GDPR Frequently Asked Questions

22 Feb, 2018

Whilst having an ISO Standard can help with GDPR, it does not make you compliant! We have put together some FAQs to help you understand your options.

Does having an ISO Standard mean I’m GDPR compliant?

In a word, no.

Even having the Information Security Standard (ISO 27001) doesn’t make you fully compliant, although it helps significantly.

Although we can help you achieve compliance in three different ways (as outlined below), every business, including those running internationally recognised management systems, will need to take steps to review its data and update its policies and procedures.

Why is GDPR a buzzword at the moment?

GDPR is a beefed-up version of Data Protection. It has been a regulation for a while but becomes legislation on the 25th May. That’s when businesses run the risk of big fines from the ICO (Information Commissioner’s Office). The potential fines for failing to comply with GDPR could reach up to €20 million or 4% of the group’s worldwide turnover (whichever is the greater), against both data controllers and data processors. Whilst GDPR will apply from 25th May 2018, it is an ongoing matter that your business will need to continually comply with.

We don’t know what to do, can ISO Quality Services help?

Whilst GDPR can seem a little daunting, here at ISO Quality Services we pride ourselves on keeping it simple. Whether you’ve been putting off your GDPR preparations or have made a start but feel you require guidance, ISO Quality Services can help in three ways:

  1. GDPR training

We offer a one-day interactive workshop that uses business scenarios to introduce the new legislation and provide an overview of the steps that businesses will need to take as dictated by law to become compliant.

By the end of the day, you’ll be able to:

  • Understand what the EU GDPR is and why the law is changing.
  • Explain what has changed from the Data Protection Act 1998 and what is expected going forward.
  • Understand what the impact of the EU GDPR means for your business.
  • Be able to formulate a plan of action.

Further information on this course can be found here.

  2. GDPR consultancy

We appreciate that every business is different and each will manage its data in different ways. We can therefore arrange for one of our GDPR consultants to come into your business and provide one-to-one guidance tailored to your needs.

To explore this option, call us on 01905 670303 or email info@isoqsltd.com.

  3. We can help you implement ISO 27001

Businesses with ISO 27001 are already halfway to achieving compliance. Certification is normally achieved in eight weeks, regardless of the business’s size or sector.

One of our expert auditors will carry out an initial assessment. This process involves a gap analysis, identifying areas of non-compliance, recommending areas of improvement to meet the requirements, and gathering the information needed to compile documentation.

Once you are certified, we work with you to ensure you stay on track. We help you monitor your progress with a six-monthly review from our expert auditor and an annual recertification audit. We also provide over-the-phone support all year to help you keep on top of things.

More information on ISO 27001 certification can be found here.

I already have ISO 27001, do I need to worry about this?

You do, but you’ve already got an advantage in that many of the processes within ISO 27001, such as disposal of media and security of equipment, are great best practice for complying with GDPR. If you require any help, we can arrange for one of our consultants to conduct a gap analysis to help bring you up to compliance. Alternatively, take a look at one of our upcoming GDPR training courses.

We’re an existing client, is GDPR included in our package?

The GDPR is not a change to an international management system; it is a fundamental shift in the way data is used and stored within your business’s operations. As such, we cannot simply issue an update to a manual to help you achieve GDPR compliance.

To give another example, if we help a client run a BS 18001 Health & Safety management system and new H&S legislation comes in, such as a change to manual handling, our client will still need to make operational changes to ensure compliance with the new legislation.

ISO Quality Services Ltd are proud to specialise in the implementation and certification of the internationally recognised ISO and BS EN Management Standards.

Do you want to get ahead of your competition? Win more tenders or save time and money on recurring issues? Contact us today on 0330 058 5551 or email info@isoqsltd.com.

Alternatively, you can request a quote by filling out our enquiry form and a member of our team will be in touch shortly.
