The General Data Protection

Regulation (GDPR):
What the new law means for you and your organisation

19
Building a culture of privacy
in your organisation
The General Data Protection Regulation (GDPR) is the biggest development
in data protection law this century – increasing safeguards for individuals
and making organisations more accountable for how they use our personal
data. The GDPR brings data protection to the forefront of your organisation’s
processes; whether you handle personal information relating to your
customers or employees, GDPR will have an impact on the way you work.

‘‘ If your organisation can’t demonstrate that good data protection is a

cornerstone of your business policy and practices, you’re leaving your
organisation open to enforcement action that can damage both public
reputation and bank balance. But there’s a carrot here as well as a stick:
‘‘
get data protection right, and you can see a real business benefit.

Elizabeth Denham
UK Information Commissioner

ICO Blog - Businesses warned to prepare with one year until data protection law

The official text of the GDPR doesn’t
tell us exactly what we’ll need to
do to be compliant by May 2018
and the national and regional lead
supervisory authorities, who will be the
regulators for the GDPR, are providing
interpretation and advice as that date
approaches. In this guide, we outline
the main aspects of the GDPR and the
areas to consider in your preparations.
Much has been written about the high
fines for failing to comply with the new
law and although there are questions
about how the law will be enforced,
that is no excuse for inaction. So with
less than a year until the GDPR comes
into force, now is the time to prepare.

DISCLAIMER: This overview guide is intended as a general introduction to the GDPR.

Please contact your nearest LRQA office for advice specific to your organisation.
02
What is GDPR?
The European Parliament approved
the General Data Protection
Regulation (GDPR) [Regulation (EU)
2016/679] in April 2016 and it will
apply from 25 May 2018.
It will strengthen data protection
for all individuals within the EU
regardless of where the data is held.
It builds on existing regulations
to improve consistency and the
safeguards in place.
Who does it apply to?
Article 3 of the GDPR sets out the
territorial scope of the regulation,
which covers:
• The processing of personal data
in the context of the activities of
organisations in the European Union,
regardless of whether the processing
takes place in the Union or not.
• The processing of personal data of
data subjects (i.e. living individuals)
who are in the Union by a controller
or processor not based in the EU,
where the processing activities relate
to offering goods or services to
data subjects in the Union; or to the
monitoring of their behaviour within
the Union.
• The processing of personal data by
organisations not established in the
Union, but in a place where Member
State law applies by virtue of public
international law.
03
Key concepts
The lead supervisory authority is the
main data protection regulator that a controller would
refer to for compliance, to register a data protection
officer, or to report a breach – see page 18 for the full list of
supervisory authorities. A controller can determine
its lead supervisory authority according to where its
‘main establishment’ or base is within the EU.

Personal data is any data that Special categories of personal data

you hold about a living individual (data
subject), held either electronically or
manually in a structured system, that
could identify that person. This could include a
name, an email address, bank details, an IP address
or even a photo. It’s worth noting, that national
legislation will apply and different countries have
their own definitions of the categories of personal
data, so in the US, for example, bank details are
classed as sensitive personal data.
refers to sensitive personal data, such as
racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade
union membership, genetic or biometric
?
data, data concerning physical or mental
health, sex life or sexual orientation where
it is processed to identify an individual.
Criminal convictions are not included in this
category, but similar safeguards apply to its
data processing.

The controller is an organisation or

individual who determines how and why
personal data is processed. The controller
must make sure that its contracts with
processors comply with the GDPR.

The processor refers to an organisation or individual,

other than an employee of the data controller, who
processes personal data on behalf of the controller.
Under certain conditions, the GDPR brings new
requirements for processors including keeping
records of personal data and processing activities.
Under the GDPR, processors face greater liability
if they are responsible for a breach.

Data protection by design and by default is an approach that promotes data

protection and privacy from the start of a project. This makes it easier to identify and address
potential issues and raises awareness of data protection within the organisation. The GDPR
requires organisations to consider appropriate technical and organisational measures and
integrate data protection into their processing activities to minimise the amount of personal
data collected, the extent of processing, the storage period and accessibility.

A personal data breach occurs

when personal data is destroyed, lost,
altered, shared, accessed, transmitted,
stored or processed without the proper The UK government has confirmed that Brexit
authorisation. Organisations will need will not stop the UK adopting the GDPR, but it
to report a personal data breach under could mean that UK-based organisations have
the GDPR if it’s likely to result in a risk to deal with regulators across every EU member
to a data subject’s rights and freedoms. state that they are active in. The same issue will
apply to organisations based in non-EU countries
that need to be GDPR compliant, but don’t have
a base within the EU.

04
The six principles of the GDPR
The main responsibilities for organisations are set out in the GDPR’s six principles.
As individuals, we expect our data to be treated securely and with respect. In an
organisational setting, it’s important to remember that the personal data that we deal
with relates to an actual person and how we process it could have an impact on them.

