ISO Quality Services Ltd – October 2017 Newsletter

5 Oct, 2017

What’s in this issue?

Understanding the basics of GDPR

What are your new rights as an individual under GDPR?

QHow can ISO 27001 help law firms comply with the new GDPR legislation?

NEW COURSE – GDPR Training

Offsite Servers Video Case Study

Be a part of our online community

Refer a friend

Understanding the basics of GDPR

We recently attended a presentation on GDPR given by speakers who had presented nationwide to representatives ranging from large premiership football clubs to local SMEs.  What was clear from them was that many businesses are still largely in the dark about GDPR and the impact it could have on their business.

We all need to be aware that compliance with GDPR is not optional.  Whilst it is more relevant to some businesses than others (marketing, PR, HR and recruitment to name a few), all businesses need to take on board what GDPR is and what they need to do to comply.  In this article we have tried to condense a meaty topic down in to the basics

• Who does it apply to?

GDPR applies to both “controllers” and “processors” of data.  The definitions for these are broadly the same as the Data Protection Act (‘DPA’).  A controller says how and why personal data is processed and a processor acts on the controllers behalf (think of a business and its outsourced IT – the business is the controller but the IT company processes the data by holding it on their servers).

GDPR places specific legal obligations on processors including more legal liability if you are responsible for a breach.  Controllers will need to ensure they contract with processors that are compliant with GDPR.

• What information does GDPR apply to?

Personal data

GDPR applies to personal data. Be careful not to be too narrow with your definition of personal data. This is much more detailed and wider than DPA to reflect technological changes and the way that organisations collect data, for example a work e-mail address can now be construed as personal data.   Anything that previously fell under DPA will fall under GDPR including HR records, consumer lists and contact details.  It applies to:

• Automated personal data
• Manual filing systems where data is accessible according to specific criteria

This is wider than under DPA.

Coded personal data could be caught by GDPR if it can be attributed to a particular individual.

Sensitive data

This is “special categories” of personal data and whilst similar to DPA now includes genetic data and biometric data where it is processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included within this category but safeguards do apply to its processing.

You can read our full article by clicking here.

What are your new rights as an individual under GDPR?

GDPR is going to be introducing some new rights for individuals when it comes into force in May 2018, as well as strengthen some existing rights that are under the Data Protection Act.

Would you like more information on your individual rights with GDPR? You can view our whitepaper by clicking here.

How can ISO 27001 help law firms comply with the new GDPR legislation?

The Law Society has release unprecedented guidance to law firms to consider adopting ISO 27100 Information Security.  Here we explore why.

In the countdown to the EU’s General Data Protection Regulation (GDPR), the Law Society has released unprecedented guidance to law firms to consider adopting ISO 27001 Information Security to assist them with compliance. Usually a ‘closed-shop’ when it comes to recommending certifications, the Law Society must feel there is good reason to recommend ISO 27001.

In their article, the Law Society quotes statistics from the Information Commissioner’s Office (ICO) stating that there was a 173% increase in data security incidents in the legal sector in Q4 2017 compared with the previous quarter.  Given that processing highly confidential personal data is a core part of legal work, it’s easy to see how law firms could be in danger of falling foul of the new legislation.  Add to that the new fines for breaches under GDPR which can be between 2-4% of global annual turnover or €20 million (whichever the greater) and it’s a grim outlook.

Whilst it’s fair to say that the majority of law firms are tech savvy nowadays, embracing new technologies and backup systems, the majority of law firms still operate a largely paper based office.   This brings with it any number of potential issues; files left open on desks, files left in communal meeting rooms, faxes being sent to the wrong numbers, staff taking files home and working on trains where documents can be seen by other passengers to name but a few.  As the Law Society warns “make no mistake: these are data breaches, just as incidents caused by cyber-attacks are, and under the GDPR you’d be just as liable.”

Some of the top players in the legal market have already been proactive when it comes to dealing with this.  Clifford Chance, Allen & Overy and Linklaters have already taken the plunge and achieved ISO 27001 certification.  But it’s not just for the big boys.  ISO 27001 is a perfect fit for firms of all sizes.

So what have they and the Law Society seen in ISO 27001 that has prompted this decision?   Well, many of controls within ISO 27001 are great best practice for complying with GDPR including disposal of media, physical transfer of media, security of equipment and assets off-premises and clear desk/screen policy.

But there are other benefits to having ISO 27001.

BENEFITS TO YOU

• Cost reductions due to avoiding incidents
• Smoother running of operations as responsibilities and processes are clearly defined
• Improved business image in the marketplace – clients have peace of mind that the company is trustworthy

BENFITS TO YOUR CLIENTS

• Working with a trustworthy provider maintains the their own integrity to the safeguarding of its data
• It instils confidence further down the supply chain resulting in stronger client/supplier relationships
• Having appropriate access controls in place lowers the risk of accidental exposure to employees of confidential/sensitive information

BENEFITS TO YOUR STAFF

• Reassurance that their employer is meeting data handling security guidelines
• Defines clearly and precisely roles and responsibilities therefore job satisfaction and productivity is increased.

At ISO Quality Services Limited, we have already been taking enquiries from law firms keen to steal a march on both GDPR and their competitors.   Interestingly, many are looking at not just ISO 27001 but ISO 9001 Quality Management System to boost their position in the market.   One of the many questions we get asked is how difficult and time consuming is the process?  We can reassure firms that we make the process to certification to both standards simple and straightforward.  Further, we aim to get you certified within 6-8 weeks leaving you free to get on with your job of serving your clients.

If you would like to find our more by having a free no obligation conversation about what is involved in achieving either ISO 27001, ISO 9001 or both then please call our office on 01905 670303 or e-mail clientservices@isoqsltd.com

GDPR Training

2 SPACES REMAINING!

In Partnership with Risk Evolves

Thursday 12th October 2017

9.30am – 4.30pm

Worcester

The European Union General Data Protection Regulations (or the EU GDPR) will replace the current UK Data Protection Act. It will impact upon all organisations, regardless of size and sector and will determine how we manage data both online and offline. The current Data Protection legislation was launched in 1998 and the world has clearly progressed since then with new technologies (tablets, cloud storage), new ways of working (on / offsite) and a greater dependency on 3^rd party providers for goods and services.

UK businesses will need to be compliant when the new legislation becomes law on 25^th May 2018. This interactive workshop will use business scenarios to introduce the new legislation and will provide an overview of the steps that businesses will need to take to become complaint.

By the end of this workshop you will be able to:

• Understand what the EU GDPR is and why the law is changing
• Explain what has changed from the Data Protection Act 1998 and what is expected going forward
• Understand what the impact of the EU GDPR means for your business
• Understand what you need to do to become compliant

Find out more information about the course and book your place here.

Offsite Servers – ISO 9001 & ISO 27001

Video Case Study

Hear from our client, Offsite Servers, about their experience obtaining the ISO 9001 Quality Management and ISO 27001 Information Security Management Standards.

Be a part of our Online Community

If you haven’t joined already – what are you waiting for?

ISO news, training updates and offers, meet the ISO QSL team and connect with other like-minded individuals.

Visit our LinkedIn Page: ISO QSL LinkedIn Company page

Visit our Twitter Page: @ISOQSL

Are you a client of ours? Would you recommend our services to your clients/suppliers… why not refer a friend?

Take your pick of a £50 donation to Midlands Air Ambulance, a case of wine or a £50 Marks & Spencer’s Voucher!

(To qualify for this you must refer a successful lead.)

To offer your referrals please contact – info@isoqsltd.com or 01905 670303.