Physical security is of paramount importance to us and is crucial to ensure the safety and security of our equipment as well as the information that our Personnel use or manipulate. Physical Security measures are set out in the Information Security Policy.
• Desks should be kept clear of all documents containing Personal Data at the end of each day.
• Personal Data should be kept in a locked filing cabinet, drawer, or safe. If it is computerised, it should be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.
• Dispose of waste paper securely.
Data Discovery, Cataloguing and Classifying
In addition to the above, we have implemented controls to ensure Personal Data is handled appropriately outside of our core systems. These include protecting and securing information such as:
• Copies of production databases containing personal data taken for testing, development, or analytics purposes;
• Spreadsheets and other data sources populated by exporting customer contact and profiling details for a mail merge (subject to the same standard of security as the core systems);
• Email archives which are likely to contain Personal Data that must be protected under European Data Protection Laws.
Controls that Personnel are expected to follow in this respect are documented in the Information Security Policy whereas detailed notes on how these resources are secured from a technical perspective are included in the Information Security Standard.
Data Loss Prevention
We control data loss through measures such as automatically blocking outgoing email, other messages and file movements that contain Personal Data that has not been protected by appropriate safeguards, e.g. data encryption.
In some situations encryption can be automatically applied to Personal Data when it is classified or identified in an email message or document attachment, while in other situations messages can be quarantined to enable an organizational response.
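The gateway logic described above, as an added illustration that is not part of this policy or of the organisation's actual tooling: a small Python scanner that classifies an outgoing message and its attachments for Personal Data and returns the action the policy describes (allow, automatically encrypt, quarantine for an organisational response, or block). The detector patterns, the internal mail domain, the message structure and the four action names are all assumptions made for the example; a real deployment would use the DLP product's own rulesets.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed for this example: the organisation's own mail domain (assumption).
INTERNAL_DOMAIN = "example.com"

# Illustrative detectors (assumption, not a production ruleset): each maps a
# category of Personal Data to a pattern that finds candidates in free text.
DETECTORS = {
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_mobile": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Return the categories of Personal Data found in the given text."""
    found = set()
    for category, pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if category == "card_number" and not luhn_ok(digits):
                continue  # a digit run that fails Luhn is not treated as a card number
            found.add(category)
    return found


@dataclass
class Attachment:
    name: str
    content: str       # plaintext the scanner can read; empty when encrypted
    encrypted: bool    # already protected by an appropriate safeguard


@dataclass
class Message:
    sender: str
    recipients: List[str]
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def evaluate(msg: Message) -> Tuple[str, List[str]]:
    """Decide what the gateway does with one message: allow, encrypt, quarantine or block."""
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)
    body_hits = classify(msg.body)
    # Encrypted attachments are already protected, so only plaintext ones are scanned.
    attachment_hits = {a.name: classify(a.content) for a in msg.attachments if not a.encrypted}
    attachment_hits = {name: hits for name, hits in attachment_hits.items() if hits}
    findings = sorted(body_hits | {c for hits in attachment_hits.values() for c in hits})

    if not findings:
        return "allow", []
    if not external:
        return "allow", findings        # internal transfer: logged, not blocked
    if "card_number" in body_hits:
        return "block", findings        # too sensitive to remediate automatically
    if attachment_hits:
        return "quarantine", findings   # hold the message for an organisational response
    return "encrypt", findings          # Personal Data in the body only: encrypt and release


if __name__ == "__main__":
    # Constructed sample message for a stand-alone run.
    sample = Message("staff@example.com", ["partner@supplier.example"],
                     "Please contact jane.doe@example.org about the booking.")
    print(evaluate(sample))
```

The ordering of the checks is the design decision worth noting: a card number in the body is blocked outright because encrypting the message does not address why it was being sent, whereas an unencrypted attachment is quarantined rather than blocked so that a reviewer can release a legitimate transfer after the file has been protected.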
Data and Email Encryption
Encryption is one of the few specific technologies called out in the text of the GDPR, and its presence there essentially mandates its use by organizations. We have implemented measures to encrypt data while at rest and when being used or transmitted. This ensures that if a breach occurs on any system, the information remains confidential and does not trigger the GDPR penalties.
Data Breach Identification and Blocking
European Data Protection Laws require us to report Personal Data Breaches to the relevant data protection authority without undue delay (and where feasible within 72 hours) after becoming aware of the Personal Data Breach (unless this is unlikely to result in a risk to the rights and freedoms of the individual). We may also need to notify individuals in certain circumstances and we must document the Personal Data Breach in line with the Data Breach Policy.
We have therefore implemented measures to proactively sense that data has been breached, audit the extent of the breach, and create an appropriate organizational response.
In the event any individual becomes aware of a Personal Data Breach, they must notify Robert Rae immediately and provide as much information as they have (including the nature and the consequences of the Personal Data Breach and any measures taken or proposed to mitigate any adverse effects). Examples of Personal Data Breaches include Personal Data being sent to an incorrect recipient, Personal Data being accessed without authority and paperwork or computers containing Personal Data being lost or stolen.
Further to section 5.9 on Individuals’ Rights, data subjects have the right to request an export of their data in a usable format that can be given to another vendor or service provider to import into its service in certain circumstances. Whilst this specific requirement is of low likelihood and risk for the organisation, YUM! Pizza Hut Gibraltar/ Fontenay Limited uses widely available products (such as Office 365 and Microsoft Exchange for email) to facilitate this requirement.
Endpoint Security and Mobile Device Management (“MDM”)
The GDPR requires computing devices to be protected from loss or theft through mobile device management capabilities, such as remote wipe and kill. A lost device could be the weak link in the data protection chain, leading to a data breach based on information stored on the device or accessible through still active user credentials. YUM! Pizza Hut Gibraltar/ Fontenay Limited has rolled out MDM to all its staff, with specific measures taken detailed in the Information Security Standard.
Cloud Storage and Sharing Services
YUM! Pizza Hut Gibraltar/ Fontenay Limited conducts a periodic review of documents shared externally to minimise the extent of sharing with external parties. Use of default restrictions (such as time-limited links) is also encouraged to restrict sharing by default without the need for user intervention. Measures taken by YUM! Pizza Hut Gibraltar/ Fontenay Limited to review these permissions are outlined in the Data Governance Model whereas measures embedded within the design of the system are described in the Information Security Standard.
Any transfers of Personal Data must be done securely, whether externally or internally. When emailing or posting, double check that information is being sent to the right recipient.
Be aware that those seeking information sometimes use deception. Before sending out any Personal Data to any third party, be sure of their identity. This may involve carrying out checks to verify their identity particularly if you are releasing information over the phone. If in doubt, contact Robert Rae.
While a successful malware infiltration can render computers unusable, of more serious concern under GDPR is the potential for malware to harvest credentials for user and administrator accounts. Harvested credentials can then be used to access data sources across the organization (both on-premises and in cloud services), including those containing personal and sensitive personal data.
YUM! Pizza Hut Gibraltar/ Fontenay Limited works closely with its managed IT service provider to ensure the strongest practical level of security is applied in this respect (predominantly through the use of anti-virus and intrusion detection software).
Identity and Access Management
A cohesive identity and access management system that seamlessly unifies employee identity across applications is a foundational requirement for GDPR compliance. YUM! Pizza Hut Gibraltar/ Fontenay Limited uses the latest identity management protocols (Windows 10 Azure Active Directory) to manage this aspect of GDPR Compliance. Furthermore, user identities are connected to third party software providers using Single Sign-On where appropriate. This ensures access can be controlled centrally (and quickly) across a number of applications in a uniform way.