Article 5 states that personal data shall be:

Article 5 (2) sets out the
1. Processed lawfully, fairly and in a transparent manner in relation to individuals. accountability concept and states
2. Collected for specified, explicit and legitimate purposes and not processed that the controller “shall be
beyond those purposes. Further processing for archiving purposes shall, in responsible for, and be able to
accordance with Article 89(1), not be considered to be incompatible with the demonstrate compliance with”
initial purposes. the above principles. This means
that organisations need to be
3. Adequate, relevant and limited to what is necessary in relation to the purposes able to demonstrate how they
for which they are processed. comply with the principles. It’s
4. Accurate and, where necessary, kept up-to-date. Reasonable steps must be taken important to understand the risks
to ensure that inaccurate personal data is corrected or erased without delay. to individuals when you use their
data, and how you can mitigate
5. Kept in a form that permits identification of data subjects for no longer than is the risks.
necessary for the purposes for which the personal data are processed.
Personal data may be stored for longer periods for archiving purposes in The use of data is so widespread
accordance with Article 89(1) subject to implementation of the appropriate in how we all work, that GDPR is
technical and organisational measures required to safeguard the rights and likely to impact all areas of your
freedoms of the data subjects. organisation.
6. Processed in a manner that ensures appropriate security of the personal data
through the use of technical and organisational measures.

‘‘ Think of data as borrowing an expensive item from a friend.

It is never actually yours; it is on loan from the data subjects.
They can ask for it back, they can check that you are using it correctly,
they can demand that you do not further loan it to someone else
‘‘
without their approval, and they have rights over what you do with it.
Nigel Hawthorn
Skyhigh Networks’ European spokesperson

http://www.itproportal.com/2016/07/10/eu-gdpr-an-action-guide-for-it/
05
The legal grounds
for processing data
Article 6 of the GDPR sets out six legal
grounds for processing personal data.
Extra legal grounds are set out for
specific categories of sensitive personal
data. You will need to determine the
basis for processing personal data and
document it to fulfil the principle of
lawful processing.

In your privacy notice, you will need to make it clear to

data subjects which legal ground you are using and why
that is the basis for data processing.

‘‘
The six bases are:
Consent
1. The data subject has given consent.
2. Data processing is necessary for the performance of Consent should be given by a
a contract.
clear affirmative act establishing
3. Data processing is necessary to comply with a a freely given, specific, informed
statutory legal obligation.
4. Data processing is necessary to protect the vital
and unambiguous indication of the
interests of a data subject or another person. data subject’s agreement to the
5. Data processing is necessary to perform a task in the processing of personal data relating
public interest.
6. Data processing is necessary for the purposes of
legitimate interests pursued by the controller
to him or her, such as by a written
statement, including by electronic
‘‘
or a third party, except where such interests are means, or an oral statement.
overridden by the interests, rights or freedoms of Recital 32
the data subject.

What does this mean in practice?

• GDPR sets much higher standards
for consent than most current data
protection legislation. Opt-outs will
no longer be acceptable. As recital
32 states, “Silence, pre-ticked boxes
or inactivity should not therefore
constitute consent.”
• You must say who the data controller
is and name any third parties who may
process the data, why you want the
data and what you plan to do with it.
You also need to make it clear how to
withdraw consent if that is the legal
basis being used.
• The burden of proof is on the
data controller and processor to
demonstrate that an individual has
given consent.
• Article 8 of the GDPR strengthens the
protection of children’s personal data.
A child under the age of consent
cannot give consent themselves and
an adult with ‘parental responsibility’
would need to give it on their behalf.
EU Member States can set their own
age of consent as long as it is not
below 13. Where a different legal
basis is used for processing a child’s
data, the privacy notice must be
written in a clear way that a child
will understand.
It should also be noted that other EU
directives (2016/680 the Law Enforcement
Directive and 2016/681 on the use of
the Passenger Name Record) apply from
the same date as the GDPR. They relate
to the legitimate processing of data by
criminal investigation authorities for the
prevention of criminal or terrorist acts
and complement the GDPR.
The ePrivacy Directive (2002/58) is
being reformed and is also due to apply
from May 2018 to ensure that the laws
governing internet-based services keep
step with evolving technology.

06
Individuals’ rights
1. The right to be informed This means being transparent about how you use personal data and in many cases this
information can be shared through your organisation’s privacy notice.

2. The right of access Individuals have the right to request confirmation that their data is being
processed and they are entitled to obtain access to their personal data and, if requested,
organisations must provide a copy of the information free of charge. However, article 12 (5)
states that where the controller can demonstrate that requests from a data subject are
manifestly unfounded, excessive or repetitive, they can charge a reasonable administrative
fee or refuse to act on the request. You must respond to requests for access within one
month, which can be extended to two months if the request is complex.
Organisations must take reasonable steps to verify the identity of the person making the
request.
Recital 63 of the GDPR recommends that, where possible, organisations should provide
remote access to a secure self-service system that would provide an individual with direct
access to their personal data.

3. The right to rectification Data should be rectified if it is inaccurate or incomplete. If the data has been shared with
third parties, you are responsible for informing them of the rectification and you need to
inform the individual about the third parties where appropriate.
You must respond to requests for rectification without undue delay.

4. The right to erasure Also known as the ‘right to be forgotten’, it means that an individual can request that their
personal data be removed or where one of the qualifying conditions set out in article 17
applies.
Article 17 (3) sets out a number of circumstances where you can refuse to comply with a
request for erasure. They are:
• To exercise the right of freedom of expression and information.
• To comply with a statutory legal obligation or for the performance of a public interest task
or exercise of official authority.
• For public health purposes in the public interest in accordance with national legislation.
• For archiving purposes in the public interest, scientific research, historical research or
statistical purposes in accordance with article 89 (1).
• The exercise or defence of legal claims.

5. The right to restrict Individuals can block the processing of their personal data where one of the conditions in
processing Article 18 is met.
The controller is responsible for communicating any rectification, erasure, or restriction to
each recipient of the personal data, unless this involves disproportionate effort. They should
also inform the data subject about those recipients if requested.

