Getting GDPR Stay Compliance Continuously with Useful Management System Tool – BS10012 Management System
10/19/2018
Prepared by Ricky Ng
Deputy Sales and Marketing Director, BSI
EU GDPR Background
Who does it affect:
• Both controllers and processors of personal data of EU citizens
History
• The European Data Protection Directive (ED, 95/46/EC) was adopted and implemented in the UK by the Data Protection Act 1998; BS10012:2009 was aligned with it
• GDPR replaces the ED (95/46/EC) on 25-May-2018; BS10012:2017 is aligned with it
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU
law on data protection and privacy for all individuals within the European Union (EU) and
the European Economic Area (EEA).
It also addresses the export of personal data outside the EU and EEA areas.
Penalty:
• up to €20 million or
• 4% of global worldwide turnover
Do I need to comply with GDPR even if the office is located outside the EU?
• Article 3 Territorial scope
  – Controller or processor in the EU
  – Offering of goods or services to data subjects in the EU
  – Monitoring of their behaviour that takes place in the EU
How to get ready for GDPR compliance?
Copyright © 2018 BSI. All rights reserved.
Preparation for GDPR
• Risk assessment: The high fines that will be enforced by the new regulations (up to €20 million or up to 4% of annual worldwide turnover of the parent company) could have a major financial impact on your organization.
• Compliance: The new law will be enforced from 25 May 2018, so you must review your obligations.
• Data classification: Personal data must be processed in a manner that ensures appropriate security.
• Reporting / breach notification: Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered.
• Cooperation with authorities: Under EU GDPR, organizations must cooperate with the authorities, e.g. privacy or data protection regulators.
• Asset management: EU GDPR requires you to understand what personal data you collect, how it was obtained, where it’s stored, how long it’s kept for and who has access.
• Privacy by design: The adoption of privacy by design is another EU GDPR requirement.
• Supplier relationships: EU GDPR applies to suppliers who process personal data on behalf of others; it requires controls and restrictions to be included in formal agreements.
• Documentation: Under EU GDPR, controllers must maintain documentation concerning privacy, e.g. the purposes for which personal information is gathered and processed, and the ‘categories’ of data subjects and personal data.
More…
• Training and awareness: Make sure your business leaders and key stakeholders are aware of this change in law.
• Review your incident management process: Make sure that you can respond in the tight timescales required by the new regulation should a personal information incident occur.
• Internal audit / PIA: Use your internal audit to assess what personal data you hold, where it came from and who you share it with.
• Review your management framework: Depending on the scope of your ISMS and the controls you’ve implemented, there may be additional guidance that can help, such as BS 10012 and ISO/IEC 27018.
ISO 27001:2013, ISO 27018:2014 and BS 10012:2017 will help demonstrate adequate technical and organizational measures to protect personal data and systems.
Context of BS10012
BS10012:2017 – BS Standard for Data Protection
BS 10012 provides a best practice framework for a personal information management system (PIMS) that is aligned to the principles of the EU GDPR.
It outlines the core requirements organizations need to consider when collecting, storing, processing, retaining or disposing of personal records related to individuals. Easily integrated with other popular management system standards, BS 10012 brings big benefits to companies of all sizes, including:
BS10012:2017 clause structure:
• 4. Context of the organization
• 5. Leadership
• 6. Planning
• 7. Support
• 8. Operation
• 9. Performance evaluation
• Improvement
• ISO standardized management system Annex A
• Comparison between the GDPR 2016 and UK practice under DPA 1998
Annex B
• Codes, seals, certifications and trust marks
Annex C
How to get BS10012:2017?
BSI offering on GDPR
Step 1 – Gap Assessment against BS10012:2017
Gap analysis is mainly a determination of the degree of conformance of your organization to the requirements of a specification or standard. BSI offers a gap assessment including:
• Gap Analysis for your existing PIMS
• Scoping Study
• Gap Assessment Report, so that your team can follow up the implementation work easily

Step 2 – Training to Data Owners
Under the GDPR it will now be a legal mandate to ensure that all staff receive training appropriate to their role within the organization; this responsibility shall rest with an identified lead, who needs to have a full understanding of GDPR and risk levels across the organization. BSI offering: 2-day General Awareness Training (bespoke) for all employees; training on data protection impact assessment, data inventory and data flow.

