GDPR Consultancy

Overview

The General Data Protection Regulation (GDPR) came into effect on May 25th 2018 and has created a requirement for all organisations that process personal data of individuals within the EU, wherever it is processed, to understand the risks that they are creating for individuals by storing and using their personal data, and to then mitigate those risks.

The GDPR is the new European Data Protection Framework.

For the first time ever, the GDPR provides all living individuals who live, work or travel within Europe (including those who have never visited Europe but whose personal data is processed within the EU) with the Worlds Strongest Data Protection Rules.

This is supported by relevant legislation in each jurisdiction.

The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behaviour (as far as that behaviour takes place in the EU).

The European Data protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR, the public consultation on these guidelines close on 18th January 2019.

Significant factors to note from the EDPB draft guidelines are:

  • Companies processing outside the EU of:
    • Personal data of individuals in the EU; and
    • Have an Establishment in the EU; can be
    • Considered ‘inextricably linked’
      • Therefore subject to the GDPR
  • Targeting or monitoring of individuals who are in the EU
    • Clarifying EU citizenship, residency or other type of legal status is irrelevant to determine the scope of application of GDPR.
  • Monitoring – potentially now includes Wi-Fi tracking and geo-localization activities.
  • Companies in scope of the GDPR by virtue of Article 3(2) must appoint an EU representative via a written mandate.

Only a small proportion of organisations have completed their GDPR journey to full compliance, many are still on that journey, many have not yet started and some are not even aware they are caught by the GDPR.

Supervisory Authorities are going to demonstrate very public displays of non-compliance with the new GDPR utilising the full extent of the new fining powers available to them.

In addition, there are many other regulatory bodies capable of imposing fines for breaches of practices relating to an ‘individual’s Rights’, as seen recently (7 December 2018) by Italy’s competition watchdog who fined Facebook a total of £8.9million for misleading users about how it used their personal data.

Clear and compelling reasons for compliance with GDPR is that it assigns responsibilities for compliance with partners and third-party suppliers so due diligence must be performed before entering into any kind of working contract for processing Personal Data. This means that any organisation that is not GDPR compliant may not be considered for awarding contracts, with ensuing loss of business or failure to gain new business.

Consequently, more and more organisations are exploring the benefits of implementing best practice information security management using BS 10012 ‘Data Protection – Specification for a Personal Information Management System’. This is the only current standard on:

  • Establishing
  • Operating
  • Maintaining
  • Continuously Improving,

a Personal Information Management System (PIMS) which can easily be integrated with other management systems (e.g. ISO 9001, 14001, 22301, 27001 etc.).

Service Offering

A-GRC are uniquely placed to assist you as they have done others to develop and implement Data Protection and information security solutions appropriate for your business.

A-GRC has developed its own methodology based on BS 10012 that contains a Personal Information Management Policy and all of the processes, procedures and plans that are required to develop a Personal Information Management System (PIMS) based on the Deming cycle of:

  • Plan
  • Do
  • Check
  • Act

The so called PDCA cycle. All major management systems standards have used PDCA, but this is no longer mandated in Annex SL but many organisations still prefer to use this process.

A-GRC ISO consultants are GDPR experts and have audited and implemented a number of PIMS and GDPR systems.

Approach

Using the A-GRC approach to implementing a PIMS covers:

  • performing gap analysis to determine the work to be carried out to implement a PIMS
  • defining the context of the organisation
  • understanding the business, its drivers, needs and expectations of the interested parties
  • determining the scope of the PIMS
  • establishing the PIMS
  • establishing management commitment throughout the organisation
  • developing and implementing an appropriate Personal Information Management Policy
  • embedding Data Privacy in the business
  • ensuring appropriate support processes and procedure are in place
  • undertaking risk assessments
  • determine the data inventory and data flows within the organisation
  • determine the legal grounds for processing Personal Data including special categories of Personal Data
  • undertaking Privacy Impact Assessment (PIAs), where appropriate;
  • develop the Data Privacy Risk Treatment Plan
  • ensuring that Piracy by Design and Default are embedded in the business
  • defining PIMS objectives and how to achieve them
  • documenting procedures
  • implementing awareness training
  • implementing supporting PIMS procedures
  • monitoring, measuring and reviewing the PIMS
  • auditing the PIMS
  • management reviews of the PIMS
  • continuous improvement of the PIMS
  • assistance in gaining a BS 10012 Certificate of Registration.

Benefits

The A-GRC approach gives you the ability to:

  • align business needs with PIMS deliverables
  • allow you to make contractual bids, where if you were not compliant with GDPR or hold a Certificate of Registration to BS 10012, you may be precluded
  • assure management and customers of Data Privacy levels in place
  • create an organisational structure to ensure that roles and responsibilities for Data Privacy management are established
  • demonstrate compliance verified by a third-party Conformance Assessment Body
  • enable interoperability between disparate management systems
  • ensure that a high-level corporate Personal Information Management Policy exists and is implemented
  • ensure that an information asset register and data flows are created and managed
  • ensure that the register of Processing Activities (RoPA) is implemented and maintained
  • implement and maintain Data Privacy awareness within your business
  • identify risk and evaluate risks to your business
  • increase customer confidence in your handling of their Personal Data and their client’s Personal Data
  • make a public statement that you have addressed Personal Data security needs of your, and your client’, data
  • manage and treat significant risks to reduce them to an acceptable level in line with risk appetite
  • validate the adequacy of organisational and technical security measures including communications and operational procedures, logical access controls, systems development and maintenance arrangements
  • validate the adequacy of physical and environmental security arrangements
  • validate the existence or adequacy of ensuing continuity of information security when invoking business continuity and/or disaster recovery arrangements.