
The General Data Protection Regulation (GDPR): What the new law means for you and your organisation

Building a culture of privacy in your organisation
The General Data Protection Regulation (GDPR) is the biggest development
in data protection law this century – increasing safeguards for individuals
and making organisations more accountable for how they use our personal
data. The GDPR brings data protection to the forefront of your organisation’s
processes; whether you handle personal information relating to your
customers or employees, GDPR will have an impact on the way you work.

“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”

Elizabeth Denham, UK Information Commissioner
ICO Blog - Businesses warned to prepare with one year until data protection law

The official text of the GDPR doesn’t tell us exactly what we’ll need to do to be compliant by May 2018, and the national and regional lead supervisory authorities, who will be the regulators for the GDPR, are providing interpretation and advice as that date approaches. In this guide, we outline the main aspects of the GDPR and the areas to consider in your preparations.

Much has been written about the high fines for failing to comply with the new law, and although there are questions about how the law will be enforced, that is no excuse for inaction. So with less than a year until the GDPR comes into force, now is the time to prepare.

DISCLAIMER: This overview guide is intended as a general introduction to the GDPR. Please contact your nearest LRQA office for advice specific to your organisation.

What is GDPR?
The European Parliament approved the General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679] in April 2016 and it will apply from 25 May 2018. It will strengthen data protection for all individuals within the EU regardless of where the data is held. It builds on existing regulations to improve consistency and the safeguards in place.

Who does it apply to?
Article 3 of the GDPR sets out the territorial scope of the regulation, which covers:
• The processing of personal data in the context of the activities of organisations in the European Union, regardless of whether the processing takes place in the Union or not.
• The processing of personal data of data subjects (i.e. living individuals) who are in the Union by a controller or processor not based in the EU, where the processing activities relate to offering goods or services to data subjects in the Union, or to the monitoring of their behaviour within the Union.
• The processing of personal data by organisations not established in the Union, but in a place where Member State law applies by virtue of public international law.

Key concepts
The lead supervisory authority is the
main data protection regulator that a controller would
refer to for compliance, to register a data protection
officer, or to report a breach – see page 18 for the full list of
supervisory authorities. A controller can determine
its lead supervisory authority according to where its
‘main establishment’ or base is within the EU.

Personal data is any data that you hold about a living individual (data subject), held either electronically or manually in a structured system, that could identify that person. This could include a name, an email address, bank details, an IP address or even a photo. It’s worth noting that national legislation will apply and different countries have their own definitions of the categories of personal data, so in the US, for example, bank details are classed as sensitive personal data.

Special categories of personal data refers to sensitive personal data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning physical or mental health, sex life or sexual orientation, where it is processed to identify an individual. Criminal convictions are not included in this category, but similar safeguards apply to their processing.

The controller is an organisation or individual who determines how and why personal data is processed. The controller must make sure that its contracts with processors comply with the GDPR.

The processor refers to an organisation or individual, other than an employee of the data controller, who processes personal data on behalf of the controller. Under certain conditions, the GDPR brings new requirements for processors including keeping records of personal data and processing activities. Under the GDPR, processors face greater liability if they are responsible for a breach.

Data protection by design and by default is an approach that promotes data protection and privacy from the start of a project. This makes it easier to identify and address potential issues and raises awareness of data protection within the organisation. The GDPR requires organisations to consider appropriate technical and organisational measures and integrate data protection into their processing activities to minimise the amount of personal data collected, the extent of processing, the storage period and accessibility.

A personal data breach occurs when personal data is destroyed, lost, altered, shared, accessed, transmitted, stored or processed without the proper authorisation. Organisations will need to report a personal data breach under the GDPR if it’s likely to result in a risk to a data subject’s rights and freedoms.

The UK government has confirmed that Brexit will not stop the UK adopting the GDPR, but it could mean that UK-based organisations have to deal with regulators across every EU member state that they are active in. The same issue will apply to organisations based in non-EU countries that need to be GDPR compliant, but don’t have a base within the EU.

The six principles of the GDPR
The main responsibilities for organisations are set out in the GDPR’s six principles.
As individuals, we expect our data to be treated securely and with respect. In an
organisational setting, it’s important to remember that the personal data that we deal
with relates to an actual person and how we process it could have an impact on them.

Article 5 states that personal data shall be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Collected for specified, explicit and legitimate purposes and not processed beyond those purposes. Further processing for archiving purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Accurate and, where necessary, kept up-to-date. Reasonable steps must be taken to ensure that inaccurate personal data is corrected or erased without delay.
5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods for archiving purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required to safeguard the rights and freedoms of the data subjects.
6. Processed in a manner that ensures appropriate security of the personal data through the use of technical and organisational measures.

Article 5 (2) sets out the accountability concept and states that the controller “shall be responsible for, and be able to demonstrate compliance with” the above principles. This means that organisations need to be able to demonstrate how they comply with the principles. It’s important to understand the risks to individuals when you use their data, and how you can mitigate the risks.

The use of data is so widespread in how we all work that GDPR is likely to impact all areas of your organisation.

