target new information more specifically to those people affected by it, by direct email contact (LE2).

Operational data practices

Verco is strong on operational data practices, with 13 out of 22 applicable practices obtaining a merit, in addition to two commendations. However, several observations and four minor non-compliance grades were also recorded.

Verco should consider changing its contracts across its operations to allow customers to immediately opt out of any information sharing not strictly necessary to the provision of the contractually agreed services. It should ensure that it does not rely, in any case, on pre-ticked consent boxes or treat silence or inaction as sufficient consent (OP1). In addition, Verco should reconsider its information gathering process. Instead of asking additional questions in the same documents as the mandatory questions (i.e. those necessary for the provision of the requested services), Verco ought to consider a separate process to ask any mandatory questions, using documents dedicated to the purpose. This would also allow it to clearly communicate the purpose of the additional information and ensure that the third party providing such information does so in a fully informed and consenting manner. In any case, Verco should ensure that it is beyond doubt what information is crucial, and what information is not strictly necessary (OP4).

At the moment, the communication of Verco's data protection policies and practices and of what the data will be used for and why at all data collection points has room for improvement. Verco should ensure that all data collection points offer the data subject the means to inform him or herself instantaneously about what the data is used for and why it is being used in such a way, without having to undertake any further research. Staff across all stores should be aware of the applicable data protection policies and practices and able to explain, at least in very broad terms, to customers how their data is being used and why; this is not the case everywhere yet (OP5). Verco should further make sure that information related to how long data will be kept and when it will be disposed of is included in its standard customer documents (OP6).

It is commendable that Verco has devised specific policies for vulnerable groups; however, currently it is very complicated to obtain those and about 60% of the interviewees were not aware that such alternative formats even existed. The staff in Verco's stores should be trained to be able to source and distribute alternative formats in store or by mail/online. Verco should ensure that its privacy notices are adapted to the needs of children and explain the steps taken if the data subject is under 16 (OP10). In respect of obtaining explicit permission for the use of information, several customers reported that they were dissatisfied with the use of their information to send twice-monthly newsletters without explicitly asking for permission (OP12).

With regard to the monitoring of employees' use of internet, email and other communications systems, Verco has clear processes and rules. However, the enforcement system appears not to be working and additional training should be offered to line managers on how to address any inappropriate user behaviour, as well as on the importance of the appropriate use policy (OP13). For customer and data subject requests, additional training should be offered to receptionists and other customer-facing staff. Verco should ensure the reminder emails about the processes relating to data subject requests are sent regularly, and that the logbook is inspected carefully by the data protection team, to guarantee that outstanding entries are dealt with in a timely manner (OP18). Finally, Verco may wish to reconsider its wide distribution of authority to disclose data, and allocate authority to disclose on a stricter basis (OP20).

Managing employees who handle data

For employees handling data, specific, job-related data protection training should be undertaken, beyond the basic overall training offered to all (ME1). Employees would also benefit from a clear and consistent communications plan, with updates on data protection issues sent not on an ad-hoc basis contingent on urgency, but at regular intervals (ME3). Currently, there is no clear disciplinary process description, and it is recommended that Verco set out in more detail what its disciplinary process entails and what the different steps are from the first formal warning letter to the ultimate sanction of dismissal. A stronger enforcement of the applicable policies would also be beneficial (ME6).

Managing routine access by third parties

As far as managing routine access by third parties is concerned, Verco should verify that the data protection policy and related standards are communicated by email in advance to each service provider or business partner, and not rely on the third party itself to request the document (TP1). Verco is aware of the importance of service providers and business partners having adequate data protection practices if they are to collect, handle or destroy data on Verco's behalf. This is demonstrated by its insistence on those other parties providing contractually enforceable statements to that effect. However, Verco should make sure that it verifies at least some of its service providers' or business partners' data protection practices to show its own commitment and safeguard against infringements in its supply chain (TP2). In addition, Verco should consider enacting a more formal process in relation to the active management of its service providers' or business partners' handling of data and the protection thereof. It could consider asking for periodic feedback and actively engaging with its business partners or service providers in offering data protection training and checking their commitment to data protection (TP4). It should also consider including spot checks, starting with key service providers or business partners that handle large volumes of data on behalf of Verco (TP5). A verification process and such spot checks would also enable Verco to use its contractual rights to sanction where necessary (TP6).


Breaches

Verco's IT department regularly checks for internal server breaches, but Verco may wish to consider changing the times to avoid typical or repetitive behaviour. It should also ensure that reports on each check are diligently filled in and properly filed. It may also wish to consider asking for and reading the reports on the checks conducted by Cloud Storage to keep an eye on its external IT systems and data storage facilities (BR1).

In respect of confidential means of reporting data protection concerns, Verco should consider revising its data protection policy to include an explicit reference to the whistleblowing hotline as being a means of reporting any data protection concerns confidentially (BR3).

Monitoring and review

While Verco appears aware of the threats emanating from the digital world, it should consider reaching out to external service providers to arrange for simulations of breaches and attacks. This should include a longer-lasting arrangement (at least 6 months), in which Verco is being tested in different ways (hacking attacks, phishing emails, spoofing, botnets, pharming and other types of common cyber security threats), and an ongoing agreement to carry out regular simulations and attacks to ensure that Verco is continuously up to speed with its data protection (MR4). Verco may also wish to consider obliging the data protection team to provide more detailed reports on a regular basis, perhaps once every six months, on any issues and information in relation to data protection and data breaches, and maintain data protection as a constant item on the agenda of each board meeting (MR5).


Action Plan


No. | Framework point | Recommendation(s) | Grade | Verco's comments (if any) | Action to be taken by Verco | Owner | Timeframe

1. MG3 (Grade: Observation): Verco should consider publishing its complete policy on data protection on its public website, or alternatively at least make it very clear, both on the website and in the summary document provided, that the complete policy can be requested by email or by phone.

2. MG4 (Grade: Minor non-compliance): Verco should review its privacy notices and consider redrafting them in a simpler style. It should consider creating shorter summary privacy notices (of one to two pages) which highlight the most important aspects of what will happen with a data subject's information. Finally, Verco should ensure that the privacy notices are readily available online and ideally in hard copy across its stores.

3. MG5 (Grade: Observation): Verco should ensure that employees are pro-actively told about who the data protection officer is, e.g. by way of emails reminding them (this could form part, for example, of a “Key Contacts and Numbers” email sent out once a month and also regrouping other key contacts such as HR, whistleblowing hotlines or other important contacts), or by hanging posters with the data protection team's details around the office, or having info sessions dedicated to the work the data protection team does.

4. MG6 (Grade: Merit): Verco's board should consider having data protection as a standing order agenda item at its meetings, actively inviting the data protection officer to provide a short summary or reach out to the board in advance of the board meetings, to ensure continuous exchange and reporting of data protection issues to the highest levels.


5. MG7 (Grade: Observation): Verco should consider holding dedicated training sessions for its senior management team to communicate the importance of data protection and ensuring that data protection is regarded as an issue that each senior manager is also responsible for. The annual meetings with the data protection team may be more useful if they were held semi-annually at least, to ensure a more up-to-date awareness among all managers.

6. MG8 (Grade: Observation): A more streamlined process to allow the data protection team to resort to outside help if necessary, and to participate in in-depth training sessions over two or three working days, would reduce the anxiety the data protection team feels about not being able to implement the latest standards of data protection. Ideally, a certain amount would be earmarked for data protection training and advice expenditure at the beginning of each year, which the data protection officer could relatively easily access.

7. PS2 (Grade: Minor non-compliance): Verco should make clear it is imperative that the clean desk policy is followed, particularly in open plan spaces and rooms which cannot be locked. One approach in enforcing this rule could be to spend some time each evening for a week or two to verify who did not abide by the clean desk policy and send the relevant people a standard email the next morning reminding them of the policy.

Verco should further make it clear to employees in the head office as well as the branches that all filing cabinets and lockers must be locked by key at all times.


8. PS3 (Grade: Observation): Verco should ensure that it is fully aware of the security safeguards which its off-site server providers have and ensure that its contracts spell out in detail what standards are expected.

Verco may also wish to consider an updated power back-up system which lasts longer than only 8 hours, given that oftentimes power cuts are not addressed in that timespan and forcing the internal servers to shut down may severely hamper Verco's operations (although this has not been a problem in the last ten years).

9. IS5 (Grade: Minor non-compliance): While no breach or specific incident has been reported, Verco should consider amending its software on all laptops to ensure that only company-approved and adequately encrypted external devices can be used with those laptops.

In addition, Verco should ensure that all its staff are aware of the policy on the use of external devices and realise the inherent dangers in using personal external devices, especially non-encrypted ones, when accessing, transferring or storing data.


10. IS6 (Grade: Observation): Verco's policy includes examples of best practices, including how to create strong passwords, but this is not widely known among employees. Verco should consider offering dedicated training sessions on the appropriate use of employee-owned devices. For instance, before an employee is granted access to work email on his or her phone, the IT team could send across a detailed summary of how to use the device and how to create passwords, as well as the need to register the device and record its serial number.

11. IS7 (Grade: Observation): Verco should establish a formal timeline for the carrying out of independent IT assessments that cover the robustness and appropriateness of IT security controls – these should be undertaken at least annually. In addition, this should not just be the purview of the IT department, but actively involve the data protection team as well.

12. IS8 (Grade: Minor non-compliance): Verco should consider making such training a mandatory part of a new employee's induction session, and hold such training at regular annual intervals to refresh employees' awareness.

13. LE2 (Grade: Observation): In addition to the weekly newsletter, it is helpful to target new information more specifically to those people who will be responsible for it. For instance, a change in the IT requirements should always also be specifically mentioned and sent to the IT department separately.


14. OP1
Recommendation(s): Verco should change its contracts, both online and in hard copy, to allow customers to immediately opt out of any information sharing not strictly necessary to the provision of services. Ideally, customers would have to explicitly opt in before giving any such consent. Verco should make sure that all customers are fully informed of their rights in relation to consent, whether they enter into a contract online or in a store.

It is noted that the law in relation to consent is strengthened from May 2018 onwards: consent under the GDPR requires clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute clear affirmative action. Verco must consider this and revise its standard approach to obtaining consent in time to comply with the GDPR.
Grade: Minor non-compliance


15. OP4
Recommendation(s): Verco should reconsider its information-gathering process. Instead of asking additional questions in the same documents as the mandatory questions (i.e. those necessary for the provision of the requested services), Verco could have a separate process to ask any mandatory questions, on a different set of paper. This would also allow it to clearly communicate the purpose of the additional information and ensure that the third party providing such information does so in a fully informed and consenting manner. In any case, Verco should ensure that it is beyond doubt what information is crucial, and what information is not strictly necessary.

In addition, Verco should ensure it has a clear idea of what it intends to use any information obtained for, and why it is asking certain questions. This will allow it to communicate the statement of purpose before asking the relevant questions, and avoids the risk of asking as many questions as possible and considering what to do with the answers afterwards.
Grade: Minor non-compliance

16. OP5
Recommendation(s): Verco should ensure that all data collection points offer the data subject the opportunity to inform himself or herself instantaneously about what the data is used for and why it is being used in such a way, without having to click through to other websites and undertake additional research.

Verco should also make sure that its staff are universally aware of the applicable data protection policies and practices and able to explain to customers, at least in very broad terms, how their data is being used and why, where relevant.
Grade: Observation


17. OP6
Recommendation(s): Third parties as well as staff should be able to have a quick sense of what happens to their data if it is being disposed of and what the timeframe for keeping such data is. Verco should consider including that information in the standard documents and contracts in the section on data protection and privacy.
Grade: Observation

18. OP7
Recommendation(s): See OP1.
Grade: Observation

19. OP10
Recommendation(s): The staff in Verco's stores should be trained to be able to source and distribute alternative formats of the privacy notices without any delay. Ideally, they would be able to directly distribute such alternative formats in store or by mail/online without having to first contact Verco's head office.

Verco should ensure that its privacy notices are adapted to the needs of children and explain the steps taken if the data subject is under 16.
Grade: Minor non-compliance

20. OP12
Recommendation(s): Verco should ensure that those uses which would, by most customers at least, be deemed to go beyond the strictly necessary to enable the provision of services are highlighted and require specific permission.
Grade: Observation


21. OP13
Recommendation(s): Verco should consider offering training sessions to line managers on how to address inappropriate user behaviour, and stress the importance of following the appropriate use policy.

In addition, Verco may wish to consider a blanket ban on the use of personal laptops and handheld devices/other internet-connected devices during office hours, and re-circulate its communication about what may and what may not be accessed or circulated by employees during office hours or using office equipment.
Grade: Observation

22. OP14
Recommendation(s): A clear guideline on how often and at what intervals the data subject should be reminded to respond after the initial email should be implemented and shared among all relevant employees.
Grade: Merit

23. OP18
Recommendation(s): Training for receptionists and anyone who is customer-facing should include a dedicated section on how to deal with data subject requests. It may also be helpful to send out regular reminder emails (once a month) to highlight the relevant policies and where to access them.

The data protection team should ensure that the logbook is inspected carefully on a regular basis (at least once to twice a week) and that any outstanding entries are dealt with as soon as reasonably practicable.
Grade: Observation


24. OP19
Recommendation(s): Verco should not use categories to allow general authority to employees, but should allocate authority on a strict basis of necessity and consider the duties and job description of each employee before giving the employee data sharing authority.
Grade: Observation

25. OP23
Recommendation(s): Verco should update its policies to clearly include genetic and biometric data as sensitive data.
Grade: Merit

26. ME1
Recommendation(s): Verco should tailor specific training according to an employee's needs. Basic overall training is a good idea, but additional training should be considered for those who are likely to have to deal with requests, process large amounts of personal data (HR staff members, customer-facing employees) etc.
Grade: Observation

27. ME3
Recommendation(s): Verco should consider spending some time setting up a clear communications plan with respect to data protection issues, responding not only to specific topics or matters of urgency, but also ensuring that data protection reminders are sent at regular intervals, with links and information for employees to refresh their knowledge and raise overall awareness.
Grade: Observation


28. ME6
Recommendation(s): Verco should set out in more detail what its disciplinary process entails and what the different steps are from the first formal warning letter to the ultimate sanction of dismissal. This should be contained in an updated Code of Conduct.

Verco should further ensure that the formal disciplinary process is actually used in respect of data protection infringements to signal that it is serious about respect for its data protection policies. A formal first warning letter to employees in breach of a data protection rule, setting out what the infringement is, how to avoid such infringement and offering to discuss and/or provide further clarification in person, would be a good first step.

In addition, Verco may wish to consider including a sample (fictitious or anonymised) case study in its Code of Conduct or its data protection policy on how the disciplinary process would be used in respect of infringements of the organisation's data protection rules.
Grade: Minor non-compliance

29. TP1
Recommendation(s): Verco should ensure that the data protection policy and related standards are communicated by email in advance in each case, and not rely on the third party to obtain the documents itself instead.
Grade: Observation


30. TP2
Recommendation(s): Verco is aware of the importance of service providers and business partners having adequate data protection practices if they are to collect, handle or destroy data on Verco's behalf. This is demonstrated by its insistence that those other parties provide contractually enforceable guarantees to that effect. However, Verco should make sure that it verifies at least some of its service providers' or business partners' data protection practices to show its own commitment and safeguard against infringements in its supply chain.
Grade: Minor non-compliance

31. TP4
Recommendation(s): Verco should consider enacting a more formal process in relation to the active management of its service providers' or business partners' handling of data and the protection thereof. It could consider asking for periodic feedback and actively engaging with its business partners or service providers in offering data protection training and checking their commitment to data protection.
Grade: Observation

32. TP5
Recommendation(s): Verco should include spot checks, starting with key service providers or business partners that handle large volumes of data on behalf of Verco.
Grade: Minor non-compliance

33. TP6
Recommendation(s): While there is no suggestion that service providers or business partners have in fact failed to meet Verco's required standards for data protection, Verco should strongly consider (as set out in TP2 and TP4) a verification process and spot checks to ensure compliance, and enable it to use its contractual rights to sanction where necessary.
Grade: Observation


34. BR1
Recommendation(s): Verco may wish to consider changing the times when it checks for data breaches to avoid any repetitive or typical behaviour.

It should further ensure that the reports on each check are diligently filled in and properly filed.

Finally, it may wish to consider asking for and reading the reports on the checks conducted by CloudStorage to keep an eye on its external IT systems and data storage facilities.
Grade: Observation

35. BR3
Recommendation(s): Verco should consider revising its data protection policy to include an explicit reference to the whistleblowing hotline as being a means of reporting any data protection concerns confidentially. It would also be helpful to add that information to the induction training and make it as well known as the identity of those the staff should speak to if they have any queries.
Grade: Observation

36. MR2
Recommendation(s): Verco may wish to consider including the effectiveness of existing data protection measures as a standing order agenda item at board meetings.
Grade: Observation


37. MR4
Recommendation(s): Verco should consider reaching out to external service providers to arrange for simulations of breaches and attacks. This should include a longer-lasting arrangement (at least 6 months), in which Verco is tested in different ways (hacking attacks, phishing emails, spoofing, botnets, pharming and other types of common cyber security threats), and an ongoing agreement to carry out regular simulations and attacks to ensure that Verco is continuously up to speed with its data protection.
Grade: Minor non-compliance

38. MR5
Recommendation(s): As mentioned in MG6, data protection should become a standing order agenda item at each board meeting. In addition, Verco may wish to consider obliging the data protection team to provide a more detailed report, perhaps once every six months, on any issues and information in relation to data protection and data breaches.
Grade: Observation


Appendix 1: Detailed findings

1. Management and governance

MG1: There is a written and clearly articulated policy on data protection, which is referred to in the organisation's code of conduct.

Grade: Commendation

Verco has a written and clearly articulated policy on data protection. This is referred to in Verco's Code of Conduct, and is clearly signposted on the homepage of the organisation's intranet. A summary of the data protection policy is made available on Verco's publicly accessible homepage.

Assessment:

The policy on data protection captures a variety of issues and clearly sets out the rights and obligations of all staff and the policy on employee-owned devices. It also contains a section on addressing the needs of vulnerable members of staff or customers, including children.

The policy appears in an easy-to-use format, and across interviews employees were confident that a policy existed, where to find it, and how to use it. There was clear ownership and version control, with the last version having been updated in July 2016 in preparation for the legislative changes coming into force with the start of the EU General Data Protection Regulation (GDPR) in 2018.

MG2: The policy and the measures in place have been formally approved by the board.

Grade: Merit

The revised version of the data protection policy was signed off formally at Verco's latest company board meeting on 29 July 2016.

Assessment:

While the latest version was a dedicated minute on the agenda of July's board meeting, the previous two versions had not been formally approved by the board. The reason given was that the two previous updates (in February 2015 and April 2014) concerned mostly typographical updates and did not touch on any substantive content.

Recommendations:

It is advisable to ensure that each update of the data protection policy, as well as any processes in connection with the data protection policy, is formally approved by the board. Making sure that data protection becomes a standard point on the agenda of each board meeting is a recommended way to guarantee that anything in relation to data protection is regularly and continuously considered by the board.


MG3: Both the complete policy and a summary of the policy are made public.

Grade: Observation

A summary of the data protection policy is made available on Verco's publicly accessible homepage. The complete policy is not available publicly.

Assessment:

The summary of the data protection policy is well presented and captures the key points of the long-form policy. However, for members of the public without access to Verco's intranet, there is no easy way to obtain the comprehensive policy – the data protection officer made it clear that the complete policy can be made available on request, but this is not obvious from visiting Verco's website and not formally written down anywhere easily accessible.

Recommendation:

Verco should consider publishing its complete policy on data protection on its public website, or alternatively at least make it very clear, both on the website and in the summary document provided, that the complete policy can be requested by email or by phone.

MG4: The organisation has readily accessible privacy notices in place which include the legal basis for processing data, data retention periods and a data subject's right to complain and to whom. The information provided in the privacy notice is given in clear, concise and easy to understand language.

Grade: Minor non-compliance

The website contains a comprehensive privacy notice which sets out the way in which the information gathered from the website visitor and/or online customer is being used and meets the legal requirements. In stores, privacy notices form part of the contractual documents or are referred to.

Assessment:

The privacy notices are written in a complicated and legalistic style. A large majority of interviewed customers and suppliers (more than 75%) found the privacy notices to be unclear, lengthy and difficult to understand. In stores, while privacy notices or references to privacy notices form part of any paperwork and contractual documents which customers may enter into, these are not readily accessible. Staff often did not know how to locate the full privacy notice (despite references in the paperwork to reach out to staff to obtain the full privacy notices), and in half of the surveyed stores, no hard copies of the privacy notices were available.

Recommendations:

Verco should review its privacy notices and consider redrafting them in a simpler style. It should consider creating shorter summary privacy notices (of one to two pages) which highlight the most important aspects of what will happen with a data subject's information. Finally, Verco should ensure that the privacy notices are readily available online and ideally in hard copy across its stores.

MG5: There is a named person responsible for data protection who is made known to employees and signposted as a source of guidance on data protection queries.

Grade: Observation

Verco's data protection officer is Miguel Samarrco, who heads a dedicated data protection team of three people. His name and the existence of the data protection team are mentioned in Verco's and the Group's data protection policy, and made clear on Verco's intranet website in the data protection section.

Assessment:

While it is clear who is responsible for data protection, just over half of the employees interviewed did not know who the data protection officer was, or how to find out who to talk to if they needed guidance on data protection queries.

Other than the communication in the policies and on the intranet, there was no effort to inform employees of the data protection team. One email was sent out at Miguel Samarrco's appointment to the role of data protection officer in January 2014, but no further direct communication appears to have been undertaken since then.

Recommendations:

Verco should ensure that employees are pro-actively told who the data protection officer is, e.g. by way of emails reminding them (this could form part, for example, of a "Key Contacts and Numbers" email sent out once a month and also regrouping other key contacts such as HR, whistleblowing hotlines or other important contacts), by hanging posters with the data protection team's details around the office, or by holding info sessions dedicated to the work the data protection team does.

MG6: The responsible person has a reporting line to the board.

Grade: Merit

The data protection officer (currently Miguel Samarrco) has a direct reporting line to the board.

Assessment:

It is possible for the data protection officer to reach out directly to the board should he wish to. He is however not a regular participant in the board meetings and has contact with the board only on his own initiative.


Recommendations:

Verco's board should consider having data protection as a standing order agenda item at its meetings, actively inviting the data protection officer to provide a short summary or reach out to the board in advance of the board meetings, to ensure continuous exchange and reporting of data protection issues to the highest levels.

MG7: Senior management champions and sets the tone on data protection.

Grade: Observation

Verco's senior management usually know who the data protection officer is, and annual meetings bring together all of the senior management and the data protection team to discuss developments over the last year and challenges ahead.

Assessment:

While most senior managers were aware of the data protection team and would circulate information from the team amongst their own departments, there was a lack of pro-active engagement with the data protection team. A mentality that data protection is not part of their responsibility and should be left to the experts and the lawyers appears to pervade most of senior management.

Recommendations:

Verco should consider holding dedicated training sessions for its senior management team to communicate the importance of data protection and ensure that data protection is regarded as an issue that each senior manager is also responsible for. The annual meetings with the data protection team may be more useful if they were held at least semi-annually, to ensure a more up-to-date awareness among all managers.

MG8: Adequate resources are devoted to implementing and monitoring data protection.

Grade: Observation

Verco's data protection team consists of three people who work full time on keeping up to date with legal developments and devising the policies and training programmes for Verco's operations across the country. For each of Verco's branches, an employee is nominated as responsible for data protection issues and specifically trained by Verco's data protection team.

Assessment:

Overall, there is sufficient support and resources devoted to the data protection team and its work in implementing and monitoring data protection. However, it is very difficult – and takes up to two months – to obtain permission to engage outside services for specific data protection projects, such as comprehensive training courses or additional legal advice and guidance by private law firms. This results in a general concern that it is difficult to ensure that all data protection team members are aware of the latest legal updates, and able to comprehensively consider all aspects of data protection. In addition, there are certain "crunch times" when outside help and advice is considered indispensable. To obtain permission for funding to engage, for example, an outside law firm takes a considerable amount of time (in the context of the GDPR and specific questions as to how it would impact the telecommunications sector, the data protection team had to wait for two months before it got permission to engage a data protection lawyer for a total of 10 billable hours).

Recommendations:

A more streamlined process to allow the data protection team to resort to outside help if necessary, and to participate in in-depth training sessions over two or three working days, would reduce the anxiety the data protection team feels about not being able to implement the latest standards of data protection. Ideally, a certain amount would be earmarked for data protection training and advice expenditure at the beginning of each year, which the data protection officer could relatively easily access.


2. Risk Assessment

RA1: Regular risk assessments consider data protection risks and impacts on privacy, and the effectiveness of mitigation measures, both within the organisation and in association with third parties. Assessments are conducted at least annually.

Grade: Commendation

Verco conducts its risk assessments in relation to data protection risks and impacts on privacy on a very regular basis, with a dedicated meeting every three months. In addition, each department at Verco must consider data protection risks and impacts on privacy in any new project they engage in, by filling in a paper document and acknowledging that data protection risks are either acceptable or mitigated.

Assessment:

Verco's approach to risk assessments is exemplary, and forms an integral part of its business conduct.

RA2: Data protection and privacy are considered by design and by default in respect of any new activities and products, including privacy impact assessments where necessary.

Grade: Merit

Each department must conduct a data protection risk assessment before engaging in any new project.

Assessment:

The risk assessments form part of the day-to-day business conduct, and data protection and privacy are considered by design and by default. A revised risk assessment paragraph has been issued after the publication of the new GDPR, and explicit references are made to consideration by design and by default in Verco's code of conduct and risk assessment guidelines.


3. Security Environment

Physical Security

PS1: Buildings where data is stored are properly secured with controlled access.

Grade: Merit

To access Verco's offices, a touch key is required which is issued only to employees of Verco. The IT and archive rooms have extra locks which only a handful of employees have keys to. In stores, access is generally secured by lockable doors and a metal gate which is closed overnight. The offices and all stores are alarmed, with the alarm turned on and off by code. This code is on average changed every three months. All visitors must register before accessing Verco's head office and must be accompanied by a member of staff at all times.

Assessment:

The access controls Verco employs are of a good standard.

PS2: Hard copy files and servers are kept in locked rooms, cabinets or storage facilities with controlled access.

Grade: Minor non-compliance

All cabinets and storage facilities in Verco's offices and in the branches can be locked. Servers, to the extent these are on-site, are in separate rooms and can be accessed only by specifically authorised IT employees with special key cards. An electronic system records the time of any access and whose key card is used. CCTV operates in the server rooms.

Assessment:

It is Verco's policy to keep all hard copy files under lock and key. It is also official policy for every employee to have a "clean desk" at the end of each working day, i.e. to lock away any files in the employee's cabinet or securely store them elsewhere. However, some of the lockers and cabinets were not, in fact, locked when the assessors tried to open them. In almost a third of the stores, the store managers and employees did not bother locking their cabinets. A significant number of the employees in Verco's head office did not abide by the clean desk policy, and several documents containing customers' personal data were left out in the open for anyone walking by to see.

Recommendations:

Verco should make clear it is imperative that the clean desk policy is followed, particularly in open plan spaces and rooms which cannot be locked. One approach to enforcing this rule could be to spend some time each evening for a week or two verifying who did not abide by the clean desk policy and sending the relevant people a standard email the next morning reminding them of the policy.

Verco should further make it clear to employees in the head office as well as the branches that all filing cabinets and lockers must be locked by key at all times.


PS3: There is protection for equipment containing data from environmental hazards including fire, flood and power failure.

Grade: Observation

Verco's main servers are off-site and operated by one of the UK's biggest cloud and server companies, CloudStorage Ltd. Verco's offices and each branch have fire extinguishers for all types of fires, and there is an extremely low flooding risk at any of Verco's sites. All employees use laptops for work. A back-up battery system lasting about 8 hours supports the internal servers at Verco's head office should there be a power cut, but apart from that there is no separate power generation if power fails.

Assessment:

While no specific dangers have been identified, and no incidents have ever been reported, there was a general lack of awareness of how the equipment on Verco's sites is protected against fire, flood or power failures. With regard to the off-site servers, it was trusted that CloudStorage would have sufficient safeguards against environmental hazards, but there was no knowledge of what such safeguards actually consisted of. This was not specifically addressed in the service contract between CloudStorage and Verco, but does form part of the overall terms and conditions that CloudStorage applies to all of its contracts.

Recommendations:

Verco should ensure that it is fully aware of the security safeguards which its off-site server providers have and ensure that its contracts spell out in detail what standards are expected.

Verco may also wish to consider an updated power back-up system which lasts longer than only 8 hours, given that oftentimes power cuts are not addressed in that time span and forcing the internal servers to shut down may severely hamper Verco's operations (although this has not been a problem in the last ten years).

Information Systems Security

IS1: Access to electronic data is regulated by user identification and authentication.

Grade: Merit

Each laptop and each access to any of Verco's intranet sites is user authenticated and password protected. Electronic information is accessible on a "need to know" basis.

Assessment:

Verco employs a good standard of identification and authentication, with electronic data being accessible only to those people who are authorised to access it (e.g. only certain people in HR have access to staff records). Passwords must be changed every 60 days and require a combination of letters, numbers and special symbols.


IS2: Data access controls (including read, write, amend, move, copy and delete privileges) and, where necessary, security levels are in place and regularly reviewed.

Grade: Merit

Data access controls are in place across Verco's systems, with different levels of confidentiality for different sets of documents.

Assessment:

Verco has a thorough system of data access controls and ensures that any access privileges correspond to the function and role of the relevant employee. Documents of higher confidentiality will not be visible, let alone accessible, to those employees not cleared to access such confidentiality levels.

IS3: Changes to the systems that store and process data are properly controlled and subject to segregation of duties.

Grade: Merit

The IT department is responsible for the systems that store and process data and ensures that all changes are made appropriately.

Assessment:

Any changes to the systems can only be made by the IT department, but must be signed off by senior management. Once a change is envisaged, the senior manager receives an email inviting him to electronically authorise the change – only once this has been authorised can the change be made.

IS4: Laptops, smartphones and other portable devices are encrypted and if appropriate have a remote memory wipe facility.

Grade: Merit

Laptops and any portable devices issued by Verco to its employees are all encrypted, and have a remote memory wipe facility.

Assessment:

Verco employs a system of electronic registration of all its devices and is able to access them to remotely wipe their memory if necessary. The default setting on most devices is that once the password is entered incorrectly more than three times, the device will lock itself and can be unlocked only by a member of Verco's IT security team.


IS5: There is a policy on the use of USBs, hard drives and other external devices.

Grade: Minor non-compliance

Verco does have a policy on the use of USBs, hard drives and other external devices. Non-Verco-issued external devices are prohibited and only encrypted external devices can be used.

Assessment:

While a policy exists, it is not strongly enforced. Verco is conscious of the dangers that the use of non-encrypted external devices presents, but a number of employees have reported that they frequently use their own USB devices to transfer data containing personal data. The Verco-issued laptops are usually still compatible with external devices not issued by Verco, and for reasons of time and convenience employees are tempted to ignore the policy on the use of external devices. No breach has ever been reported, and all employees bar one reported that they would securely delete the data from their external device as soon as the transfer was completed or it was no longer necessary to store it.

Recommendations:

While no breach or specific incident has been reported, Verco should consider amending its software on all laptops to ensure that only company-approved and adequately encrypted external devices can be used with those laptops.

In addition, Verco should ensure that all its staff are aware of the policy on the use of external devices and realise the inherent dangers in using personal external devices, especially non-encrypted ones, when accessing, transferring or storing data.

IS6: There is a policy on the use of private and/or employee-owned devices.

Grade: Observation

The employment handbook contains a dedicated section on the use of employee-owned devices and sets out examples of best practices as well as minimum safety requirements (namely the need to register and password protect the device).

Assessment:

Not all employees knew whether their device (usually mobile phones, but in some cases also iPads and similar electronic devices) was registered and the serial number recorded. All interviewees who used their own devices (usually for work email) used passwords, but not all were confident that their passwords were strong passwords and did not always know how to devise strong passwords. Before access to work email is granted, the IT department must send an authentication key to the employee's device.

Recommendations:

Verco's policy includes examples of best practices, including how to create strong passwords, but this is not widely known among employees. Verco should consider offering dedicated training sessions on the appropriate use of employee-owned devices. For instance, before an employee is granted access to work email on his or her phone, the IT team could send across a detailed summary of how to use the device and how to create passwords, as well as the need to register the device and record its serial number.

IS7: There is independent testing of the robustness and appropriateness of the IT security controls and the person responsible for data protection is informed of the results.

Grade: Observation

Verco last conducted an IT audit in 2013. This assessment included information systems and overall security control.

Assessment:

The IT department is considered responsible for organising the testing of the robustness and appropriateness of the IT security controls. The data protection team was only vaguely aware of the last IT assessment and did not know how to access it without going through the IT department. There is as yet no formal process in place to establish the frequency of independent IT assessments, but one has been mentioned for early 2017.

Recommendations:

Verco should establish a formal timeline for the carrying out of independent IT assessments that cover the robustness and appropriateness of IT security controls – these should be undertaken at least annually. In addition, this should not just be the purview of the IT department, but actively involve the data protection team as well.

IS8: Specific training on information systems security is organised for all employees.

Grade: Minor non-compliance

Specific training on information systems security formed part of the training plan for 2015 but does not form part of the training plan for 2016.

Assessment:

Any employee in either the head office or a branch who started after 21 November 2015 has not received specific training on information systems security.

Recommendations:

Verco should consider making such training a mandatory part of a new employee's induction session, and hold such training at regular annual intervals to refresh employees' awareness.


4. Legal environment

LE1: There is a process to monitor and comply with the applicable legal requirements in all the jurisdictions in which the organisation handles data or where liability might arise.

Grade: Merit

The data protection team, composed entirely of qualified lawyers, follows developments in data protection law and monitors all legal requirements.

Assessment:

It is clear who is responsible for monitoring and ensuring that Verco complies with the applicable legal requirements. The data protection team cooperates well with the legal team. Regular meetings, about once every two to three weeks, are held between the data protection team and the legal team to monitor developments in the world of data protection and privacy.

Recommendations:

While the legal teams at Verco monitor any developments, Verco may wish to consider making it easier for its legal staff to attend comprehensive training sessions conducted outside the firm (see MG8).

LE2: Changes to the applicable data protection legislation are communicated clearly and speedily to the relevant people within the organisation. The impact of any changes on the organisation's policies and processes is constantly evaluated.

Grade: Observation

Any changes to the applicable data protection legislation are summarised in a weekly newsletter that is sent around the company. The legal meetings (see LE1) cover the impact of any changes on Verco's policies and processes.

Assessment:

See LE2 – changes are generally communicated clearly and speedily, and all relevant people felt they were aware of any changes in a timely manner. However, Verco should ensure that information is specifically targeted to those people who will be concerned by it; there is a risk that the newsletter will not be read by employees (about 20% of interviewees reported that they would delete or file the newsletter immediately without reading it in full).

Recommendations:

In addition to the weekly newsletter, it is helpful to target new information more specifically to those people who will be responsible for it. For instance, a change in the IT requirements should always also be specifically mentioned and sent to the IT department separately.


LE3: Where legally required, the organisation has registered with the appropriate data protection authorities in the different jurisdictions in which it operates.

Grade: Merit

Verco is registered with the Information Commissioner's Office (ICO).

Assessment:

The registration with the ICO was complete and up to date.

LE4: The legal implications of any data transfers, including cross-border data transfers, have been considered, and there is a system in place to ensure that data transfers do not compromise the adequate protection of personal data.

Grade: Merit

As a telecommunications provider, Verco's data inevitably flows across multiple boundaries. The data protection team and the legal team consider cross-border transfers at their regular meetings. Verco's flowchart "International Transfers" (available on the firm's intranet) sets out in detail the location of servers and data hubs and covers the necessary steps to take and verify in relation to international data transfers.

Assessment:

The adequate protection of personal data is considered in depth by Verco in relation to international transfers. The legal team and data protection team have included model clauses in all of their international contracts. They conduct regular risk assessments on whether data transfers outside the UK are provided with an adequate level of protection for the rights of the data subjects, and a list of potential steps is available to take should the level not be deemed adequate.

LE5: Where any third parties handle data on the organisation's behalf, the legal implications of this have been considered and the obligations for each relevant party are clearly set out in a contractual manner.

Grade: Merit

All contracts with third parties have a dedicated data protection and privacy section and clearly set out the obligations and rights of both parties, as well as establishing precisely who assumes the role of data controller and data processor.

Assessment:

The contractual framework that Verco enters into with any third party that handles personal data on its behalf is clear and comprehensive. The contracts include provisions to terminate and/or demand substantial damages for any breach of the data protection clauses, and any breach has serious contractual consequences. The preamble of each contract mentions the importance of adequate data protection and of abiding by the provisions related to it.


5. Operational data practices

OP1: The organisation obtains subjects' free, specific, informed and unambiguous consent prior to gathering data.

Grade: Minor non-compliance

Each of the contracts surveyed that recorded any type of personal data has provisions governing the issue of consent. Verco's website has a pop-up window explaining the cookies employed and the information gathered.

Assessment:

Internally, Verco's contracts are clear and ask for the specific consent of its employees prior to gathering any data on them. On its website, it is impossible to access the main page without first agreeing to the notification that appears immediately upon visiting www.vercotelecom.co.uk.

Verco also enters into many contracts a day with customers across the country, both online and in its stores. The contract it employs when customers are, for instance, setting up a new mobile phone payment plan includes consent language which is fairly wide in its terms. It is impossible to opt out of marketing emails and the sharing of data with third parties other than by writing a separate letter to Verco's head office. Once received, the relevant person will be notified and the name removed from any marketing list and data sharing list within 24 hours.

The consent language forms part of the overall small print in Verco's standard contracts, in the data protection and information sharing section. There is no separate summary, nor is the consent language highlighted in any particular way. Staff training in stores includes verbally reminding the customer of the consent language and that he or she, by signing, agrees for his or her data to be used; some stores offer to immediately remove the names from any marketing or information sharing lists if the customers so wish, without the customer having to go through sending a letter. However, there is no uniform approach, and not all staff members remembered that they should remind customers of the information sharing the customers agree to by signing the contract. Several customers interviewed were unaware of their opt-out rights and uncertain whether they had to provide consent or not, or whether they could withdraw consent once given.

Any changes to the terms and conditions in relation to privacy are well communicated and clearly set out. Customers are emailed and sent a letter setting out the changes, and offering an immediate opt-out, or indeed termination of the contract without any cancellation fees, by clicking a link (in the email) or by calling a number (both in the email and in the letter).

Recommendations:

Verco should change its contracts, both online and in hard copy, to allow customers to immediately opt out of any information sharing not strictly necessary to the provision of services. Ideally, customers would have to explicitly opt in before giving any such consent. Verco should make sure that all customers are fully informed of their rights in relation to consent, whether they enter into a contract online or in a store.

It is noted that the law in relation to consent is strengthened from May 2018 onwards: consent under the GDPR requires clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute clear affirmative action. Verco must consider this and revise its standard approach to obtaining consent in time to comply with the GDPR.

OP2: The organisation has systems in place to ensure the recording of any consent given and the existence of an effective audit trail.

Grade: Merit

A complex filing management system holds the records of all customers and other third parties, and offers specific search functions in relation to whether any individual third party has consented, how they consented, and to what they consented.

Assessment:

Verco appears to have a robust filing system and organises its records very well, giving rise to the existence of an effective audit trail.

OP3: If the organisation buys data, it ensures that data subjects have consented to the use to which the data is being put.

Grade: Not applicable

Verco does not buy any data.

OP4: The organisation collects only such information that it requires for its stated purpose, and strives to minimise any data collection to that which is strictly necessary.

Grade: Minor non-compliance

The information Verco collects covers people's names, addresses, bank details, birthdays and personal password questions which include, amongst other options, a person's mother's maiden name, the names of any children or other personal information.

In addition, Verco offers non-mandatory questions relating to a person's hobbies, interests and frequently visited locations, in order to "optimise any information shared with" a customer.

Assessment:

Verco makes the provision of information mandatory only to the extent this is required to provide its services to a third party. However, it asks additional questions, which, although not mandatory, serve to obtain additional personal information and are not strictly necessary. Not all customers were aware that some of the information requested was not, in fact, mandatory to give.


Recommendations:

Verco should reconsider its information-gathering process. Instead of asking additional questions in the same documents as the mandatory questions (i.e. those necessary for the provision of the requested services), Verco could have a separate process to ask any non-mandatory questions, on a different set of paper. This would also allow it to clearly communicate the purpose of the additional information and ensure that the third party providing such information does so in a fully informed and consenting manner. In any case, Verco should ensure that it is beyond doubt what information is crucial, and what information is not strictly necessary.

In addition, Verco should ensure it has a clear idea of what it intends to use any information obtained for, and why it is asking certain questions. This will allow it to communicate the statement of purpose before asking the relevant questions, and avoids the risk of asking as many questions as possible and considering what to do with the answers afterwards.

OP5: The organisation communicates its data protection policies and practices and what it will use the data for and why, at all data collection points.

Grade: Observation

Many of Verco's data protection policies and practices are available online, and contracts generally state what it will use the data for and why.

Assessment:

While all data collection points usually have a document or at least a statement available to the data subject explaining what Verco's data protection policies and practices are, some of them merely refer to where the data protection policies and practices can be found, and make it unduly complicated to find out what the data will be used for and why.

Customer-facing staff generally had a good sense of what the data will be used for and why, and were able to communicate this to customers. However, some of the staff were uncertain and would not feel confident explaining to third parties the use of the data and why it is being collected.

Recommendations:

Verco should ensure that all data collection points allow the data subject to find out immediately what the data is used for and why it is being used in such a way, without having to click through to other websites and undertake additional research.

Verco should also make sure that its staff are universally aware of the applicable data protection policies and practices and able to explain, at least in very broad terms, to customers how their data is being used and why, where relevant.


OP6: The organisation communicates its policy on how long it will keep data and how it will dispose of it.

Grade: Observation

How long data is kept and how it will be disposed of is contained in the summarised data protection policy.

Assessment:

The summary of the data protection policy is available publicly on Verco's website; however, most standard documents and contracts do not specify how long Verco will keep the collected data and how it will be disposed of. A significant majority (74%) of interviewed staff and third parties did not have any idea of how long their data is likely to be kept and how it will be disposed of.

Recommendations:

Third parties as well as staff should be able to have a quick sense of what happens to their data if it is being disposed of and what the time frame for keeping such data is. Verco should consider including that information in the standard documents and contracts in the section on data protection and privacy.

OP7: The organisation obtains subjects' consent prior to disclosing or selling their data to third parties and explains the purpose of the disclosure.

Grade: Observation

Consent is obtained through contractual documents and other documents which require a data subject's signature.

Assessment:

While Verco has valid consent for the data to be disclosed (it does not sell any data) to third parties, it is not always clear that this consent was given explicitly and unambiguously. Some of the consent is obtained implicitly by signing a contract of whatever nature with Verco, and can be revoked only by reaching out directly to Verco (see OP1).

Recommendations:

See OP1.

OP8: The organisation makes reasonable efforts to explain to vulnerable people their rights and to guide them on sensible precautions they can take to protect their data.

Grade: Commendation


At least one staff member in each of Verco's stores has undergone a dedicated half-day training course in dealing and engaging with vulnerable people, which includes a section on protecting their data and talking to the subjects about what precautions can be taken.

Verco issues specific guidelines on engaging with vulnerable people, which include a section on data protection. All staff obtain a copy of the guidelines, and frontline staff must do an annual online training session on the guidelines.

Assessment:

Verco's guidelines are clear and comprehensive, and include sections on, inter alia, identifying vulnerable customers, practical tips on how to engage with them, specific considerations for frontline staff, and guidance on how their personal data should be protected.

OP9: The organisation has systems in place to verify data subjects' ages and to obtain parental or guardian consent for any data processing where necessary.

Grade: Merit

For any contract, proof of age must be provided in the form of a passport or driving licence, together with a second form of identity such as a bank card or utility statement.

Assessment:

Verco has specific guidelines in place on how to deal with anyone below 18 and below 16, in accordance with the applicable laws. For under-16s, consent is generally required from parents or legal guardians.

OP10: Privacy notices are adapted to the needs of children or other vulnerable individuals where their data is being processed.

Grade: Minor non-compliance

The privacy notices contain a note stating that they are also available in other forms (including braille, large type-set and audio versions). No specific privacy notice exists adapted to the needs of children.

Assessment:

It is very positive that alternative formats of the privacy notice are available. However, to obtain a privacy notice in a format other than the standard one which is available online, it is necessary to write an email to or call Verco specifically, and it may take up to a week before it is provided. About 60% of the interviewees were not aware that alternative formats existed, and were unsure how to obtain them.


Recommendations:

The staff in Verco's stores should be trained to be able to source and distribute alternative formats of the privacy notices without any delay. Ideally, they would be able to directly distribute such alternative formats in store or by mail/online without having to first contact Verco's head office.

Verco should ensure that its privacy notices are adapted to the needs of children and explain the steps taken if the data subject is under 16.

OP11: There is a policy on the use of CCTV and audio recording which is made available to all those who could be recorded.

Grade: Merit

The policy on the use of CCTV and audio recording is contained within the overall data protection policy and is also referred to in the privacy notices.

Assessment:

CCTV and audio recordings, while employed very sparingly by Verco, are mentioned in the relevant policies, which can be easily accessed by those who could be recorded.

OP12: Information collected is used only in the ways for which the organisation has explicit permission.

Grade: Observation

Information on the use of the collected data can be accessed by the data subjects before their data is collected, and the contractual documents contain provisions which, by signing, give permission to use the collected information as intended.

Assessment:

By entering into any sort of contract the data subjects give their permission for their data to be used in accordance with Verco's standard policies and processes. However, not all customers confirmed that they had given explicit permission for some uses, such as sending a twice-monthly newsletter to Verco's customers informing them of special deals and promotions. Even though, legally, permission was clearly given, many customers did not feel that explicit permission was given to use their data in ways that go beyond the merely operational and necessary to satisfy a customer's service requirements.

Recommendations:

Verco should ensure that those uses which would, by most customers at least, be deemed to go beyond the strictly necessary to enable the provision of services are highlighted and require specific permission.


OP13: There are processes which govern the monitoring of employees' use of internet, email and other communications systems.

Grade: Minor non-compliance

Verco's internal employment handbook sets out the rules and regulations pertaining to employees' use of internet, email and other communications systems. Verco is entitled to monitor all use, and a log may be kept of any use.

Assessment:

The employment handbook clearly sets out the processes governing the monitoring of employees' use of internet, email and other communications systems. Certain use is entirely prohibited, such as accessing pornographic material or accessing or circulating any material that is of a racist, misogynistic or otherwise hateful nature. Verco explicitly states that it has the right to monitor any use, and logs of use are kept. Attempts to access any prohibited sites are automatically flagged to the IT department, who after three attempts pass on the alert to the relevant department/line manager. It is the department/line manager's obligation to raise the issue with the relevant employee and to issue a warning if necessary.

There have been no warnings issued in the last two years, despite some employees reporting that colleagues had used their own laptops to access inappropriate material during office hours. Line managers reported that even when they did get an alert, they did not always feel comfortable raising the issue with an employee, and felt that there was no sufficient guidance to explain to them how to broach the topic and issue warnings.

Recommendations:

Verco should consider offering training sessions to line managers on how to address inappropriate user behaviour, and stress the importance of following the appropriate use policy.

In addition, Verco may wish to consider a blanket ban on the use of personal laptops and other handheld devices during office hours, and re-circulate its communication about what may and what may not be accessed or circulated by employees during office hours or using office equipment.
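The alerting path the assessors describe under OP13 (every blocked attempt goes to IT, and the third attempt by the same user is passed to the line manager) is simple detection logic that can be run over proxy logs. The following is an added example, not Verco's monitoring tooling or code from the report. The log format ("timestamp user action url"), the sample lines, the user-to-manager mapping and the choice to escalate exactly once per user are all constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, Tuple

ESCALATE_AFTER = 3    # report: IT passes the alert on "after three times"

# Constructed sample proxy log (not real traffic): "timestamp user action url".
SAMPLE_LOG = """\
2016-08-02T09:14:03 jsmith ALLOW https://intranet.example/home
2016-08-02T09:15:10 jsmith BLOCK https://filtered.example/page1
2016-08-02T10:02:44 mjones BLOCK https://filtered.example/page2
2016-08-02T10:03:01 jsmith BLOCK https://filtered.example/page3
2016-08-02T11:20:19 jsmith BLOCK https://filtered.example/page4
2016-08-02T11:21:00 mjones ALLOW https://intranet.example/hr
2016-08-02T12:00:00 jsmith BLOCK https://filtered.example/page5
"""

# Constructed mapping of user to line manager (a real deployment would read HR data).
LINE_MANAGERS = {"jsmith": "line-manager-a", "mjones": "line-manager-b"}

Alert = Tuple[str, str, str]   # (recipient, user, detail)


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one log line into its four fields; the URL may itself contain spaces."""
    ts, user, action, url = line.split(maxsplit=3)
    return ts, user, action, url


def route_alerts(log_text: str, managers: Dict[str, str]) -> List[Alert]:
    """Every blocked attempt goes to IT security; a user's third one also goes to the line manager."""
    blocked = Counter()
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, url = parse_line(raw)
        if action != "BLOCK":
            continue
        blocked[user] += 1
        alerts.append(("it-security", user, f"{ts} blocked {url} (attempt {blocked[user]})"))
        if blocked[user] == ESCALATE_AFTER:            # == not >=: escalate once, not on every later hit
            manager = managers.get(user, "it-security")  # no manager on file: stays with IT
            alerts.append((manager, user, f"{ESCALATE_AFTER} blocked attempts; please follow up"))
    return alerts


def escalated_users(log_text: str, managers: Dict[str, str]) -> List[str]:
    """Users whose alerts reached someone other than IT security."""
    return sorted({user for recipient, user, _ in route_alerts(log_text, managers)
                   if recipient != "it-security"})
```

Two details matter for the finding in the assessment. The manager alert carries the count and a plain follow-up request, which is the minimum a line manager needs in order to act on it, and a user with no manager on file falls back to IT security rather than being dropped, so an escalation cannot silently disappear because of a gap in the HR mapping.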

OP14: The organisation has a clear process to review any personal data it holds, where it has come from and with whom it is shared.

Grade: Merit

A process is in place which automatically flags up personal data that has been held for a period of 18 months, at 18-month intervals, prompting the marketing and sales department to verify whether the data is still correct, to verify its origin and whether it has been shared and with whom. An email is sent to the relevant data subject to confirm the personal data, and to inform him or her of what data is being held.

Assessment:

The review of personal data is clear and regular. It is unclear how much time should pass before a reminder is sent to the data subjects if they do not respond to emails, but a clear rule exists that if there is no reply after 4 months, any non-essential data (i.e. data not necessary to the performance of the contract or customer relationship) is erased.

Recommendations:

A clear guideline on how often and at what intervals the data subject should be reminded to respond after the initial email should be implemented and shared among all relevant employees.

OP15: The organisation has a system in place to consider the most appropriate way of sharing data, including where appropriate by way of pseudonymisation.

Grade: Merit

Verco has clear rules and processes in place in relation to sharing data, focussing mainly on ensuring that consent or necessity exists for the sharing of data, and that appropriate safeguards are in place with the recipients of data.

Assessment:

Before any data is shared with outside recipients, the sender must confirm that he has considered the appropriateness of sharing data and that safeguards are in place to guarantee secure handling of the data – this includes verifying whether the data requires sharing, whether the data protection policies and processes of the recipient are acceptable, and whether it is necessary to reveal personal data or whether some data can be anonymised.

OP16: Data is kept up to date as necessary and a system is in place to identify inaccuracies and, where relevant, to correct them.

Grade: Merit

As mentioned in OP14, data held automatically gets flagged every 18 months for a verification exercise.

Assessment:

In addition to the email sent to the data subject (see OP14), Verco employees (usually in the Sales and Marketing department) are asked to check if there is any information that suggests the personal data must be updated or changed, e.g. if they have received letters marked "non-deliverable", or if they have received any correspondence from the relevant data subject.
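The review cycle described under OP14 and OP16 (flag a record after 18 months, email the subject what is held and where it came from, erase non-essential data if there is no reply after 4 months, and restart the clock once the subject confirms or corrects the data) can be expressed as a small scheduler. The following is an added example, not Verco's process or code from the report. The 30-day reminder interval is an assumption standing in for the guideline the OP14 recommendation asks Verco to define; the record layout, calendar-month arithmetic and the sample record are also constructed here.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

REVIEW_INTERVAL_MONTHS = 18   # report: data is flagged every 18 months
REPLY_GRACE_MONTHS = 4        # report: no reply after 4 months -> non-essential data erased
REMINDER_EVERY_DAYS = 30      # assumption: the interval the OP14 recommendation asks for


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the target month's last day (31 Jan + 1 -> 29 Feb 2016)."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Record:
    subject_id: str
    held_since: date
    essential: Dict[str, str]          # needed to perform the contract: kept
    non_essential: Dict[str, str]      # e.g. hobbies, interests: erased on no reply
    origin: str                        # where the data came from (OP14)
    shared_with: List[str]             # who it has been shared with (OP14)
    last_reviewed: Optional[date] = None   # when the previous cycle closed
    review_sent: Optional[date] = None     # open cycle: date of the first email
    last_reminder: Optional[date] = None


def next_review_due(rec: Record) -> date:
    return add_months(rec.last_reviewed or rec.held_since, REVIEW_INTERVAL_MONTHS)


def review_email(rec: Record) -> str:
    """Text telling the subject what is held, its origin and who it was shared with."""
    held = {**rec.essential, **rec.non_essential}
    return (f"We hold the following data about you: {held}. "
            f"Source: {rec.origin}. Shared with: {', '.join(rec.shared_with) or 'nobody'}. "
            f"Please confirm or correct it.")


def review_action(rec: Record, today: date) -> str:
    """What the daily job should do for this record today."""
    if rec.review_sent is None:
        return "send-review-email" if today >= next_review_due(rec) else "nothing"
    if today >= add_months(rec.review_sent, REPLY_GRACE_MONTHS):
        return "erase-non-essential"
    since = (today - (rec.last_reminder or rec.review_sent)).days
    return "send-reminder" if since >= REMINDER_EVERY_DAYS else "nothing"


def apply_action(rec: Record, action: str, today: date) -> Record:
    if action == "send-review-email":
        rec.review_sent, rec.last_reminder = today, None
    elif action == "send-reminder":
        rec.last_reminder = today
    elif action == "erase-non-essential":
        rec.non_essential = {}                     # essential contract data is kept
        rec.last_reviewed, rec.review_sent, rec.last_reminder = today, None, None
    return rec


def record_confirmation(rec: Record, today: date,
                        corrections: Optional[Dict[str, str]] = None) -> Record:
    """The subject replied (or, per OP16, correspondence showed the data is current): close the cycle."""
    rec.essential.update(corrections or {})
    rec.last_reviewed, rec.review_sent, rec.last_reminder = today, None, None
    return rec


def demo() -> List[Tuple[str, str]]:
    """Walk one constructed record through a full cycle; returns (date, action) pairs."""
    rec = Record("S-001", date(2015, 1, 15),
                 essential={"name": "A. Example", "address": "1 Sample Street"},
                 non_essential={"hobbies": "cycling"},
                 origin="store sign-up, Bristol", shared_with=["credit check provider"])
    trail = []
    for today in (date(2016, 7, 14), date(2016, 7, 15), date(2016, 8, 10),
                  date(2016, 8, 14), date(2016, 11, 15), date(2016, 11, 16)):
        action = review_action(rec, today)
        apply_action(rec, action, today)
        trail.append((today.isoformat(), action))
    return trail
```

Erasure closes the cycle by setting `last_reviewed`, so the next review is due 18 months later rather than immediately; without that step a record whose subject never replies would be re-flagged every day. The split between `essential` and `non_essential` is what lets the 4-month rule erase only the data the contract does not need.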


OP17: There are rules governing the temporary or permanent removal of data, whether hard-copy or electronic, from the organisation's secure sites.

Grade: Merit

A separate handbook exists for the removal of any data, whether temporary or permanent, or hard-copy or electronic. The IT department is the only department which has employees authorised and able to remove any electronic data from Verco's secure sites.

Assessment:

Any requests to remove any data from Verco's secure sites must go through the IT department, which is specifically trained to consider the rules relating to the temporary or permanent removal of data. When in doubt, it is mandatory to reach out to Verco's legal department and/or the data protection team.

For hard copies, the employment handbook, the data protection policy, and the separate handbook for the removal of data all specify that any permanent removal must be done securely, and any destruction must be done using the shredding machines available in each store and in the head office. These machines all carry warning signs to consider whether the removal is necessary and has been considered fully, and provide the contact details of the data protection team and the legal department in case of doubt or questions.

OP18: The organisation recognises data subjects' right to erasure and has a system in place which addresses such requests.

Grade: Observation

The publicly available privacy notice mentions a data subject's right to erasure, and specifies that a system exists to address such requests. The internal data protection policy refers to a document entitled "Dealing with Data Subjects' Requests" which is available on Verco's intranet and was last updated in July 2016.

Assessment:

The document "Dealing with Data Subjects' Requests" is a comprehensive guidance document on addressing the various types of potential data subject requests, from access requests to erasure requests. It sets out exactly how these requests should be dealt with and who is responsible for them, in a clear and easily accessible flowchart. Any request is supposed to be logged, and the data protection team is responsible for keeping the logbook up to date and following up on any outstanding entries.

Two of the interviewed customers reported that they had made requests (access requests in both instances) but had not heard anything back and were therefore understandably not satisfied with the way their requests were handled. Both complaints were in fact recorded in the requests logbook, but had not been followed up on.

Some of the receptionists and front-line staff interviewed were not confident about how to deal with any data subject request, and were not aware that a specific document on how to deal with any requests existed, though they did suggest they would be likely to find it once they started looking for it on the intranet website. Indeed, the document is prominently displayed on the homepage of the "Data Protection and Information Sharing" tab on Verco's intranet site.

Recommendations:

Training for receptionists and anyone who is customer-facing should include a dedicated section on how to deal with data subject requests. It may also be helpful to send out regular reminder emails (once a month) to highlight the relevant policies and where to access them.

The data protection team should ensure that the logbook is inspected carefully on a regular basis (at least once to twice a week) and that any outstanding entries are dealt with as soon as reasonably practicable.

OP19: Data is disclosed to third parties only by those with authority to do so.

Grade: Observation

A list of those with authority to disclose data to third parties is kept by the data protection team. For each employee, an assessment is made whether authority is needed, depending on their role and job category. Some employees, such as store staff, automatically get authority by virtue of their role and interaction with customers.

Assessment:

Only those authorised to do so disclose data to third parties, but the list of people with authority to do so is large and encompasses a majority of staff. Of the interviewed employees, 86% were authorised to disclose data according to their employee profile. Some of the staff, such as store staff, are automatically allowed to disclose data without any assessment of whether they need to be able to do so. Given that the sharing of data by stores with the head office and other points of contact (banks and other finance institutions, credit check providers, etc.) is necessary to provide customer services, this makes sense. However, “staff” includes cleaners on some sites: in Nottingham and Birmingham Verco employs its own cleaners, who have the same rights and disclosure status as other Verco employees on those sites; in London and Bristol cleaning is contracted out (and no such privileges are granted). This is likely an oversight (and the cleaners interviewed did not have any access to personal data), but there is no reason why all staff in stores should automatically get disclosure rights.

Recommendations:

Verco should not use categories to grant general authority to employees, but should allocate authority on a strict basis of necessity and consider the duties and job description of each employee before giving the employee data-sharing authority.

OP20: Data is held for a defined period of time or until the need for it has passed and then the data is securely suppressed or deleted.

Grade: Merit

As mentioned in OP14, data is regularly reviewed every 18 months. If the review reveals that the data is no longer needed, or consent or necessity to use the data no longer exists, then the data will be securely suppressed or deleted.

Assessment:

Each contract sets out clearly the time frame for which data is held, and that the data will be deleted if it is no longer needed or if consent to use it is no longer forthcoming (subject to any legal requirements). Before any data is suppressed or deleted, it is possible to reach out to the data protection team and the legal team to verify if the deletion is appropriate.

OP21: Processes exist to destroy data or to render it irrecoverable. Confidential waste is properly handled.

Grade: Commendation

The processes in place to destroy data or to render it irrecoverable are set out in the internal data protection policy. Any data which is stored off-site with CloudStorage (the vast majority of data) and needs to be destroyed is destroyed by CloudStorage itself, after a confirmation process.

A contractor comes to the site three times a week to collect any shredded material and other confidential waste.

Assessment:

The processes to destroy data are very clear and involve steps taken by the data protection team, the legal team and CloudStorage. Any data which is to be destroyed permanently must first have obtained the electronic agreement of the data protection team and the legal team (through a simple online ticking exercise). Before CloudStorage proceeds to destroy data, it sends across a summary document of the data to be destroyed and awaits Verco’s final confirmation.

An outside contractor of very good reputation, ConfiShredder Ltd, picks up confidential waste from all of Verco’s offices and stores across the UK on a thrice-weekly basis, and transports any waste in locked steel bins to the local incinerator plant. A staff member of ConfiShredder Ltd. ensures that all material is burnt before leaving the site, and ConfiShredder invites its customers to join the process and inspect at any time, which Verco has done on two occasions, in June 2013 and July 2015.

OP22: Data is securely erased from equipment prior to the equipment’s disposal.

Grade: Merit

The internal data protection policy covers the secure deletion of data on any equipment that is about to be disposed of. All of Verco’s electronic equipment contains remote-erasure software.

Assessment:

All electronic equipment must be returned to the IT department if it is faulty or if it needs to be disposed of. The IT department has clear instructions and facilities to back up on an external server any data contained on the equipment, and to securely erase the data on the equipment itself. The methods used are state-of-the-art and ensure that there is no recovery process that can be undertaken to recover, at a later point, any of the data once present on the relevant equipment.

In addition, it is possible to remotely erase any data on any equipment, in case it gets lost or stolen.

OP23: The organisation has additional safeguards in place for the processing of sensitive personal data.

Grade: Merit

Both the publicly available privacy notice and the internal data protection policy stipulate the additional safeguards in place for the processing of sensitive personal data. Before such data is processed, approval must be obtained from a member of the data protection team. Any collection of such data on paper or electronically is prefaced by a separate text asking the collector whether the information is actually necessary, and to limit such collection to the minimum possible.

Assessment:

Verco has additional safeguards in place for the processing of sensitive personal data. The internal policy has a dedicated section on sensitive data which sets out clearly what the grounds are to process sensitive personal data, and the ground of consent has been updated to reflect the new GDPR requirements.

The policy also gives a list of what is considered sensitive personal data, namely:

• racial or ethnic origin;

• political opinions;

• religious or philosophical beliefs;

• trade union membership;

• data concerning health or sex life and sexual orientation.

This does not reflect the GDPR, which also explicitly encompasses genetic data and biometric data where processed to uniquely identify a person. Given that fingerprints and biometric data are routinely used now as part of any telecommunications, this is data that should be specifically mentioned. While Verco does already treat genetic and biometric data as sensitive, it may be advisable to include it specifically in the list set out in its policy.

Recommendations:

Verco should update its policies to clearly include genetic and biometric data as sensitive data.

6. Managing employees who handle data

ME1: Employees receive periodic training on data protection and, where relevant, on how to handle data protection queries.

Grade: Observation

Each new employee is required, upon joining Verco, to undertake the firm-wide e-learning on data protection which takes approximately 45 minutes. This training has to be retaken annually. A test at the end of the e-learning checks knowledge, and employees have to obtain 90% before they are considered to have completed the training.

Dedicated training is provided, usually by external providers, to the members of the data protection team.

Assessment:

The training on offer is slightly lacking in respect of customer-facing staff/receptionists and could be more frequent, as set out in OP18. There is no tailored training for staff apart from the additional, external training offered to the members of the data protection team. This means that all employees receive the same training on data protection, no matter how relevant the issues are to any particular employee.

Recommendations:

Verco should tailor specific training according to an employee’s needs. Basic overall training is a good idea, but additional training should be considered for those who are likely to have to deal with requests, process large amounts of personal data (HR staff members, customer-facing employees) etc.

ME2: The person designated as being responsible for data protection within the organisation receives specific training and is aware of a data protection officer’s tasks and responsibilities.

Grade: Merit

Miguel Samarrco is Verco’s data protection officer. He has a dedicated training plan which includes training sessions on management skills and data protection related topics.

Assessment:

Miguel Samarrco receives specific training and is aware of his tasks and responsibilities as data protection officer. The data protection officer at Verco must undertake at least 3 training days and is entitled to up to 10 training days a year in order to further his job knowledge, with a possibility to extend if the additional training is approved by his supervisor and justified by its content and Samarrco’s need.

Additional training is also offered to the rest of the data protection team. Other staff members are entitled to join in but must do so on their own initiative and are not guaranteed to be able to use a work day for attending; this must be confirmed on a case-by-case basis by their direct supervisor.

ME3: There are regular communications campaigns to raise employees’ awareness of data protection.

Grade: Observation

The last general communication campaign on data protection was undertaken in January 2015, by email. Before that, a campaign to raise awareness was undertaken in October 2012, by distributing “data protection info kits” to all employees.

Specific emails on a variety of topics (such as phishing or other email scams, clear-desk policy, choosing adequate passwords and other privacy related matters) are sent on an ad-hoc basis.

Assessment:

While communication emails are sent out fairly regularly, there is no formal system and no clear idea of what topics will be covered. The communications campaigns lack structure and are organised on an ad-hoc basis as the data protection team and colleagues from legal or senior management see fit.

Recommendations:

Verco should consider spending some time setting up a clear communications plan with respect to data protection issues, responding not only to specific topics or matters of urgency, but also ensuring that data protection reminders are sent at regular intervals, with links and information for employees to refresh their knowledge and raise overall awareness.

ME4: Data protection policies and procedures are readily accessible for employees’ reference.

Grade: Merit

Any policies and procedures, including those relating to data protection, are on Verco’s intranet.

Assessment:

The data protection policies and procedures are readily accessible for the employees’ reference, across all of Verco’s operations. Each employee has a personalised log-in for Verco’s staff intranet, which contains a dedicated section on data protection policies and procedures.

ME5: Employees are subject to written contractual confidentiality obligations.

Grade: Merit

The employment contract, as well as any agent or freelancer contracts, contain confidentiality obligations.

Assessment:

The written contractual confidentiality clauses are binding on each employee and third party hired by Verco, as well as on Verco itself. They are comprehensive and cover all the relevant areas.

ME6: Disciplinary processes are used to support observance of data protection policies.

Grade: Minor non-compliance

According to the Code of Conduct, disciplinary processes are mandatory should the data protection policy not be observed. No records exist of a formal disciplinary process having started because of an infringement of the data protection policy.

Assessment:

All infringements of Verco’s key policies, of which the data protection policy is one, are subject to disciplinary processes. It is clearly stated in the Code of Conduct that disciplinary processes are used to support observance of those policies. A strong majority of employees were certain that if someone did infringe the data protection policy, a formal disciplinary process would be set in motion. However, there is no record of a formal disciplinary process ever having been triggered by a non-observance of the data protection policy. Given that several data protection policy infringements have been noted in the past, were reported by the interviewees and have been noted by the assessors during the assessment (such as storage spaces not being locked by key, desks not being kept clear, inappropriate use of private devices), there seems to be a disconnect between the actions of employees and the enforcement of data protection rules.

There is also no clear picture of what that disciplinary process would in fact encompass: the Code of Conduct contains only a general statement to the effect that “disciplinary processes will be set in motion in relation to any infringement of any policies, including the sending of warning letters and, as a last resort, ultimate dismissal from the employee’s post.”

Recommendations:

Verco should set out in more detail what its disciplinary process entails and what the different steps are from the first formal warning letter to the ultimate sanction of dismissal. This should be contained in an updated Code of Conduct.

Verco should further ensure that the formal disciplinary process is actually used in respect of data protection infringements to signal that it is serious about the respect of its data protection policies. A formal first warning letter to employees in breach of a data protection rule, setting out what the infringement is, how to avoid such infringement and offering to discuss and/or provide further clarification in person would be a good first step.

In addition, Verco may wish to consider including a sample (fictitious or anonymised) case study in its Code of Conduct or its data protection policy on how the disciplinary process would be used in respect of infringements of the organisation’s data protection rules.

7. Managing routine access by third parties

TP1: The organisation communicates its data protection policies and standards clearly to service providers and business partners.

Grade: Observation

Verco usually sends its data protection policy and standards to service providers and business partners as part of the contracting process (and before any final contract is entered into). All contractual documents include a part for a third party to acknowledge receipt and understanding of the data protection standards.

Assessment:

Before any contractual relationship with service providers and business partners is set up, Verco asks that the third party has acknowledged and understood Verco’s policies and standards. In some cases, the data protection policy and standards are specifically emailed to the third party together with any contractual documentation and the Code of Conduct. In other cases, the third party is asked to verify the policy and standard itself by accessing them online. About 60% of the third parties interviewed which did not receive a specific email with the policies acknowledged that they had not, in fact, verified the data protection policy in advance, even though they were asked by Verco whether they had and were required to make a statement to that effect.

Recommendations:

Verco should ensure that the data protection policy and related standards are communicated by email in advance in each case, and not rely on the third party to obtain the documents itself instead.

TP2: The organisation ensures that service providers’ or business partners’ data protection practices are adequate prior to instructing them to collect, handle or destroy data on its behalf.

Grade: Minor non-compliance

Verco obtains a contractual statement that its service providers or business partners which collect, handle or destroy data on its behalf meet Verco’s data protection policies and standards, and asks them to familiarise themselves with those standards, acknowledging that they have read and understood them (see TP1) as well as having adequate practices themselves.

Assessment:

Other than the contractual statement, and occasionally verifying whether the service provider or business partner has a data protection policy at all, Verco does not check the actual content of any such policy. Nothing appears to be done beyond ensuring that a statement confirming adequate practices is obtained; there is no actual verification or subsequent diligence on the other party.

Recommendations:

Verco is aware of the importance of service providers and business partners having adequate data protection practices if they are to collect, handle or destroy data on Verco’s behalf. This is demonstrated by its insistence that those other parties provide contractually enforceable guarantees to that effect. However, Verco should make sure that it verifies at least some of its service providers’ or business partners’ data protection practices to show its own commitment and safeguard against infringements in its supply chain.

TP3: The organisation imposes adequate contractual obligations on service providers or business partners relating to data protection.

Grade: Merit

Contracts with third parties all include obligations relating to data protection.

Assessment:

Verco ensures that across its contracts with its service providers or business partners, data protection obligations are included and clearly set out. They form part of Verco’s boilerplates in its suite of contracts, and were present in every contract that was reviewed for the assessment, as well as every template contract.

TP4: The organisation actively manages its service providers or business partners to ensure data is properly protected.

Grade: Observation

Service providers or business partners must sign up to data protection obligations when entering into a contract with Verco. When data is transferred between the service provider or business partner and Verco, Verco sends its data protection policy and a reminder of the contractual obligations as a matter of routine.

Assessment:

Verco is strong in making sure that the contractual obligations in relation to protecting data are clearly stipulated and reminds its service providers or business partners of its policies and of the obligations in a regular fashion.

However, the reminders are the full extent of Verco’s active management, and there is no further follow-up, feedback or verification of how data is handled by the third parties.

Recommendations:

Verco should consider enacting a more formal process in relation to the active management of its service providers’ or business partners’ handling of data and the protection thereof. It could consider asking for periodic feedback and actively engaging with its business partners or service providers in offering data protection training and checking their commitment to data protection.

TP5: The organisation conducts spot checks on service providers or business partners to ensure compliance with its standards.

Grade: Minor non-compliance

The contracts in place with service providers or business partners contain a right for Verco to audit its contractual partners to ensure compliance with its standards, including the carrying out of spot checks.

Assessment:

While the contractual framework is in place, Verco does not conduct spot checks to ensure compliance and the system in place does not appear to be used (see TP2).

Recommendations:

Verco should include spot checks, starting with key service providers or business partners that handle large volumes of data on behalf of Verco.

TP6: The organisation imposes sanctions where service providers or business partners fail to meet its required standards for data protection.

Grade: Observation

Across its contracts, Verco has specific termination clauses as well as damages and mitigation clauses which apply to service providers or business partners where they fail to meet Verco’s required standards for data protection.

Assessment:

While Verco has the right to impose sanctions where its required standards for data protection are not met, it has never had to impose any. Contractually, Verco has robust sanction rights, and there are clear consequences for data protection failures. However, the lack of post-contractual verification on Verco’s side renders the sanctions process theoretical, and it is difficult to assess if any sanctions should have been employed but weren’t.

Recommendations:

While there is no suggestion that service providers or business partners have in fact failed to meet Verco’s required standards for data protection, Verco should strongly consider (as set out in TP2 and TP4) a verification process and spot checks to ensure compliance, and enable it to use its contractual rights to sanction where necessary.

8. Managing Requests

RQ1: Protocols are in place governing the disclosure of data (credentials, criteria, legal advice, requirements placed on recipient etc.).

Grade: Merit

Flowcharts and guidance documents are available on Verco’s intranet in respect of the applicable protocols for disclosing data.

Assessment:

The available guidance sets out the protocols in place, explaining what steps to take and what the prerequisites are before any data may be disclosed. Each guidance document contains, at the bottom of several pages, prompts to reach out to the data protection team (with an email and a number to call) should there be any questions or uncertainties.

RQ2: The organisation responds to public authorities’ requests for data constructively and responsibly.

Grade: Not applicable

There has never been a request by any public authority for data.

Assessment:

Not applicable.

RQ3: There are clear processes in place to respond to data subjects’ requests, including:

• for access;

• to have inaccuracies corrected;

• to prevent direct marketing;

• to prevent automated decision-making and profiling; and

• for data portability.

Grade: Merit

The intranet contains guidance and flowcharts to address data subjects’ requests, including the five listed above.

Assessment:

As set out in RQ1, each of the data subjects’ requests is addressed in internal guidance and flowcharts, easily accessible on Verco’s intranet; if a need for further clarification exists, then contact points are unequivocally identified and people are encouraged to reach out to the relevant data protection representatives.

RQ4: Systems are in place which clearly establish the decision-making process in response to any type of request, and such systems are understood within the organisation.

Grade: Merit

As part of the guidance, which includes the flowcharts (see RQ1 and RQ3), the decision-making process is set out.

Assessment:

The flowcharts make the decision-making process easy to understand and to follow. Each level of management can refer to its position in the flowchart and find out who to speak to, who to escalate an issue to, and who to distribute to or inform of any particular issues.

9. Breaches

BR1: IT systems and data storage facilities are regularly checked for any data breach.

Grade: Observation

The IT department checks for any internal server breaches every last Friday of the month. According to the general T&Cs of CloudStorage, there is ongoing monitoring of all of its stored data, and a dedicated verification of any breaches once a week.

Assessment:

Both internal storage facilities and external facilities undergo regular checks for data breaches. However, Verco may consider changing its times to avoid repetitive behaviour, and have the monthly checks on different days of the month. In addition, at the moment no detailed records are kept of each check: according to Verco’s internal policy, there should be a report after each check, but Verco’s IT department was unable to produce a completed report for two of the last six months.

No reports have ever been requested from CloudStorage on their data breach checks, even though this forms part of Verco’s rights. CloudStorage has comprehensive reports dating back 7 years for each of its checks, and is willing to send executive summaries and/or complete reports to its clients (subject to the applicable confidentiality provisions) in pdf form.

Recommendations:

Verco may wish to consider changing the times when it checks for data breaches to avoid any repetitive or typical behaviour.

It should further ensure that the reports on each check are diligently filled in and properly filed.

Finally, it may wish to consider asking for and reading the reports on the checks conducted by CloudStorage to keep an eye on its external IT systems and data storage facilities.

BR2: Staff are aware of whom they should speak to if they suspect a data breach.

Grade: Commendation

If a data breach is suspected, the Code of Conduct and the data protection policy set out that staff should speak to their supervisor and inform Verco’s data protection team.

Assessment:

Whom to speak to in case of a suspected data breach is clearly set out, and all employees interviewed bar one have a clear and accurate idea of whom to address should they suspect any data breach. This information is also contained in the online induction training all staff have to undergo upon joining. Moreover, it forms part of the “Who to speak to” flowchart available on the intranet which sets out in an easy to comprehend manner who should be addressed in a variety of situations.

BR3: There is a confidential means of reporting data protection concerns.

Grade: Observation

The whistleblowing policy mentions that it can also be used to report any data protection concerns.

Assessment:

None of the interviewees were aware of the confidential means of reporting data protection concerns, but almost uniformly indicated they would know who to speak to and would not be concerned about confidentiality. When asked if they would consider using the whistleblowing hotline to report data protection concerns, the interviewees in almost their entirety had not considered this, and were under the impression that such hotlines are only for issues such as bullying and harassment.

Recommendations:

Verco should consider revising its data protection policy to include an explicit reference to the whistleblowing hotline as being a means of reporting any data protection concerns confidentially. It would also be helpful to add that information to the induction training and make it as well known as the identity of those the staff should speak to if they have any queries.

BR4: The organisation has a protocol governing data breaches, that includes information on how to respond and how to inform the affected data subjects as well as notify the relevant authority of the breach in a timely fashion and without undue delay.

Grade: Merit

A dedicated “Data Breaches” document provides guidance as to what to do in case of data breaches.

Assessment:

The available guidance (at the top of the “Data Protection” website on the intranet) sets out clearly, in the form of a checklist, what the protocol governing data breaches is. It provides a helpful flowchart to understand each required step, and sets out who should be notified internally and, if necessary, externally, and what the timeline is. A very good target of 24 hours from the discovery of a breach is set as the usual timeline to make all of the necessary internal and external notifications.

BR5: The organisation investigates the causes of data breaches and takes remedial action.

Grade: Not applicable

No data breach has ever been identified.

BR6: The organisation works proactively with authorities investigating potential breaches.

Grade: Not applicable

No breach has been reported or detected. As of mid-August 2016, there had never been an occasion to work with authorities investigating potential breaches.

10.Monitoringandreview

MR1:Thedocumentationrequirementsforthevarioussetsofdataare

regularlyreviewed,andaclearprocessisinplacetoidentifythe

organisation’srecordkeepingobligations.

Grade:Merit

Eachsetofdataheldisrecordedinalog,whichalsoincludesinformationonthetypeofdataandtherecord-

keepingobligationsinrelationtothattype.Thelogisupdatedbythedifferentdepartments,andaguidance

documentavailableontheintranetenablesemployeestoidentifywhatthedocumentationrequirementsand

Verco’srecord-keepingobligationsare.

Assessment:

Thelogcontainingthedifferentdatasetsisclearandupdatedregularly.Itisinelectronicformatandhasan

easy tousesearch function.Foreachnewentry, itprompts thepersonentering thedata toconsider the

documentationrequirementsandwillnotallowanentrytobesavedunlesstherequirementsandrecord-

keepingobligationsareacknowledgedbytheemployee.

Thereisaclearprocessinplacewhichallocatesthereviewofthedocumentationrequirementsforthevarious

sets of data to the data protection team,which is also taskedwith ensuring that Verco’s record-keeping

obligationsarekept.

MR2: There is a regular review by senior management of the effectiveness of existing data protection measures.

Grade: Observation

The data protection team meets at least once a month, as does the legal team.

Assessment:

The data protection team and Verco's legal department regularly review existing data protection measures and hold regular meetings to discuss any issues and changes to the legal obligations.

There is no regular consideration by senior management as such of the effectiveness of existing data protection measures; instead, changes and issues are raised on an ad hoc basis by the data protection team and/or the legal team.

Recommendations:

Verco may wish to consider including the effectiveness of existing data protection measures as a standing agenda item at board meetings.

MR3: There are periodic audits of the management of data protection.

Grade: Merit


Verco operates a system of internal auditing on an 18-month cycle for its different departments: every 18 months, each department is subject to an internal audit.

Assessment:

The internal audit system specifically includes data protection management, and detailed records are kept of each audit, including a list of shortcomings and weaknesses and a proposed action plan, with progress reviews scheduled for 3 months and 8 months after the conclusion of each audit.

MR4: The organisation conducts periodic unannounced simulations of breaches and attacks which could potentially compromise data protection and privacy.

Grade: Minor non-compliance

A simulated attack, by way of phishing emails sent to employees by Verco's IT department, was conducted in June 2015, with the results and recommendations distributed to all employees at the end of July 2015. The data protection team envisages at least one such simulation each year going forward (the next one is scheduled for October 2016).

Assessment:

Verco is aware of the threat from cyber attacks and has recognised that simulations and mock attacks are very useful in identifying weaknesses and technological as well as operational shortcomings. Its commitment to conduct unannounced simulations yearly is evidence of that. Last year's simulation was followed up by a clear summary and practicable recommendations given to all employees. However, the attacks are, at the moment, still ad hoc and do not span a wide enough range of threats; it is insufficient to focus on just one threat as part of each simulation. Nor do the current mock attacks involve any third parties or expert "friendly" attackers, thereby potentially missing out on professional, state-of-the-art simulations.

Recommendations:

Verco should consider reaching out to external service providers to arrange simulations of breaches and attacks. This should include a longer-lasting arrangement (at least 6 months) in which Verco is tested in different ways (hacking attacks, phishing emails, spoofing, botnets, pharming and other types of common cyber security threats), and an ongoing agreement to carry out regular simulations and attacks to ensure that Verco is continuously up to speed with its data protection.

MR5: There is a periodic report to the board on data protection, along with information and indicators on data breaches.

Grade: Observation


As explained in MG6, Miguel Samarrco, the current data protection officer, has a direct reporting line to the board. However, he is not a regular participant in any board meetings. Information and indicators on data breaches would be transmitted on an ad hoc basis.

Assessment:

Please refer to the assessment box in MG6 above.

Recommendations:

As mentioned in MG6, data protection should become a standing agenda item at each board meeting. In addition, Verco may wish to consider obliging the data protection team to provide a more detailed report, perhaps once every six months, on any issues and information in relation to data protection and data breaches.


Appendix 2 Document Log

[Intentionally left blank]


Appendix 3 Meeting Log

[Intentionally left blank]