7 Sep, 2017
Welcome to the September 2017 edition of the ISO Quality Services Ltd Newsletter. This month’s edition is focused on Information Security and GDPR!
On 25th May 2018, the EU General Data Protection Regulation (GDPR) will come into force. But what is this and what should you do to ensure you’re compliant?
GDPR is the new framework for data protection laws, taking the place of the Data Protection Act. It is stated on the EU GDPR website that it is designed to “harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.”
One of the biggest changes with the introduction of GDPR is the increased territorial scope. This means that GDPR will apply to all companies processing the data of subjects residing in the EU, regardless of where the company itself is located.
Penalties have also been revised, with companies who are in breach of GDPR at risk of being fined up to 4% of their annual global turnover (or €20 million – whichever is greater). This is the maximum fine for serious infringements, such as not having sufficient consent for data or violating the core of Privacy by Design concepts. It’s a tiered approach for fines, and it’s important to keep in mind that the penalties apply to both controllers and processors.
The conditions for consent have also been built upon, with companies now no longer able to use long illegible terms and conditions, as the request needs to be given in an easily accessible form. The purpose for the data processing also needs to be attached to that form. Consent needs to be clear and use plain language, with it being distinguishable from other matters. It must also be as straightforward to withdraw this consent as it is to give it.
Breach Notifications will now become mandatory under GDPR where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. Once you are aware of the breach, you have 72 hours to notify the regulator. Data processors will be required to notify their customers and controllers after becoming aware of the breach.
Data subjects will have the right under GDPR to obtain confirmation of what personal data concerning them is being processed, where and for what purpose. The data also needs to be provided in an electronic format free of charge.
The right to erasure (the “right to be forgotten”) allows the data subject to get the data controller to erase their personal data, cease further distribution of their data and potentially have third parties stop processing that data. This can be invoked where the data is no longer relevant for the original purposes or where consent has been withdrawn.
Data Portability is a new introduction under GDPR. It is the right of the data subject to receive the personal data concerning them that they have previously provided, and to transfer that data to another controller.
Privacy by design has existed as a concept for years, but only now becomes a legal requirement under GDPR. It is the requirement for data protection to be built into the design of systems, rather than being bolted on afterwards.
Under GDPR you will be required to appoint a Data Protection Officer if you are a public authority, if you carry out larger scale systematic monitoring of individuals or if you carry out large scale processing of special categories of data.
The Data Protection Officer will be required to:
Decision makers and key people in the organisation need to be aware that the law is changing to GDPR, and they need to understand what impact this will have.
An audit will need to be conducted on all information that you are holding in the company, including personal data, where it came from and who it is shared with.
Carry out a review of your privacy notices and governance, identify gaps and plan how to prepare for the changes required by implementing GDPR.
Make sure procedures cover all individuals’ rights, including deleting personal data, providing data electronically and in a commonly used format.
Update procedures and have a plan for handling requests within the new time-frame and provide any additional information.
Understand the different data processing types the organisation performs and identify the legal basis for carrying it out and document it appropriately.
The way the organisation seeks, obtains and determines consent needs to be reviewed and changes made if necessary.
Systems should be designed and developed that can be used to verify ages, and can seek parental/guardian consent for a data processing activity.
Procedures need to be in place to detect and investigate a personal data breach and to report it to both the customer and the regulator.
Privacy Impact Assessments/Control Frameworks need to be developed with guidance from the regulator. Processes also need to be developed and have governance for their use.
Data Protection Officers should be appointed to take responsibility for data protection compliance. The organisation will need to decide where this role fits best.
If the organisation works internationally, it needs to decide which data protection authority is most appropriate, giving consideration to where its processors and controllers are located.
Interested in developing your knowledge of GDPR so that you’re ready for 25th May 2018? ISO Quality Services are running a GDPR Training course on 12th October 2017 in partnership with Risk Evolves. You can find out more about the course here.