“Think of data as borrowing an expensive item from a friend. It is never actually yours; it is on loan from the data subjects. They can ask for it back, they can check that you are using it correctly, they can demand that you do not further loan it to someone else without their approval, and they have rights over what you do with it.”

Nigel Hawthorn, Skyhigh Networks’ European spokesperson
http://www.itproportal.com/2016/07/10/eu-gdpr-an-action-guide-for-it/
The legal grounds for processing data
Article 6 of the GDPR sets out six legal
grounds for processing personal data.
Extra legal grounds are set out for
specific categories of sensitive personal
data. You will need to determine the
basis for processing personal data and
document it to fulfil the principle of
lawful processing.

In your privacy notice, you will need to make it clear to data subjects which legal ground you are using and why that is the basis for data processing.

The six bases are:
1. The data subject has given consent.
2. Data processing is necessary for the performance of a contract.
3. Data processing is necessary to comply with a statutory legal obligation.
4. Data processing is necessary to protect the vital interests of a data subject or another person.
5. Data processing is necessary to perform a task in the public interest.
6. Data processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Consent
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
Recital 32

What does this mean in practice?

• GDPR sets much higher standards for consent than most current data protection legislation. Opt-outs will no longer be acceptable. As recital 32 states, “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
• You must say who the data controller is and name any third parties who may process the data, why you want the data and what you plan to do with it. You also need to make it clear how to withdraw consent if that is the legal basis being used.
• The burden of proof is on the data controller and processor to demonstrate that an individual has given consent.
• Article 8 of the GDPR strengthens the protection of children’s personal data. A child under the age of consent cannot give consent themselves and an adult with ‘parental responsibility’ would need to give it on their behalf. EU Member States can set their own age of consent as long as it is not below 13. Where a different legal basis is used for processing a child’s data, the privacy notice must be written in a clear way that a child will understand.

It should also be noted that other EU directives (2016/680, the Law Enforcement Directive, and 2016/681 on the use of the Passenger Name Record) apply from the same date as the GDPR. They relate to the legitimate processing of data by criminal investigation authorities for the prevention of criminal or terrorist acts and complement the GDPR.

The ePrivacy Directive (2002/58) is being reformed and is also due to apply from May 2018 to ensure that the laws governing internet-based services keep step with evolving technology.

Individuals’ rights
1. The right to be informed: This means being transparent about how you use personal data, and in many cases this information can be shared through your organisation’s privacy notice.

2. The right of access: Individuals have the right to request confirmation that their data is being processed and they are entitled to obtain access to their personal data and, if requested, organisations must provide a copy of the information free of charge. However, article 12 (5) states that where the controller can demonstrate that requests from a data subject are manifestly unfounded, excessive or repetitive, they can charge a reasonable administrative fee or refuse to act on the request. You must respond to requests for access within one month, which can be extended to two months if the request is complex. Organisations must take reasonable steps to verify the identity of the person making the request. Recital 63 of the GDPR recommends that, where possible, organisations should provide remote access to a secure self-service system that would provide an individual with direct access to their personal data.

3. The right to rectification: Data should be rectified if it is inaccurate or incomplete. If the data has been shared with third parties, you are responsible for informing them of the rectification and you need to inform the individual about the third parties where appropriate. You must respond to requests for rectification without undue delay.

4. The right to erasure: Also known as the ‘right to be forgotten’, it means that an individual can request that their personal data be removed where one of the qualifying conditions set out in article 17 applies. Article 17 (3) sets out a number of circumstances where you can refuse to comply with a request for erasure. They are:
• To exercise the right of freedom of expression and information.
• To comply with a statutory legal obligation or for the performance of a public interest task or exercise of official authority.
• For public health purposes in the public interest in accordance with national legislation.
• For archiving purposes in the public interest, scientific research, historical research or statistical purposes in accordance with article 89 (1).
• The exercise or defence of legal claims.

5. The right to restrict processing: Individuals can block the processing of their personal data where one of the conditions in Article 18 is met. The controller is responsible for communicating any rectification, erasure, or restriction to each recipient of the personal data, unless this involves disproportionate effort. They should also inform the data subject about those recipients if requested.

6. The right to data portability: Article 20 applies to automated data processing based on consent or a contractual obligation. It means that the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller.

7. The right to object: Objections can relate to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); processing for purposes of scientific/historical research and statistics; and direct marketing. You must inform data subjects clearly of their right to object at the ‘point of first communication’ and in your privacy notice.

8. Rights in relation to automated decision making and profiling: This is a safeguard against the risk that a potentially damaging decision is taken based on a system of automatic processing or profiling.

9. The right to withdraw consent: Under article 7 (3) the data subject can withdraw consent at any time, and this should be as easy as the process to give consent. This does not affect the lawfulness of any processing conducted before the withdrawal.