6. The right to data Article 20 applies to automated data processing based on consent or a contractual obligation.
portability It means that the data subject has the right to receive the personal data concerning him or
her, which he or she has provided to a controller, in a structured, commonly used and
machine-readable format and has the right to transmit those data to another controller.

7. The right to object Objections can relate to processing based on legitimate interests or the performance of a task
in the public interest/exercise of official authority (including profiling); processing for
purposes of scientific/historical research and statistics and for direct marketing.
You must inform data subjects clearly of their right to object at the ‘point of first
communication’ and in your privacy notice.

8. Rights in relation to This is a safeguard against the risk that a potentially damaging decision is taken based on a
automated decision making system of automatic processing or profiling.
and profiling

9. The right to Under article 7 (3) the data subject can withdraw consent at any time and this should be as
withdraw consent easy as the process to give consent. This does not affect the lawfulness of any processing
conducted before the withdrawal.

10. Rights in relation to Article 77 explains that a data subject has the right to complain to a supervisory authority
lodging a complaint with if he or she considers that the processing of his or her personal data breaks the law.
a supervisory authority, Articles 78 and 79 set out when a data subject can take a supervisory authority, controller
judicial remedy and or processor to court for failing to fulfil their obligations under the GDPR. Article 82 (1)
compensation covers the right to receive compensation for material or non-material damage as a result
of an infringement of the GDPR.

07
How can you demonstrate
that you comply with the
GDPR?
Organisations need to be able to show that they
comply with the principles of the GDPR to meet the
accountability requirements.

The measures that you take should be
comprehensive yet proportionate to
the complexity and types of personal
data you deal with. Data protection
policies, staff training, internal audits of
processing and HR policies can be used to
demonstrate compliance. Implementing
data protection by design and by
default in your processes will help to
demonstrate the measures being taken.
Records of processing activities need to
be kept for all organisations with more
than 250 employees. Organisations
with fewer than 250 employees also
need to keep records of their processing
activities in higher risk situations, such
as processing that could risk the rights
and freedoms of individuals or if the
processing relates to special categories
of data or criminal convictions. If you are
investigated you many need to make
these records available to the relevant
supervisory authority.
The GDPR supports the use of approved
codes of conduct and certification to
demonstrate compliance, although this
isn’t currently mandated. At the time of
writing, the Article 29 Working Party was
developing guidelines on certification,
which should clarify what standards and
schemes will be applicable, or if new ones
will be developed. Achieving certification
or following a code of conduct
demonstrates compliance, encourages
best practice and builds trust with your
customers and partners. Preferred
standards and schemes may become a
licence to trade in certain industries.

What needs to be recorded? In the information security and data

protection arena, LRQA delivers a range
The following information about your processing activities needs to be recorded: of training and certification services
for ISO 27001 – the international
Name and details of your organisation and a representative or contact point standard that sets out the requirements
Purposes of the processing for establishing, implementing and
improving an information security
Description of the categories of individuals and the categories of personal data management system (ISMS) within
Categories of the recipients of personal data including those in third countries the context of the organisation. It
provides organisations with a best
Details of transfers to third countries including documentation of the transfer practice framework to identify, analyse
mechanism safeguards in place and implement controls to manage
Retention schedules information security risks and safeguard
the integrity of business-critical data.
Descriptions of technical and organisation security measures

Restrictions on the transfer

of personal data
The GDPR places restrictions on the
transfer of personal data outside of
the European Economic Area (EEA) to
maintain the required level of protection.
These are detailed in chapter V of the
GDPR. The European Commission will
decide if a third country, territory, or an
international organisation ensures an
adequate level of protection. In other
cases, where transfers are on a one-off or
infrequent basis, these may be allowed
if adequate safeguards are in place, such
as legally binding agreements between
public authorities or binding corporate
rules, or compliance with an approved
code of conduct or certification scheme.
This will have many implications both
for multinational organisations and
those trading across borders. The Article
29 Working Party will publish further
guidelines later this year.

08
Who is responsible for data protection
within the organisation?
Yes
Are you a court judge acting
in a judicial capacity?
Yes No
You do not need You MUST
to appoint a DPO appoint a DPO
A data protection officer (DPO) is the
independent face of data protection within
an organisation.
All organisations must make sure that they have sufficient skills and
resources to meet their GDPR requirements, and in some cases, the
GDPR states you must appoint a DPO.
There is no clear definition for how
many data subjects would constitute
‘large scale processing’. Recital 91 states
that: “The processing of personal data
should not be considered to be on a
large scale if the processing concerns
personal data from patients or clients
by an individual physician, other health
care professional or lawyer.”
From this, one could assume that if
you have special categories of data for
more than a couple of thousand data
subjects, then a DPO is required, but
until the case law develops, we may not
have a definitive answer to this.
The DPO can be an employee, as long
as there isn’t a conflict of interest with
their existing role, or the role can
be outsourced. One DPO can act for
a group of companies or a group of
public authorities, but depending on
the size and complexity of the group,
more may be needed. There are no
specific qualifications or credentials to
be a DPO, but they do need professional
experience and knowledge of data
protection law. The DPOs contact details
should be published and communicated
to the relevant supervisory authority.
Are you a
public authority?
No
Do your core commercial activities carry out large
scale systematic monitoring of individuals?
Yes
You MUST
appoint a DPO
You MUST
appoint a DPO
The DPO must report to the highest
level of management, must be
provided with adequate resources to
meet the GDPR requirements, and
cannot be dismissed or penalised for
performing their role.
The DPO’s minimum tasks are defined
within article 39 of the GDPR:
• To inform and advise the
organisation and its employees
about their data protection legal
obligations.
• To monitor compliance with the
GDPR and other data protection
laws, including raising awareness
and training employees, advising on
data protection impact assessments
and conducting internal audits.
• To be the main point of contact
for the supervisory authorities and
data subjects on questions of data
protection and compliance.
• To assess the risks associated with
the data processing operations.
No
Do you carry out large scale processing
of special categories of data or data
relating to criminal offences?
Yes No
You do not need
to appoint a DPO
How can LRQA help?
If you are taking on the role of a
DPO, LRQA’s two-day workshop will
give you a detailed understanding
of your role and responsibilities
under the GDPR. Filled with
practical advice, this workshop
will help you to establish
effective systems and engage
your organisation to meet the
requirements of the new regulation.
On the course, you will learn:
• About the role of the DPO and
how to establish and manage
compliance as a DPO, consistent
with the GDPR requirements.
• How to set up a risk-based,
sustainable and effective data
protection compliance programme.
• How to draft policies, procedures,
and guidance materials.
• How to develop engagement
across your organisation and how
to communicate with various
stakeholders.
• The role of the DPO in crisis
situations.
09
When do you need to complete a
data protection impact assessment?
Data protection impact assessments (DPIA) can be used to
identify and fix potential issues at an early stage and are an
effective way to take a ‘data protection by design’ approach.

