GDPR

Request Id: 1191
Date/Time:
Request

1. Have you invested in technology specifically to comply with GDPR? o Yes o No
2. Which information security framework(s) have you implemented?
3. Have you signed contractual assurances from all the third-party organisations you work with requiring that they achieve GDPR compliance by 25 May 2018? o Yes o No
4. Have you completed an audit to identify all files or databases that include personally identifiable information (PII) within your organisation? o Yes o No
5. Do you use encryption to protect all PII repositories within your organisation? o Yes o No
6. As part of this audit, did you clarify if PII data is being stored on, and/or accessed by:
   a. Mobile devices
   b. Cloud services
   c. Third party contractors
7. Does the organisation employ controls that will prevent an unknown device accessing PII repositories? o Yes o No
8. Does your organisation employ controls that detect the security posture of a device before granting access to network resources – i.e. valid certificates, patched, AV protected, etc. o Yes o No
9. Should PII data be compromised, have you defined a process so you can notify the relevant supervisory authority within 72 hours? o Yes o No
10. Have you ever paid a ransom demand to have data returned / malware (aka ransomware) removed from systems? o Yes o No
11. To which positions/level does your data protection officer report? i.e. CISO, CEO, etc.

Answer

1. Have you invested in technology specifically to comply with GDPR?

No

2. Which information security framework(s) have you implemented?

Cheshire Fire and Rescue Service consider risk and implement appropriate controls based on ISO 27000

3. Have you signed contractual assurances from all the third-party organisations you work with requiring that they achieve GDPR compliance by 25 May 2018?

No

4. Have you completed an audit to identify all files or databases that include personally identifiable information (PII) within your organisation?

Yes

5. Do you use encryption to protect all PII repositories within your organisation?

No - Encryption is used in specific areas, but not all PII repositories are encrypted. There are standard security measures in place.

6. As part of this audit, did you clarify if PII data is being stored on, and/or accessed by:

a. Mobile devices - Yes

b. Cloud services - No

c. Third party contractors - No

7. Does the organisation employ controls that will prevent an unknown device accessing PII repositories?

No

8. Does your organisation employ controls that detect the security posture of a device before granting access to network resources – i.e. valid certificates, patched, AV protected, etc.

No

9. Should PII data be compromised, have you defined a process so you can notify the relevant supervisory authority within 72 hours?

Yes

10. Have you ever paid a ransom demand to have data returned / malware (aka ransomware) removed from systems?

No

11. To which positions/level does your data protection officer report?

Senior Information Risk Owner.
