Principal risks, GDPR, cyber security and description of measures taken during the year


Trifast plc – Annual report – 31 March 2018

Industry: manufacturing, distribution

Risk table (extract)



Risk management (extract)

2018 will be remembered for the introduction of the General Data Protection Regulation (GDPR), a major change from the Data Protection Act (DPA), which had remained largely unchanged for the last 20 years. Trifast, with the help of its Group IT, Group Legal, Group HR and Group Marketing departments, identified the importance of aligning the business to the new Regulation and has fully embraced the changes the business will need to make to comply with it. With the appointment of a Global Security Architect, whose responsibility covers all things cyber, and of a Group Chief Privacy Officer (DPO), we have implemented a comprehensive framework of activities, including due diligence, policy and procedure development and supplier reviews, that covers the identification of the PII (Personally Identifiable Information) we hold, how we protect it, how we control it and how we will respond if we have a data breach.

Alongside GDPR, Group IT has introduced a clear annual Group security governance programme that includes IT policies, penetration (PEN) tests and comprehensive health checks; these cover not only the IT infrastructure but also audits of all aspects of security, data, IT insurance and ISO 27001.

We have also introduced an ‘Information Security Awareness’ program for all staff that highlights the importance of protecting not only the Company’s data but also the individual’s data and a GDPR training programme for all staff involved with data processing. It is crucial in any modern organisation that employees are educated in information security awareness as the employee is often the first and last line of defence against cyber security attacks.

Phishing attacks are becoming more and more frequent, with thousands of phishing emails received by the business every day. Group IT's filtering software blocks around 90% of these emails, leaving the unsuspecting employee as the last line of defence. Empowering employees with the knowledge to recognise these attacks and avoid activating them is crucial to keeping the business safe, which is why we are introducing specific phishing-awareness software that not only identifies whether a suspicious mail or link has been activated but also trains the employee on why they should not have clicked the link and how to identify such attacks in future.

Recent moves by governments to shut down botnets (networks of compromised computers under an attacker's control, used among other things to send out malicious emails by the millions) have produced a steep reduction in the email traffic received by Trifast, from 37.5 million emails in FY2017 to 25.3 million in FY2018.

The introduction of the GDPR (especially Article 25, data protection by design and by default, and Article 35, data protection impact assessments) has prompted a fresh look at the data held by Trifast and at the new approaches (privacy by design and privacy by default) that must be built in when rolling out new systems and new locations. Not only must the type of data, the purpose for which it is held, the legal basis for the processing and the location of the data be identified, but the data must also be held only for the minimum required period. This means setting up processes that automatically and securely delete data that has reached its 'end-of-life', and being able to respond to legitimate requests from individuals for their data to be removed.
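The retention and erasure process described above can be made concrete with a small worked example. The following Python is an added illustration, not Trifast's code or Project Atlas: the data categories, retention periods, legal bases and records are constructed assumptions. It shows three things a practitioner would want from such a process: a per-category retention schedule that drives automatic end-of-life deletion, an erasure-request handler that records why some records must be kept (a statutory retention basis or a legal hold overrides the request), and deletion by key destruction ("crypto-shredding"), so that ciphertext lingering in backups is useless once the record's key is gone.

```python
"""Retention enforcement and erasure requests over a constructed PII inventory.
Added illustration only; schedule, records and plaintexts are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
import os

# Retention schedule per data category: (purpose, legal basis, retention period).
# Illustrative values, not an actual schedule.
RETENTION_SCHEDULE = {
    "recruitment_cv":    ("recruitment",       "legitimate interest", timedelta(days=180)),
    "payroll_record":    ("payroll and tax",   "legal obligation",    timedelta(days=6 * 365)),
    "marketing_contact": ("product marketing", "consent",             timedelta(days=2 * 365)),
}


@dataclass
class Record:
    record_id: str
    subject_id: str           # the data subject the PII relates to
    category: str             # key into RETENTION_SCHEDULE
    created: date
    location: str             # which system / region holds this copy
    legal_hold: bool = False  # e.g. litigation hold: blocks deletion until lifted


class PiiStore:
    """Each record is encrypted under its own random key; deleting a record
    means destroying the key (crypto-shredding). A one-time pad is used here
    for illustration; a real system would use a KMS-managed AEAD key."""

    def __init__(self):
        self._cipher = {}   # record_id -> ciphertext (may also linger in backups)
        self._keys = {}     # record_id -> key (the only thing shredding removes)
        self.audit = []     # (action, record_id, reason) for the DPO's records

    def put(self, record_id, plaintext: bytes):
        key = os.urandom(len(plaintext))
        self._keys[record_id] = key
        self._cipher[record_id] = bytes(p ^ k for p, k in zip(plaintext, key))

    def exists(self, record_id):
        return record_id in self._keys

    def get(self, record_id):
        key = self._keys.get(record_id)
        if key is None:
            return None     # shredded: ciphertext alone cannot be recovered
        return bytes(c ^ k for c, k in zip(self._cipher[record_id], key))

    def shred(self, record_id, reason):
        del self._keys[record_id]
        self.audit.append(("shred", record_id, reason))


def expired_records(records, today):
    """Record ids whose retention period has elapsed, excluding legal holds."""
    out = []
    for r in records:
        _, _, period = RETENTION_SCHEDULE[r.category]
        if not r.legal_hold and r.created + period <= today:
            out.append(r.record_id)
    return out


def erasure_request(records, subject_id):
    """Split one subject's records into erasable ids and kept ids with the
    reason: a 'legal obligation' basis or a legal hold overrides the request."""
    erase, keep = [], {}
    for r in records:
        if r.subject_id != subject_id:
            continue
        _, basis, _ = RETENTION_SCHEDULE[r.category]
        if r.legal_hold:
            keep[r.record_id] = "legal hold"
        elif basis == "legal obligation":
            keep[r.record_id] = "statutory retention"
        else:
            erase.append(r.record_id)
    return erase, keep


def run_retention(store, records, today, erasure_subjects=()):
    """One scheduled run: shred expired records, then honour erasure requests."""
    done = []
    for rid in expired_records(records, today):
        if store.exists(rid):
            store.shred(rid, "retention period expired")
            done.append(rid)
    for subject in erasure_subjects:
        erase, _ = erasure_request(records, subject)
        for rid in erase:
            if store.exists(rid):
                store.shred(rid, f"erasure request from {subject}")
                done.append(rid)
    return done


# Constructed sample inventory and plaintexts (assumptions for the demo).
RECORDS = [
    Record("cv-1",  "s-100", "recruitment_cv",    date(2017, 6, 1),  "HR-UK"),
    Record("pay-1", "s-100", "payroll_record",    date(2017, 4, 1),  "Finance-UK"),
    Record("mkt-1", "s-200", "marketing_contact", date(2016, 1, 1),  "CRM-EU"),
    Record("mkt-2", "s-300", "marketing_contact", date(2017, 12, 1), "CRM-EU", legal_hold=True),
]
PLAINTEXTS = {"cv-1": b"s-100 cv", "pay-1": b"s-100 payroll",
              "mkt-1": b"s-200 marketing", "mkt-2": b"s-300 marketing"}


def demo(today=date(2018, 3, 31)):
    """Load the sample inventory, run retention at the financial year end and
    process erasure requests from two subjects; returns (store, shredded ids)."""
    store = PiiStore()
    for rid, pt in PLAINTEXTS.items():
        store.put(rid, pt)
    done = run_retention(store, RECORDS, today, erasure_subjects=("s-100", "s-300"))
    return store, done
```

In the demo run, the expired CV and the stale marketing contact are shredded by the schedule, subject s-100's erasure request then finds the CV already gone and the payroll record kept for statutory retention, and subject s-300's request is refused because of the legal hold; every shred and its reason lands in the audit list.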

It is essential that the existing security controls are continually monitored, maintained and reviewed in line with Article 32 of the GDPR (security of processing) to minimise the risk of TR suffering a data breach, which now carries potentially severe penalties as well as the obvious loss of confidence in the business.

Cyber security has become one of the most important factors when planning the roll-out of integrated computer systems both within the UK and across the world, and the Global IT team has been, and will continue to be, heavily involved in the development of Project Atlas, our significant planned investment in the Group's global IT infrastructure.