10. Rights in relation to lodging a complaint with a supervisory authority, judicial remedy and compensation: Article 77 explains that a data subject has the right to complain to a supervisory authority if he or she considers that the processing of his or her personal data breaks the law. Articles 78 and 79 set out when a data subject can take a supervisory authority, controller or processor to court for failing to fulfil their obligations under the GDPR. Article 82 (1) covers the right to receive compensation for material or non-material damage as a result of an infringement of the GDPR.

How can you demonstrate that you comply with the GDPR?
Organisations need to be able to show that they
comply with the principles of the GDPR to meet the
accountability requirements.

The measures that you take should be comprehensive yet proportionate to the complexity and types of personal data you deal with. Data protection policies, staff training, internal audits of processing and HR policies can be used to demonstrate compliance. Implementing data protection by design and by default in your processes will help to demonstrate the measures being taken.

Records of processing activities need to be kept for all organisations with more than 250 employees. Organisations with fewer than 250 employees also need to keep records of their processing activities in higher risk situations, such as processing that could risk the rights and freedoms of individuals, or if the processing relates to special categories of data or criminal convictions. If you are investigated you may need to make these records available to the relevant supervisory authority.

The GDPR supports the use of approved codes of conduct and certification to demonstrate compliance, although this isn’t currently mandated. At the time of writing, the Article 29 Working Party was developing guidelines on certification, which should clarify what standards and schemes will be applicable, or if new ones will be developed. Achieving certification or following a code of conduct demonstrates compliance, encourages best practice and builds trust with your customers and partners. Preferred standards and schemes may become a licence to trade in certain industries.

What needs to be recorded?

The following information about your processing activities needs to be recorded:
• Name and details of your organisation and a representative or contact point
• Purposes of the processing
• Description of the categories of individuals and the categories of personal data
• Categories of the recipients of personal data, including those in third countries
• Details of transfers to third countries, including documentation of the transfer mechanism safeguards in place
• Retention schedules
• Descriptions of technical and organisational security measures

In the information security and data protection arena, LRQA delivers a range of training and certification services for ISO 27001 – the international standard that sets out the requirements for establishing, implementing and improving an information security management system (ISMS) within the context of the organisation. It provides organisations with a best practice framework to identify, analyse and implement controls to manage information security risks and safeguard the integrity of business-critical data.

Restrictions on the transfer of personal data

The GDPR places restrictions on the transfer of personal data outside of the European Economic Area (EEA) to maintain the required level of protection. These are detailed in chapter V of the GDPR. The European Commission will decide if a third country, territory, or an international organisation ensures an adequate level of protection. In other cases, where transfers are on a one-off or infrequent basis, these may be allowed if adequate safeguards are in place, such as legally binding agreements between public authorities or binding corporate rules, or compliance with an approved code of conduct or certification scheme. This will have many implications both for multinational organisations and those trading across borders. The Article 29 Working Party will publish further guidelines later this year.

Who is responsible for data protection within the organisation?

Do you need to appoint a DPO? Work through the following questions:
• Are you a public authority?
 – Yes: Are you a court judge acting in a judicial capacity?
  – Yes: You do not need to appoint a DPO.
  – No: You MUST appoint a DPO.
 – No: Do your core commercial activities carry out large scale systematic monitoring of individuals?
  – Yes: You MUST appoint a DPO.
  – No: Do you carry out large scale processing of special categories of data or data relating to criminal offences?
   – Yes: You MUST appoint a DPO.
   – No: You do not need to appoint a DPO.

A data protection officer (DPO) is the independent face of data protection within an organisation. All organisations must make sure that they have sufficient skills and resources to meet their GDPR requirements, and in some cases, the GDPR states you must appoint a DPO.

There is no clear definition for how many data subjects would constitute ‘large scale processing’. Recital 91 states that: “The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.” From this, one could assume that if you have special categories of data for more than a couple of thousand data subjects, then a DPO is required, but until the case law develops, we may not have a definitive answer to this.

The DPO can be an employee, as long as there isn’t a conflict of interest with their existing role, or the role can be outsourced. One DPO can act for a group of companies or a group of public authorities, but depending on the size and complexity of the group, more may be needed. There are no specific qualifications or credentials to be a DPO, but they do need professional experience and knowledge of data protection law. The DPO’s contact details should be published and communicated to the relevant supervisory authority.

The DPO must report to the highest level of management, must be provided with adequate resources to meet the GDPR requirements, and cannot be dismissed or penalised for performing their role. The DPO’s minimum tasks are defined within article 39 of the GDPR:
• To inform and advise the organisation and its employees about their data protection legal obligations.
• To monitor compliance with the GDPR and other data protection laws, including raising awareness and training employees, advising on data protection impact assessments and conducting internal audits.
• To be the main point of contact for the supervisory authorities and data subjects on questions of data protection and compliance.
• To assess the risks associated with the data processing operations.

How can LRQA help?

If you are taking on the role of a DPO, LRQA’s two-day workshop will give you a detailed understanding of your role and responsibilities under the GDPR. Filled with practical advice, this workshop will help you to establish effective systems and engage your organisation to meet the requirements of the new regulation. On the course, you will learn:
• About the role of the DPO and how to establish and manage compliance as a DPO, consistent with the GDPR requirements.
• How to set up a risk-based, sustainable and effective data protection compliance programme.
• How to draft policies, procedures, and guidance materials.
• How to develop engagement across your organisation and how to communicate with various stakeholders.
• The role of the DPO in crisis situations.

