
Page 1

Getting GDPR Stay Compliance Continuously with Useful Management System Tool – BS10012 Management System

10/19/2018

Prepared by Ricky Ng

Deputy Sales and Marketing Director, BSI


Page 2

EU GDPR Background

Who does it affect:

• Both controllers and processors of the personal data of EU citizens

History

• The European Data Protection Directive (95/46/EC) was implemented in the UK by the Data Protection Act 1998; BS10012:2009 was aligned with it.

• The GDPR replaced the Directive (95/46/EC) on 25 May 2018; BS10012:2017 is aligned with the GDPR.

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA.

Penalty:

• up to €20 million or

• 4% of annual worldwide turnover

Page 3

Do I need to comply with GDPR even if the office is located outside the EU?

• Article 3 Territorial scope

The GDPR applies where any of the following holds:

- the controller or processor is established in the EU;

- goods or services are offered to data subjects in the EU;

- the behaviour of data subjects in the EU is monitored, where that behaviour takes place in the EU.

Page 4

How to get ready for GDPR compliance?

Copyright © 2018 BSI. All rights reserved.

Page 5

Preparation for GDPR


Risk assessment: The high fines that will be enforced under the new regulation (up to €20 million or up to 4% of the annual worldwide turnover of the parent company) could have a major financial impact on your organization.

Compliance: The new law will be enforced from 25 May 2018, so you must review your obligations.

Data classification: Personal data must be processed in a manner that ensures appropriate security.

Breach notification and reporting: Companies will have to notify the data protection authorities within 72 hours after a breach of personal data has been discovered.

Cooperation with authorities: Under the EU GDPR, organizations must cooperate with the authorities, e.g. privacy or data protection regulators.

Asset management: The EU GDPR requires you to understand what personal data you collect, how it was obtained, where it is stored, how long it is kept for and who has access.

Privacy by design: The adoption of privacy by design is another EU GDPR requirement.

Supplier relationships: The EU GDPR applies to suppliers who process personal data on behalf of others; it requires controls and restrictions to be included in formal agreements.

Documentation: Under the EU GDPR, controllers must maintain documentation concerning privacy, e.g. the purposes for which personal information is gathered and processed, and the 'categories' of data subjects and personal data.

Page 6

More….

Training and awareness: Make sure your business leaders and key stakeholders are aware of this change in the law.

Review your incident management process: Make sure that you can respond within the tight timescales required by the new regulation should a personal information incident occur.

Internal audit / PIA: Use your internal audit to assess what personal data you hold, where it came from and who you share it with.

Review your management framework: Depending on the scope of your ISMS and the controls you have implemented, there may be additional guidance that can help, such as BS 10012 and ISO/IEC 27018.

ISO 27001:2013, ISO 27018:2014 and BS 10012:2017 will help demonstrate adequate technical and organizational measures to protect personal data and systems.

Page 7

Context of BS10012

Page 8

BS10012:2017 – BS Standard for Data Protection

BS 10012 provides a best practice framework for a personal information management system (PIMS) that is aligned to the principles of the EU GDPR. It outlines the core requirements organizations need to consider when collecting, storing, processing, retaining or disposing of personal records related to individuals. Easily integrated with other popular management system standards, BS 10012 brings big benefits to companies of all sizes, including:

Page 10

BS10012:2017 structure (clauses):

4. Context of the organization

5. Leadership

6. Planning

7. Support

8. Operation

9. Performance evaluation

10. Improvement

Annexes:

• Annex A – ISO standardized management system

• Annex B – Comparison between the GDPR 2016 and UK practice under DPA 1998

• Annex C – Codes, seals, certifications and trust marks

Page 11

How to get BS10012:2017?

Page 12

BSI offering on GDPR

Step 1 – Gap Assessment against BS10012:2017

Gap analysis is mainly a determination of the degree of conformance of your organization to the requirements of a specification or standard. BSI offers a gap assessment including: a gap analysis of your existing PIMS; a scoping study; and a gap assessment report that lets your team easily follow up the implementation work.

Step 2 – Training for Data Owners

Under the GDPR it will now be a legal mandate to ensure that all staff receive training appropriate to their role within the organization. This responsibility shall rest with an identified lead, who needs to have a full understanding of the GDPR and the risk levels across the organization. BSI offering: a 2-day General Awareness Training course (bespoke) for all employees, with training on data protection impact assessment, data inventory and data flow.

