General Data Protection Regulation (GDPR):
What the new law means for you and your organisation
Building a culture of privacy in your organisation
The General Data Protection Regulation (GDPR) is the biggest development
in data protection law this century – increasing safeguards for individuals
and making organisations more accountable for how they use our personal
data. The GDPR brings data protection to the forefront of your organisation’s
processes; whether you handle personal information relating to your
customers or employees, GDPR will have an impact on the way you work.
The official text of the GDPR doesn’t tell us exactly what we’ll need to do to be compliant by May 2018, and the national and regional lead supervisory authorities, who will be the regulators for the GDPR, are providing interpretation and advice as that date approaches. In this guide, we outline the main aspects of the GDPR and the areas to consider in your preparations.

Much has been written about the high fines for failing to comply with the new law and, although there are questions about how the law will be enforced, that is no excuse for inaction. So with less than a year until the GDPR comes into force, now is the time to prepare.
Key concepts
The lead supervisory authority is the main data protection regulator that a controller would refer to for compliance, to register a data protection officer, or to report a breach (see the list of Lead Supervisory Authorities at the end of this guide). A controller can determine its lead supervisory authority according to where its ‘main establishment’ or base is within the EU.
The six principles of the GDPR
The main responsibilities for organisations are set out in the GDPR’s six principles.
As individuals, we expect our data to be treated securely and with respect. In an
organisational setting, it’s important to remember that the personal data that we deal
with relates to an actual person and how we process it could have an impact on them.
http://www.itproportal.com/2016/07/10/eu-gdpr-an-action-guide-for-it/
The legal grounds for processing data
Article 6 of the GDPR sets out six legal grounds for processing personal data. Extra legal grounds are set out for specific categories of sensitive personal data. You will need to determine the basis for processing personal data and document it to fulfil the principle of lawful processing.

The six bases are:
1. The data subject has given consent.
2. Data processing is necessary for the performance of a contract.
3. Data processing is necessary to comply with a statutory legal obligation.
4. Data processing is necessary to protect the vital interests of a data subject or another person.
5. Data processing is necessary to perform a task in the public interest.
6. Data processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Consent
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
– Recital 32
Individuals’ rights

1. The right to be informed
This means being transparent about how you use personal data and in many cases this information can be shared through your organisation’s privacy notice.

2. The right of access
Individuals have the right to request confirmation that their data is being processed and they are entitled to obtain access to their personal data and, if requested, organisations must provide a copy of the information free of charge. However, article 12 (5) states that where the controller can demonstrate that requests from a data subject are manifestly unfounded, excessive or repetitive, they can charge a reasonable administrative fee or refuse to act on the request. You must respond to requests for access within one month, which can be extended to two months if the request is complex.
Organisations must take reasonable steps to verify the identity of the person making the request.
Recital 63 of the GDPR recommends that, where possible, organisations should provide remote access to a secure self-service system that would provide an individual with direct access to their personal data.

3. The right to rectification
Data should be rectified if it is inaccurate or incomplete. If the data has been shared with third parties, you are responsible for informing them of the rectification and you need to inform the individual about the third parties where appropriate.
You must respond to requests for rectification without undue delay.

4. The right to erasure
Also known as the ‘right to be forgotten’, it means that an individual can request that their personal data be removed where one of the qualifying conditions set out in article 17 applies.
Article 17 (3) sets out a number of circumstances where you can refuse to comply with a request for erasure. They are:
• To exercise the right of freedom of expression and information.
• To comply with a statutory legal obligation or for the performance of a public interest task or exercise of official authority.
• For public health purposes in the public interest in accordance with national legislation.
• For archiving purposes in the public interest, scientific research, historical research or statistical purposes in accordance with article 89 (1).
• The exercise or defence of legal claims.