DPIAs are already seen as good practice and the GDPR takes them a step
further by making them mandatory in the following circumstances:

• When using new technologies for • Large scale processing of special

processing that presents a high risk to
individuals’ rights and freedoms.
• Systematic profiling on which
decisions are based that have an
impact on the data subject.
categories of personal data,
including those relating to criminal
convictions.
• Large scale, systematic monitoring
of public areas – notably CCTV.

What information should a DPIA include? How can LRQA help?

A description of the processing, why it is being carried out, and We can provide DPIA training
the legal basis. that gives practical guidance on
how to conduct DPIA within your
An assessment of the need and proportionality of the processing. organisation.
As assessment of the risks to individuals.
If you are responsible for carrying
The measures in place to address the risks and demonstrate out DPIA, LRQA’s one-day in-
compliance with the regulation. company workshop gives practical
According to article 35 (11), the controller needs to review that guidance on conducting Data
the processing is conducted in line with the DPIAs, particularly Protection Impact Assessments
when there is a change to the risk level. (DPIA). This includes:

• What a DPIA is and when one

should be carried out.
• Your national regulators’
recommendations and guidance.
• The stages of a DPIA and what
to do in practice.
• The relationship between
conducting DPIAs with other
risk and project management
activities, such as other risk
assessments or data protection
audits.
• What legal and compliance
issues you will need to consider
within your organisation.

Additionally, LRQA can carry

out the Data Protection Impact
Assessments on your behalf. Our
specialist assessors will use proven
risk-based methodologies and
the opportunity can be used to
mentor internal staff.