ISO Quality Services Limited (‘ISO’) and the National Cyber Skills Centre (‘NCSC’) are delighted to be joining forces over the next few months to demystify cyber security options for businesses.
In a series of articles to be published over 4 weeks from September, ISO and NCSC will be clarifying how Cyber Essentials, Cyber Essentials Plus, IASME and ISO 27001 can help businesses tackle cyber security issues. Crucially we will be highlighting the similarities and differences between the various standards and helping businesses establish the appropriate standard for them to implement. The hot topic of GDPR will also be covered looking at how the various standards support the regulatory needs of the GDPR framework.
Following the series of articles, a questionnaire will be circulated to West Midlands based businesses to find out more about businesses’ knowledge of the standards. The results will be used to formulate one of the biggest white papers on cyber security knowledge in the West Midlands. These results will then be delivered at an informative breakfast/networking event in November. Businesses will be able to sign up to one to ones with experts in the various standards to find out which one they should work towards.
Dr Stephen Wright of the National Cyber Skills Centre comments, “We have noticed for a while that whilst cyber security is a hot topic in the news, businesses are often confused about how to protect themselves. There are various standards out there but we don’t think anyone has ever clarified what they all do and how they fit together. We are aiming to resolve that and make it easier for businesses to understand.”
Jennifer Appleton, Operations Director at ISO QSL added “Whilst we specialise in offering ISO 27001 for businesses, we appreciate that it’s not necessarily appropriate for all businesses. By teaming up with the National Cyber Skills Centre we can help businesses make the right choices for them, whether that is by implementing 27001 or not.”
ISO Quality Services Limited is an independent organisation that specialises in the implementation, certification and continued auditing of ISO and BS EN Management standards including ISO 27001 and ISO 9001 https://www.isoqsltd.com/
The National Cyber Skills Centre is trusted by hundreds of businesses nationwide in providing cutting edge, accredited courses focused on cyber security including Cyber Essentials and Cyber Essentials Plus. http://www.cyberskillscentre.com/
Tuesday 12th September 2017
11:00am – 12:00pm
Take away practical tips to aid implementation or assist with management of your current standard.
We will be presenting an informative webinar on:
As a result of attending this webinar you will learn how Fusion Lifecycle can provide a real-time view of your quality data and critical processes, helping you prevent and respond rapidly to issues.
This session features Autodesk’s Fusion Lifecycle (formerly PLM 360) solution.
To register your place click here or visit https://register.gotowebinar.com/register/3145575607973463809
Thursday 12th October 2017
9.30am – 4.30pm
The European Union General Data Protection Regulations (or the EU GDPR) will replace the current UK Data Protection Act. It will impact upon all organisations, regardless of size and sector and will determine how we manage data both online and offline. The current Data Protection legislation was launched in 1998 and the world has clearly progressed since then with new technologies (tablets, cloud storage), new ways of working (on / offsite) and a greater dependency on 3rd party providers for goods and services.
UK businesses will need to be compliant when the new legislation becomes law on 25th May 2018. This interactive workshop will use business scenarios to introduce the new legislation and will provide an overview of the steps that businesses will need to take to become compliant.
By the end of this workshop you will be able to:
Find out more information about the course and book your place here.
If you haven’t joined already – what are you waiting for?
ISO news, training updates and offers, meet the ISO QSL team and connect with other like-minded individuals.
Visit our LinkedIn Page: ISO QSL LinkedIn Company page
Visit our Twitter Page: @ISOQSL
Take your pick of a £50 donation to Midlands Air Ambulance, a case of wine or a £50 Marks & Spencer’s Voucher!
(To qualify for this you must refer a successful lead.)
To offer your referrals please contact – email@example.com or 01905 670303.
ISO Quality Services Ltd are proud to specialise in the implementation and certification of the Internationally recognised ISO and BS EN Management Standards.
Alternatively, you can request a quote by filling out our enquiry form and a member of our team will be in touch shortly.