5 Oct, 2017
Welcome to the October 2017 edition of the ISO Quality Services Ltd Newsletter. This month’s edition is focused on GDPR!
We recently attended a presentation on GDPR given by speakers who had presented nationwide to representatives ranging from large premiership football clubs to local SMEs. What was clear from them was that many businesses are still largely in the dark about GDPR and the impact it could have on their business.
We all need to be aware that compliance with GDPR is not optional. Whilst it is more relevant to some businesses than others (marketing, PR, HR and recruitment to name a few), all businesses need to take on board what GDPR is and what they need to do to comply. In this article we have tried to condense a meaty topic down in to the basics
GDPR applies to both “controllers” and “processors” of data. The definitions for these are broadly the same as the Data Protection Act (‘DPA’). A controller says how and why personal data is processed and a processor acts on the controllers behalf (think of a business and its outsourced IT – the business is the controller but the IT company processes the data by holding it on their servers).
GDPR places specific legal obligations on processors including more legal liability if you are responsible for a breach. Controllers will need to ensure they contract with processors that are compliant with GDPR.
GDPR applies to personal data. Be careful not to be too narrow with your definition of personal data. This is much more detailed and wider than DPA to reflect technological changes and the way that organisations collect data, for example a work e-mail address can now be construed as personal data. Anything that previously fell under DPA will fall under GDPR including HR records, consumer lists and contact details. It applies to:
This is wider than under DPA.
Coded personal data could be caught by GDPR if it can be attributed to a particular individual.
This is “special categories” of personal data and whilst similar to DPA now includes genetic data and biometric data where it is processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included within this category but safeguards do apply to its processing.
GDPR is going to be introducing some new rights for individuals when it comes into force in May 2018, as well as strengthen some existing rights that are under the Data Protection Act.
The Law Society has release unprecedented guidance to law firms to consider adopting ISO 27100 Information Security. Here we explore why.
In the countdown to the EU’s General Data Protection Regulation (GDPR), the Law Society has released unprecedented guidance to law firms to consider adopting ISO 27001 Information Security to assist them with compliance. Usually a ‘closed-shop’ when it comes to recommending certifications, the Law Society must feel there is good reason to recommend ISO 27001.
In their article, the Law Society quotes statistics from the Information Commissioner’s Office (ICO) stating that there was a 173% increase in data security incidents in the legal sector in Q4 2017 compared with the previous quarter. Given that processing highly confidential personal data is a core part of legal work, it’s easy to see how law firms could be in danger of falling foul of the new legislation. Add to that the new fines for breaches under GDPR which can be between 2-4% of global annual turnover or €20 million (whichever the greater) and it’s a grim outlook.
Whilst it’s fair to say that the majority of law firms are tech savvy nowadays, embracing new technologies and backup systems, the majority of law firms still operate a largely paper based office. This brings with it any number of potential issues; files left open on desks, files left in communal meeting rooms, faxes being sent to the wrong numbers, staff taking files home and working on trains where documents can be seen by other passengers to name but a few. As the Law Society warns “make no mistake: these are data breaches, just as incidents caused by cyber-attacks are, and under the GDPR you’d be just as liable.”
Some of the top players in the legal market have already been proactive when it comes to dealing with this. Clifford Chance, Allen & Overy and Linklaters have already taken the plunge and achieved ISO 27001 certification. But it’s not just for the big boys. ISO 27001 is a perfect fit for firms of all sizes.
So what have they and the Law Society seen in ISO 27001 that has prompted this decision? Well, many of controls within ISO 27001 are great best practice for complying with GDPR including disposal of media, physical transfer of media, security of equipment and assets off-premises and clear desk/screen policy.
But there are other benefits to having ISO 27001.
BENEFITS TO YOU
BENFITS TO YOUR CLIENTS
BENEFITS TO YOUR STAFF
At ISO Quality Services Limited, we have already been taking enquiries from law firms keen to steal a march on both GDPR and their competitors. Interestingly, many are looking at not just ISO 27001 but ISO 9001 Quality Management System to boost their position in the market. One of the many questions we get asked is how difficult and time consuming is the process? We can reassure firms that we make the process to certification to both standards simple and straightforward. Further, we aim to get you certified within 6-8 weeks leaving you free to get on with your job of serving your clients.
If you would like to find our more by having a free no obligation conversation about what is involved in achieving either ISO 27001, ISO 9001 or both then please call our office on 01905 670303 or e-mail firstname.lastname@example.org
Thursday 12th October 2017
9.30am – 4.30pm
The European Union General Data Protection Regulations (or the EU GDPR) will replace the current UK Data Protection Act. It will impact upon all organisations, regardless of size and sector and will determine how we manage data both online and offline. The current Data Protection legislation was launched in 1998 and the world has clearly progressed since then with new technologies (tablets, cloud storage), new ways of working (on / offsite) and a greater dependency on 3rd party providers for goods and services.
UK businesses will need to be compliant when the new legislation becomes law on 25th May 2018. This interactive workshop will use business scenarios to introduce the new legislation and will provide an overview of the steps that businesses will need to take to become complaint.
By the end of this workshop you will be able to:
Find out more information about the course and book your place here.
If you haven’t joined already – what are you waiting for?
ISO news, training updates and offers, meet the ISO QSL team and connect with other like-minded individuals.
Visit our LinkedIn Page: ISO QSL LinkedIn Company page
Visit our Twitter Page: @ISOQSL
Take your pick of a £50 donation to Midlands Air Ambulance, a case of wine or a £50 Marks & Spencer’s Voucher!
(To qualify for this you must refer a successful lead.)
To offer your referrals please contact – email@example.com or 01905 670303.
ISO Quality Services Ltd are proud to specialise in the implementation and certification of the Internationally recognised ISO and BS EN Management Standards.
Alternatively, you can request a quote by filling out our enquiry form and a member of our team will be in touch shortly.