10
What do we need to do if there’s
a personal data breach?
Under the GDPR, organisations will
be duty bound to report certain
types of personal data breach to
the relevant supervisory authority
when the breach is likely to lead to
a risk to the rights and freedoms of
individuals, such as discrimination,
loss of confidentiality or financial
loss. The breach has to be assessed
on a case by case basis.
Organisations also need to let the
individuals affected know where the
breach is likely to result in a high risk
to their rights and freedoms.
The Article 29 Working Party will
issue guidelines on the notification of
personal data breaches during 2017.
What we know so far, is that: The controller needs to keep records
• Breaches must be reported within of their investigation into the breach
72 hours of becoming aware of the to demonstrate compliance to the
incident. Information can be provided supervisory authority in accordance
in phases as the investigation unfolds. with article 33.
• Failing to notify a breach within the
The most common cause of
timescale can result in a fine of up
information security breaches are
to 10 million EUR or 2% of global
human error so it’s important that
turnover.
everyone within your organisation
• If more than one article is breached, who deals with personal data
it will be the one with the highest understands what a data breach is,
penalty that will be imposed. and what the reporting procedure is.
• The breach notification should
include: With only 72 hours to report a breach,
– The nature of the personal data robust detection, investigation and
breach, including the category reporting procedures will be vital.
and number of records and
individuals affected.
– The contact details of the data
protection officer or other
point of contact, if there isn’t a DPO.
– The likely consequences of the
data breach and the measures
taken or proposed to deal with
the breach to mitigate its impact.
11
Failure to comply with
the law
The supervisory authority can
impose warnings, reprimands
and temporary suspensions of
data processing as well as fines.
National laws may also have
other sanctions, such as custodial
sentences.
The level of the penalty will
depend on:
– the nature, duration and gravity
of the infringement,
– the type and volume of data
involved,
– whether it was intentional or
negligent,
– the steps taken by the
organisation to mitigate
potential damage,
– how the regulator found out
about the breach,
– adherence to a code of conduct,
and
– if it’s a repeat offence.
Regulators are not likely to look
favourably on organisations that
have made no effort to prepare for
the GDPR. The maximum fine for
failing to comply – for example using
personal data without consent or
failing to protect personal data –
is up to 20 million EUR or 4% of
global turnover for the previous
year – whichever is greater. Data
subjects will also be able to claim
compensation from the controllers or
processors who break the law for the
damage they have suffered.
Regulatory fines could be just
the tip of the iceberg. Even if
an organisation were able to
weather the financial penalties, the
consequences represent a significant
business risk, including:
– reputational and brand damage,
– consumer mistrust and loss of
market share,
– increased scrutiny from
shareholders and investors, and
– cost of forensic investigation and
remedial actions.
If all else
fails...
How can LRQA help?
ISO 22301:2012 is the international
standard for Business Continuity. It
identifies best practice in establishing a
management system that minimises the
risks of impact from disrupted service
provision. Like most international
management system standards, it is
based on the Plan, Do, Check, Act cycle.
A business continuity management
(BCM) system will help organisations
put structures in place to identify the
potential threats that may exist, the
impact of incidents and how to guard
against them. It gives a framework for
managing the organisation through
the process of preparing strategies and
methods to reduce the impact of any
incident and building the capability
to respond effectively should one
occur. In this context it provides the
perfect mechanism for managing data
breaches. LRQA provides training, gap
analysis and accredited certification to
this standard.
12
What does it mean for
your organisation?
While the eye-watering fines have grabbed
headlines in the business press, the
GDPR offers organisations opportunities
to streamline processes, develop their
employees and build trust with consumers.
As one email marketing agency put it,
GDPR is less about Gloom, Doom, Panic
and Retribution and more about the
opportunity for Great Data and a more
Personal Relationship.
Leaders
The focus on accountability and
governance means greater engagement
from leaders to ensure that the
organisation has the resources and skills
to fulfil the requirements of GDPR. If
your organisation has a data protection
officer, they should report to the
highest level of management.
The GDPR provides an opportunity to
transform your organisation’s culture
and processes to be more customer-
centric and streamlined. Culture change
needs to be led from the top to role
model the new practices and behaviours
that will create a ‘culture of privacy’.
All organisations are in the same boat,
so if you take a proactive approach, you
can create an early mover advantage
and promote your approach as a clear
signal that you respect your customers’
individual rights.
IT
While the responsibility for data
protection is spread across many
departments, IT has a major role to play
to ensure compliance with the GDPR.
Here are a few things to consider:
• Where is personal data stored?
• Does any of the data come into the
sensitive personal data category?
• What are your procedures for data
transfer?
• Do you outsource any data
processing? Do you use any cloud
based services?
• How do you demonstrate that the
personal data in your systems is
secure? Can you track its movement?
• How will you manage the
requirements to delete data when
it is no longer needed? And how
will you ensure data is completely
removed from your systems if a
data subject invokes their right
to be erased?
• Do the security settings on your
database ensure that data is
only shared with individuals or
organisations that have permission
to use that data?
• Do your systems contain duplicate
data? Can you consolidate the data?
How will you manage that and
ensure that any personal data caught
in a silo is processed in accordance
with the regulations? For example,
if a data subject withdraws consent –
how will you ensure that request is
respected across all systems?
• Are you confident that your systems
would identify a data breach in any
form they may take?
• Encryption can be used to reduce the
risk of data loss. To what extent is data
encryption part of your processes?
• Have you reviewed and updated your
privacy policies to ensure they are
compliant?
HR
National law or collective agreements
may provide more specific rules relating
to the processing of employees’ personal
data in a work context, but these laws
must include appropriate safeguards
to protect their employees rights and
freedoms, right from the recruitment
stage.
The record keeping and security
requirements equally apply so HR
professionals will need a clear grip of
all the places personal data is saved and
processes may need to be reviewed to
ensure compliance. For multinational
employers, data flows and the transfer
of data through the company will need
to be reviewed.
There may also be training requirements
to ensure that your employees comply
with the regulations, regardless of
whether the personal data they handle
relates to customers, service users, or
employees.
Finance
Finance teams will need to have a clear
understanding of the data that they
hold, what would be classed as sensitive
personal data, why they need that data
and who has access to it. What are
the risks related to the personal data
that you hold? How will you manage
requests for access, rectification, or
erasure? How will you manage any third
parties who process the personal data
you hold?
Sales and Marketing
Early adoption of the GDPR has the
potential to inspire greater confidence
in your brand, boosting your reputation
as a trusted organisation.
Consent is the big issue for sales and
marketing teams, as prospects and
customers will need to confirm that
they’ve agreed to receive marketing
communications, and via which
channels, before you can contact them.
While this means that subscribed
lists may shrink, the quality of the
data will be higher, enabling better
segmentation to create relevant,
personalised content.
The result? Data analytics that can
deliver more accurate customer insight,
better engagement and ultimately
conversion.
13
Here are a few other areas to
consider:
• Double opt-in will become the
norm.
• Think about how you can better
use your email preference centre
(EPC) to help segment your
customer data.
• What processes do you have to
ensure that you do not contact
your unconfirmed or unsubscribed
contacts by mistake?
• At events, you will need to make
consent very clear if you plan to
send follow-up communications to
visitors.
• From a PR perspective, you need
permission from journalists to
contact them too. If you use a
news distribution service, you will
need to check that they have the
appropriate consent in place.
Customer Services
Although it might be painful to get
there, a clean database will make
it easier to deliver a great customer
experience. The principles of limiting
the data to what’s necessary and
ensure it is accurate and up-to-
date may lead to new processes
for customer services teams. It will
be important to think about who
within the organisation has access
to personal data and about any data
flows within the organisation that
involve a third party processor or
transfer outside of the EU.
Remote working
For your employees out in the field, How can LRQA help?
data security will be an important
issue to consider. How are physical Our range of GDPR training services
records managed? What are the data has been developed to address a
protection risks from their day-to-day wide range of stakeholders within
activities? What would be the risk if your organisation.
a laptop or other device was lost or
• The GDPR Briefing gives an
stolen? Understanding where data is
introduction to the principles
stored and who has access will be vital
and concepts found in the GDPR.
to mitigate the risks.
• The GDPR Foundation course
SMEs explains the implications for your
The scale and scope of the GDPR can organisation and the steps to
seem quite daunting to organisations take to become compliant.
of any size, let alone a small business. • Data Protection Officer (DPO)
However, as a small business, you may training helps DPOs prepare
still be processing a large amount of for the requirements and
personal data and will need to comply responsibilities of their new role.
with the law in the same way a larger • Data protection and information
organisation would. SMEs are often security onboarding via
more agile than large organisations, eLearning.
so you may find that it’s easier to
implement the changes needed and
gain an early mover advantage over
larger rivals – showing your customers You can find the full text of the GDPR
and employees that you are a brand here
to trust.
Organisations with fewer than 250
employees need to keep records of
their processing activities in higher
risk situations, such as processing that
could risk the rights and freedoms
of individuals or if the processing
relates to special categories of data or
criminal convictions.
14
5 step GDPR Implementation Plan
How LRQA can help
Training
Training Business Assessment
Assessment
Improvement

