The measure of a good company
GoodCorporation Standard
Assessment Report (Data Protection)
VERCO plc
August 2016
CONFIDENTIAL – for authorised distribution only
Verco Assessment Report (Data Protection) 2016 DRAFT
CONFIDENTIAL
Verco Report (DP) August 2016 © GoodCorporation Ltd. For authorised distribution only
Organisation: Verco
Activity: Telecommunications and Internet Services
Principal contact: Jane Smith
Sites visited: Headquarters and 4 branches in London, Birmingham, Bristol and Newcastle.
Date of assessment: 1-19 August 2016
Assessors: Gareth Thomas and Till Lembke
Document reference: Verco-DPReport-Template.doc
Document status: Final
This report is confidential and is not for public distribution. Copyright of the contents remains with GoodCorporation Ltd and all rights are reserved. Any internal distribution of this document or its contents must be authorised by the named contact above.
Contents
Introduction ... 1
The GoodCorporation Data Protection Framework ... 1
Assessment process and grading ... 2
Overall outcome ... 3
Executive Summary ... 3
Management and governance ... 4
Security environment ... 4
Legal environment ... 5
Operational data practices ... 5
Managing employees who handle data ... 6
Managing routine access by third parties ... 6
Breaches ... 7
Monitoring and review ... 7
Action Plan ... 8
Appendix 1 Detailed findings
1. Management and governance ... 22
2. Risk Assessment ... 27
3. Security Environment ... 28
4. Legal environment ... 33
5. Operational data practices ... 36
6. Managing employees who handle data ... 49
7. Managing routine access by third parties ... 52
8. Managing Requests ... 55
9. Breaches ... 57
10. Monitoring and review ... 60
Appendix 2 Document Log ... 63
[Intentionally left blank] ... 63
Appendix 3 Meeting Log ... 64
[Intentionally left blank] ... 64
Introduction
Verco is VERCOMMUNICATION Company’s largest dealer in the UK and it is 100% owned by the group. Verco employs over 800 people in the UK, across 40 stores. Verco sells new handsets and other telecommunication devices, internet and mobile data connections as well as television and entertainment connection packages. Products and services are sold to business customers and directly to the retail market.
Verco also runs an aftercare business, providing servicing to new and used devices and a network of engineers who visit customers on site to help install any new lines or infrastructure needed to obtain online access.
In 2015 the business made a commitment to be evaluated according to the GoodCorporation Data Protection Framework under the leadership of its head of marketing and e-commerce Jane Smith. The business undertook an initial review of its operations against the Standard in 2015 and then undertook a full assessment in August 2016, the results of which are summarised in this report.
The GoodCorporation Data Protection Framework consists of a list of good data protection practices and can be used to design, embed and evaluate an organisation’s data protection system and culture.
The GoodCorporation Data Protection Framework
The GoodCorporation Data Protection Framework is set out in Appendix I of this report. It provides the criteria for this assessment report. Based on a core set of principles for responsible data management, the framework sets out 76 areas of management practice that are assessed to determine how well the organisation performs against each. The GoodCorporation Data Protection Framework covers ten key areas of management:
• Management and governance;
• Risk assessment;
• Security environment;
• Legal environment;
• Operational data practices;
• Managing employees who handle data;
• Managing routine access by third parties;
• Managing requests;
• Breaches; and
• Monitoring and review.
This assessment was conducted against the GoodCorporation Data Protection Framework (August 2016 Revision).
Assessment process and grading
The assessment took place in Verco’s London headquarters and four branches each in London, Birmingham, Bristol and Newcastle, between 1st-19th August 2016, and included a number of telephone interviews. The assessor reviewed documents, interviewed functional managers, and interviewed samples of stakeholders including employees, service providers and business partners to evaluate Verco’s overall adherence to the GoodCorporation Standard for data protection.
All stakeholder interviews were conducted in confidence and this report does not attribute individual comments. Where problems were found or sensitive feedback was given this has necessarily been stated in general terms unless specific consent was granted to give details of individual cases.
Each evidence point was assessed, and graded according to a scale as shown here:
Please note: ‘best practice’ corresponds to ‘commendation’, ‘no action required’ corresponds to ‘merit’, ‘improvement recommended’ corresponds to ‘observation’, ‘action required’ corresponds to ‘minor non-compliance’ and ‘significant action required’ corresponds to ‘non-compliance’.
Overall outcome
Executive Summary
Verco has obtained merits or commendations in just over half of the assessed practices. In five practices, Verco has demonstrated exemplary conduct. Its policies on data protection are particularly commendable (MG1), as is its approach to risk assessments to consider data protection risks (RA1), which are thoroughly conducted on a regular basis. In addition, Verco is very strong in compiling guidelines which are clear and comprehensive, and include sections on, inter alia, identifying vulnerable customers, practical tips on how to engage with them, specific considerations for frontline staff, and guidance on how their personal data should be protected (OP8). The processes employed to destroy data or to render it irrecoverable are also of a very high standard (OP21). Finally, Verco has succeeded in conveying clearly whom to speak to in case of a suspected data breach, and all employees interviewed bar one have a clear and accurate idea of whom to address should they suspect any data breach (BR2).
Conversely, just under a fifth of Verco’s practices which benefit from a policy or a system do not always work, and require corrective actions to reduce risk. This includes a lack of clarity in relation to privacy notices (MG4), negligent locking of cabinets (PS2), and a relaxed approach to the use of non-encrypted USB devices (IS5) and training on information systems security (IS8). Four operational practices, touching on consent (OP1), data collection (OP4), privacy notices for children and other vulnerable individuals (OP10) and the monitoring of employees’ use of internet, email and other communication systems (OP13), would especially benefit from improvements. In addition, job-specific training for relevant employees would be recommended (ME1). Verco’s engagement with service providers’ or business partners’ data protection practices and verification thereof (TP2 and TP5) also provides room for improvement. Verco can likewise improve its own security by reaching out to external service providers to conduct breach simulations and simulated attacks to test its systems (MR4).
Overall Verco has a very good commitment to adopting responsible business practices in the realm of data protection and has met the needs of the GoodCorporation Standard, with no ‘non-compliance’ grade in any of the 76 points in its GoodCorporation assessment.
The chart below shows the breakdown of the grades awarded to Verco, with just over half of practices working well and graded as merit or commendation.
Management and governance
Verco’s senior management team has a good understanding of the importance of data protection and how to engage with the key principles underpinning effective data privacy programs. Clear policies on data protection exist (MG1), and a dedicated intranet website on data protection provides a wealth of information, including useful guidance documents and flowcharts, to employees. A very good summary of Verco’s data protection policy is available online. Verco states that the comprehensive data protection policy is also available on request, but this is not clear from the website and Verco may wish to make access to its full data protection policy easier (MG3). In respect of privacy notices, Verco should redraft them to render them less legalese and more plain-English. It should also ensure that privacy notices are readily available, which is not always the case, especially in its stores (MG4).
While the data protection officer is well prepared for the role and benefits from tailored training to undertake the relevant work, just over half of the interviewed employees were not aware of who the data protection officer is. Verco may wish to communicate the role and functions of the data protection officer more pro-actively (MG5). The data protection officer’s line to the board is good and works well, but data protection does not feature as a standing order agenda item during the board of director meetings – this should change (MG7). Additional help and resources for the data protection functions should be considered (MG8).
Security environment
Even though Verco’s buildings’ access controls are of good standards, practices in respect of locking cabinets and drawers, as well as of following the “clean-desk” policy are lacking. Several documents containing customers’ personal data were left out in the open on desktops that anyone walking by could see, and a number of drawers were left open despite also containing confidential information (PS2). Verco should ensure that it enforces the clean-desk policy and stresses the importance of locking all drawers and cabinets.
Chart: Verco’s Data Protection Policies and Practices (breakdown of grades): Commendation 7%, Merit 44%, Observation 32%, Minor non-compliance 17%, Non-compliance 0%.
On the whole, Verco has good practices when it comes to information systems security. However, while a policy on the use of USBs, hard drives and other external devices exists, the prohibition on the use of non-Verco-issued devices is not strictly enforced. Verco should consider amending its software on all laptops to ensure that only company-approved and adequately encrypted external devices can be used with Verco’s laptops. In addition, it would be helpful to remind employees of the dangers of using unencrypted storage devices when transferring data (IS5). In addition, Verco should consider offering dedicated training sessions on the appropriate use of employee-owned devices including how to set up strong passwords (IS6).
In terms of dedicated IT practices, Verco should establish a formal timeline for the carrying out of independent IT assessments that cover the robustness and appropriateness of IT security controls – these should be undertaken at annual intervals, and should involve not just the IT department but also the data protection team (IS7). Training on information systems security is not consistently planned and does not form part of the official training plan for 2016 (but did for 2015), meaning that those employees who have joined Verco after 21 November 2015 have not received specific training on information systems security. Such training ideally will become a mandatory part of a new employee’s induction session, and will be held at regular intervals to ensure ongoing awareness (IS8).
Legal environment
In general, the legal environment in respect of data protection and privacy at Verco is very good. There are adequate processes in place to monitor legal requirements and any relevant changes, and registration requirements, data transfers and the handling of personal data by third parties are adequately addressed. An area for improvement is the communication of any changes to the data protection legislation to the relevant people. While changes are, on the whole, communicated clearly and speedily, and all relevant people felt they were aware of any changes, the newsletter alone may not be sufficient to communicate changes. It would be helpful to target new information more specifically to those people affected by it, by direct email contact (LE2).
Operational data practices
Verco is strong on operational data practices, with 13 out of 22 applicable practices obtaining a merit, in addition to two commendations. However, several observations and four minor non-compliance grades were also recorded.
Verco should consider changing its contracts across its operations to allow customers to immediately opt out of any information sharing not strictly necessary to the provision of the contractually agreed services. It should ensure that it does not rely, in any case, on pre-ticked consent boxes or treat silence or inaction as sufficient consent (OP1). In addition, Verco should reconsider its information gathering process. Instead of asking additional questions in the same documents as the mandatory questions (i.e. those necessary for the provision of the requested services), Verco ought to consider a separate process to ask any mandatory questions, using documents dedicated to the purpose. This would also allow it to clearly communicate the purpose of the additional information and ensure that the third party providing such information does so in a fully informed and consenting manner. In any case, Verco should ensure that it is beyond doubt what information is crucial, and what information is not strictly necessary (OP4).
At the moment, the communication of Verco’s data protection policies and practices and of what the data will be used for and why at all data collection points has room for improvement. Verco should ensure that all data collection points offer the data subject the opportunity to inform him or herself instantaneously about what the data is used for and why it is being used in such way, without having to undertake any further research. Staff across all stores should be aware of the applicable data protection policies and practices and able to explain, at least in very broad terms, to customers how their data is being used and why; this is not the case everywhere yet (OP5). Verco should further make sure that information related to how long data will be kept and when it will be disposed of is included in its standard customer documents (OP6).
It is commendable that Verco has devised specific policies for vulnerable groups; however, currently it is very complicated to obtain those and about 60% of the interviewees were not aware that such alternative formats even existed. The staff in Verco’s stores should be trained to be able to source and distribute alternative formats in store or by mail/online. Verco should ensure that its privacy notices are adapted to the needs of children and explain the steps taken if the data subject is under 16 (OP10). In respect of obtaining explicit permission for the use of information, several customers reported that they were dissatisfied with the use of their information to send twice-monthly newsletters without explicitly asking for permission (OP12).
With regard to the monitoring of employees’ use of internet, email and other communications systems, Verco has clear processes and rules. However, the enforcement system appears not to be working and additional training should be offered to line managers on how to address any inappropriate user behaviour, as well as on the importance of the appropriate use policy (OP13). For customer and data subject requests, additional training should be offered to receptionists and other customer-facing staff. Verco should ensure the reminder emails about the processes relating to data subject requests are sent regularly, and that the logbook is inspected carefully by the data protection team, to guarantee that outstanding entries are dealt with in a timely manner (OP18). Finally, Verco may wish to reconsider its wide distribution of authority to disclose data, and allocate authority to disclose on a stricter basis (OP20).
Managing employees who handle data
For employees handling data, specific, job-related data protection training should be undertaken, beyond the basic overall training offered to all (ME1). Employees would also benefit from a clear and consistent communications plan, with updates on data protection issues sent not on an ad-hoc basis contingent on urgency, but at regular intervals (ME3). Currently, there is no clear disciplinary process description, and it is recommended that Verco set out in more detail what its disciplinary process entails and what the different steps are from the first formal warning letter to the ultimate sanction of dismissal. A stronger enforcement of the applicable policies would also be beneficial (ME6).
Managing routine access by third parties
As far as managing routine access by third parties is concerned, Verco should verify that the data protection policy and related standards are communicated by email in advance to each service provider or business partner, and not rely on the third party itself to request the document (TP1). Verco is aware of the importance of service providers and business partners having adequate data protection practices if they are to collect, handle or destroy data on Verco’s behalf. This is demonstrated by its insistence on those other parties to provide contractually enforceable statements to that effect. However, Verco should make sure that it verifies at least some of its service providers’ or business partners’ data protection practices to show its own commitment and safeguard against infringements in its supply chain (TP2). In addition, Verco should consider enacting a more formal process in relation to the active management of its service providers’ or business partners’ handling of data and the protection thereof. It could consider asking for periodic feedback and actively engaging with its business partners or service providers in offering data protection training and checking their commitment to data protection (TP4). It should also consider including spot checks, starting with key service providers or business partners that handle large volumes of data on behalf of Verco (TP5). A verification process and such spot checks would also enable Verco to use its contractual rights to sanction where necessary (TP6).
Breaches
Verco’s IT department regularly checks for internal server breaches, but Verco may wish to consider changing the times to avoid typical or repetitive behaviour. It should also ensure that reports on each check are diligently filled in and properly filed. It may also wish to consider asking for and reading the reports on the checks conducted by CloudStorage to keep an eye on its external IT systems and data storage facilities (BR1).
In respect of confidential means of reporting data protection concerns, Verco should consider revising its data protection policy to include an explicit reference to the whistleblowing hotline as being a means of reporting any data protection concerns confidentially (BR3).
Monitoring and review
While Verco appears aware of the threats emanating from the digital world, it should consider reaching out to external service providers to arrange for simulations of breaches and attacks. This should include a longer-lasting arrangement (at least 6 months), in which Verco is being tested in different ways (hacking attacks, phishing emails, spoofing, botnets, pharming and other types of common cyber security threats), and an ongoing agreement to carry out regular simulations and attacks to ensure that Verco is continuously up to speed with its data protection (MR4). Verco may also wish to consider obliging the data protection team to provide more detailed reports on a regular basis, perhaps once every six months, on any issues and information in relation to data protection and data breaches, and maintain data protection as a constant item on the agenda of each board meeting (MR5).
Action Plan
Columns: No. | Framework point | Recommendation(s) | Grade | Verco’s comments (if any) | Action to be taken by Verco | Owner | Timeframe
1. MG3
Verco should consider publishing its complete policy on data protection on its public website, or alternatively at least make it very clear, both on the website and in the summary document provided, that the complete policy can be requested by email or by phone.
Grade: Observation
2. MG4
Verco should review its privacy notices and consider redrafting them in a simpler style. It should consider creating shorter summary privacy notices (of one to two pages) which highlight the most important aspects of what will happen with a data subject’s information. Finally, Verco should ensure that the privacy notices are readily available online and ideally in hard copy across its stores.
Grade: Minor non-compliance
3. MG5
Verco should ensure that employees are pro-actively told about who the data protection officer is, e.g. by way of emails reminding them (this could form part, for example, of a “Key Contacts and Numbers” email sent out once a month and also regrouping other key contacts such as HR, whistleblowing hotlines or other important contacts), or by hanging out posters with the data protection team’s details around the office, or having info sessions dedicated to the work the data protection team does.
Grade: Observation
4. MG6
Verco’s board should consider having data protection as a standing order agenda item at its meetings, actively inviting the data protection officer to provide a short summary or reach out to the board in advance of the board meetings, to ensure continuous exchange and reporting of data protection issues to the highest levels.
Grade: Merit
5. MG7
Verco should consider holding dedicated training sessions for its senior management team to communicate the importance of data protection and to ensure that data protection is regarded as an issue that each senior manager is also responsible for. The annual meetings with the data protection team may be more useful if they were held semi-annually at least, to ensure a more up-to-date awareness among all managers.
Grade: Observation
6. MG8
A more streamlined process to allow the data protection team to resort to outside help if necessary, and to participate in in-depth training sessions over two or three working days, would reduce the anxiety the data protection team feels about not being able to implement the latest standards of data protection. Ideally, a certain amount would be earmarked for data protection training and advice expenditure at the beginning of each year, which the data protection officer could relatively easily access.
Grade: Observation
7. PS2
Verco should make clear it is imperative that the clean desk policy is followed, particularly in open plan spaces and rooms which cannot be locked. One approach in enforcing this rule could be to spend some time each evening for a week or two to verify who did not abide by the clean desk policy and send the relevant people a standard email the next morning reminding them of the policy.
Verco should further make it clear to employees in the head office as well as the branches that all filing cabinets and lockers must be locked by key at all times.
Grade: Minor non-compliance
8. PS3
Verco should ensure that it is fully aware of the security safeguards which its off-site server providers have and ensure that its contracts spell out in detail what standards are expected.
Verco may also wish to consider an updated power back-up system which lasts longer than only 8 hours, given that oftentimes power cuts are not addressed in that timespan and forcing the internal servers to shut down may severely hamper Verco’s operations (although this has not been a problem in the last ten years).
Grade: Observation
9. IS5
While no breach or specific incident has been reported, Verco should consider amending its software on all laptops to ensure that only company-approved and adequately encrypted external devices can be used with those laptops.
In addition, Verco should ensure that all its staff are aware of the policy on the use of external devices and realise the inherent dangers in using personal external devices, especially non-encrypted ones, when accessing, transferring or storing data.
Grade: Minor non-compliance
10. IS6
Verco’s policy includes examples of best practices, including how to create strong passwords, but this is not widely known among employees. Verco should consider offering dedicated training sessions on the appropriate use of employee-owned devices. For instance, before an employee is granted access to work email on his or her phone, the IT team could send across a detailed summary of how to use the device and how to create passwords, as well as the need to register the device and record its serial number.
Grade: Observation
11. IS7
Verco should establish a formal timeline for the carrying out of independent IT assessments that cover the robustness and appropriateness of IT security controls – these should be undertaken at least annually. In addition, this should not just be the purview of the IT department, but actively involve the data protection team as well.
Grade: Observation
12. IS8
Verco should consider making such training a mandatory part of a new employee’s induction session, and hold such training at regular annual intervals to refresh employees’ awareness.
Grade: Minor non-compliance
13. LE2
In addition to the weekly newsletter, it is helpful to target new information more specifically to those people who will be responsible for it. For instance, a change in the IT requirements should always also be specifically mentioned and sent to the IT department separately.
Grade: Observation
14. OP1
Verco should change its contracts, both online and in hard copy, to allow customers to immediately opt out of any information sharing not strictly necessary to the provision of services. Ideally, customers would have to explicitly opt in before giving any such consent. Verco should make sure that all customers are fully informed of their rights in relation to consent, whether they enter into a contract online or in a store.
It is noted that the law in relation to consent is strengthened from May 2018 onwards - consent under the GDPR requires clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute clear affirmative action. Verco must consider this and revise its standard approach to obtaining consent in time to comply with the GDPR.
Grade: Minor non-compliance
15. OP4
Verco should reconsider its information-gathering process. Instead of asking additional questions in the same documents as the mandatory questions (i.e. those necessary for the provision of the requested services), Verco could have a separate process to ask any mandatory questions, on a different set of paper. This would also allow it to clearly communicate the purpose of the additional information and ensure that the third party providing such information does so in a fully informed and consenting manner. In any case, Verco should ensure that it is beyond doubt what information is crucial, and what information is not strictly necessary.
In addition, Verco should ensure it has a clear idea for what it intends to use any information obtained, and why it is asking certain questions. This will allow it to communicate the statement of purpose before asking the relevant questions, and avoids the risk of asking as many questions as possible and considering what to do with the answers afterwards.
Grade: Minor non-compliance
16. OP5
Verco should ensure that all data collection points offer the data subject the opportunity to inform him or herself instantaneously about what the data is used for and why it is being used in such way, without having to click on other websites and undertake additional research.
Verco should also make sure that its staff are universally aware of the applicable data protection policies and practices and able to explain, at least in very broad terms, to customers how their data is being used and why, where relevant.
Grade: Observation
17. OP6
Third parties as well as staff should be able to have a quick sense of what happens to their data if it is being disposed of and what the timeframe for keeping such data is. Verco should consider including that information in the standard documents and contracts in the section on data protection and privacy.
Grade: Observation
18. OP7
See OP1.
Grade: Observation
19. OP10
The staff in Verco’s stores should be trained to be able to source and distribute alternative formats of the privacy notices without any delay. Ideally, they would be able to directly distribute such alternative formats in store or by mail/online without having to first contact Verco’s head office.
Verco should ensure that its privacy notices are adapted to the needs of children and explain the steps taken if the data subject is under 16.
Grade: Minor non-compliance
20. OP12
Verco should ensure that those uses which would, by most customers at least, be deemed to go beyond the strictly necessary to enable the provision of services are highlighted and require specific permission.
Grade: Observation
21. OP13 Verco should consider offering training sessions to line managers on how to address inappropriate user behaviour, and stress the importance of following the appropriate use policy.
In addition, Verco may wish to consider a blanket ban on the use of personal laptops and handheld devices/other internet-connected devices during office hours, and re-circulate its communication about what may and what may not be accessed or circulated by employees during office hours or using office equipment.
Grade: Observation
22. OP14 A clear guideline on how often and at what intervals the data subject should be reminded to respond after the initial email should be implemented and shared among all relevant employees.
Grade: Merit
23. OP18 Training for receptionists and anyone who is customer-facing should include a dedicated section on how to deal with data subject requests. It may also be helpful to send out regular reminder emails (once a month) to highlight the relevant policies and where to access them.
The data protection team should ensure that the logbook is inspected carefully on a regular basis (at least once or twice a week) and that any outstanding entries are dealt with as soon as reasonably practicable.
Grade: Observation
24. OP19 Verco should not use categories to grant general authority to employees, but should allocate authority strictly on the basis of necessity and consider the duties and job description of each employee before giving that employee data sharing authority.
Grade: Observation
25. OP23 Verco should update its policies to clearly include genetic and biometric data as sensitive data.
Grade: Merit
26. ME1 Verco should tailor specific training according to an employee's needs. Basic overall training is a good idea, but additional training should be considered for those who are likely to have to deal with requests, process large amounts of personal data (HR staff members, customer-facing employees), etc.
Grade: Observation
27. ME3 Verco should consider spending some time setting up a clear communications plan with respect to data protection issues, responding not only to specific topics or matters of urgency, but also ensuring that data protection reminders are sent at regular intervals, with links and information for employees to refresh their knowledge and raise overall awareness.
Grade: Observation
28. ME6 Verco should set out in more detail what its disciplinary process entails and what the different steps are, from the first formal warning letter to the ultimate sanction of dismissal. This should be contained in an updated Code of Conduct.
Verco should further ensure that the formal disciplinary process is actually used in respect of data protection infringements, to signal that it is serious about respect for its data protection policies. A formal first warning letter to employees in breach of a data protection rule, setting out what the infringement is, how to avoid such an infringement, and offering to discuss and/or provide further clarification in person, would be a good first step.
In addition, Verco may wish to consider including a sample (fictitious or anonymised) case study in its Code of Conduct or its data protection policy on how the disciplinary process would be used in respect of infringements of the organisation's data protection rules.
Grade: Minor non-compliance
29. TP1 Verco should ensure that the data protection policy and related standards are communicated by email in advance in each case, rather than relying on the third party to obtain the documents itself.
Grade: Observation
30. TP2 Verco is aware of the importance of service providers and business partners having adequate data protection practices if they are to collect, handle or destroy data on Verco's behalf. This is demonstrated by its insistence that those other parties provide contractually enforceable guarantees to that effect. However, Verco should make sure that it verifies at least some of its service providers' or business partners' data protection practices, to show its own commitment and to safeguard against infringements in its supply chain.
Grade: Minor non-compliance
31. TP4 Verco should consider enacting a more formal process in relation to the active management of its service providers' or business partners' handling of data and the protection thereof. It could consider asking for periodic feedback and actively engaging with its business partners or service providers by offering data protection training and checking their commitment to data protection.
Grade: Observation
32. TP5 Verco should introduce spot checks, starting with key service providers or business partners that handle large volumes of data on behalf of Verco.
Grade: Minor non-compliance
33. TP6 While there is no suggestion that service providers or business partners have in fact failed to meet Verco's required standards for data protection, Verco should strongly consider (as set out in TP2 and TP4) a verification process and spot checks to ensure compliance, and to enable it to use its contractual rights to sanction where necessary.
Grade: Observation
34. BR1 Verco may wish to consider varying the times at which it checks for data breaches, to avoid any repetitive or predictable pattern.
It should further ensure that the reports on each check are diligently filled in and properly filed.
Finally, it may wish to consider asking for and reading the reports on the checks conducted by CloudStorage, to keep an eye on its external IT systems and data storage facilities.
Grade: Observation
35. BR3 Verco should consider revising its data protection policy to include an explicit reference to the whistleblowing hotline as a means of reporting any data protection concerns confidentially. It would also be helpful to add that information to the induction training and make it as well known as the identity of those the staff should speak to if they have any queries.
Grade: Observation
36. MR2 Verco may wish to consider including the effectiveness of existing data protection measures as a standing agenda item at board meetings.
Grade: Observation
37. MR4 Verco should consider reaching out to external service providers to arrange simulations of breaches and attacks. This should include a longer-lasting arrangement (at least 6 months) in which Verco is tested in different ways (hacking attacks, phishing emails, spoofing, botnets, pharming and other types of common cyber security threats), and an ongoing agreement to carry out regular simulations and attacks to ensure that Verco is continuously up to speed with its data protection.
Grade: Minor non-compliance
38. MR5 As mentioned in MG6, data protection should become a standing agenda item at each board meeting. In addition, Verco may wish to consider obliging the data protection team to provide a more detailed report, perhaps once every six months, on any issues and information in relation to data protection and data breaches.
Grade: Observation
Appendix 1 Detailed findings
1. Management and governance
MG1: There is a written and clearly articulated policy on data protection, which is referred to in the organisation's code of conduct.
Grade: Commendation
Verco has a written and clearly articulated policy on data protection. This is referred to in Verco's Code of Conduct, and is clearly signposted on the homepage of the organisation's intranet. A summary of the data protection policy is made available on Verco's publicly accessible homepage.
Assessment:
The policy on data protection captures a variety of issues and clearly sets out the rights and obligations of all staff and the policy on employee-owned devices. It also contains a section on addressing the needs of vulnerable members of staff or customers, including children.
The policy appears in an easy-to-use format, and across interviews employees were confident that a policy existed, where to find it, and how to use it. There was clear ownership and version control, with the last version having been updated in July 2016 in preparation for the legislative changes coming into force with the start of the EU General Data Protection Regulation (GDPR) in 2018.
MG2: The policy and the measures in place have been formally approved by the board.
Grade: Merit
The revised version of the data protection policy was signed off formally at Verco's latest company board meeting on 29 July 2016.
Assessment:
While the latest version was a dedicated minute on the agenda of July's board meeting, the previous two versions had not been formally approved by the board. The reason given was that the two previous updates (in February 2015 and April 2014) concerned mostly typographical updates and did not touch on any substantive content.
Recommendations:
It is advisable to ensure that each update of the data protection policy, as well as any processes in connection with the data protection policy, is formally approved by the board. Making data protection a standard point on the agenda of each board meeting is a recommended way to guarantee that anything in relation to data protection is regularly and continuously considered by the board.
MG3: Both the complete policy and a summary of the policy are made public.
Grade: Observation
A summary of the data protection policy is made available on Verco's publicly accessible homepage. The complete policy is not available publicly.
Assessment:
The summary of the data protection policy is well presented and captures the key points of the long-form policy. However, for members of the public without access to Verco's intranet, there is no easy way to obtain the comprehensive policy. The data protection officer made it clear that the complete policy can be made available on request, but this is not obvious from visiting Verco's website and is not formally written down anywhere easily accessible.
Recommendation:
Verco should consider publishing its complete policy on data protection on its public website, or alternatively at least make it very clear, both on the website and in the summary document provided, that the complete policy can be requested by email or by phone.
MG4: The organisation has readily accessible privacy notices in place which include the legal basis for processing data, data retention periods and a data subject's right to complain and to whom. The information provided in the privacy notice is given in clear, concise and easy to understand language.
Grade: Minor non-compliance
The website contains a comprehensive privacy notice which sets out the way in which the information gathered from the website visitor and/or online customer is being used, and which meets the legal requirements. In stores, privacy notices form part of the contractual documents or are referred to in them.
Assessment:
The privacy notices are written in a complicated and legalistic style. A large majority of interviewed customers and suppliers (more than 75%) found the privacy notices to be unclear, lengthy and difficult to understand.
In stores, while privacy notices or references to privacy notices form part of any paperwork and contractual documents which customers may enter into, these are not readily accessible. Staff often did not know how to locate the full privacy notice (despite references in the paperwork inviting customers to ask staff for the full privacy notices), and in half of the surveyed stores no hard copies of the privacy notices were available.
Recommendations:
Verco should review its privacy notices and consider redrafting them in a simpler style. It should consider creating shorter summary privacy notices (of one to two pages) which highlight the most important aspects of what will happen with a data subject's information. Finally, Verco should ensure that the privacy notices are readily available online and ideally in hard copy across its stores.
MG5: There is a named person responsible for data protection who is made known to employees and signposted as a source of guidance on data protection queries.
Grade: Observation
Verco's data protection officer is Miguel Samarrco, who heads a dedicated data protection team of three people. His name and the existence of the data protection team are mentioned in Verco's and the Group's data protection policy, and made clear on Verco's intranet website in the data protection section.
Assessment:
While it is clear who is responsible for data protection, just over half of the employees interviewed did not know who the data protection officer was, or how to find out who to talk to if they needed guidance on data protection queries.
Other than the communication in the policies and on the intranet, there was no effort to inform employees about the data protection team. One email was sent out on Miguel Samarrco's appointment to the role of data protection officer in January 2014, but no further direct communication appears to have been undertaken since then.
Recommendations:
Verco should ensure that employees are pro-actively told who the data protection officer is, e.g. by way of emails reminding them (this could form part, for example, of a "Key Contacts and Numbers" email sent out once a month that also groups together other key contacts such as HR, whistleblowing hotlines or other important contacts), by hanging up posters with the data protection team's details around the office, or by holding info sessions dedicated to the work the data protection team does.
MG6: The responsible person has a reporting line to the board.
Grade: Merit
The data protection officer (currently Miguel Samarrco) has a direct reporting line to the board.
Assessment:
It is possible for the data protection officer to reach out directly to the board should he wish to do so. He is however not a regular participant in the board meetings and has contact with the board only on his own initiative.
Recommendations:
Verco's board should consider having data protection as a standing agenda item at its meetings, actively inviting the data protection officer to provide a short summary or to reach out to the board in advance of the board meetings, to ensure continuous exchange and reporting of data protection issues to the highest levels.
MG7: Senior management champions and sets the tone on data protection.
Grade: Observation
Verco's senior management usually know who the data protection officer is, and annual meetings bring together all of the senior management and the data protection team to discuss developments over the last year and challenges ahead.
Assessment:
While most senior managers were aware of the data protection team and would circulate information from the team amongst their own departments, there was a lack of pro-active engagement with the data protection team. A mentality that data protection is not part of their responsibility and should be left to the experts and the lawyers appears to pervade most of senior management.
Recommendations:
Verco should consider holding dedicated training sessions for its senior management team to communicate the importance of data protection and to ensure that data protection is regarded as an issue that each senior manager is also responsible for. The annual meetings with the data protection team may be more useful if they were held at least semi-annually, to ensure a more up-to-date awareness among all managers.
MG8: Adequate resources are devoted to implementing and monitoring data protection.
Grade: Observation
Verco's data protection team consists of three people who work full time on keeping up to date with legal developments and devising the policies and training programmes for Verco's operations across the country. For each of Verco's branches, an employee is nominated as responsible for data protection issues and is specifically trained by Verco's data protection team.
Assessment:
Overall, there is sufficient support and there are sufficient resources devoted to the data protection team and its work in implementing and monitoring data protection. However, it is very difficult, and takes up to two months, to obtain permission to engage outside services for specific data protection projects, such as comprehensive training courses or additional legal advice and guidance from private law firms. This results in a general concern that it is difficult to ensure that all of the data protection team are aware of the latest legal updates and able to comprehensively consider all aspects of data protection. In addition, there are certain "crunch times" when outside help and advice is considered indispensable. Obtaining permission for funding to engage, for example, an outside law firm takes a considerable amount of time (in the context of the GDPR and specific questions as to how it would impact the telecommunications sector, the data protection team had to wait for two months before it got permission to engage a data protection lawyer for a total of 10 billable hours).
Recommendations:
A more streamlined process to allow the data protection team to resort to outside help if necessary, and to participate in in-depth training sessions over two or three working days, would reduce the anxiety the data protection team feels about not being able to implement the latest standards of data protection. Ideally, a certain amount would be earmarked for data protection training and advice expenditure at the beginning of each year, which the data protection officer could access relatively easily.
2. Risk Assessment
RA1: Regular risk assessments consider data protection risks and impacts on privacy, and the effectiveness of mitigation measures, both within the organisation and in association with third parties. Assessments are conducted at least annually.
Grade: Commendation
Verco conducts its risk assessments in relation to data protection risks and impacts on privacy on a very regular basis, with a dedicated meeting every three months. In addition, each department at Verco must consider data protection risks and impacts on privacy in any new project it engages in, by filling in a paper document and acknowledging that data protection risks are either acceptable or mitigated.
Assessment:
Verco's approach to risk assessments is exemplary, and forms an integral part of its business conduct.
RA2: Data protection and privacy are considered by design and by default in respect of any new activities and products, including privacy impact assessments where necessary.
Grade: Merit
Each department must conduct a data protection risk assessment before engaging in any new project.
Assessment:
The risk assessments form part of the day-to-day business conduct, and data protection and privacy are considered by design and by default. A revised risk assessment paragraph was issued after the publication of the new GDPR, and explicit references to consideration by design and by default are made in Verco's code of conduct and risk assessment guidelines.
3. Security Environment
Physical Security
PS1: Buildings where data is stored are properly secured with controlled access.
Grade: Merit
To access Verco's offices, a touch key is required which is issued only to employees of Verco. The IT and archive rooms have extra locks which only a handful of employees have keys to. In stores, access is generally secured by lockable doors and a metal gate which is closed overnight. The offices and all stores are alarmed, with the alarm turned on and off by code. This code is on average changed every three months. All visitors must register before accessing Verco's head office and must be accompanied by a member of staff at all times.
Assessment:
The access controls Verco employs are of a good standard.
PS2: Hard copy files and servers are kept in locked rooms, cabinets or storage facilities with controlled access.
Grade: Minor non-compliance
All cabinets and storage facilities in Verco's offices and in the branches can be locked. Servers, to the extent these are on-site, are in separate rooms and can be accessed only by specifically authorised IT employees with special key cards. An electronic system records the time of any access and whose key card is used. CCTV operates in the server rooms.
Assessment:
It is Verco's policy to keep all hard copy files under lock and key. It is also official policy for every employee to have a "clean desk" at the end of each working day, i.e. to lock away any files in the employee's cabinet or securely store them elsewhere. However, some of the lockers and cabinets were not, in fact, locked when the assessors tried to open them. In almost a third of the stores, the store managers and employees did not bother locking their cabinets. A significant number of the employees in Verco's head office did not abide by the clean desk policy, and several documents containing customers' personal data were left out in the open for anyone walking by to see.
Recommendations:
Verco should make clear that it is imperative that the clean desk policy is followed, particularly in open plan spaces and rooms which cannot be locked. One approach to enforcing this rule could be to spend some time each evening for a week or two verifying who did not abide by the clean desk policy and sending the relevant people a standard email the next morning reminding them of the policy.
Verco should further make it clear to employees in the head office as well as the branches that all filing cabinets and lockers must be locked by key at all times.
PS3: There is protection for equipment containing data from environmental hazards including fire, flood and power failure.
Grade: Observation
Verco's main servers are off-site and operated by one of the UK's biggest cloud and server companies, CloudStorage Ltd. Verco's offices and each branch have fire extinguishers for all types of fires, and there is an extremely low flooding risk at any of Verco's sites. All employees use laptops for work. A back-up battery system lasting about 8 hours supports the internal servers at Verco's head office should there be a power cut, but apart from that there is no separate power generation if power fails.
Assessment:
While no specific dangers have been identified, and no incidents have ever been reported, there was a general lack of awareness of how the equipment on Verco's sites is protected against fire, flood or power failures. With regard to the off-site servers, it was trusted that CloudStorage would have sufficient safeguards against environmental hazards, but there was no knowledge of what such safeguards actually consisted of. This was not specifically addressed in the service contract between CloudStorage and Verco, but does form part of the overall terms and conditions that CloudStorage applies to all of its contracts.
Recommendations:
Verco should ensure that it is fully aware of the security safeguards which its off-site server providers have, and ensure that its contracts spell out in detail what standards are expected.
Verco may also wish to consider an updated power back-up system which lasts longer than only 8 hours, given that power cuts are often not resolved within that timespan and forcing the internal servers to shut down may severely hamper Verco's operations (although this has not been a problem in the last ten years).
Information Systems Security
IS1: Access to electronic data is regulated by user identification and authentication.
Grade: Merit
Each laptop and each access to any of Verco's intranet sites is user authenticated and password protected. Electronic information is accessible on a "need to know" basis.
Assessment:
Verco employs a good standard of identification and authentication, with electronic data being accessible only to those people who are authorised to access it (e.g. only certain people in HR have access to staff records). Passwords must be changed every 60 days and require a combination of letters, numbers and special symbols.
IS2: Data access controls (including read, write, amend, move, copy and delete privileges) and, where necessary, security levels are in place and regularly reviewed.
Grade: Merit
Data access controls are in place across Verco's systems, with different levels of confidentiality for different sets of documents.
Assessment:
Verco has a thorough system of data access controls and ensures that any access privileges correspond to the function and role of the relevant employee. Documents of higher confidentiality will not be visible, let alone accessible, to those employees not cleared to access such confidentiality levels.
IS3: Changes to the systems that store and process data are properly controlled and subject to segregation of duties.
Grade: Merit
The IT department is responsible for the systems that store and process data and ensures that all changes are made appropriately.
Assessment:
Any changes to the systems can only be made by the IT department, but must be signed off by senior management. Once a change is envisaged, the senior manager receives an email inviting him to electronically authorise the change; only once this has been authorised can the change be made.
IS4: Laptops, smartphones and other portable devices are encrypted and, if appropriate, have a remote memory wipe facility.
Grade: Merit
Laptops and any portable devices issued by Verco to its employees are all encrypted, and have a remote memory wipe facility.
Assessment:
Verco employs a system of electronic registration of all its devices and is able to access them to remotely wipe their memory if necessary. The default setting on most devices is that once the password is entered incorrectly more than three times, the device will lock itself and can be unlocked only by a member of Verco's IT security team.
IS5: There is a policy on the use of USBs, hard drives and other external devices.
Grade: Minor non-compliance
Verco does have a policy on the use of USBs, hard drives and other external devices. Non-Verco-issued external devices are prohibited and only encrypted external devices can be used.
Assessment:
While a policy exists, it is not strongly enforced. Verco is conscious of the dangers that the use of non-encrypted external devices presents, but a number of employees reported that they frequently use their own USB devices to transfer data containing personal data. The Verco-issued laptops are usually still compatible with external devices not issued by Verco, and for reasons of time and convenience employees are tempted to ignore the policy on the use of external devices. No breach has ever been reported, and all employees bar one reported that they would securely delete the data from their external device as soon as the transfer was completed or it was no longer necessary to store it. This self-reported deletion could not be verified by the assessors.
Recommendations:
While no breach or specific incident has been reported, Verco should consider amending the configuration of all laptops to ensure that only company-approved and adequately encrypted external devices can be used with those laptops (for example, by restricting removable storage to an allowlist of approved device identifiers at the operating-system level, rather than relying on employees to follow the policy).
In addition, Verco should ensure that all its staff are aware of the policy on the use of external devices and realise the inherent dangers in using personal external devices, especially non-encrypted ones, when accessing, transferring or storing data.
IS6: There is a policy on the use of private and/or employee-owned devices.
Grade: Observation
The employment handbook contains a dedicated section on the use of employee-owned devices and sets out examples of best practice as well as minimum safety requirements (namely the need to register and password protect the device).
Assessment:
Not all employees knew whether their device (usually mobile phones, but in some cases also iPads and similar electronic devices) was registered and its serial number recorded. All interviewees who used their own devices (usually for work email) used passwords, but not all were confident that their passwords were strong, and they did not always know how to devise strong passwords. Before access to work email is granted, the IT department must send an authentication key to the employee's device.
Recommendations:
Verco's policy includes examples of best practice, including how to create strong passwords, but this is not widely known among employees. Verco should consider offering dedicated training sessions on the appropriate use of employee-owned devices. For instance, before an employee is granted access to work email on his or her phone, the IT team could send across a detailed summary of how to use the device and how to create passwords, as well as the need to register the device and record its serial number.
IS7: There is independent testing of the robustness and appropriateness of the IT security controls and the person responsible for data protection is informed of the results.
Grade: Observation
Verco last conducted an IT audit in 2013. This assessment included information systems and overall security controls.
Assessment:
The IT department is considered responsible for organising the testing of the robustness and appropriateness of the IT security controls. The data protection team was only vaguely aware of the last IT assessment and did not know how to access it without going through the IT department. There is as yet no formal process in place to establish the frequency of independent IT assessments, but one has been mentioned for early 2017.
Recommendations:
Verco should establish a formal timeline for carrying out independent IT assessments that cover the robustness and appropriateness of IT security controls; these should be undertaken at least annually. In addition, this should not just be the purview of the IT department, but should actively involve the data protection team as well.
IS8: Specific training on information systems security is organised for all employees.
Grade: Minor non-compliance
Specific training on information systems security formed part of the training plan for 2015 but does not form part of the training plan for 2016.
Assessment:
Any employee in either the head office or a branch who started after 21 November 2015 has not received specific training on information systems security.
Recommendations:
Verco should consider making such training a mandatory part of a new employee's induction session, and hold such training at regular annual intervals to refresh employees' awareness.
4. Legal environment
LE1: There is a process to monitor and comply with the applicable legal requirements in all the jurisdictions in which the organisation handles data or where liability might arise.
Grade: Merit
The data protection team, composed entirely of qualified lawyers, follows developments in data protection law and monitors all legal requirements.
Assessment:
It is clear who is responsible for monitoring and ensuring that Verco complies with the applicable legal requirements. The data protection team cooperates well with the legal team. Regular meetings, about once every two to three weeks, are held between the data protection team and the legal team to monitor developments in the world of data protection and privacy.
Recommendations:
While the legal teams at Verco monitor any developments, Verco may wish to consider making it easier for its legal staff to attend comprehensive training sessions conducted outside the firm (see MG8).
LE2: Changes to the applicable data protection legislation are communicated clearly and speedily to the relevant people within the organisation. The impact of any changes on the organisation's policies and processes is constantly evaluated.
Grade: Observation
Any changes to the applicable data protection legislation are summarised in a weekly newsletter that is sent around the company. The legal meetings (see LE1) cover the impact of any changes on Verco's policies and processes.
Assessment:
As noted under LE1, changes are generally communicated clearly and speedily, and all relevant people felt they were made aware of any changes in a timely manner. However, Verco should ensure that information is specifically targeted at those people who will be concerned by it: there is a risk that the newsletter will not be read by employees (about 20% of interviewees reported that they would delete or file the newsletter immediately without reading it in full).
Recommendations:
In addition to the weekly newsletter, it is helpful to target new information more specifically at those people who will be responsible for it. For instance, a change in the IT requirements should always also be specifically mentioned and sent to the IT department separately.
LE3: Where legally required, the organisation has registered with the
appropriatedataprotectionauthoritiesinthedifferentjurisdictionsinwhich
itoperates.
Grade:Merit
VercoisregisteredwiththeInformationCommissioner’sOfficer(ICO).
Assessment:
TheregistrationwiththeICOwascompleteandup-to-date.
LE4: The legal implications of any data transfers, including cross-border data transfers, have been considered, and there is a system in place to ensure that data transfers do not compromise the adequate protection of personal data.
Grade: Merit
As a telecommunications provider, Verco’s data inevitably flows across multiple boundaries. The data protection team and the legal team consider cross-border transfers at their regular meetings. Verco’s flowchart “International Transfers” (available on the firm’s intranet) sets out in detail the location of servers and data hubs and covers the necessary steps to take and verify in relation to international data transfers.
Assessment:
The adequate protection of personal data is considered in depth by Verco in relation to international transfers. The legal team and data protection team have included model clauses in all of their international contracts. They conduct regular risk assessments of whether data transfers outside the UK are provided with an adequate level of protection for the rights of the data subjects, and a list of potential steps to take is available should the level not be deemed adequate.
LE5: Where any third parties handle data on the organisation’s behalf, the legal implications of this have been considered and the obligations for each relevant party are clearly set out in a contractual manner.
Grade: Merit
All contracts with third parties have a dedicated data protection and privacy section and clearly set out the obligations and rights of both parties, as well as establishing precisely who assumes the role of data controller and data processor.
Assessment:
The contractual frameworks that Verco enters into with any third party that handles personal data on its behalf are clear and comprehensive. They include provisions to terminate and/or demand substantial damages for any breach of the data protection clauses, and any breach has serious contractual consequences. The
preamble of each contract mentions the importance of adequate data protection and of abiding by the provisions related to it.
5. Operational data practices
OP1: The organisation obtains subjects’ free, specific, informed and unambiguous consent prior to gathering data.
Grade: Minor non-compliance
Each of the contracts surveyed that recorded any type of personal data has provisions governing the issue of consent. Verco’s website has a pop-up window explaining the cookies employed and the information gathered.
Assessment:
Internally, Verco’s contracts are clear and ask for the specific consent of its employees prior to gathering any data on them. On its website, it is impossible to access the main page without first agreeing to the notification that appears immediately upon visiting www.vercotelecom.co.uk.
Verco also enters into many contracts a day with customers across the country, both online and in its stores. The contract it employs when customers are, for instance, setting up a new mobile phone payment plan includes consent language that is fairly wide in scope. It is impossible to opt out of marketing emails and the sharing of data with third parties other than by writing a separate letter to Verco’s head office. Once the letter is received, the relevant person will be notified and the name removed from any marketing list and data sharing list within 24 hours.
The consent language forms part of the overall small print in Verco’s standard contracts, in the data protection and information sharing section. There is no separate summary, nor is the consent language highlighted in any particular way. Staff training in stores includes verbally reminding the customer of the consent language and that he or she, by signing, agrees for his or her data to be used; some stores offer to immediately remove the customer’s name from any marketing or information sharing lists if the customer so wishes, without the customer having to go through sending a letter. However, there is no uniform approach, and not all staff members remembered that they should remind customers of the information sharing the customers agree to by signing the contract. Several customers interviewed were unaware of their opt-out rights and uncertain whether they had to provide consent or not, or whether they could withdraw consent once given.
Any changes to the terms and conditions in relation to privacy are well communicated and clearly set out. Customers are emailed and sent a letter setting out the changes, and offering an immediate opt-out, or indeed termination of the contract without any cancellation fees, by clicking a link (in the email) or by calling a number (both in the email and in the letter).
Recommendations:
Verco should change its contracts, both online and in hard copy, to allow customers to immediately opt out of any information sharing not strictly necessary to the provision of services. Ideally, customers would have to explicitly opt in before giving any such consent. Verco should make sure that all customers are fully informed of their rights in relation to consent, whether they enter into a contract online or in a store.
It is noted that the law in relation to consent is strengthened from May 2018 onwards: consent under the GDPR requires clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute clear
affirmative action. Verco must consider this and revise its standard approach to obtaining consent in time to comply with the GDPR.
OP2: The organisation has systems in place to ensure the recording of any consent given and the existence of an effective audit trail.
Grade: Merit
A complex filing management system holds the records of all customers and other third parties, and offers specific search functions in relation to whether any individual third party has consented, how they consented, and to what they consented.
Assessment:
Verco appears to have a robust filing system and organises its records very well, giving rise to the existence of an effective audit trail.
OP3: If the organisation buys data, it ensures that data subjects have consented to the use to which the data is being put.
Grade: Not applicable
Verco does not buy any data.
OP4: The organisation collects only such information as it requires for its stated purpose, and strives to minimise any data collection to that which is strictly necessary.
Grade: Minor non-compliance
The information Verco collects covers people’s names, addresses, bank details, birthdays and personal password questions, which include, amongst other options, a person’s mother’s maiden name, the names of any children or other personal information.
In addition, Verco offers non-mandatory questions relating to a person’s hobbies, interests and frequently visited locations, in order to “optimise any information shared with” a customer.
Assessment:
Verco makes the provision of information mandatory only to the extent this is required to provide its services to a third party. However, it asks additional questions, which, although not mandatory, serve to obtain additional personal information and are not strictly necessary. Not all customers were aware that some of the information requested was not, in fact, mandatory to give.
Recommendations:
Verco should reconsider its information-gathering process. Instead of asking additional questions in the same documents as the mandatory questions (i.e. those necessary for the provision of the requested services), Verco could ask the additional questions in a separate process, on a different set of papers. This would also allow it to clearly communicate the purpose of the additional information and ensure that the third party providing such information does so in a fully informed and consenting manner. In any case, Verco should ensure that it is beyond doubt what information is crucial, and what information is not strictly necessary.
In addition, Verco should ensure it has a clear idea of what it intends to use any information obtained for, and why it is asking certain questions. This will allow it to communicate the statement of purpose before asking the relevant questions, and avoids the risk of asking as many questions as possible and considering what to do with the answers afterwards.
OP5: The organisation communicates its data protection policies and practices, and what it will use the data for and why, at all data collection points.
Grade: Observation
Many of Verco’s data protection policies and practices are available online, and contracts generally state what it will use the data for and why.
Assessment:
While all data collection points usually have a document, or at least a statement, available to the data subject explaining what Verco’s data protection policies and practices are, some of them merely refer to where the data protection policies and practices can be found, and make it unduly complicated to find out what the data will be used for and why.
Customer-facing staff generally had a good sense of what the data will be used for and why, and were able to communicate this to customers. However, some of the staff were uncertain and would not feel confident explaining to third parties the use of the data and why it is being collected.
Recommendations:
Verco should ensure that all data collection points allow the data subject to find out immediately what the data is used for and why it is being used in such a way, without having to click through to other websites and undertake additional research.
Verco should also make sure that its staff are universally aware of the applicable data protection policies and practices and able to explain to customers, at least in very broad terms, how their data is being used and why, where relevant.
OP6: The organisation communicates its policy on how long it will keep data and how it will dispose of it.
Grade: Observation
How long data is kept and how it will be disposed of is contained in the summarised data protection policy.
Assessment:
The summary of the data protection policy is available publicly on Verco’s website; however, most standard documents and contracts do not specify how long Verco will keep the collected data and how it will be disposed of. A significant majority (74%) of interviewed staff and third parties did not have any idea of how long their data is likely to be kept and how it will be disposed of.
Recommendations:
Third parties as well as staff should be able to get a quick sense of what happens to their data when it is disposed of and what the timeframe for keeping such data is. Verco should consider including that information in the standard documents and contracts, in the section on data protection and privacy.
OP7: The organisation obtains subjects’ consent prior to disclosing or selling their data to third parties and explains the purpose of the disclosure.
Grade: Observation
Consent is obtained through contractual documents and other documents which require a data subject’s signature.
Assessment:
While Verco has valid consent for the data to be disclosed (it does not sell any data) to third parties, it is not always clear that this consent was given explicitly and unambiguously. Some of the consent is obtained implicitly by signing a contract of whatever nature with Verco, and can be revoked only by reaching out directly to Verco (see OP1).
Recommendations:
See OP1.
OP8: The organisation makes reasonable efforts to explain to vulnerable people their rights and to guide them on sensible precautions they can take to protect their data.
Grade: Commendation
At least one staff member in each of Verco’s stores has undergone a dedicated half-day training course in dealing and engaging with vulnerable people, which includes a section on protecting their data and talking to the subjects about what precautions can be taken.
Verco issues specific guidelines on engaging with vulnerable people, which include a section on data protection. All staff obtain a copy of the guidelines, and frontline staff must do an annual online training session on the guidelines.
Assessment:
Verco’s guidelines are clear and comprehensive, and include sections on, inter alia, identifying vulnerable customers, practical tips on how to engage with them, specific considerations for frontline staff, and guidance on how their personal data should be protected.
OP9: The organisation has systems in place to verify data subjects’ ages and to obtain parental or guardian consent for any data processing where necessary.
Grade: Merit
For any contract, proof of age must be provided in the form of a passport or driving licence, together with a second form of identity such as a bank card or utility statement.
Assessment:
Verco has specific guidelines in place on how to deal with anyone below 18 and below 16, in accordance with the applicable laws. For under-16s, consent is generally required from parents or legal guardians.
OP10: Privacy notices are adapted to the needs of children or other vulnerable individuals where their data is being processed.
Grade: Minor non-compliance
The privacy notices contain a note stating that they are also available in other forms (including braille, large type-set and audio versions). No specific privacy notice exists adapted to the needs of children.
Assessment:
It is very positive that alternative formats of the privacy notice are available. However, to obtain a privacy notice in a format other than the standard one which is available online, it is necessary to email or call Verco specifically, and it may take up to a week before it is provided. About 60% of the interviewees were not aware that alternative formats existed, and were unsure how to obtain them.
Recommendations:
The staff in Verco’s stores should be trained to be able to source and distribute alternative formats of the privacy notices without any delay. Ideally, they would be able to directly distribute such alternative formats in store or by mail/online without having to first contact Verco’s head office.
Verco should ensure that its privacy notices are adapted to the needs of children and explain the steps taken if the data subject is under 16.
OP11: There is a policy on the use of CCTV and audio recording which is made available to all those who could be recorded.
Grade: Merit
The policy on the use of CCTV and audio recording is contained within the overall data protection policy and is also referred to in the privacy notices.
Assessment:
CCTV and audio recordings, while employed very sparingly by Verco, are mentioned in the relevant policies, which can be easily accessed by those who could be recorded.
OP12: Information collected is used only in the ways for which the organisation has explicit permission.
Grade: Observation
Information on the use of the collected data can be accessed by the data subjects before their data is collected, and the contractual documents contain provisions which, by signing, give permission to use the collected information as intended.
Assessment:
By entering into any sort of contract the data subjects give their permission for their data to be used in accordance with Verco’s standard policies and processes. However, not all customers confirmed that they had given explicit permission for some uses, such as sending a twice-monthly newsletter to Verco’s customers informing them of special deals and promotions. Even though, legally, permission was clearly given, many customers did not feel that explicit permission was given to use their data in ways that go beyond the merely operational and necessary to satisfy a customer’s service requirements.
Recommendations:
Verco should ensure that those uses which would, by most customers at least, be deemed to go beyond the strictly necessary to enable the provision of services are highlighted and require specific permission.
OP13: There are processes which govern the monitoring of employees’ use of internet, email and other communications systems.
Grade: Minor non-compliance
Verco’s internal employment handbook sets out the rules and regulations pertaining to employees’ use of internet, email and other communications systems. All use may be monitored and a log may be kept of any use.
Assessment:
The employment handbook clearly sets out the processes governing the monitoring of employees’ use of internet, email and other communications systems. Certain use is entirely prohibited, such as accessing pornographic material or accessing or circulating any material that is of a racist, misogynistic or otherwise hateful nature. Verco explicitly states that it has the right to monitor any use and that logs of use are kept. Attempts to access any prohibited sites are automatically flagged to the IT department, who after three such attempts pass on the alert to the relevant department/line manager. It is the department/line manager’s obligation to raise the issue with the relevant employee and to issue a warning if necessary.
There have been no warnings issued in the last two years, despite some employees reporting that colleagues had used their own laptops to access inappropriate material during office hours. Line managers reported that even when they did get an alert, they did not always feel comfortable raising the issue with an employee, and felt that there was insufficient guidance to explain to them how to broach the topic and issue warnings.
Recommendations:
Verco should consider offering training sessions to line managers on how to address inappropriate user behaviour, and stress the importance of following the appropriate use policy.
In addition, Verco may wish to consider a blanket ban on the use of personal laptops and other handheld devices during office hours, and re-circulate its communication about what may and what may not be accessed or circulated by employees during office hours or using office equipment.
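The OP13 escalation rule (every blocked attempt is flagged to IT; after three attempts the alert is passed to the line manager) written out as detection logic over a few constructed proxy log lines. This is an added example, not code from the report or from any Verco system; the log format, the category name "prohibited" and the employee-to-manager mapping are assumptions made for the example.

```python
"""Added example of the OP13 alerting and escalation rule.

Not the report's or Verco's code. Assumed: a whitespace-separated proxy log
(timestamp, user, URL, proxy action, category), an IT-maintained line manager
mapping, and that 'prohibited' is the category the proxy assigns to banned sites.
"""
from collections import defaultdict

# Constructed sample proxy log for the example (not real traffic).
SAMPLE_LOG = """\
2016-08-03T09:12:01 alice https://intranet.example/home ALLOW internal
2016-08-03T09:14:22 bob https://blocked-a.example/ BLOCK prohibited
2016-08-03T10:02:45 bob https://blocked-b.example/ BLOCK prohibited
2016-08-03T10:03:10 carol https://news.example/ ALLOW news
2016-08-03T11:40:00 bob https://blocked-c.example/ BLOCK prohibited
2016-08-03T11:41:15 bob https://blocked-c.example/ BLOCK prohibited
2016-08-03T12:00:00 alice https://blocked-a.example/ BLOCK prohibited
"""

# Assumed employee -> line manager mapping (hypothetical names).
LINE_MANAGERS = {"alice": "dana", "bob": "erin", "carol": "dana"}

ESCALATION_THRESHOLD = 3  # report, OP13: IT passes the alert on after three attempts


def parse_log(text):
    """Parse proxy log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, url, action, category = parts
        events.append({"ts": ts, "user": user, "url": url,
                       "action": action, "category": category})
    return events


def is_prohibited_attempt(event):
    """A blocked request to a site the proxy classifies as prohibited."""
    return event["action"] == "BLOCK" and event["category"] == "prohibited"


def prohibited_attempts(events):
    """Total blocked prohibited-site attempts per user."""
    counts = defaultdict(int)
    for e in events:
        if is_prohibited_attempt(e):
            counts[e["user"]] += 1
    return dict(counts)


def alerts(events, threshold=ESCALATION_THRESHOLD):
    """Return (it_alerts, manager_alerts) for the events, in log order.

    Every blocked attempt produces an IT alert. When a user's running count
    reaches the threshold, exactly one escalation is produced for that user's
    line manager; later attempts by the same user stay with IT.
    """
    it_alerts, manager_alerts = [], []
    running = defaultdict(int)
    for e in events:
        if not is_prohibited_attempt(e):
            continue
        running[e["user"]] += 1
        it_alerts.append((e["ts"], e["user"], e["url"]))
        if running[e["user"]] == threshold:
            manager_alerts.append({
                "employee": e["user"],
                "line_manager": LINE_MANAGERS.get(e["user"], "unassigned"),
                "attempts": threshold,
                "escalated_at": e["ts"],
            })
    return it_alerts, manager_alerts


if __name__ == "__main__":
    it, mgr = alerts(parse_log(SAMPLE_LOG))
    print(f"{len(it)} IT alerts, {len(mgr)} escalation(s)")
    for m in mgr:
        print(f"escalate {m['employee']} to {m['line_manager']} "
              f"after {m['attempts']} attempts (at {m['escalated_at']})")
```

Note that this log only sees traffic that passes through the corporate proxy: browsing on a personal laptop over a non-corporate connection, the behaviour the report's interviewees described, never reaches it, which is why the report's second recommendation (a device policy) matters as much as the alerting rule itself.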
OP14: The organisation has a clear process to review any personal data it holds, where it has come from and with whom it is shared.
Grade: Merit
A process is in place which automatically flags up personal data that has been held for a period of 18 months, at 18-month intervals, prompting the marketing and sales department to verify if the data is still correct, to verify its origin and whether it has been shared and with whom. An email is sent to the relevant data subject to confirm the personal data, and to inform him or her of what data is being held.
Assessment:
The review of personal data is clear and regular. It is unclear how much time should pass before a reminder is sent to the data subjects if they do not respond to emails, but a clear rule exists that if there is no reply after
4 months, any non-essential data (i.e. data not necessary to the performance of the contract or customer relationship) is erased.
Recommendations:
A clear guideline on how often and at what intervals the data subject should be reminded to respond after the initial email should be implemented and shared among all relevant employees.
OP15: The organisation has a system in place to consider the most appropriate way of sharing data, including where appropriate by way of pseudonymisation.
Grade: Merit
Verco has clear rules and processes in place in relation to sharing data, focussing mainly on ensuring that consent or necessity exists for the sharing of data, and that appropriate safeguards are in place with the recipients of data.
Assessment:
Before any data is shared with outside recipients, the sender must confirm that he has considered the appropriateness of sharing data and that safeguards are in place to guarantee secure handling of the data – this includes verifying if the data requires sharing, if the data protection policies and processes of the recipient are acceptable, and if it is necessary to reveal personal data or if some data can be anonymised.
OP16: Data is kept up to date as necessary and a system is in place to identify inaccuracies and, where relevant, to correct them.
Grade: Merit
As mentioned in OP14, data held automatically gets flagged every 18 months for a verification exercise.
Assessment:
In addition to the email sent to the data subject (see OP14), Verco employees (usually in the Sales and Marketing department) are asked to check if there is any information that suggests the personal data must be updated or changed, e.g. if they have received letters marked “non-deliverable”, or if they have received any correspondence from the relevant data subject.
OP17: There are rules governing the temporary or permanent removal of data, whether hard-copy or electronic, from the organisation’s secure sites.
Grade: Merit
A separate handbook exists for the removal of any data, whether temporary or permanent, or hard-copy or electronic. The IT department is the only department which has employees authorised and able to remove any electronic data from Verco’s secure sites.
Assessment:
Any requests to remove any data from Verco’s secure sites must go through the IT department, which is specifically trained to consider the rules relating to the temporary or permanent removal of data. When in doubt, it is mandatory to reach out to Verco’s legal department and/or the data protection team.
For hard copies, the employment handbook, the data protection policy, and the separate handbook for the removal of data all specify that any permanent removal must be done securely, and any destruction must be done using the shredding machines available in each store and in the head office. These machines all carry warning signs to consider whether the removal is necessary and has been considered fully, and provide the contact details of the data protection team and the legal department in case of doubt or questions.
OP18: The organisation recognises data subjects’ right to erasure and has a system in place which addresses such requests.
Grade: Observation
The publicly available privacy notice mentions a data subject’s right to erasure, and specifies that a system exists to address such requests. The internal data protection policy refers to a document entitled “Dealing with Data Subjects’ Requests” which is available on Verco’s intranet and was last updated in July 2016.
Assessment:
The document “Dealing with Data Subjects’ Requests” is a comprehensive guidance document for addressing the various types of potential data subject requests, from access requests to erasure requests. It sets out exactly how these requests should be dealt with and who is responsible for them, in a clear and easily accessible flowchart. Any request is supposed to be logged and the data protection team is responsible for keeping the logbook up to date and following up on any outstanding entries.
Two of the interviewed customers reported that they had made requests (access requests in both instances) but had not heard anything back and were therefore understandably not satisfied with the way their requests were handled. Both complaints were in fact recorded in the requests logbook, but had not been followed up on.
Some of the receptionists and front-line staff interviewed were not confident about how to deal with any data subject request, and were not aware that a specific document on how to deal with any requests existed, though they did suggest they would be likely to find it once they started looking for it on the intranet website. Indeed, the document is prominently displayed on the homepage of the “Data Protection and Information Sharing” tab on Verco’s intranet site.
Recommendations:
Training for receptionists and anyone who is customer-facing should include a dedicated section on how to deal with data subject requests. It may also be helpful to send out regular reminder emails (once a month) to highlight the relevant policies and where to access them.
The data protection team should ensure that the logbook is inspected carefully on a regular basis (at least once to twice a week) and that any outstanding entries are dealt with as soon as reasonably practicable.
OP19: Data is disclosed to third parties only by those with authority to do so.
Grade: Observation
A list of those with authority to disclose data to third parties is kept by the data protection team. For each employee, an assessment is made whether authority is needed, depending on their role and job category. Some employees, such as store staff, automatically get authority by virtue of their role and interaction with customers.
Assessment:
Only those authorised to do so disclose data to third parties, but the list of people with authority to do so is large and encompasses a majority of staff. Of the interviewed employees, 86% were authorised to disclose data according to their employee profile. Some of the staff, such as store staff, are automatically allowed to disclose data without any assessment of whether they need to be able to do so. Given that the sharing of data between stores and the head office and other points of contact (banks and other finance institutions, credit check providers, etc.) is necessary to provide customer services, this makes sense – however, staff includes cleaners on some sites: in Nottingham and Birmingham Verco employs its own cleaners, who have the same rights and disclosure status as other Verco employees on those sites; in London and Bristol cleaning is contracted out (and no such privileges are granted). This is likely an oversight (and the cleaners interviewed did not have any access to personal data), but there is no reason why all staff in stores should automatically get disclosure rights.
Recommendations:
Verco should not use categories to grant general authority to employees, but should allocate authority strictly on the basis of necessity and consider the duties and job description of each employee before giving the employee data sharing authority.
OP20: Data is held for a defined period of time or until the need for it has passed, and then the data is securely suppressed or deleted.
Grade: Merit
As mentioned in OP14, data is regularly reviewed every 18 months. If the review reveals that the data is no longer needed, or consent or necessity to use the data no longer exists, then the data will be securely suppressed or deleted.
Assessment:
Each contract sets out clearly the timeframe for which data is held, and that the data will be deleted if it is no longer needed or if consent to use it is no longer forthcoming (subject to any legal requirements). Before any data is suppressed or deleted, it is possible to reach out to the data protection team and the legal team to verify if the deletion is appropriate.
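The retention review cycle described in OP14 and OP20 (flag every 18 months, email the data subject, erase non-essential data after 4 months without a reply, refer data that is no longer needed or no longer consented to for suppression or deletion) written as one decision function and run day by day over constructed records. This is an added example and not the report's or Verco's own system; the 18-month and 4-month figures are the report's, while the record layout, the list of "essential" fields and the 30-day reminder interval (the report notes Verco has no defined interval) are assumptions for the example.

```python
"""Added example of the OP14/OP20 retention review cycle (not Verco's code).

Assumed: one record per data subject with the fields below; 'essential' means
needed to perform the contract; reminders every 30 days (the report records
that no interval is defined, so this value is an assumption).
"""
from __future__ import annotations
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL_MONTHS = 18   # report, OP14: data flagged every 18 months
NO_REPLY_MONTHS = 4           # report, OP14: non-essential data erased after 4 months
REMINDER_INTERVAL_DAYS = 30   # assumption: the report notes no interval is defined
ESSENTIAL_FIELDS = {"name", "address", "bank_details"}  # assumption


@dataclass
class Record:
    subject_id: str
    collected_on: date
    data: dict
    consent_valid: bool = True
    still_needed: bool = True
    last_reviewed_on: Optional[date] = None
    confirmation_sent_on: Optional[date] = None
    last_reminder_on: Optional[date] = None
    replied_on: Optional[date] = None
    referred_for_deletion: bool = False


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def review_due_on(collected_iso: str) -> str:
    return add_months(date.fromisoformat(collected_iso), REVIEW_INTERVAL_MONTHS).isoformat()


def erase_non_essential(data: dict) -> dict:
    return {k: v for k, v in data.items() if k in ESSENTIAL_FIELDS}


def review_step(rec: Record, today: date) -> str:
    """Apply one daily pass of the cycle to rec (mutating it); return the action."""
    if not rec.still_needed or not rec.consent_valid:
        # OP20: deletion needs the DP team / legal check first, so refer, never delete here.
        if rec.referred_for_deletion:
            return "none"
        rec.referred_for_deletion = True
        return "refer_for_deletion"
    anchor = rec.last_reviewed_on or rec.collected_on
    if today < add_months(anchor, REVIEW_INTERVAL_MONTHS):
        return "none"
    if rec.confirmation_sent_on is None:          # review due: email the data subject
        rec.confirmation_sent_on, rec.last_reminder_on, rec.replied_on = today, None, None
        return "send_confirmation"
    if rec.replied_on is not None:                 # subject confirmed: restart the clock
        rec.last_reviewed_on = rec.replied_on
        rec.confirmation_sent_on = rec.last_reminder_on = rec.replied_on = None
        return "mark_reviewed"
    if today >= add_months(rec.confirmation_sent_on, NO_REPLY_MONTHS):
        rec.data = erase_non_essential(rec.data)   # keep only what the contract needs
        rec.last_reviewed_on = today
        rec.confirmation_sent_on = rec.last_reminder_on = None
        return "erase_non_essential"
    if (today - (rec.last_reminder_on or rec.confirmation_sent_on)).days >= REMINDER_INTERVAL_DAYS:
        rec.last_reminder_on = today
        return "send_reminder"
    return "awaiting_reply"


def simulate(records, start: date, end: date, replies: dict):
    """Run the cycle daily; replies maps subject_id -> date the subject replied."""
    actions = []
    today = start
    while today <= end:
        for rec in records:
            if replies.get(rec.subject_id) == today and rec.confirmation_sent_on is not None:
                rec.replied_on = today
            action = review_step(rec, today)
            if action not in ("none", "awaiting_reply"):
                actions.append((today.isoformat(), rec.subject_id, action))
        today += timedelta(days=1)
    return actions


def run_sample():
    """Constructed records: S1 never replies, S2 replies, S3 has withdrawn consent."""
    records = [
        Record("S1", date(2015, 1, 15), {"name": "A. Subject", "address": "1 Example St",
                                         "bank_details": "redacted", "hobbies": "cycling",
                                         "locations": "Bristol"}),
        Record("S2", date(2015, 2, 1), {"name": "B. Subject", "address": "2 Example St",
                                        "bank_details": "redacted", "hobbies": "chess"}),
        Record("S3", date(2016, 1, 1), {"name": "C. Subject"}, consent_valid=False),
    ]
    actions = simulate(records, date(2016, 7, 1), date(2016, 12, 31), {"S2": date(2016, 8, 10)})
    return actions, records


if __name__ == "__main__":
    for row in run_sample()[0]:
        print(*row)
```

The point the simulation makes is the one the report raises: with no defined reminder interval the outcome for a silent data subject is driven entirely by the 4-month deadline, and only the fields a contract actually needs survive it; everything else (hobbies, visited locations) is erased without further human decision, whereas withdrawn consent is referred rather than acted on automatically.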
OP21: Processes exist to destroy data or to render it irrecoverable. Confidential waste is properly handled.
Grade: Commendation
The processes in place to destroy data or to render it irrecoverable are set out in the internal data protection policy. Any data which is stored off-site with CloudStorage (the vast majority of data) and needs to be destroyed is destroyed by CloudStorage itself, after a confirmation process.
A contractor comes to the site three times a week to collect any shredded material and other confidential waste.
Assessment:
The processes to destroy data are very clear and involve steps taken by the data protection team, the legal team and CloudStorage. Any data which is to be destroyed permanently must have obtained electronic agreement from the data protection team and the legal team (through a simple online ticking exercise). Before CloudStorage proceeds to destroy data, it sends across a summary document of the data to be destroyed and awaits Verco’s final confirmation.
An outside contractor of very good reputation, ConfiShredder Ltd, picks up confidential waste from all of Verco’s offices and stores across the UK on a thrice-weekly basis, and transports any waste in locked steel bins to the local incinerator plant. A staff member of ConfiShredder Ltd ensures that all material is burnt before leaving the site, and ConfiShredder invites its customers to join the process and inspect at any time – which Verco has done on two occasions, in June 2013 and July 2015.
OP22: Data is securely erased from equipment prior to the equipment’s disposal.
Grade: Merit
The internal data protection policy covers the secure deletion of data on any equipment that is about to be disposed of. All of Verco’s electronic equipment contains remote-erasure software.
Assessment:
All electronic equipment must be returned to the IT department if it is faulty or if it needs to be disposed of. The IT department has clear instructions and facilities to back up on an external server any data contained on the equipment, and to securely erase the data on the equipment itself. The methods used are state-of-the-art and ensure that there is no recovery process that can be undertaken to recover, at a later point, any of the data once present on the relevant equipment.
In addition, it is possible to remotely erase any data on any equipment, in case it gets lost or stolen.
OP23: The organisation has additional safeguards in place for the processing of sensitive personal data.
Grade: Merit
Both the publicly available privacy notice and the internal data protection policy stipulate the additional safeguards in place for the processing of sensitive personal data. Before such data is processed, approval must be obtained from a member of the data protection team. Any collection of such data on paper or electronically is prefaced by a separate text asking the collector whether the information is actually necessary, and to limit such collection to the minimum possible.
Assessment:
Verco has additional safeguards in place for the processing of sensitive personal data. The internal policy has a dedicated section on sensitive data which sets out clearly what the grounds are to process sensitive personal data, and the ground of consent has been updated to reflect the new GDPR requirements.
The policy also gives a list of what is considered sensitive personal data, namely:
• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• data concerning health or sex life and sexual orientation.
This does not reflect the GDPR, which also explicitly encompasses genetic data and biometric data where processed to uniquely identify a person. Given that fingerprints and biometric data are routinely used now as part of any telecommunications, this is data that should be specifically mentioned. While Verco does already
treat genetic and biometric data as sensitive, it may be advisable to include it specifically in the list set out in its policy.
Recommendations:
Verco should update its policies to clearly include genetic and biometric data as sensitive data.
6. Managing employees who handle data
ME1: Employees receive periodic training on data protection and, where relevant, on how to handle data protection queries.
Grade: Observation
Each new employee is required, upon joining Verco, to undertake the firm-wide e-learning on data protection, which takes approximately 45 minutes. This training has to be retaken annually. A test at the end of the e-learning checks knowledge, and employees have to obtain 90% before they are considered to have completed the training.
Dedicated training is provided, usually by external providers, to the members of the data protection team.
Assessment:
The training on offer is slightly lacking in respect of customer-facing staff/receptionists and could be more frequent, as set out in OP18. There is no tailored training for staff apart from the additional, external training offered to the members of the data protection team. This means that all employees receive the same training on data protection, no matter how relevant the issues are to any particular employee.
Recommendations:
Verco should tailor specific training according to an employee’s needs. Basic overall training is a good idea, but additional training should be considered for those who are likely to have to deal with requests, process large amounts of personal data (HR staff members, customer-facing employees), etc.
ME2: The person designated as being responsible for data protection within the organisation receives specific training and is aware of a data protection officer’s tasks and responsibilities.
Grade: Merit
Miguel Samarrco is Verco’s data protection officer. He has a dedicated training plan which includes training sessions on management skills and data protection related topics.
Assessment:
Miguel Samarrco receives specific training and is aware of his tasks and responsibilities as data protection officer. The data protection officer at Verco must undertake at least 3 training days and is entitled to up to 10 training days a year in order to further his job knowledge, with a possibility to extend if the additional training is approved by his supervisor and justified by its content and Samarrco’s need.
Additional training is also offered to the rest of the data protection team. Other staff members are entitled to join in but must do so on their own initiative and are not guaranteed to be able to use a work day for attending – this must be confirmed on a case-by-case basis by their direct supervisor.
ME3: There are regular communications campaigns to raise employees' awareness of data protection.
Grade: Observation
The last general communication campaign on data protection was undertaken in January 2015, by email. Before that, a campaign to raise awareness was undertaken in October 2012, by distributing "data protection info kits" to all employees.
Specific emails on a variety of topics (such as phishing or other email scams, clear-desk policy, choosing adequate passwords and other privacy related matters) are sent on an ad-hoc basis.
Assessment:
While communication emails are sent out fairly regularly, there is no formal system and no clear idea of what topics will be covered. The communications campaigns lack structure and are organised on an ad-hoc basis as the data protection team and colleagues from legal or senior management see fit.
Recommendations:
Verco should consider spending some time setting up a clear communications plan with respect to data protection issues, responding not only to specific topics or matters of urgency, but also ensuring that data protection reminders are sent at regular intervals, with links and information for employees to refresh their knowledge and raise overall awareness.
ME4: Data protection policies and procedures are readily accessible for employees' reference.
Grade: Merit
Any policies and procedures, including those relating to data protection, are on Verco's intranet.
Assessment:
The data protection policies and procedures are readily accessible for the employees' reference, across all of Verco's operations. Each employee has a personalised log-in for Verco's staff intranet, which contains a dedicated section on data protection policies and procedures.
ME5: Employees are subject to written contractual confidentiality obligations.
Grade: Merit
The employment contract, as well as any agent or freelancer contracts, contains confidentiality obligations.
Assessment:
The written contractual confidentiality clauses are binding on each employee and third party hired by Verco, as well as on Verco itself. They are comprehensive and cover all the relevant areas.
ME6: Disciplinary processes are used to support observance of data protection policies.
Grade: Minor non-compliance
According to the Code of Conduct, disciplinary processes are mandatory should the data protection policy not be observed. No records exist of a formal disciplinary process having started because of an infringement of the data protection policy.
Assessment:
All infringements of Verco's key policies, of which the data protection policy is one, are subject to disciplinary processes. It is clearly stated in the Code of Conduct that disciplinary processes are used to support observance of those policies. A strong majority of employees were certain that if someone did infringe the data protection policy, a formal disciplinary process would be set in motion. However, there is no record of a formal disciplinary process ever having been triggered by a non-observance of the data protection policy. Given that several data protection policy infringements have been noted in the past, were reported by the interviewees and have been noted by the assessors during the assessment (such as storage spaces not being locked by key, desks not being kept clear, inappropriate use of private devices), there seems to be a disconnect between the actions of employees and the enforcement of data protection rules.
There is also no clear picture of what that disciplinary process would in fact encompass – the Code of Conduct contains only a general statement to the effect that "disciplinary processes will be set in motion in relation to any infringement of any policies, including the sending of warning letters and, as a last resort, ultimate dismissal from the employee's post."
Recommendations:
Verco should set out in more detail what its disciplinary process entails and what the different steps are from the first formal warning letter to the ultimate sanction of dismissal. This should be contained in an updated Code of Conduct.
Verco should further ensure that the formal disciplinary process is actually used in respect of data protection infringements to signal that it is serious about the respect of its data protection policies. A formal first warning letter to employees in breach of a data protection rule, setting out what the infringement is, how to avoid such infringement and offering to discuss and/or provide further clarification in person would be a good first step.
In addition, Verco may wish to consider including a sample (fictitious or anonymised) case study in its Code of Conduct or its data protection policy on how the disciplinary process would be used in respect of infringements of the organisation's data protection rules.
7. Managing routine access by third parties
TP1: The organisation communicates its data protection policies and standards clearly to service providers and business partners.
Grade: Observation
Verco usually sends its data protection policy and standards to service providers and business partners as part of the contracting process (and before any final contract is entered into). All contractual documents include a part for a third party to acknowledge receipt and understanding of the data protection standards.
Assessment:
Before any contractual relationship with service providers and business partners is set up, Verco asks that the third party has acknowledged and understood Verco's policies and standards. In some cases, the data protection policy and standards are specifically emailed to the third party together with any contractual documentation and the Code of Conduct. In other cases, the third party is asked to verify the policy and standard itself by accessing them online. About 60% of the third parties interviewed which did not receive a specific email with the policies acknowledged that they had not, in fact, verified the data protection policy in advance, even though they were asked by Verco whether they had and were required to make a statement to that effect.
Recommendations:
Verco should ensure that the data protection policy and related standards are communicated by email in advance in each case, and not rely on the third party to obtain the documents itself instead.
TP2: The organisation ensures that service providers' or business partners' data protection practices are adequate prior to instructing them to collect, handle or destroy data on its behalf.
Grade: Minor non-compliance
Verco obtains a contractual statement that its service providers or business partners which collect, handle or destroy data on its behalf meet Verco's data protection policies and standards, and asks them to familiarise themselves with those standards, acknowledging that they have read and understood them (see TP1) as well as having adequate practices themselves.
Assessment:
Other than the contractual statement, and occasionally verifying whether the service provider or business partner has a data protection policy at all, Verco does not check the actual content of any such policy. Nothing appears to be done beyond ensuring that a statement confirming adequate practices is obtained; there is no actual verification or subsequent diligence on the other party.
Recommendations:
Verco is aware of the importance of service providers and business partners having adequate data protection practices if they are to collect, handle or destroy data on Verco's behalf. This is demonstrated by its insistence that those other parties provide contractually enforceable guarantees to that effect. However, Verco should make sure that it verifies at least some of its service providers' or business partners' data protection practices to show its own commitment and safeguard against infringements in its supply chain.
TP3: The organisation imposes adequate contractual obligations on service providers or business partners relating to data protection.
Grade: Merit
Contracts with third parties all include obligations relating to data protection.
Assessment:
Verco ensures that across its contracts with its service providers or business partners, data protection obligations are included and clearly set out. They form part of Verco's boilerplates in its suite of contracts, and were present in every contract that was reviewed for the assessment, as well as every template contract.
TP4: The organisation actively manages its service providers or business partners to ensure data is properly protected.
Grade: Observation
Service providers or business partners must sign up to data protection obligations when entering into a contract with Verco. When data is transferred between the service provider or business partner and Verco, Verco sends its data protection policy and a reminder of the contractual obligations as a matter of routine.
Assessment:
Verco is strong in making sure that the contractual obligations in relation to protecting data are clearly stipulated and reminds its service providers or business partners of its policies and of the obligations in a regular fashion.
However, the reminders are the full extent of Verco's active management, and there is no further follow-up, feedback or verification of how data is handled by the third parties.
Recommendations:
Verco should consider enacting a more formal process in relation to the active management of its service providers' or business partners' handling of data and the protection thereof. It could consider asking for periodic feedback and actively engaging with its business partners or service providers in offering data protection training and checking their commitment to data protection.
TP5: The organisation conducts spot checks on service providers or business partners to ensure compliance with its standards.
Grade: Minor non-compliance
The contracts in place with service providers or business partners contain a right for Verco to audit its contractual partners to ensure compliance with its standards, including the carrying out of spot checks.
Assessment:
While the contractual framework is in place, Verco does not conduct spot checks to ensure compliance and the system in place does not appear to be used (see TP2).
Recommendations:
Verco should include spot checks, starting with key service providers or business partners that handle large volumes of data on behalf of Verco.
TP6: The organisation imposes sanctions where service providers or business partners fail to meet its required standards for data protection.
Grade: Observation
Across its contracts, Verco has specific termination clauses as well as damages and mitigation clauses which apply to service providers or business partners where they fail to meet Verco's required standards for data protection.
Assessment:
While Verco has the right to impose sanctions where its required standards for data protection are not met, it has never had to impose any. Contractually, Verco has robust sanction rights, and there are clear consequences for data protection failures. However, the lack of post-contractual verification on Verco's side renders the sanctions process theoretical, and it is difficult to assess if any sanctions should have been employed but weren't.
Recommendations:
While there is no suggestion that service providers or business partners have in fact failed to meet Verco's required standards for data protection, Verco should strongly consider (as set out in TP2 and TP4) a verification process and spot checks to ensure compliance, and enable it to use its contractual rights to sanction where necessary.
8. Managing Requests
RQ1: Protocols are in place governing the disclosure of data (credentials, criteria, legal advice, requirements placed on recipient etc.).
Grade: Merit
Flowcharts and guidance documents are available on Verco's intranet in respect of the applicable protocols for disclosing data.
Assessment:
The available guidance sets out the protocols in place, explaining what steps to take and what the prerequisites are before any data may be disclosed. Each guidance document contains, at the bottom of several pages, prompts to reach out to the data protection team (with an email and a number to call) should there be any questions or uncertainties.
RQ2: The organisation responds to public authorities' requests for data constructively and responsibly.
Grade: Not applicable
There has never been a request by any public authority for data.
Assessment:
Not applicable.
RQ3: There are clear processes in place to respond to data subjects' requests, including:
• for access;
• to have inaccuracies corrected;
• to prevent direct marketing;
• to prevent automated decision-making and profiling; and
• for data portability.
Grade: Merit
The intranet contains guidance and flowcharts to address data subjects' requests, including the five listed above.
Assessment:
As set out in RQ1, each of the data subjects' requests is addressed in internal guidance and flowcharts, easily accessible on Verco's intranet; if a need for further clarification exists, then contact points are unequivocally identified and people are encouraged to reach out to the relevant data protection representatives.
RQ4: Systems are in place which clearly establish the decision-making process in response to any type of request, and such systems are understood within the organisation.
Grade: Merit
As part of the guidance, which includes the flowcharts (see RQ1 and RQ3), the decision-making process is set out.
Assessment:
The flowcharts make the decision-making process easy to understand and to follow. Each level of management can refer to its position in the flowchart and find out who to speak to, who to escalate an issue to, and who to distribute to or inform of any particular issues.
9. Breaches
BR1: IT systems and data storage facilities are regularly checked for any data breach.
Grade: Observation
The IT department checks for any internal server breaches every last Friday of the month. According to the general T&Cs of Cloud Storage, there is ongoing monitoring of all of its stored data, and a dedicated verification of any breaches once a week.
Assessment:
Both internal storage facilities and external facilities undergo regular checks for data breaches. However, Verco may consider changing its times to avoid repetitive behaviour, and have the monthly checks on different days of the month. In addition, at the moment no detailed records are kept of each check – according to Verco's internal policy, there should be a report after each check, but Verco's IT department was unable to produce a completed report for two of the last six months.
No reports have ever been requested from Cloud Storage on their data breach checks, even though this forms part of Verco's rights. Cloud Storage has comprehensive reports dating back 7 years for each of its checks, and is willing to send executive summaries and/or complete reports to its clients (subject to the applicable confidentiality provisions) in PDF form.
Recommendations:
Verco may wish to consider changing the times when it checks for data breaches to avoid any repetitive or typical behaviour.
It should further ensure that the reports on each check are diligently filled in and properly filed.
Finally, it may wish to consider asking for and reading the reports on the checks conducted by Cloud Storage to keep an eye on its external IT systems and data storage facilities.
BR2: Staff are aware of whom they should speak to if they suspect a data breach.
Grade: Commendation
If a data breach is suspected, the Code of Conduct and the data protection policy set out that staff should speak to their supervisor and inform Verco's data protection team.
Assessment:
Whom to speak to in case of a suspected data breach is clearly set out, and all employees interviewed bar one have a clear and accurate idea of whom to address should they suspect any data breach. This information is also contained in the online induction training all staff have to undergo upon joining. Moreover, it forms part of the "Who to speak to" flowchart available on the intranet which sets out in an easy to comprehend manner who should be addressed in a variety of situations.
BR3: There is a confidential means of reporting data protection concerns.
Grade: Observation
The whistleblowing policy mentions that it can also be used to report any data protection concerns.
Assessment:
None of the interviewees were aware of the confidential means of reporting data protection concerns, but almost uniformly indicated they would know who to speak to and would not be concerned about confidentiality. When asked if they would consider using the whistleblowing hotline to report data protection concerns, the interviewees in almost their entirety had not considered this, and were under the impression that such hotlines are only for issues such as bullying and harassment.
Recommendations:
Verco should consider revising its data protection policy to include an explicit reference to the whistleblowing hotline as being a means of reporting any data protection concerns confidentially. It would also be helpful to add that information to the induction training and make it as well known as the identity of those the staff should speak to if they have any queries.
BR4: The organisation has a protocol governing data breaches that includes information on how to respond and how to inform the affected data subjects as well as notify the relevant authority of the breach in a timely fashion and without undue delay.
Grade: Merit
A dedicated "Data Breaches" document provides guidance as to what to do in case of data breaches.
Assessment:
The available guidance (at the top of the "Data Protection" website on the intranet) sets out clearly, in the form of a checklist, what the protocol governing data breaches is. It provides a helpful flowchart to understand each required step, and sets out who should be notified internally and, if necessary, externally, and what the timeline is. A very good 24 hours from the discovery of a breach is set as the usual target timeline to make all of the necessary internal and external notifications.
BR5: The organisation investigates the causes of data breaches and takes remedial action.
Grade: Not applicable
No data breach has ever been identified.
BR6: The organisation works proactively with authorities investigating potential breaches.
Grade: Not applicable
No breach has been reported or detected. As of mid-August 2016, there had never been an occasion to work with authorities investigating potential breaches.
10. Monitoring and review
MR1: The documentation requirements for the various sets of data are regularly reviewed, and a clear process is in place to identify the organisation's record keeping obligations.
Grade: Merit
Each set of data held is recorded in a log, which also includes information on the type of data and the record-keeping obligations in relation to that type. The log is updated by the different departments, and a guidance document available on the intranet enables employees to identify what the documentation requirements and Verco's record-keeping obligations are.
Assessment:
The log containing the different data sets is clear and updated regularly. It is in electronic format and has an easy to use search function. For each new entry, it prompts the person entering the data to consider the documentation requirements and will not allow an entry to be saved unless the requirements and record-keeping obligations are acknowledged by the employee.
There is a clear process in place which allocates the review of the documentation requirements for the various sets of data to the data protection team, which is also tasked with ensuring that Verco's record-keeping obligations are kept.
MR2: There is a regular review by senior management of the effectiveness of existing data protection measures.
Grade: Observation
The data protection team meets at least once a month, as does the legal team.
Assessment:
The data protection team as well as Verco's legal department regularly review existing data protection measures and have regular meetings to discuss any issues and changes to the legal obligations.
There is no regular consideration by senior management as such of the effectiveness of existing data protection measures; instead, changes and issues are raised on an ad-hoc basis by the data protection team and/or the legal team.
Recommendations:
Verco may wish to consider including the effectiveness of existing data protection measures as a standing order agenda item at board meetings.
MR3: There are periodic audits of the management of data protection.
Grade: Merit
Verco operates a system of internal auditing on an 18-month basis for its different departments, meaning that every 18 months, each department is subject to an internal audit process.
Assessment:
The internal audit system specifically includes data protection management and detailed records are kept of each audit, including a list of shortcomings and weaknesses and a proposed action plan, with progress reviews scheduled for 3 months and 8 months after the conclusion of each audit.
MR4: The organisation conducts periodic unannounced simulations of breaches and attacks which could potentially compromise data protection and privacy.
Grade: Minor non-compliance
A simulated attack, by way of phishing emails sent to employees by Verco's IT department, was conducted in June 2015, with the results and recommendations being distributed to all employees at the end of July 2015. The data protection team envisages at least one such simulation each year going forward (the next one is scheduled for October 2016).
Assessment:
Verco is aware of the threat emanating from cyberspace, and has realised that simulations and fake attacks are very useful in identifying weaknesses and technological as well as operational shortcomings. Its commitment to conduct unannounced simulations yearly is proof of that. Last year's simulation was followed up by a clear summary and practicable recommendations given to all employees. However, the attacks are, at the moment, still ad-hoc and do not span a wide enough range of threats – it is insufficient to focus just on one threat as part of each simulation. Nor do the current fake attacks involve any third parties or expert "friendly" attackers, thereby potentially missing out on professional, state-of-the-art simulations.
Recommendations:
Verco should consider reaching out to external service providers to arrange for simulations of breaches and attacks. This should include a longer-lasting arrangement (at least 6 months), in which Verco is tested in different ways (hacking attacks, phishing emails, spoofing, botnets, pharming and other types of common cybersecurity threats), and an ongoing agreement to carry out regular simulations and attacks to ensure that Verco is continuously up to speed with its data protection.
MR5: There is a periodic report to the board on data protection, along with information and indicators on data breaches.
Grade: Observation
As explained in MG6, Miguel Samarrco, the current data protection officer, has a direct reporting line to the board. However, he is not a regular participant in any board meetings. Information and indicators on data breaches would be transmitted on an ad hoc basis.
Assessment:
Please refer to the assessment box in MG6 above.
Recommendations:
As mentioned in MG6, data protection should become a standing order agenda item at each board meeting. In addition, Verco may wish to consider obliging the data protection team to provide a more detailed report, perhaps once every six months, on any issues and information in relation to data protection and data breaches.
Appendix 2 Document Log
[Intentionally left blank]
Appendix 3 Meeting Log
[Intentionally left blank]