When do you need to complete a data protection impact assessment?
Data protection impact assessments (DPIA) can be used to
identify and fix potential issues at an early stage and are an
effective way to take a ‘data protection by design’ approach.

DPIAs are already seen as good practice and the GDPR takes them a step
further by making them mandatory in the following circumstances:

• When using new technologies for processing that presents a high risk to individuals’ rights and freedoms.
• Systematic profiling on which decisions are based that have an impact on the data subject.
• Large scale processing of special categories of personal data, including those relating to criminal convictions.
• Large scale, systematic monitoring of public areas – notably CCTV.

What information should a DPIA include?

• A description of the processing, why it is being carried out, and the legal basis.
• An assessment of the need and proportionality of the processing.
• An assessment of the risks to individuals.
• The measures in place to address the risks and demonstrate compliance with the regulation.

According to article 35 (11), the controller needs to review that the processing is conducted in line with the DPIAs, particularly when there is a change to the risk level.

How can LRQA help?

We can provide DPIA training that gives practical guidance on how to conduct DPIA within your organisation. If you are responsible for carrying out DPIA, LRQA’s one-day in-company workshop gives practical guidance on conducting Data Protection Impact Assessments (DPIA). This includes:
• What a DPIA is and when one should be carried out.
• Your national regulators’ recommendations and guidance.
• The stages of a DPIA and what to do in practice.
• The relationship between conducting DPIAs and other risk and project management activities, such as other risk assessments or data protection audits.
• What legal and compliance issues you will need to consider within your organisation.

Additionally, LRQA can carry out the Data Protection Impact Assessments on your behalf. Our specialist assessors will use proven risk-based methodologies, and the opportunity can be used to mentor internal staff.

What do we need to do if there’s a personal data breach?
Under the GDPR, organisations will be duty bound to report certain types of personal data breach to the relevant supervisory authority when the breach is likely to lead to a risk to the rights and freedoms of individuals, such as discrimination, loss of confidentiality or financial loss. The breach has to be assessed on a case by case basis.

Organisations also need to let the individuals affected know where the breach is likely to result in a high risk to their rights and freedoms.

The Article 29 Working Party will issue guidelines on the notification of personal data breaches during 2017.

What we know so far is that:
• Breaches must be reported within 72 hours of becoming aware of the incident. Information can be provided in phases as the investigation unfolds.
• Failing to notify a breach within the timescale can result in a fine of up to 10 million EUR or 2% of global turnover.
• If more than one article is breached, it will be the one with the highest penalty that will be imposed.
• The breach notification should include:
 – The nature of the personal data breach, including the category and number of records and individuals affected.
 – The contact details of the data protection officer or other point of contact, if there isn’t a DPO.
 – The likely consequences of the data breach and the measures taken or proposed to deal with the breach to mitigate its impact.

The controller needs to keep records of their investigation into the breach to demonstrate compliance to the supervisory authority in accordance with article 33.

The most common cause of information security breaches is human error, so it’s important that everyone within your organisation who deals with personal data understands what a data breach is, and what the reporting procedure is.

With only 72 hours to report a breach, robust detection, investigation and reporting procedures will be vital.

Failure to comply with the law

The supervisory authority can impose warnings, reprimands and temporary suspensions of data processing as well as fines. National laws may also have other sanctions, such as custodial sentences.

The level of the penalty will depend on:
– the nature, duration and gravity of the infringement,
– the type and volume of data involved,
– whether it was intentional or negligent,
– the steps taken by the organisation to mitigate potential damage,
– how the regulator found out about the breach,
– adherence to a code of conduct, and
– if it’s a repeat offence.

If all else fails...

Regulators are not likely to look favourably on organisations that have made no effort to prepare for the GDPR. The maximum fine for failing to comply – for example using personal data without consent or failing to protect personal data – is up to 20 million EUR or 4% of global turnover for the previous year – whichever is greater. Data subjects will also be able to claim compensation from the controllers or processors who break the law for the damage they have suffered.

Regulatory fines could be just the tip of the iceberg. Even if an organisation were able to weather the financial penalties, the consequences represent a significant business risk, including:
– reputational and brand damage,
– consumer mistrust and loss of market share,
– increased scrutiny from shareholders and investors, and
– cost of forensic investigation and remedial actions.

How can LRQA help?

ISO 22301:2012 is the international standard for Business Continuity. It identifies best practice in establishing a management system that minimises the risks of impact from disrupted service provision. Like most international management system standards, it is based on the Plan, Do, Check, Act cycle.

A business continuity management (BCM) system will help organisations put structures in place to identify the potential threats that may exist, the impact of incidents and how to guard against them. It gives a framework for managing the organisation through the process of preparing strategies and methods to reduce the impact of any incident and building the capability to respond effectively should one occur. In this context it provides the perfect mechanism for managing data breaches. LRQA provides training, gap analysis and accredited certification to this standard.