5. The right to restrict processing
Individuals can block the processing of their personal data where one of the conditions in Article 18 is met.
The controller is responsible for communicating any rectification, erasure, or restriction to each recipient of the personal data, unless this involves disproportionate effort. They should also inform the data subject about those recipients if requested.

6. The right to data portability
Article 20 applies to automated data processing based on consent or a contractual obligation. It means that the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller.

7. The right to object
Objections can relate to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); processing for purposes of scientific/historical research and statistics; and direct marketing.
You must inform data subjects clearly of their right to object at the ‘point of first communication’ and in your privacy notice.

8. Rights in relation to automated decision making and profiling
This is a safeguard against the risk that a potentially damaging decision is taken based on a system of automatic processing or profiling.

9. The right to withdraw consent
Under article 7 (3) the data subject can withdraw consent at any time and this should be as easy as the process to give consent. This does not affect the lawfulness of any processing conducted before the withdrawal.

10. Rights in relation to lodging a complaint with a supervisory authority, judicial remedy and compensation
Article 77 explains that a data subject has the right to complain to a supervisory authority if he or she considers that the processing of his or her personal data breaks the law. Articles 78 and 79 set out when a data subject can take a supervisory authority, controller or processor to court for failing to fulfil their obligations under the GDPR. Article 82 (1) covers the right to receive compensation for material or non-material damage as a result of an infringement of the GDPR.
How can you demonstrate that you comply with the GDPR?
Organisations need to be able to show that they comply with the principles of the GDPR to meet the accountability requirements.

The measures that you take should be comprehensive yet proportionate to the complexity and types of personal data you deal with. Data protection policies, staff training, internal audits of processing and HR policies can be used to demonstrate compliance. Implementing data protection by design and by default in your processes will help to demonstrate the measures being taken.

Records of processing activities need to be kept for all organisations with more than 250 employees. Organisations with fewer than 250 employees also need to keep records of their processing activities in higher risk situations, such as processing that could risk the rights and freedoms of individuals or if the processing relates to special categories of data or criminal convictions. If you are investigated you may need to make these records available to the relevant supervisory authority.

The GDPR supports the use of approved codes of conduct and certification to demonstrate compliance, although this isn’t currently mandated. At the time of writing, the Article 29 Working Party was developing guidelines on certification, which should clarify what standards and schemes will be applicable, or if new ones will be developed. Achieving certification or following a code of conduct demonstrates compliance, encourages best practice and builds trust with your customers and partners. Preferred standards and schemes may become a licence to trade in certain industries.
Who is responsible for data protection within the organisation?

Do you need to appoint a DPO?
• Are you a public authority?
  – Yes: Are you a court judge acting in a judicial capacity? If yes, you do not need to appoint a DPO. If no, you MUST appoint a DPO.
  – No: Do your core commercial activities carry out large scale systematic monitoring of individuals? If yes, you MUST appoint a DPO. If no, consider the next question: do you carry out large scale processing of special categories of data or data relating to criminal offences?

There is no clear definition for how many data subjects would constitute ‘large scale processing’. Recital 91 states that: “The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.”

From this, one could assume that if you have special categories of data for more than a couple of thousand data subjects, then a DPO is required, but until the case law develops, we may not have a definitive answer to this.

The DPO can be an employee, as long as there isn’t a conflict of interest with their existing role, or the role can be outsourced. One DPO can act for a group of companies or a group of public authorities, but depending on the size and complexity of the group, more may be needed. There are no specific qualifications or credentials to be a DPO, but they do need professional experience and knowledge of data protection law. The DPO’s contact details should be published and communicated to the relevant supervisory authority.

The DPO must report to the highest level of management, must be provided with adequate resources to meet the GDPR requirements, and cannot be dismissed or penalised for performing their role.

The DPO’s minimum tasks are defined within article 39 of the GDPR:
• To inform and advise the organisation and its employees about their data protection obligations.
• To monitor compliance with the GDPR and other data protection laws, including raising awareness and training employees, advising on data protection impact assessments and conducting internal audits.
• To be the main point of contact for the supervisory authorities and data subjects on questions of data protection and compliance.
• To assess the risks associated with the data processing operations.

