(General Data Protection Regulation)

Are you ready?

Take action now before it's too late.

With fines of £20 million or 4% of turnover
(whichever is larger!) you cannot afford to ignore it.

Sensible solutions available and a free initial consultation.

GDPR Questionnaire

Take our quick 5 minute questionnaire. Receive a free, no obligation response 🙂


With fines so large, how can you afford not to complete the quick 16 point questionnaire? The form should only take 5 minutes to complete. It is free, with no-obligation feedback and solutions. This is a great place to start on your journey towards GDPR peace of mind.


How PCQ meets your needs

Firstly, don't panic! Whilst this is all difficult and overwhelming, PCQ can help.

At PCQ we have worked hard to ensure all our business clients have been stepping towards compliance for years: legal business-version software, good business-grade hardware and server solutions to meet all the requirements, backed by leading managed services. If you already use PCQ for your business, your IT is likely most of the way there. If you haven't used PCQ before, don't worry, we can still help, but you may require more depending on what you have. We can help, advise and supply anything you need.

The first and most important step before arranging a meeting is information gathering! We always suggest making a "Data map". A data map is quite simply a list recording anywhere your company stores personal data. Consider everything from scraps of paper or notebooks used for taking notes about phone calls, any and all paper records, digital data stored on PCs, servers and onsite backups, data held with any 3rd parties, and even your website and email servers.

Data Map should include:

  • Where the data is (Example – written sales folder – Sage accounts – Email from web form – Cloud storage – etc)
  • What data/information is recorded (such as first/second name, phone number, date of birth etc)
  • Who has access to the information (list out everyone who could have access)
  • How you received the information and whether you have recorded consent
  • Consider and record your retention period for each area of data (Yes you have the data, but do you really need it? If you do, justify why and record how long you are required to keep it. If you can no longer justify the risk of retaining the data you may want to simply destroy it to mitigate your risks)
  • Do any 3rd parties have access to the data? Record this too. (Your accountant, IT support, guests, web designers – etc)

We suggest starting with the PCQ GDPR questionnaire here – You will receive a free, no-obligation suggested action list and/or a free site meeting to inspect and later receive an action list. COST = FREE!

GDPR full GAP Assessment conducted by a GDPR specialist consultant – COST = £750 + Consultant £900 per day – This is the best and only true route to a fully demonstrated, recorded and 3rd-party-audited path to showing the ICO (Information Commissioner's Office) that you have fully appreciated the law, and you gain a full report. This is like having an MOT on your car: you can then address the issues found, take action and be compliant! The cost of doing this is really aimed at businesses with 10+ staff; smaller businesses may have to risk self-assessing and recording their own issues and actions taken. If you cannot justify the cost for a full and proper GAP assessment we suggest looking at

Once you have completed the PCQ free questionnaire you will likely be offered a meeting at your office for up to 1 hour free of charge.  Obviously within a sensible catchment range of our offices but telephone meetings can be arranged as well.  This will enable us to discuss how you currently operate, suggest any simple changes and offer solutions to help shape your business towards compliance.  There is no obligation to take our services.

Much like a "company secretary", all companies will need to appoint a DPO (Data Protection Officer) to become responsible for making the company GDPR compliant. The DPO must carry out regular and systematic checks to ensure your company is compliant, and be prepared and ready to act on requests from the public or communicate with the ICO. This can be a huge task and responsibility; PCQ has solutions to help with this.

It is possible to pay for an external appointed DPO but this is costly and for most will still consume a lot of time bringing the business up to compliance.

All staff need to be made aware of the changes, how they deal with personal information and what happens if certain events occur. Any information received needs to be kept safe, along with a record of what consent was given: just a call back, or ongoing correspondence?

PCQ has a range of products to help identify issues. We feel it is important to provide automated management tools that report to you. Whether you wish for a specialist consultant to review your business or wish to subscribe to one of our training partners, regardless of your needs, we can assist.

You will need to review all paperwork used, including website pages/forms. You will need to have good policies & procedures written. Some policies are documents you must have on file, some you may need to make public. You are also required to prepare procedure templates so your DPO is armed and ready to act in any event.

Procedural templates for possible events which include:

  • Data breaches – Both for the ICO and affected clients
  • Requests for data – What to say and do if anyone requests their data
  • Requests for data deletion – If you have a request for someone's data to be deleted – How to respond and what is acceptable to do

Good practice for your terms and statements:

  • Make sure your terms and statements are in good plain English – Make it as easy as possible
  • Make your main points clear – If you are collecting data or plan to use the data you must confirm that you are and why.
  • Hiding an “opt out” tick box is no longer acceptable.  Instead you will need an “opt in”, big and bold and not pre-ticked!

PCQ can assist with any aspects you require. Should you wish to have a specialist GDPR consultant come to review and customise all your paperwork and audit your business, we can arrange it. Unless you're a large company this will be cost prohibitive.

We have GDPR policy packs which include templates for your procedures – available at just £600+vat (far cheaper than having your own drawn up!)

Cyber Essentials Policy documents – available at £250+vat (assuming you proceed with CyberSmart)

We advise all companies to consider and make a “minimum standard” for your IT equipment and software.  Here is our suggestion for small to medium size businesses.

Business user machine:

  • Windows “Professional” licence (not home edition!) 7/8/8.1/10 (note: Windows 7 will soon be removed from our list when support ends) (Or Apple OSX on latest release)
  • Protection that must include management/alert reporting for Antivirus/Malware/Firewall protection to your DPO – We advise Bitdefender Gravityzone (Please ask for pricing)
  • Software patching and reporting for your DPO – We advise Heimdal Security (Please ask for pricing)
  • Network edge protection and reporting for your DPO – We advise Heimdal Security (Please ask for pricing)
  • Ensure all software is legal/licenced/current (if in doubt, check your licences with PCQ or Microsoft direct)
  • Disk encryption on any devices containing personal data – We advise using Bitlocker with a TPM module – This should be a strict requirement for mobile devices, ideally all equipment in case of theft!
  • Onsite backups & disaster recovery plan – Ensure all backups are encrypted to 256-bit or above – Ensure you have a good disaster recovery plan and systems in place. (Please ask for pricing)
  • Cloud backup (Suggest UK based with full accreditation, please ask for pricing)

Onsite servers:

  • Windows Server editions 2012 or above
  • Password policy – Make sure to enable compliant password strength and rotation policies.
  • Domain park all user devices – Good for disaster recovery
  • Health reporting/updates – Make sure your DPO is informed.
  • Protection that must include management/alert reporting for Antivirus/Malware/Firewall protection to your DPO – We advise Bitdefender Gravityzone (Please ask for pricing)
  • Software patching and reporting for your DPO – We advise Heimdal Security (Please ask for pricing)
  • Network edge protection and reporting for your DPO – We advise Heimdal Security (Please ask for pricing)
  • Ensure all software is legal/licenced/current (if in doubt, check your licences with PCQ or Microsoft direct)
  • Disk encryption – Should your server not be inside an ISO 27001 data centre it would be considered at risk from theft. To reduce your risks we would advise installation of a TPM module and enabling 256-bit encryption on all drives using technologies such as Bitlocker.
  • Onsite backups & disaster recovery plan – Ensure all backups are encrypted to 256-bit or above – Ensure you have a good disaster recovery plan and systems in place. (Please ask for pricing)
  • IT Support – Make sure your IT company can demonstrate cyber security and that all logs of access to your servers can be made available on request.
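The two lists above are a specification; the DPO still needs evidence that each machine actually meets it. The following is an added example, not PCQ's tooling or any product named above, of how the locally checkable items (Professional/Server edition, TPM present, every fixed drive BitLocker-encrypted with a 256-bit method, antivirus real-time protection and signature age, all firewall profiles on, patch age) can be gathered into one line of a CSV that the DPO can keep as an audit record. It assumes Windows PowerShell 5.1 or later run as Administrator on Windows 10 / Server 2016 or later with the built-in BitLocker, TrustedPlatformModule, Defender and NetSecurity modules available, and the report path is an assumed location; third-party products such as Bitdefender or Heimdal are not queried here, so if they replace Defender the antivirus fields will come back empty and should be taken from that product's own console instead.

```powershell
# Added example (not PCQ's or any vendor's script): local "minimum standard" check
# for a Windows business machine or server, written for the DPO's records.
# Run as Administrator. $ReportPath is an assumed location; change to suit.
param(
    [string]$ReportPath = "$env:ProgramData\MinimumStandard\$env:COMPUTERNAME.csv"
)

$r = [ordered]@{ Computer = $env:COMPUTERNAME; Checked = (Get-Date).ToString('s') }

# 1. Edition: Home editions cannot join a domain or be managed for BitLocker.
$os = Get-CimInstance Win32_OperatingSystem
$r.OSCaption = $os.Caption
$r.EditionOK = [bool]($os.Caption -match 'Pro|Enterprise|Education|Server')

# 2. TPM present and ready (needed for BitLocker without a start-up key/PIN).
try   { $tpm = Get-Tpm; $r.TpmPresent = $tpm.TpmPresent; $r.TpmReady = $tpm.TpmReady }
catch { $r.TpmPresent = $false; $r.TpmReady = $false }

# 3. Every fixed drive fully encrypted, protection on, 256-bit method.
#    Removable media is skipped so a USB stick does not fail the machine.
$fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
$failing = foreach ($v in $fixed) {
    $mp = "$($v.DriveLetter):"
    $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
    if (-not $bl -or $bl.VolumeStatus -ne 'FullyEncrypted' -or
        $bl.ProtectionStatus -ne 'On' -or $bl.EncryptionMethod -notmatch '256') { $mp }
}
$r.DrivesFailingEncryption = (@($failing) -join ';')
$r.DiskEncryptionOK        = -not $failing

# 4. Antivirus (Windows Defender) real-time protection and signature age in days.
try {
    $mp = Get-MpComputerStatus
    $r.AVRealTimeOn    = $mp.RealTimeProtectionEnabled
    $r.AVSignatureDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
} catch { $r.AVRealTimeOn = $null; $r.AVSignatureDays = $null }   # third-party AV: check its console

# 5. Windows Firewall enabled on Domain, Private and Public profiles.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
$r.FirewallProfilesOff = (@($off | ForEach-Object Name) -join ';')
$r.FirewallOK          = -not $off

# 6. Patching: days since the most recent installed update.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$r.DaysSinceLastUpdate = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
$r.PatchingOK          = ($null -ne $r.DaysSinceLastUpdate) -and ($r.DaysSinceLastUpdate -le 30)

# Overall verdict against the items this script can see locally.
$r.MeetsMinimumStandard = $r.EditionOK -and $r.TpmPresent -and $r.DiskEncryptionOK -and
                          ($r.AVRealTimeOn -eq $true) -and $r.FirewallOK -and $r.PatchingOK

# Write one row per run so the DPO has a dated audit trail, and show it on screen.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
[pscustomobject]$r | Export-Csv -Path $ReportPath -Append -NoTypeInformation
[pscustomobject]$r | Format-List
```

The 30-day patch threshold and the "256" match on the BitLocker method name are the script's own choices, not figures from this page; adjust them to whatever your written minimum standard says, and keep the CSV with the rest of the DPO's records so the evidence is dated.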

Once you have made a specification it is important to review each machine and take action to roll it out. Not only do you need to achieve a basic cyber security level, you will need to be able to demonstrate compliance and record how you monitor breaches/problems – Without a full time IT department this would normally be difficult to achieve.

PCQ as standard will automatically meet or exceed the minimum requirement set out above if you request "business computers", and has done for quite some time. If you wish PCQ to visit and assess your business equipment at no cost please let us know and we can report/advise suggested actions to bring your IT up to the requirement.

Once you have done the hard work of getting your business ready, the next stage is making sure you remain compliant.  Make sure all equipment changes keep in line with your minimum standard set.  Make sure to put in systems that provide ongoing reporting for your DPO.  This will assist the DPO in being kept informed of any threats or breaches so that they may act and keep you compliant and your customer’s data safe.

We suggest as much automation and alerting as possible for your DPO, to take the strain out of ongoing compliance. This is why we feel it's necessary to have management/reporting for basic items such as Antivirus/Malware/network/server/backups. Also make sure your IT team log all access and work carried out so you have clear audit trails of access to your systems.

Make a schedule to test your recovery plan – So should the worst occur you're ready to restore with minimal downtime and then start reporting the event. No backup solution or service provider will provide a guarantee for your data, so it is always best to perform routine checks.

Consider other accreditations and certificates to help you demonstrate to the ICO and your clients that you are serious about personal data and you can be trusted. This makes good business sense to maintain and bring on new clients😊.

Ongoing compliance, show you’re serious about cyber security!

Demonstrate you are serious about your Cyber Security by becoming “Cyber Essentials” accredited.  Cyber Essentials is a Government produced certification designed for smaller businesses to show they meet the standard.  If you wish to trade/tender for Government work, this certification is a requirement.  If you don’t deal with government, this is an optional feature, but an excellent way to demonstrate your ongoing IT infrastructure compliance.  

Our unique CyberSmart partner provides you with an automated reporting tool to install on all your computers, so you are kept informed about anything falling outside of compliance for Cyber Essentials.  Annual renewal is simple and aids your GDPR compliance too.

Benefits of CyberSmart:

  • Guaranteed certificate – You will not fail your application for Cyber Essentials assuming you follow PCQ/CyberSmart's guidance
  • £20 Million cyber insurance (Ask for details of the terms)
  • Satisfies the requirement to deal with Government
  • Cyber Essentials logo for your website to demonstrate to your clients you are serious about safety of their data; drive new business and confidence.
  • Cloud portal and emailed reports to assist you maintaining compliance.
  • Excellent means to demonstrate your GDPR cyber security requirement.

CyberSmart Pricing – Please let us know how many computers you have and we can provide costings for the service

Need to get in touch? Ask more questions? Book a meeting? Please use form below.

Data policy: 

Your submitted message will be received and assessed by PCQ only.  PCQ will store your data on its systems securely.  PCQ will only reply to you by email (or phone if you have chosen to provide) with the details you provided to us on the above form.  PCQ will only reply once with your enquiry and will not use any of the data that you provide for any other purpose.