What does it mean for your organisation?
While the eye-watering fines have grabbed
headlines in the business press, the
GDPR offers organisations opportunities
to streamline processes, develop their
employees and build trust with consumers.

As one email marketing agency put it, GDPR is less about Gloom, Doom, Panic and Retribution and more about the opportunity for Great Data and a more Personal Relationship.

Leaders

The focus on accountability and governance means greater engagement from leaders to ensure that the organisation has the resources and skills to fulfil the requirements of GDPR. If your organisation has a data protection officer, they should report to the highest level of management.

The GDPR provides an opportunity to transform your organisation’s culture and processes to be more customer-centric and streamlined. Culture change needs to be led from the top to role model the new practices and behaviours that will create a ‘culture of privacy’. All organisations are in the same boat, so if you take a proactive approach, you can create an early mover advantage and promote your approach as a clear signal that you respect your customers’ individual rights.

IT

While the responsibility for data protection is spread across many departments, IT has a major role to play to ensure compliance with the GDPR.

Here are a few things to consider:
• Where is personal data stored?
• Does any of the data come into the sensitive personal data category?
• What are your procedures for data transfer?
• Do you outsource any data processing? Do you use any cloud
• How will you manage the requirements to delete data when it is no longer needed? And how will you ensure data is completely removed from your systems if a data subject invokes their right to be erased?
• Do the security settings on your database ensure that data is only shared with individuals or organisations that have permission to use that data?
• Do your systems contain duplicate data? Can you consolidate the data? How will you manage that and ensure that any personal data caught in a silo is processed in accordance with the regulations? For example, if a data subject withdraws consent – how will you ensure that request is respected across all systems?
• Are you confident that your systems would identify a data breach in any form they may take?
• Encryption can be used to reduce the risk of data loss. To what extent is data encryption part of your processes?
• Have you reviewed and updated your privacy policies to ensure they are compliant?

HR

National law or collective agreements may provide more specific rules relating to the processing of employees’ personal data in a work context, but these laws must include appropriate safeguards to protect employees’ rights and freedoms, right from the recruitment stage.

The record keeping and security requirements equally apply, so HR professionals will need a clear grip of

There may also be training requirements to ensure that your employees comply with the regulations, regardless of whether the personal data they handle relates to customers, service users, or employees.

Finance

Finance teams will need to have a clear understanding of the data that they hold, what would be classed as sensitive personal data, why they need that data and who has access to it. What are the risks related to the personal data that you hold? How will you manage requests for access, rectification, or erasure? How will you manage any third parties who process the personal data you hold?

Sales and Marketing

Early adoption of the GDPR has the potential to inspire greater confidence in your brand, boosting your reputation as a trusted organisation.

Consent is the big issue for sales and marketing teams, as prospects and customers will need to confirm that they’ve agreed to receive marketing communications, and via which channels, before you can contact them. While this means that subscribed lists may shrink, the quality of the data will be higher, enabling better segmentation to create relevant, personalised content.

The result? Data analytics that can deliver more accurate customer insight, better engagement and ultimately conversion.
based services? all the places personal data is saved and
• How do you demonstrate that the processes may need to be reviewed to
personal data in your systems is ensure compliance. For multinational
secure? Can you track its movement? employers, data flows and the transfer
of data through the company will need
to be reviewed.

13
Here are a few other areas to consider:
• Double opt-in will become the norm.
• Think about how you can better use your email preference centre (EPC) to help segment your customer data.
• What processes do you have to ensure that you do not contact your unconfirmed or unsubscribed contacts by mistake?
• At events, you will need to make consent very clear if you plan to send follow-up communications to visitors.
• From a PR perspective, you need permission from journalists to contact them too. If you use a news distribution service, you will need to check that they have the appropriate consent in place.

Customer Services
Although it might be painful to get there, a clean database will make it easier to deliver a great customer experience. The principles of limiting the data to what’s necessary and ensuring it is accurate and up-to-date may lead to new processes for customer services teams. It will be important to think about who within the organisation has access to personal data and about any data flows within the organisation that involve a third party processor or transfer outside of the EU.

Remote working
For your employees out in the field, data security will be an important issue to consider. How are physical records managed? What are the data protection risks from their day-to-day activities? What would be the risk if a laptop or other device was lost or stolen? Understanding where data is stored and who has access will be vital to mitigate the risks.

SMEs
The scale and scope of the GDPR can seem quite daunting to organisations of any size, let alone a small business. However, as a small business, you may still be processing a large amount of personal data and will need to comply with the law in the same way a larger organisation would. SMEs are often more agile than large organisations, so you may find that it’s easier to implement the changes needed and gain an early mover advantage over larger rivals – showing your customers and employees that you are a brand to trust.

Organisations with fewer than 250 employees need to keep records of their processing activities in higher risk situations, such as processing that could risk the rights and freedoms of individuals or if the processing relates to special categories of data or criminal convictions.