1 Raise Awareness GDPR

Foundation
Increase knowledge of the GDPR within Data Protection/
your organisation Information
From a general overview to role-specific Security
knowledge required to ensure compliance onboarding
(eLearning)

2 Map your data

Data Protection Data Protection
Impact Assessment Impact Assessment
Identify the current situation.
Workshop GDPR
How does your company shape up? Data Protection
Data Protection Officer Workshop Gap Analysis
By mapping your data, conducting a review of
Officer Workshop
policies, processes and practices, and carrying Data Mapping and
out an in-depth gap analysis, you can identify Classification
the risks and what needs to be done.

3 Develop an action plan

Prepare your GDPR Action Plan GDPR
‘Pathway’
Bring together the people from across your
organisation who will commit to and take
ownership of the plan.

4 Implement your plan

GDPR Readiness
Take action and do what you’ve planned Assessment
GDPR
Deployment should be time bound and ‘Pathway’ GDPR Controls
project managed against the objectives set Assessment and
in your action plan. Attestation

5 Manage and improve ISO 27001

your system and ISO 22301
Data Protection/
Information Certification and
Demonstrate compliance and commitment Security Gap Analysis
Review your outputs to date against the onboarding BS 10012
gaps identified in phase 2. Review the (eLearning) Compliance and
system and controls continuously to ensure Gap Analysis
they stay effective.

15
Our GDPR services in summary
In the information security and data protection arena our services cover both training and assessment including:
• The GDPR Briefing gives an
introduction to the principles and
concepts found in the GDPR.
• The GDPR Foundation course
explains the implications for your
organisation and the steps to take
to become compliant.
• Data Protection Officer (DPO)
training helps DPOs prepare
for the requirements and
responsibilities of their new role.
Demonstrating compliance through
Management Systems
We deliver a range of training and
certification services for ISO 27001 –
the international standard that sets
out the requirements for establishing,
implementing and improving an
information security management
system (ISMS) within the context of
the organisation. It provides a best
practice framework to identify, analyse
and implement controls to manage
information security risks and safeguard
the integrity of business-critical data.
How will ISO 27001:2013 certification
benefit my organisation?
• Minimises risk – ensures controls are
in place to reduce the risk of security
threats and to avoid any system
weaknesses being exploited. Your
ISMS is part of a business continuity
plan which means you’re in a good
position to recover quickly should the
worst happen.
A new personal information management system standard
BS 10012:2017 has been written
specifically to address the
requirements of the GDPR. BS 10012
covers employee security awareness
training, risk assessments, data
retention and disposal, helping you
to implement policies and procedures
to manage individual’s personal data
effectively. As it is based on the Annex
SL High Level Structure, it is easy to
integrate with other management
system standards and provides the
assurance that your organisation can
demonstrate compliance with GDPR.
• GDPR readiness assessment and
gap analysis.
• Data mapping and classification.
• We can carry out Data Protection
Impact Assessment (DPIA) on
your behalf and we can provide
DPIA training that gives practical
guidance on how to conduct DPIA
within your organisation.
• GDPR controls assessment and
attestation.
• Best practice – widely recognised as
providing best practice guidance in
information security management.
• Stay within the law – compliance
requires you to identify applicable
legislation, which has a positive
impact on risk management and
corporate governance.
• Competitive edge – certification by
LRQA gives your customers, trading
partners and other key stakeholders
confidence that you have addressed
all security risks including IT, people,
physical and business continuity. It is a
public and independent statement of
your capability, which may help when
responding to tenders.
• Management system integration –
the basis of the standard is the Plan
Do Check Act cycle in common with
other management system standards,
making it simpler for you to develop a
single management system that meets
the requirements of other standards.
It helps you:
• Identify risks to personal
information and put controls in
place to manage or reduce them
• Demonstrate compliance with data
protection legislation and gain
preferred supplier status
• Gain stakeholder and customer
trust
• Gain a tender advantage and win
new business
• Data protection and
information security
onboarding via eLearning.
• Training, Gap Analysis and
Certification for ISO 27001
(information security
management), ISO 22301 (societal
security – business continuity
management systems) and
BS 10012 (personal information
management system).
• Reduced costs – following a
methodical risk assessment approach
ensures that resources are applied to
reduce overall risk, rather than just
focusing on one aspect which can
leave other areas exposed.
At present, the GDPR does not mandate
third-party certification. However, there
is alignment between the requirements
of ISO 27001 and the GDPR in terms of
how organisations should manage their
information security policies, controls
and processes.
Achieving certification to
ISO/IEC 27001:2013 demonstrates
a commitment to meeting the
requirements of the GDPR –
demonstrating both compliance
and accountability.
• Safeguard your organisation’s
reputation and avoid adverse
publicity
• Protect you and your organisation
against civil and criminal liability
• Benchmark your own personal
information management practices
with recognised best practice
16
Better safe than sorry
Information is one of the most
valuable and business-critical assets for
any organisation. In today’s hyper-
connected world, organisations are
exposed to large scale information
security threats and destructive cyber-
attacks, regardless of size, industry, or
geographical location.
When information security systems
are not properly managed and
maintained, organisations run the
risk of sustaining serious financial and
reputational losses. Ensuring your
organisation has the right controls in
place to reduce the risk of serious data
security threats and avoid any system
weaknesses from being exploited is
essential.
Our expertise
LRQA has been at the forefront of
standards development and involved
in information security management
system (ISMS) assessment and
certification for many years.
Our roster of high-profile clients in
the finance, telecommunications,
software, internet, consultancy, justice
and government sectors, trust LRQA
to deliver high quality, consistent and
impartial assessments with the full
back-up of a highly dedicated support
package.
Our assessors are management systems
experts qualified in information
security and other aspects of IT, whose
objective view will give you confidence
in your own security measures as
judged against best industry practice
About us
LRQA is a recognised, world leading
professional assurance services
organisation. We specialise in
management systems compliance
and expert advice across a broad
spectrum of standards, schemes
and business improvement services
including customised training
and assurance programs. We are
recognised by almost 50 accreditation
bodies and deliver our services to
clients in more than 120 countries.
Our unique assessment methodology
takes your management systems
from compliance to performance,
in order to reduce business risk, and
enhance the effectiveness, efficiency,
and continuous improvement of your
management systems.
17
Lead Supervisory Authorities