Step 3 – Data Protection Governance Internal Audit
Internal audit for data protection is one of the important processes for complying with GDPR. As a result, it carries with it heavy responsibilities, tough challenges and complex problems. BSI offering: a 1-day intensive course that prepares delegates for the qualification process for BS 10012 and trains them to plan, manage and implement the audit programme. It also empowers them to give practical help and information to those who are working towards compliance and certification.

Step 4 – 1st Pre Assessment on Technical and Organizational Measures
The 1st pre assessment acts on technical and organizational measures to implement procedures for compliance with data subject rights and data protection principles for processors and controllers; implementation of data protection by design and default, including adequate security of data; management engagement; data protection framework; and records to check compliance with GDPR. BSI offering: 1st Pre Assessment on BS10012 and GDPR at the project implementation stage. It gives a better view for implementing BS10012 and GDPR.

Step 5 – 2nd Pre Assessment on Technical and Organizational Measures
The 2nd pre assessment covers the same technical and organizational measures as the 1st: procedures for compliance with data subject rights and data protection principles for processors and controllers; implementation of data protection by design and default, including adequate security of data; management engagement; data protection framework; and records to check compliance with GDPR. BSI offering: 2nd Pre Assessment on BS10012 and GDPR at the implementation stage. It helps the customer understand the maturity status of their BS10012 assessment.

Step 6 – Assessment to BS10012: Demonstrate your GDPR readiness
Overall readiness for BS 10012:2017 will be assessed. The assessment is done in 2 stages. In Stage 1 the intent of your management system is checked by looking at the documentation and the approach to personal data on your site, making sure you understand the requirements of the PIMS. In Stage 2 BSI assessors look at the implementation and effectiveness of the PIMS as established by you. BSI offering: Assessment to BS10012.

Steps 1 to 6 together form a Capacity Building Program designed to facilitate compliance with the best practice principles of GDPR (reference BS 10012:2017).
Training – CIPP/E & GDPR Foundation Course
Certificate Sample
Project Reference of adopting BS10012:2017 to demonstrate their GDPR Compliance
Why BS10012:2017?
GDPR – Art 42 Certification
• 1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, … , the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.
• 2. … data protection certification mechanisms, seals or marks … may be established for the purpose of demonstrating the existence of appropriate safeguards ...
GDPR – Art 83 General conditions for imposing administrative fines
Mitigating factors
• Nature, gravity and duration of the infringement and number of data subjects affected and the level of damage suffered by them;
• Action taken by the controller or processor to mitigate the damage
• Degree of responsibility of the controller or processor taking into account technical and organizational measures implemented;
• Categories of personal data affected by the infringement;
• Controller or processor notified the infringement;
• Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
• …
Other Benefits of BS10012:2017 Certification
• GDPR Art 42 Certification - demonstrating compliance
• GDPR Art 83 fines – demonstrating due care, which may reduce the fines (subject to the court judgment and the supervisory authority)
• An effective system to keep your team complying with GDPR continuously
• Gain the trust of your stakeholders and customers
• Differentiate from your competitors
• Become more competitive
• Based on HLS (High Level Structure ) – Easy to work with ISO
• Protecting brand equity and company reputation
Don’t Wait, Act Now!
Other assurances applicable on SMART Products
Other Assurances for “Smart Products”
• ISO 20000 – Service Management
• ISO 9001 – Quality Management
• ISO 22301 – Business Continuity Management
• ISO 50001 – Energy Management System
• ISO 14001 – Environmental Management System
• ISO 14064 – GHG Emissions Inventories and Verification
• ISO 27001 – IT Security Management
• Cloud Security – CSA STAR
• BS 10012 and GDPR – Data Protection
Information Resilience Services provided by
• Information Security
• GDPR Compliance
• Cloud Security
• Network / System / Application Security
  – Vulnerability Scanning
  – Penetration Testing
  – NIST Cybersecurity Framework
• Payment Security
• IoT Security Assurance
My Contact
Mr. Ricky Ng
Deputy Sales and Marketing Director
Tel: 6088 0042/ 3149 3319
email: [email protected]
Thank you