How can LRQA help?
If you are taking on the role of a DPO, LRQA’s two-day workshop will give you a detailed understanding of your role and responsibilities under the GDPR. Filled with practical advice, this workshop will help you to establish effective systems and engage your organisation to meet the legal requirements of the new regulation.

On the course, you will learn:
• About the role of the DPO and how to establish and manage compliance as a DPO, consistent with the GDPR requirements.
• How to set up a risk-based, sustainable and effective data protection compliance programme.
• How to draft policies, procedures, and guidance materials.
• How to develop engagement across your organisation and how to communicate with various stakeholders.
• The role of the DPO in crisis situations.
When do you need to complete a data protection impact assessment?
Data protection impact assessments (DPIA) can be used to identify and fix potential issues at an early stage and are an effective way to take a ‘data protection by design’ approach.
DPIAs are already seen as good practice and the GDPR takes them a step further by making them mandatory in the following circumstances:
What do we need to do if there’s a personal data breach?

Under the GDPR, organisations will be duty bound to report certain types of personal data breach to the relevant supervisory authority when the breach is likely to lead to a risk to the rights and freedoms of individuals, such as discrimination, loss of confidentiality or financial loss. The breach has to be assessed on a case by case basis.

Organisations also need to let the individuals affected know where the breach is likely to result in a high risk to their rights and freedoms.

The Article 29 Working Party will issue guidelines on the notification of personal data breaches during 2017.

What we know so far is that:
• Breaches must be reported within 72 hours of becoming aware of the incident. Information can be provided in phases as the investigation unfolds.
• Failing to notify a breach within the timescale can result in a fine of up to 10 million EUR or 2% of global turnover.
• If more than one article is breached, it will be the one with the highest penalty that will be imposed.
• The breach notification should include:
  – The nature of the personal data breach, including the category and number of records and individuals affected.
  – The contact details of the data protection officer or other point of contact, if there isn’t a DPO.
  – The likely consequences of the data breach and the measures taken or proposed to deal with the breach to mitigate its impact.

The controller needs to keep records of their investigation into the breach to demonstrate compliance to the supervisory authority in accordance with article 33.

The most common cause of information security breaches is human error, so it’s important that everyone within your organisation who deals with personal data understands what a data breach is, and what the reporting procedure is.

With only 72 hours to report a breach, robust detection, investigation and reporting procedures will be vital.
Failure to comply with the law
The supervisory authority can impose warnings, reprimands and temporary suspensions of data processing as well as fines. National laws may also have other sanctions, such as custodial sentences.

The level of the penalty will depend on:
– the nature, duration and gravity of the infringement,
– the type and volume of data involved,
– whether it was intentional or negligent,
– the steps taken by the organisation to mitigate potential damage,
– how the regulator found out about the breach,
– adherence to a code of conduct, and
– if it’s a repeat offence.

If all else fails...
Regulators are not likely to look favourably on organisations that have made no effort to prepare for the GDPR. The maximum fine for failing to comply – for example using personal data without consent or failing to protect personal data – is up to 20 million EUR or 4% of global turnover for the previous year – whichever is greater. Data subjects will also be able to claim compensation from the controllers or processors who break the law for the damage they have suffered.

Regulatory fines could be just the tip of the iceberg. Even if an organisation were able to weather the financial penalties, the consequences represent a significant business risk, including:
– reputational and brand damage,
– consumer mistrust and loss of market share,
– increased scrutiny from shareholders and investors, and
– cost of forensic investigation and remedial actions.

How can LRQA help?
ISO 22301:2012 is the international standard for Business Continuity. It identifies best practice in establishing a management system that minimises the risks of impact from disrupted service provision. Like most international management system standards, it is based on the Plan, Do, Check, Act cycle.