How can LRQA help?
Our range of GDPR training services has been developed to address a wide range of stakeholders within your organisation.
• The GDPR Briefing gives an introduction to the principles and concepts found in the GDPR.
• The GDPR Foundation course explains the implications for your organisation and the steps to take to become compliant.
• Data Protection Officer (DPO) training helps DPOs prepare for the requirements and responsibilities of their new role.
• Data protection and information security onboarding via eLearning.

You can find the full text of the GDPR here
5 step GDPR Implementation Plan
How LRQA can help: training, business assessment and improvement services at each step

1 Raise Awareness
Increase knowledge of the GDPR within your organisation. From a general overview to role-specific knowledge required to ensure compliance.
LRQA services: GDPR Foundation; Data Protection/Information Security onboarding (eLearning).

2 Map your data
Identify the current situation. How does your company shape up? By mapping your data, conducting a review of policies, processes and practices, and carrying out an in-depth gap analysis, you can identify the risks and what needs to be done.
LRQA services: Data Protection Impact Assessment Workshop; Data Protection Officer Workshop; Data Protection Impact Assessment; GDPR Gap Analysis; Data Mapping and Classification.

3 Develop an action plan
Prepare your GDPR Action Plan. Bring together the people from across your organisation who will commit to and take ownership of the plan.
LRQA services: GDPR ‘Pathway’.

4 Implement your plan
Take action and do what you’ve planned. Deployment should be time bound and project managed against the objectives set in your action plan.
LRQA services: GDPR ‘Pathway’; GDPR Readiness Assessment; GDPR Controls Assessment and Attestation.

5 Manage and improve your system
Demonstrate compliance and commitment. Review your outputs to date against the gaps identified in phase 2. Review the system and controls continuously to ensure they stay effective.
LRQA services: Data Protection/Information Security onboarding (eLearning); ISO 27001 and ISO 22301 Certification and Gap Analysis; BS 10012 Compliance and Gap Analysis.
Our GDPR services in summary
In the information security and data protection arena our services cover both training and assessment including:

• The GDPR Briefing gives an introduction to the principles and concepts found in the GDPR.
• The GDPR Foundation course explains the implications for your organisation and the steps to take to become compliant.
• Data Protection Officer (DPO) training helps DPOs prepare for the requirements and responsibilities of their new role.
• GDPR readiness assessment and gap analysis.
• Data mapping and classification.
• We can carry out Data Protection Impact Assessment (DPIA) on your behalf and we can provide DPIA training that gives practical guidance on how to conduct DPIA within your organisation.
• GDPR controls assessment and attestation.
• Data protection and information security onboarding via eLearning.
• Training, Gap Analysis and Certification for ISO 27001 (information security management), ISO 22301 (societal security – business continuity management systems) and BS 10012 (personal information management system).

Demonstrating compliance through Management Systems
We deliver a range of training and certification services for ISO 27001 – the international standard that sets out the requirements for establishing, implementing and improving an information security management system (ISMS) within the context of the organisation. It provides a best practice framework to identify, analyse and implement controls to manage information security risks and safeguard the integrity of business-critical data.

How will ISO 27001:2013 certification benefit my organisation?
• Minimises risk – ensures controls are in place to reduce the risk of security threats and to avoid any system weaknesses being exploited. Your ISMS is part of a business continuity plan, which means you’re in a good position to recover quickly should the worst happen.
• Best practice – widely recognised as providing best practice guidance in information security management.
• Stay within the law – compliance requires you to identify applicable legislation, which has a positive impact on risk management and corporate governance.
• Competitive edge – certification by LRQA gives your customers, trading partners and other key stakeholders confidence that you have addressed all security risks including IT, people, physical and business continuity. It is a public and independent statement of your capability, which may help when responding to tenders.
• Management system integration – the basis of the standard is the Plan Do Check Act cycle in common with other management system standards, making it simpler for you to develop a single management system that meets the requirements of other standards.
• Reduced costs – following a methodical risk assessment approach ensures that resources are applied to reduce overall risk, rather than just focusing on one aspect, which can leave other areas exposed.

At present, the GDPR does not mandate third-party certification. However, there is alignment between the requirements of ISO 27001 and the GDPR in terms of how organisations should manage their information security policies, controls and processes.

Achieving certification to ISO/IEC 27001:2013 demonstrates a commitment to meeting the requirements of the GDPR – demonstrating both compliance and accountability.

A new personal information management system standard

BS 10012:2017 has been written specifically to address the requirements of the GDPR. BS 10012 covers employee security awareness training, risk assessments, data retention and disposal, helping you to implement policies and procedures to manage individuals’ personal data effectively. As it is based on the Annex SL High Level Structure, it is easy to integrate with other management system standards and provides the assurance that your organisation can demonstrate compliance with GDPR.