EU Member States National Data Protection Authority Local name Website

Austria Austrian Data Protection Authority Datenschutzbehörde www.dsb.gv.at

Belgium Commission for the Protection of Privacy Commission de la protection www.privacycommission.be

de la vie privée (CPVP)
Commissie voor de bescherming
von de persoonlijke levensfeer

Bulgaria Bulgarian Data Protection Authority комисия за защита на личните данни www.cpdp.bg

Croatia Croatian Personal Data Protection Agency Agencija za zaštitu osobnih podataka www.azop.hr

Cyprus Office of the Commissioner for Γραφείου Επιτρόπου Προστασίας www.dataprotection.gov.cy

Personal Data Protection Δεδομένων Προσωπικού Χαρακτήρα

Czech Republic The office for Personal Data Protection Úřad pro ochranu osobních údajů (ÚOOÚ) www.uoou.cz

Denmark Danish Data Protection Agency Datatilsynet www.datatilsynet.dk

Estonia Estonian Data Protection Inspectorate Andmekaitse Inspektsioon www.aki.ee

Finland Office of the Data Protection Ombudsman Tietosuojavaltuutetun toimisto http://www.tietosuoja.fi

France National Commission on Informatics Commission Nationale de www.cnil.fr

and Liberty l’informatique et des libertés (CNIL)

Germany Federal Commissioner for Data Protection Die Bundesbeauftragte für den www.bfdi.bund.de
and Freedom of Information Datenschutz und die
Informationsfreiheit (BfDI)

• State Commissioner for Data Protection Landesbeauftragter für www.baden-

Baden-Wurttemberg Datenschutz und Informationsfreiheit wuerttemberg.datenschutz.de
Baden-Württemberg (LfDBW)

• The Bavarian State Commissioner Der Bayerische Landesbeauftragte www.datenschutz-bayern.de

for Data Protection für den Datenschutz

• Berlin Commissioner for Data Protection Berliner Beauftragte für Datenschutz www.datenschutz-berlin.de
and Freedom of Information und Informationsfreiheit

• The Federal Commissioner for Die Landesbeauftragte für den www.lda.brandenburg.de

Data Protection and the Law on the Datenschutz und für das Recht auf
Inspection of Files Brandenburg Akteneinsicht Brandenburg

• The State Commissioner for Die Landesbeauftragte https://

Data Protection and Freedom of für Datenschutz und ssl.bremen.de/datenschutz
Information Bremen Informationsfreiheit: Bremen

• The Hamburg Commissioner for Der Hamburgische Beauftragte für www.datenschutz-hamburg.de

Data Protection and Freedom Datenschutz und Informationsfreiheit
of Information (HmbBfDI)

• The Hessian Data Protection Commissioner Der Hessische Datenschutzbeauftragte www.datenschutz-hessen.de

• The State Commissioner for Data Der Landesbeauftragte für www.datenschutz-mv.de

Protection and Freedom of Information Datenschutz und Informationsfreiheit
Mecklenburg-Vorpommern Mecklenburg-Vorpommern

• The State Commissioner for Die Landesbeauftragte für den www.lfd.niedersachsen.de

Data Protection Lower Saxony Datenschutz Niedersachsen

• The State Commissioner for Die Landesbeauftragte für www.ldi.nrw.de

Data Protection and Freedom of Datenschutz und Informationsfreiheit
Information North Rhine-Westphalia Nordrhein-Westfalen