A business continuity management (BCM) system will help organisations put structures in place to identify the potential threats that may exist, the impact of incidents and how to guard against them. It gives a framework for managing the organisation through the process of preparing strategies and methods to reduce the impact of any incident and building the capability to respond effectively should one occur. In this context it provides the perfect mechanism for managing data breaches. LRQA provides training, gap analysis and accredited certification to this standard.
What does it mean for your organisation?
While the eye-watering fines have grabbed headlines in the business press, the GDPR offers organisations opportunities to streamline processes, develop their employees and build trust with consumers.

As one email marketing agency put it, GDPR is less about Gloom, Doom, Panic and Retribution and more about the opportunity for Great Data and a more Personal Relationship.

Leaders
The focus on accountability and governance means greater engagement from leaders to ensure that the organisation has the resources and skills to fulfil the requirements of GDPR. If your organisation has a data protection officer, they should report to the highest level of management.

The GDPR provides an opportunity to transform your organisation’s culture and processes to be more customer-centric and streamlined. Culture change needs to be led from the top to role model the new practices and behaviours that will create a ‘culture of privacy’. All organisations are in the same boat, so if you take a proactive approach, you can create an early mover advantage and promote your approach as a clear signal that you respect your customers’ individual rights.

IT
While the responsibility for data protection is spread across many departments, IT has a major role to play to ensure compliance with the GDPR.

Here are a few things to consider:
• Where is personal data stored?
• Does any of the data come into the sensitive personal data category?
• What are your procedures for data transfer?
• Do you outsource any data processing? Do you use any cloud based services?
• How do you demonstrate that the personal data in your systems is secure? Can you track its movement?
• How will you manage the requirements to delete data when it is no longer needed? And how will you ensure data is completely removed from your systems if a data subject invokes their right to be erased?
• Do the security settings on your database ensure that data is only shared with individuals or organisations that have permission to use that data?
• Do your systems contain duplicate data? Can you consolidate the data? How will you manage that and ensure that any personal data caught in a silo is processed in accordance with the regulations? For example, if a data subject withdraws consent, how will you ensure that request is respected across all systems?
• Are you confident that your systems would identify a data breach in any form it may take?
• Encryption can be used to reduce the risk of data loss. To what extent is data encryption part of your processes?
• Have you reviewed and updated your privacy policies to ensure they are compliant?

HR
National law or collective agreements may provide more specific rules relating to the processing of employees’ personal data in a work context, but these laws must include appropriate safeguards to protect employees’ rights and freedoms, right from the recruitment stage.

The record keeping and security requirements equally apply, so HR professionals will need a clear grip of all the places personal data is saved, and processes may need to be reviewed to ensure compliance. For multinational employers, data flows and the transfer of data through the company will need to be reviewed.

There may also be training requirements to ensure that your employees comply with the regulations, regardless of whether the personal data they handle relates to customers, service users, or employees.

Finance
Finance teams will need to have a clear understanding of the data that they hold, what would be classed as sensitive personal data, why they need that data and who has access to it. What are the risks related to the personal data that you hold? How will you manage requests for access, rectification, or erasure? How will you manage any third parties who process the personal data you hold?

Sales and Marketing
Early adoption of the GDPR has the potential to inspire greater confidence in your brand, boosting your reputation as a trusted organisation.

Consent is the big issue for sales and marketing teams, as prospects and customers will need to confirm that they’ve agreed to receive marketing communications, and via which channels, before you can contact them. While this means that subscribed lists may shrink, the quality of the data will be higher, enabling better segmentation to create relevant, personalised content.