Step 3 – Data Protection Governance Internal Audit

Internal audit for data protection is one of the important processes for complying with the GDPR. As a result, it carries heavy responsibilities, tough challenges and complex problems. BSI offering: a 1-day intensive course that prepares delegates for the BS 10012 qualification process and trains them to plan, manage and implement the audit programme. It also empowers them to give practical help and information to those who are working towards compliance and certification.

Step 4 – 1st Pre-Assessment on Technical and Organizational Measures

The 1st pre-assessment covers the technical and organizational measures used to implement procedures for compliance with data subject rights and the data protection principles for processors and controllers; implementation of data protection by design and by default, including adequate security of data; management engagement; the data protection framework; and the records used to check compliance with the GDPR. BSI offering: a 1st pre-assessment on BS10012 and GDPR at the project implementation stage. It gives a better view for implementing BS10012 and the GDPR.

Step 5 – 2nd Pre-Assessment on Technical and Organizational Measures

The 2nd pre-assessment covers the same technical and organizational measures: procedures for compliance with data subject rights and the data protection principles for processors and controllers; implementation of data protection by design and by default, including adequate security of data; management engagement; the data protection framework; and the records used to check compliance with the GDPR. BSI offering: a 2nd pre-assessment on BS10012 and GDPR at the implementation stage. It helps the customer understand their maturity status ahead of the BS10012 assessment.

Step 6 – Demonstrate your GDPR readiness

Overall readiness for BS 10012:2017 will be assessed. The assessment is done in two stages. In Stage 1 the intent of your management system is checked by looking at the documentation and the approach to personal data on your site, making sure you understand the requirements of a PIMS. In Stage 2 BSI assessors look at the implementation and effectiveness of the PIMS as established by you. BSI offering: assessment to BS10012.

Capacity Building Program designed to facilitate compliance with the best practice principles of the GDPR (reference BS 10012:2017).

Page 13

Training – CIPP/E & GDPR Foundation Course

Page 14

Certificate Sample

Page 15

Project references: organizations adopting BS10012:2017 to demonstrate their GDPR compliance

Page 16

Why BS10012:2017?

Page 17

GDPR – Art 42 Certification

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, … , the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.

2. … data protection certification mechanisms, seals or marks … may be established for the purpose of demonstrating the existence of appropriate safeguards ...

Page 18

GDPR – Art 83 General conditions for imposing administrative fines

Mitigating factors

• Nature, gravity and duration of the infringement, the number of data subjects affected and the level of damage suffered by them;

• Action taken by the controller or processor to mitigate the damage;

• Degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented;

• Categories of personal data affected by the infringement;

• Whether the controller or processor notified the infringement;

• Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

• …

Page 19

Other Benefits of BS10012:2017 Certification

• GDPR Art 42 certification – demonstrating compliance

• GDPR Art 83 fines – demonstrating due care, which may reduce the fines (subject to the court's judgment and the supervisory authority)

• An effective system to keep your team complying with the GDPR continuously

• Gain the trust of your stakeholders and customers

• Differentiate yourself from your competitors

• Become more competitive

• Based on the HLS (High Level Structure), so easy to integrate with other ISO management systems

• Protect brand equity and company reputation

Page 20

Don’t Wait, Act Now!

Page 21

Other assurances applicable to SMART products

Page 22

Other Assurances for "Smart Products"

• ISO 20000 – Service Management

• ISO 9001 – Quality Management

• ISO 22301 – Business Continuity Management

• ISO 50001 – Energy Management System

• ISO 14001 – Environmental Management System

• ISO 14064 – GHG Emissions Inventories and Verification

• ISO 27001 – IT Security Management

• CSA STAR – Cloud Security

• BS 10012 and GDPR – Data Protection

Page 23

Information Resilience Services provided by BSI

• Information Security

• GDPR Compliance

• Cloud Security

• Network/System/Application Security

- Vulnerability Scanning

- Penetration Testing

- NIST Cybersecurity Framework

• Payment Security

• IoT Security Assurance

Page 24

My Contact

Mr. Ricky Ng

Deputy Sales and Marketing Director

Tel: 6088 0042/ 3149 3319

email: [email protected]

Page 25

Thank you