The General Data Protection Regulation (GDPR) came into effect on May 25th 2018 and has created a requirement for all organisations that process personal data of individuals within the EU, wherever it is processed, to understand the risks that they are creating for individuals by storing and using their personal data, and to then mitigate those risks.
The GDPR is the new European Data Protection Framework.
For the first time ever, the GDPR provides all living individuals who live, work or travel within Europe (including those who have never visited Europe but whose personal data is processed within the EU) with the Worlds Strongest Data Protection Rules.
This is supported by relevant legislation in each jurisdiction.
The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behaviour (as far as that behaviour takes place in the EU).
The European Data protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR, the public consultation on these guidelines close on 18th January 2019.
Significant factors to note from the EDPB draft guidelines are:
- Companies processing outside the EU of:
- Personal data of individuals in the EU; and
- Have an Establishment in the EU; can be
- Considered ‘inextricably linked’
- Therefore subject to the GDPR
- Targeting or monitoring of individuals who are in the EU
- Clarifying EU citizenship, residency or other type of legal status is irrelevant to determine the scope of application of GDPR.
- Monitoring – potentially now includes Wi-Fi tracking and geo-localization activities.
- Companies in scope of the GDPR by virtue of Article 3(2) must appoint an EU representative via a written mandate.
Only a small proportion of organisations have completed their GDPR journey to full compliance, many are still on that journey, many have not yet started and some are not even aware they are caught by the GDPR.
Supervisory Authorities are going to demonstrate very public displays of non-compliance with the new GDPR utilising the full extent of the new fining powers available to them.
In addition, there are many other regulatory bodies capable of imposing fines for breaches of practices relating to an ‘individual’s Rights’, as seen recently (7 December 2018) by Italy’s competition watchdog who fined Facebook a total of £8.9million for misleading users about how it used their personal data.
Clear and compelling reasons for compliance with GDPR is that it assigns responsibilities for compliance with partners and third-party suppliers so due diligence must be performed before entering into any kind of working contract for processing Personal Data. This means that any organisation that is not GDPR compliant may not be considered for awarding contracts, with ensuing loss of business or failure to gain new business.
Consequently, more and more organisations are exploring the benefits of implementing best practice information security management using BS 10012 ‘Data Protection – Specification for a Personal Information Management System’. This is the only current standard on:
- Continuously Improving,
a Personal Information Management System (PIMS) which can easily be integrated with other management systems (e.g. ISO 9001, 14001, 22301, 27001 etc.).
A-GRC are uniquely placed to assist you as they have done others to develop and implement Data Protection and information security solutions appropriate for your business.
A-GRC has developed its own methodology based on BS 10012 that contains a Personal Information Management Policy and all of the processes, procedures and plans that are required to develop a Personal Information Management System (PIMS) based on the Deming cycle of:
The so called PDCA cycle. All major management systems standards have used PDCA, but this is no longer mandated in Annex SL but many organisations still prefer to use this process.
A-GRC ISO consultants are GDPR experts and have audited and implemented a number of PIMS and GDPR systems.
Using the A-GRC approach to implementing a PIMS covers:
- performing gap analysis to determine the work to be carried out to implement a PIMS
- defining the context of the organisation
- understanding the business, its drivers, needs and expectations of the interested parties
- determining the scope of the PIMS
- establishing the PIMS
- establishing management commitment throughout the organisation
- developing and implementing an appropriate Personal Information Management Policy
- embedding Data Privacy in the business
- ensuring appropriate support processes and procedure are in place
- undertaking risk assessments
- determine the data inventory and data flows within the organisation
- determine the legal grounds for processing Personal Data including special categories of Personal Data
- undertaking Privacy Impact Assessment (PIAs), where appropriate;
- develop the Data Privacy Risk Treatment Plan
- ensuring that Piracy by Design and Default are embedded in the business
- defining PIMS objectives and how to achieve them
- documenting procedures
- implementing awareness training
- implementing supporting PIMS procedures
- monitoring, measuring and reviewing the PIMS
- auditing the PIMS
- management reviews of the PIMS
- continuous improvement of the PIMS
- assistance in gaining a BS 10012 Certificate of Registration.