The result? Data analytics that can deliver more accurate customer insight, better engagement and ultimately conversion.
Here are a few other areas to consider:
• Double opt-in will become the norm.
• Think about how you can better use your email preference centre (EPC) to help segment your customer data.
• What processes do you have to ensure that you do not contact your unconfirmed or unsubscribed contacts by mistake?
• At events, you will need to make consent very clear if you plan to send follow-up communications to visitors.
• From a PR perspective, you need permission from journalists to contact them too. If you use a news distribution service, you will need to check that they have the appropriate consent in place.

Customer Services
Although it might be painful to get there, a clean database will make it easier to deliver a great customer experience. The principles of limiting the data to what’s necessary and ensuring it is accurate and up-to-date may lead to new processes for customer services teams. It will be important to think about who within the organisation has access to personal data and about any data flows within the organisation that involve a third party processor or transfer outside of the EU.

Remote working
For your employees out in the field, data security will be an important issue to consider. How are physical records managed? What are the data protection risks from their day-to-day activities? What would be the risk if a laptop or other device was lost or stolen? Understanding where data is stored and who has access will be vital to mitigate the risks.

SMEs
The scale and scope of the GDPR can seem quite daunting to organisations of any size, let alone a small business. However, as a small business, you may still be processing a large amount of personal data and will need to comply with the law in the same way a larger organisation would. SMEs are often more agile than large organisations, so you may find that it’s easier to implement the changes needed and gain an early mover advantage over larger rivals – showing your customers and employees that you are a brand to trust.

Organisations with fewer than 250 employees need to keep records of their processing activities in higher risk situations, such as processing that could risk the rights and freedoms of individuals or if the processing relates to special categories of data or criminal convictions.

How can LRQA help?
Our range of GDPR training services has been developed to address a wide range of stakeholders within your organisation.
• The GDPR Briefing gives an introduction to the principles and concepts found in the GDPR.
• The GDPR Foundation course explains the implications for your organisation and the steps to take to become compliant.
• Data Protection Officer (DPO) training helps DPOs prepare for the requirements and responsibilities of their new role.
• Data protection and information security onboarding via eLearning.

You can find the full text of the GDPR here
5 step GDPR Implementation Plan
[Diagram – How LRQA can help. Steps shown: Training, Business Assessment, Assessment, Improvement]
Our GDPR services in summary
In the information security and data protection arena our services cover both training and assessment including:
• The GDPR Briefing gives an introduction to the principles and concepts found in the GDPR.
• The GDPR Foundation course explains the implications for your organisation and the steps to take to become compliant.
• Data Protection Officer (DPO) training helps DPOs prepare for the requirements and responsibilities of their new role.
• GDPR readiness assessment and gap analysis.
• Data mapping and classification.
• We can carry out Data Protection Impact Assessment (DPIA) on your behalf and we can provide DPIA training that gives practical guidance on how to conduct DPIA within your organisation.
• GDPR controls assessment and attestation.
• Data protection and information security onboarding via eLearning.
• Training, Gap Analysis and Certification for ISO 27001 (information security management), ISO 22301 (societal security – business continuity management systems) and BS 10012 (personal information management system).

Demonstrating compliance through Management Systems
We deliver a range of training and certification services for ISO 27001 – the international standard that sets out the requirements for establishing, implementing and improving an information security management system (ISMS) within the context of the organisation. It provides a best practice framework to identify, analyse and implement controls to manage information security risks and safeguard the integrity of business-critical data.

How will ISO 27001:2013 certification benefit my organisation?
• Minimises risk – ensures controls are in place to reduce the risk of security threats and to avoid any system weaknesses being exploited. Your ISMS is part of a business continuity plan which means you’re in a good position to recover quickly should the worst happen.
• Best practice – widely recognised as providing best practice guidance in information security management.
• Stay within the law – compliance requires you to identify applicable legislation, which has a positive impact on risk management and corporate governance.
• Competitive edge – certification by LRQA gives your customers, trading partners and other key stakeholders confidence that you have addressed all security risks including IT, people, physical and business continuity. It is a public and independent statement of your capability, which may help when responding to tenders.
• Management system integration – the basis of the standard is the Plan Do Check Act cycle in common with other management system standards, making it simpler for you to develop a single management system that meets the requirements of other standards.
• Reduced costs – following a methodical risk assessment approach ensures that resources are applied to reduce overall risk, rather than just focusing on one aspect which can leave other areas exposed.