It helps you:
• Identify risks to personal information and put controls in place to manage or reduce them
• Demonstrate compliance with data protection legislation and gain preferred supplier status
• Gain stakeholder and customer trust
• Gain a tender advantage and win new business
• Safeguard your organisation’s reputation and avoid adverse publicity
• Protect you and your organisation against civil and criminal liability
• Benchmark your own personal information management practices with recognised best practice
Better safe than sorry
Information is one of the most valuable and business-critical assets for any organisation. In today’s hyper-connected world, organisations are exposed to large scale information security threats and destructive cyber-attacks, regardless of size, industry, or geographical location.

When information security systems are not properly managed and maintained, organisations run the risk of sustaining serious financial and reputational losses. Ensuring your organisation has the right controls in place to reduce the risk of serious data security threats and avoid any system weaknesses from being exploited is essential.

Our expertise
LRQA has been at the forefront of standards development and involved in information security management system (ISMS) assessment and certification for many years.

Our roster of high-profile clients in the finance, telecommunications, software, internet, consultancy, justice and government sectors trust LRQA to deliver high quality, consistent and impartial assessments with the full back-up of a highly dedicated support package.

Our assessors are management systems experts qualified in information security and other aspects of IT, whose objective view will give you confidence in your own security measures as judged against best industry practice.

About us
LRQA is a recognised, world leading professional assurance services organisation. We specialise in management systems compliance and expert advice across a broad spectrum of standards, schemes and business improvement services including customised training and assurance programs. We are recognised by almost 50 accreditation bodies and deliver our services to clients in more than 120 countries.

Our unique assessment methodology takes your management systems from compliance to performance, in order to reduce business risk, and enhance the effectiveness, efficiency, and continuous improvement of your management systems.
Lead Supervisory Authorities

EU Member States | National Data Protection Authority | Local name | Website
Austria | Austrian Data Protection Authority | Datenschutzbehörde | www.dsb.gv.at
Belgium | Commission for the Protection of Privacy | Commission de la protection de la vie privée (CPVP) / Commissie voor de bescherming van de persoonlijke levenssfeer | www.privacycommission.be
Bulgaria | Bulgarian Data Protection Authority | Комисия за защита на личните данни | www.cpdp.bg
Croatia | Croatian Personal Data Protection Agency | Agencija za zaštitu osobnih podataka | www.azop.hr
Cyprus | Office of the Commissioner for Personal Data Protection | Γραφείου Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα | www.dataprotection.gov.cy
Czech Republic | The Office for Personal Data Protection | Úřad pro ochranu osobních údajů (ÚOOÚ) | www.uoou.cz
Denmark | Danish Data Protection Agency | Datatilsynet | www.datatilsynet.dk
Estonia | Estonian Data Protection Inspectorate | Andmekaitse Inspektsioon | www.aki.ee
Finland | Office of the Data Protection Ombudsman | Tietosuojavaltuutetun toimisto | http://www.tietosuoja.fi
France | National Commission on Informatics and Liberty | Commission Nationale de l’informatique et des libertés (CNIL) | www.cnil.fr
Germany | Federal Commissioner for Data Protection and Freedom of Information | Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) | www.bfdi.bund.de
Germany (Baden-Württemberg) | State Commissioner for Data Protection Baden-Württemberg | Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg (LfDBW) | www.baden-wuerttemberg.datenschutz.de
Germany (Bavaria) | The Bavarian State Commissioner for Data Protection | Der Bayerische Landesbeauftragte für den Datenschutz | www.datenschutz-bayern.de
Germany (Berlin) | Berlin Commissioner for Data Protection and Freedom of Information | Berliner Beauftragte für Datenschutz und Informationsfreiheit | www.datenschutz-berlin.de
Germany (Brandenburg) | The Federal Commissioner for Data Protection and the Law on the Inspection of Files Brandenburg | Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg | www.lda.brandenburg.de
Germany (Bremen) | The State Commissioner for Data Protection and Freedom of Information Bremen | Die Landesbeauftragte für Datenschutz und Informationsfreiheit Bremen | https://ssl.bremen.de/datenschutz
Germany (Hamburg) | The Hamburg Commissioner for Data Protection and Freedom of Information | Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI) | www.datenschutz-hamburg.de
Germany (Hesse) | The Hessian Data Protection Commissioner | Der Hessische Datenschutzbeauftragte | www.datenschutz-hessen.de
Germany (Mecklenburg-Vorpommern) | The State Commissioner for Data Protection and Freedom of Information Mecklenburg-Vorpommern | Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern | www.datenschutz-mv.de
Germany (Lower Saxony) | The State Commissioner for Data Protection Lower Saxony | Die Landesbeauftragte für den Datenschutz Niedersachsen | www.lfd.niedersachsen.de
Germany (North Rhine-Westphalia) | The State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia | Die Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen | www.ldi.nrw.de
Germany (Rhineland-Palatinate) | The State Commissioner for Data Protection and the Freedom of Information Rhineland-Palatinate | Die Landesbeauftragte für Datenschutz und die Informationsfreiheit Rheinland-Pfalz | www.datenschutz.rlp.de
Germany (Saarland) | Independent Data Protection Center Saarland | Unabhängiges Datenschutzzentrum Saarland | www.datenschutz.saarland.de
Germany (Saxony) | The Saxon Data Protection Officer | Der Sächsische Datenschutzbeauftragte | www.saechsdsb.de
Germany (Saxony-Anhalt) | The State Commissioner for Data Protection Saxony-Anhalt | Die Landesbeauftragte für den Datenschutz Sachsen-Anhalt | www.datenschutz.sachsen-anhalt.de
Germany (Schleswig-Holstein) | Independent State Center for Data Protection Schleswig-Holstein | Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein | www.datenschutzzentrum.de
Germany (Thuringia) | The Thuringian State Commissioner for Data Protection and Freedom of Information | Der Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit | www.tlfdi.de
Lead Supervisory Authorities (continued)