The A-GRC approach gives you the ability to:
- align business needs with PIMS deliverables
- allow you to make contractual bids, where if you were not compliant with GDPR or hold a Certificate of Registration to BS 10012, you may be precluded
- assure management and customers of Data Privacy levels in place
- create an organisational structure to ensure that roles and responsibilities for Data Privacy management are established
- demonstrate compliance verified by a third-party Conformance Assessment Body
- enable interoperability between disparate management systems
- ensure that a high-level corporate Personal Information Management Policy exists and is implemented
- ensure that an information asset register and data flows are created and managed
- ensure that the register of Processing Activities (RoPA) is implemented and maintained
- implement and maintain Data Privacy awareness within your business
- identify risk and evaluate risks to your business
- increase customer confidence in your handling of their Personal Data and their client’s Personal Data
- make a public statement that you have addressed Personal Data security needs of your, and your client’, data
- manage and treat significant risks to reduce them to an acceptable level in line with risk appetite
- validate the adequacy of organisational and technical security measures including communications and operational procedures, logical access controls, systems development and maintenance arrangements
- validate the adequacy of physical and environmental security arrangements
- validate the existence or adequacy of ensuing continuity of information security when invoking business continuity and/or disaster recovery arrangements.
- A-GRC are justifiably proud of our 100% SUCCESS RATE, of achieving first time certification through an Accredited Conformance Assessment Body for our Clients
- A-GRC is committed to providing a consistently high value service to our Clients
- David Lilburn Watson, who remains personally ‘hands-on’ throughout the process, manages this process.
- to understand how the A-GRC suite of offerings can be used to transform your business, please contact us
- we look forward to discussing your specific requirements, at your convenience
- we offer a free Health Check consultation for GDPR
- whatever other type of consultancy you require, we can possibly offer a free Health Check.
Mapping GDPR to BS 10012
|GDPR Article||Article title||BS 10012:2017 Clause|
|5||Principles relating to processing of personal data||5.2
|6||Lawfulness of processing||6.1.3
|7||Conditions for consent||18.104.22.168
|8||Conditions applicable to child’s consent in relation to information society services||22.214.171.124|
|9||Processing of special categories of personal data||126.96.36.199|
|10||Processing of personal data relating to criminal convictions and offences||6.1.4|
|12||Transparent information, communication and modalities for the exercise of the rights of the data subject||188.8.131.52
|13||Information to be provided where personal data are collected from the data subject||184.108.40.206
|14||Information to be provided where personal data have not been obtained from the data subject||220.127.116.11
|15||Right of access by the data subject||18.104.22.168|
|16||Right to rectification||22.214.171.124|
|17||Right to erasure (‘right to be forgotten’)||126.96.36.199|
|18||Right to restriction of processing||188.8.131.52|
|19||Notification obligation regarding rectification or erasure of personal data or restriction of processing||184.108.40.206|
|20||Right to data portability||220.127.116.11|
|21||Right to object||18.104.22.168|
|22||Automated decision-making, including profiling||22.214.171.124|
|24||Responsibility of the controller||4.4 6.1.1
|25||Data protection by design and by default||6.1.7|
|27||Representatives of controllers or processors not established in the Union||126.96.36.199|
|29||Processing under the authority of the controller or processor||188.8.131.52|
|30||Records of processing activities||6.1.2
|31||Cooperation with the supervisory authority||4.2
|32||Security of processing||8.2.11|
|33||Notification of a personal data breach to the supervisory authority||184.108.40.206|
|34||Communication of a personal data breach to the data subject||220.127.116.11|
|35||Data protection impact assessment||6.1.4
|37||Designation of the data protection officer||5.3
|38||Position of the data protection officer||18.104.22.168|
|39||Tasks of the data protection officer||22.214.171.124|
|44||General principle for transfers||126.96.36.199|
|45||Transfers on the basis of an adequacy decision||188.8.131.52|
|46||Transfers subject to appropriate safeguards||184.108.40.206|
|47||Binding corporate rules||220.127.116.11|