ESG 23 Final Single pages - Flipbook - Page 68
DATA PROTECTION
the next level in the management chain. Security risks
are captured and managed through our security risk
management process which is the responsibility of our
CIO, and shared with the Board annually.
RWS employs ‘defence in depth’ in its security posture and
understands that regular testing of its security controls
is important. As such we routinely conduct vulnerability
scanning of our internal and external infrastructure
and, at the request of some of our clients, elements of
our public facing infrastructure are subject to periodic
penetration testing. This allows the identification of
weaknesses which are analysed to determine the most
appropriate mitigation to be applied.
The UK’s Cyber Security Breaches Survey identified that
83% of businesses reported phishing attacks in the last
12 months, making it the most prevalent type of attack.
Like other businesses RWS is regularly subjected to such
attacks and whilst our technical controls block most
spam and malicious messages, it is inevitable that some
phishing emails get through. Because we understand that
employees are likely to be our weakest link, we continually
aim to improve our annual security awareness training
to provide colleagues with the information necessary
to identify such threats thereby reducing the risks. In
addition to regular messaging and security awareness
delivered through our learning management system,
MyLX, RWS uses external providers to deliver security
training, knowledge assessments, and testing, allowing us
to identify where additional training may be needed, track
its delivery and participation and test its effectiveness.
Our security roadmap takes a cost effective and balanced
approach to provide appropriate protection that is
prioritised in response to market threats and in areas
that our clients tell us are important. Examples include
the implementation of MFA across the RWS Group and
M365 estate, deployment of VDI environments and roll
out of 24/7 monitoring and detection capability to enable
incidents to be addressed as soon as possible to minimise
any business impact.
The Group experienced a cyber incident in April 2023.
Following the detection of unauthorised external access to
a legacy project management workflow application which
supports a small part of the Regulated Industries division,
the Group immediately enacted contingency protocols,
temporarily shutting the application down and appointed
external cyber security experts to investigate the
circumstances and scope of the incident. It was confirmed
that evidence of unauthorised access was restricted to the
application concerned. The individuals and organisations
that could have been affected were contacted, advised
of the steps they should take and, where appropriate,
offered support. The Group also took steps to comply
with relevant regulatory obligations and as part of this
notified the UK's Information Commissioner's Office.
The application was securely restored.
RWS Holdings plc — ESG Report 2023
FRAMEWORKS
Headquartered in the UK, RWS has adopted the EU GDPR
and UK Data Protection Act 2018 as its benchmark for
data protection. We have a comprehensive set of policies
which reflect the applicable privacy legislation and identify
processes, procedures and practices focused on the
protection of personally identifiable information (PII).
Compliance with data privacy is one crucial aspect of
responsible business practices. We understand that
personal, demographic, and financial details are just some
of the information that may be disclosed, and we take
appropriate measures to safeguard our clients' data. This
includes complying with relevant data protection laws,
regularly reviewing our data privacy policies and practices,
and investing in technologies and tools to protect our
clients' data. We believe that by upholding high standards
of data privacy, we can not only build trust with our clients
but also contribute to the wider goal of creating a safer
and more secure digital environment for everyone.
RWS, being cognisant of the requirement for privacy by
design, provides functionality within RWS software to
enable clients to comply with their obligations under data
protection law.
RWS processes personal data on behalf of clients when
providing localisation services or when licensing our
software via SaaS. Our clients collect the data and
transfer it to RWS to process. Client data is translated,
transmitted and stored within the RWS environment
and on completion is deleted in accordance with internal
deletion policies or as specified by the client. Similarly,
when RWS licenses web content management software,
the client determines the parameters of data collection
and retention. RWS processes client data in accordance
with instructions agreed with clients in non-disclosure
agreements, contracts and data processing agreements.
We only retain personal data for as long as necessary to
fulfill the purpose for which it was collected or to comply
with legal, regulatory or internal policy requirements.
RWS does not undertake detailed profiling of consumers
on behalf of clients. Data provided by clients is never sold
or rented. As required to perform the services, RWS will
disclose data between affiliate companies and approved
third party subcontractors; appropriate data processing
agreements are in place to govern these transfers.