• The State Commissioner for Data Die Landesbeauftragte für www.datenschutz.rlp.de

Protection and the Freedom of Datenschutz und die Informations-
Information Rhineland-Palatinate freiheit Rheinland-Pfalz

• Independent Data Protection Unabhängiges Datenschutzzentrum www.datenschutz.saarland.de

Center Saarland Saarland

• The Saxon Data Protection Officer Der Sächsische Datenschutzbeuftragte www.saechsdsb.de

• The State Commissioner for Die Landesbeauftragte für den www.datenschutz.sachsen-

Data Protection Saxony-Anhalt Datenschutz Sachsen-Anhalt anhalt.de

• Independent State Center for Unabhängiges Landeszentrum für www.datenschutzzentrum.de

Data Protection Schleswig-Holstein Datenschutz Schleswig-Holstein

• The Thuringian State Commissioner for Data Der Thüringer Landesbeauftragter www.tlfdi.de
Protection and Freedom of Information für den Datenschutz und die
Informationsfreiheit

18
Lead Supervisory Authorities (continued)

EU Member States National Data Protection Authority Local name Website

Greece Hellenic Data Protection Authority Αρχή Προστασίας Προσωπικών Δεδομένων www.dpa.gr

Hungary Hungarian National Authority for Nemzeti Adatvédelmi és www.naih.hu

Data Protection Információszabadság Hatóság

Ireland Data Protection Commissioner An Coimisinéir Teanga www.coimisineir.ie

Italy Italian Data Protection Authority Garante per la Protezione dei www.garanteprivacy.it
Dati Personali

Latvia Data State Inspectorate Datu valsts inspekcija www.dvi.gov.lv/lv

Lithuania State Data Protection Inspectorate Valstybinė Duomenų Apsaugos www.ada.lt

Inspekcija

Luxembourg National Commission for Data Protection Commission nationale pour la https://cnpd.public.lu/en/
protection des données

Malta Office of the Information and Nationale Kommission für https://idpc.org.mt

Data Protection Commissioner den Datenschutz

Netherlands Dutch Data Protection Authority Autoriteit Persoonsgegevens www.autoriteitpersoonsgegevens.

nl/

Poland Inspector General for the Protection Generalny Inspektor Ochrony www.giodo.gov.pl/
of Personal Data Danych Osobowych

Portugal National Commission Data Protection Comissão Nacional de Protecção www.cnpd.pt/

de Dados

Romania National Authority for the Supervision of Autoritatea Naţională de www.dataprotection.ro

Personal Data Processing Supraveghere a Prelucrării Datelor
cu Caracter Personal

Slovakia Office for Personal Data Protection Úrad na ochranu osobných údajov www.dataprotection.gov.sk
of the Slovak Republic Slovenskej republiky

Slovenia Information Commissioner of the Informacijski pooblaščenec www.ip-rs.si/

Republic of Slovenia

Spain Spanish Agency of Data Protection Agencia Española de

Protección de Datos (AEPD) www.agpd.es

Basque Data Protection Authority Datuak Babesteko Euskal Bulegoa www.avpd.euskadi.eus

Catalan Data Protection Agency Autoritat Catalana de Protecció http://apdcat.gencat.cat/ca/inici/

de Dades (APDCAT)

Sweden Swedish Data Protection Authority Datainspektionen www.datainspektionen.se

United Kingdom Information Commissioner’s Office www.ico.org.uk

EU European Data Protection Supervisor Le Contrôleur Européen de la https://edps.europa.eu/

(EDPS) Protection des Données
Der Europäische
Datenschutzbeauftragte

EEA
National Data Protection Authority Local name Website

Iceland The Icelandic Data Protection Authority Persónuvernd www.personuvernd.is

Liechtenstein Data Protection Office of Liechtenstein Datenschutzstelle (DSS) http://www.llv.li/#/1758/

datenschutzstelle

Norway Data Protection Norway Datatilsynet https://www.datatilsynet.no/

Switzerland Federal Data Protection and Eidgenössischer Datenschutz- und www.edoeb.admin.ch

Information Society Öffentlichkeitsbeauftragter (EDÖB)
Préposé fédéral à la protection des
données et à la transparence (PFPDT)
Incaricato federale della protezione
dei dati e della trasparenza (IFPDT)

Rest of world National Data Protection Authority Local name Website

USA Federal Trade Commission www.ftc.gov

19
Lloyd’s Register Quality Assurance Ltd
1 Trinity Park
Bickenhill Lane
Birmingham
B37 7ES
United Kingdom

E enquiries@lrqa.com

Follow us on Twitter @LRQA

www.lrqa.com
Lloyd’s Register and LRQA are trading names of the Lloyd’s Register group of entities.
Services are provided by members of the Lloyd’s Register group, for details see www.lr.org

Lloyd’s Register Quality Assurance is a member of the Lloyd’s Register group.

Registered Office: 71 Fenchurch Street, London EC3M 4BS
Registered number: 1879370
Follow us:

Care is taken to ensure that all information provided is accurate and up to date. However, Lloyd’s
Register LRQA accepts no responsibility for inaccuracies in, or changes to, information. Lloyd’s Register
and variants of it are trading names of Lloyd’s Register Group Limited, its subsidiaries and affiliates.
Copyright © Lloyd’s Register Quality Assurance Limited, 2017. A member of the Lloyd’s Register group. GL / CYB / 005 / V1-2017