EU Member States | National Data Protection Authority | Local name | Website
Greece | Hellenic Data Protection Authority | Αρχή Προστασίας Προσωπικών Δεδομένων | www.dpa.gr
Hungary | Hungarian National Authority for Data Protection | Nemzeti Adatvédelmi és Információszabadság Hatóság | www.naih.hu
Ireland | Data Protection Commissioner | An Coimisinéir Teanga | www.coimisineir.ie
Italy | Italian Data Protection Authority | Garante per la Protezione dei Dati Personali | www.garanteprivacy.it
Latvia | Data State Inspectorate | Datu valsts inspekcija | www.dvi.gov.lv/lv
Lithuania | State Data Protection Inspectorate | Valstybinė Duomenų Apsaugos Inspekcija | www.ada.lt
Luxembourg | National Commission for Data Protection | Commission nationale pour la protection des données | https://cnpd.public.lu/en/
Malta | Office of the Information and Data Protection Commissioner | Nationale Kommission für den Datenschutz | https://idpc.org.mt
Netherlands | Dutch Data Protection Authority | Autoriteit Persoonsgegevens | www.autoriteitpersoonsgegevens.nl/
Poland | Inspector General for the Protection of Personal Data | Generalny Inspektor Ochrony Danych Osobowych | www.giodo.gov.pl/
Portugal | National Commission Data Protection | Comissão Nacional de Protecção de Dados | www.cnpd.pt/
Romania | National Authority for the Supervision of Personal Data Processing | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | www.dataprotection.ro
Slovakia | Office for Personal Data Protection of the Slovak Republic | Úrad na ochranu osobných údajov Slovenskej republiky | www.dataprotection.gov.sk
Slovenia | Information Commissioner of the Republic of Slovenia | Informacijski pooblaščenec | www.ip-rs.si/
Spain | Spanish Agency of Data Protection | Agencia Española de Protección de Datos (AEPD) | www.agpd.es
Spain (Basque Country) | Basque Data Protection Authority | Datuak Babesteko Euskal Bulegoa | www.avpd.euskadi.eus
Spain (Catalonia) | Catalan Data Protection Agency | Autoritat Catalana de Protecció de Dades (APDCAT) | http://apdcat.gencat.cat/ca/inici/
Sweden | Swedish Data Protection Authority | Datainspektionen | www.datainspektionen.se
United Kingdom | Information Commissioner’s Office | | www.ico.org.uk
EU | European Data Protection Supervisor (EDPS) | Le Contrôleur Européen de la Protection des Données / Der Europäische Datenschutzbeauftragte | https://edps.europa.eu/

EEA | National Data Protection Authority | Local name | Website
Iceland | The Icelandic Data Protection Authority | Persónuvernd | www.personuvernd.is
Liechtenstein | Data Protection Office of Liechtenstein | Datenschutzstelle (DSS) | http://www.llv.li/#/1758/datenschutzstelle
Norway | Data Protection Norway | Datatilsynet | https://www.datatilsynet.no/
Switzerland | Federal Data Protection and Information Society | Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) / Préposé fédéral à la protection des données et à la transparence (PFPDT) / Incaricato federale della protezione dei dati e della trasparenza (IFPDT) | www.edoeb.admin.ch

Rest of world | National Data Protection Authority | Local name | Website
USA | Federal Trade Commission | | www.ftc.gov
Lloyd’s Register Quality Assurance Ltd
1 Trinity Park
Bickenhill Lane
Birmingham
B37 7ES
United Kingdom

E enquiries@lrqa.com

Follow us on Twitter @LRQA

www.lrqa.com
Lloyd’s Register and LRQA are trading names of the Lloyd’s Register group of entities.
Services are provided by members of the Lloyd’s Register group, for details see www.lr.org

Lloyd’s Register Quality Assurance is a member of the Lloyd’s Register group.


Registered Office: 71 Fenchurch Street, London EC3M 4BS
Registered number: 1879370

Care is taken to ensure that all information provided is accurate and up to date. However, Lloyd’s
Register LRQA accepts no responsibility for inaccuracies in, or changes to, information. Lloyd’s Register
and variants of it are trading names of Lloyd’s Register Group Limited, its subsidiaries and affiliates.
Copyright © Lloyd’s Register Quality Assurance Limited, 2017. A member of the Lloyd’s Register group. GL / CYB / 005 / V1-2017