At present, the GDPR does not mandate third-party certification. However, there is alignment between the requirements of ISO 27001 and the GDPR in terms of how organisations should manage their information security policies, controls and processes.

Achieving certification to ISO/IEC 27001:2013 demonstrates a commitment to meeting the requirements of the GDPR – demonstrating both compliance and accountability.
Better safe than sorry
Information is one of the most valuable and business-critical assets for any organisation. In today’s hyper-connected world, organisations are exposed to large scale information security threats and destructive cyber-attacks, regardless of size, industry, or geographical location.

When information security systems are not properly managed and maintained, organisations run the risk of sustaining serious financial and reputational losses. Ensuring your organisation has the right controls in place to reduce the risk of serious data security threats and avoid any system weaknesses from being exploited is essential.

Our expertise
LRQA has been at the forefront of standards development and involved in information security management system (ISMS) assessment and certification for many years.

Our roster of high-profile clients in the finance, telecommunications, software, internet, consultancy, justice and government sectors trust LRQA to deliver high quality, consistent and impartial assessments with the full back-up of a highly dedicated support package.

Our assessors are management systems experts qualified in information security and other aspects of IT, whose objective view will give you confidence in your own security measures as judged against best industry practice.

About us
LRQA is a recognised, world leading professional assurance services organisation. We specialise in management systems compliance and expert advice across a broad spectrum of standards, schemes and business improvement services including customised training and assurance programs. We are recognised by almost 50 accreditation bodies and deliver our services to clients in more than 120 countries.

Our unique assessment methodology takes your management systems from compliance to performance, in order to reduce business risk, and enhance the effectiveness, efficiency, and continuous improvement of your management systems.
Lead Supervisory Authorities
EEA – National Data Protection Authority (local name) – Website

Bulgaria – Bulgarian Data Protection Authority (комисия за защита на личните данни) – www.cpdp.bg
Croatia – Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka) – www.azop.hr
Czech Republic – The Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ) – www.uoou.cz
Germany – Federal Commissioner for Data Protection and Freedom of Information (Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI) – www.bfdi.bund.de
  • Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) – www.datenschutz-berlin.de
  • The Thuringian State Commissioner for Data Protection and Freedom of Information (Der Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit) – www.tlfdi.de
Greece – Hellenic Data Protection Authority (Αρχή Προστασίας Προσωπικών Δεδομένων) – www.dpa.gr
Italy – Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) – www.garanteprivacy.it
Luxembourg – National Commission for Data Protection (Commission nationale pour la protection des données) – https://cnpd.public.lu/en/
Poland – Inspector General for the Protection of Personal Data (Generalny Inspektor Ochrony Danych Osobowych) – www.giodo.gov.pl/
Slovakia – Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov Slovenskej republiky) – www.dataprotection.gov.sk
Lloyd’s Register Quality Assurance Ltd
1 Trinity Park
Bickenhill Lane
Birmingham
B37 7ES
United Kingdom
E enquiries@lrqa.com
www.lrqa.com
Lloyd’s Register and LRQA are trading names of the Lloyd’s Register group of entities.
Services are provided by members of the Lloyd’s Register group, for details see www.lr.org
Care is taken to ensure that all information provided is accurate and up to date. However, Lloyd’s
Register LRQA accepts no responsibility for inaccuracies in, or changes to, information. Lloyd’s Register
and variants of it are trading names of Lloyd’s Register Group Limited, its subsidiaries and affiliates.
Copyright © Lloyd’s Register Quality Assurance Limited, 2017. A member of the Lloyd’s Register group. GL / CYB / 005 / V1-2017