For organisations, meeting the compliance requirements of the GDPR means implementing a fully-fledged data governance framework. They must ensure that every process and processing operation involving personal data abides by the rules described above, which requires an exhaustive audit of all the software, computing functions and non-IT processing operations they use. To help them do this, Cegid has gone one step further by launching a programme designed to ensure that its SaaS solutions meet the requirements of the regulation in full, so that the organisations using them do not need to verify that compliance themselves. For Cegid, being GDPR ready means peace of mind for its customers.
[Sidebar: Cyber risk, a challenge for my business?]
Launched in September 2016, Cegid's compliance programme is a company-wide project backed by a multidisciplinary team. It is led by a project manager, supported by a lawyer specialising in data protection, a Chief Information Security Officer (CISO), a Head of Business Tools and Solutions, and an IT expert. The team can also call on a network of sector coordinators and leaders covering all the company's areas of expertise. They have been tasked with ensuring that the new regulation is adhered to in every aspect of our operations, down to the smallest detail.
A Security Audit and a Permanent Oversight Team
Cegid began a security audit of its applications and of the functions provided by its partners. At the same time, the company set up a team dedicated to continuously monitoring new security solutions, and adjusted its development processes so that security is taken into account from the earliest design phases of its solutions (privacy by design).
[Sidebar statistic, figure not preserved: ... of companies with over 1,000 employees think they are well prepared to deal with the risks of cyber-attacks*]
An Agile and Secure Infrastructure
The security requirements that Cegid must meet on behalf of its customers are addressed through an ISMS (Information Security Management System). Its aim is to protect functions and information against any loss, theft or alteration, and to detect and raise an alert on any intrusion or incident affecting the information systems. Built on best practices and the continuous improvement process they drive, Cegid's ISMS is ISO 27001 certified (certificate number IS 666376, issued by BSI) for the following scope: provision of a service enabling the hosting of applications containing data provided by customers in a cloud environment.
This scope therefore covers the service provision process, from placement of an order through to live release, together with the system for managing information security for the hosting of SaaS applications and customer data. As with any ISO 27001 certificate, it attests to the management system within that declared scope rather than to each hosted application individually. Supervised 24/7, this infrastructure offers the levels of resilience needed to meet the challenges faced by modern companies: permanent availability of data, personalisation of the customer relationship, integration of partners, etc. All communications to and from this infrastructure are secured to address the main risks highlighted by the GDPR.
[Sidebar statistic, figure not preserved: ... of companies say they were victims of a cyber-attack in 2016*]
Human resources security
The "human" component is also key to this compliance project. For this reason, roles and responsibilities have been clearly defined and separated between the project manager, the experts (IT and business lines), the lawyers and the sales teams. All SaaS production staff have received security awareness training.
Employees working on SaaS solutions have signed a confidentiality clause, and an induction process including awareness-raising sessions on security and the GDPR has been developed for staff. See our GDPR commitment policy.
[Sidebar statistic, figure not preserved: ... of firms admit to having suffered financial or brand image damage due to an attack*]
Cybersecurity: no firm is safe from attack
- While 73% of firms with 250 to 1,000 employees think they are well prepared against the risk of cyber-attack, the same is not true of small businesses: just 37% say they have taken the necessary steps*.
- Sensitive data were breached in 33% of hacked firms (+8% compared with 2015)*.
- The main consequences companies fear are malware infections resulting in data loss, the destruction or alteration of data, and industrial espionage*.