1. ISO 27001 ISMS according to ISO/IEC 27001:2013:
Your company or organization, too, holds information that has to be protected against misuse, loss, exposure, destruction and manipulation. Apart from personal data, business and company secrets also have to be taken into account. The confidentiality, availability and integrity of this information are of great significance, also in the interest of clients, business partners and employees. Therefore more and more companies and organizations count the protection of information as an integral part of business policy and an indispensable success factor.
The international standard ISO/IEC 27001:2013
A proven way to initiate, implement, monitor, review and, last but not least, improve information security measures is to establish an Information Security Management System (ISMS) on the basis of the international standard ISO/IEC 27001:2005. This management system can be run alongside existing management systems, for example systems according to ISO 14001 or ISO/IEC 20000, and makes information security measurable and comparable at a later stage.
With us as a partner: Change from being driven to being a driver
For us it makes no difference whether your company or organization “just” wants to align with the standard ISO/IEC 27001:2005 or whether you are striving for certification of your company and therefore strict application of the standard. We provide customized solutions for your needs, which lay the foundation for actively dealing with risks in the area of information security.
Our basic analysis provides you, for example, with the current status of your security level. Using structured interviews, the areas of organization, risk management, emergency management, employee awareness, physical security, IT service management, IT security and compliance are analysed. The evaluation is delivered in a report that uses graphics and provides suggested actions for improving your security level. Our basic analysis of information security can be excellently combined with a technical security analysis (penetration test) in order to detect technical weaknesses in addition to organizational improvement potential.
With our information security check according to ISO/IEC 27001:2005 we provide an assessment of the Information Security Management System (ISMS) as well as a review of the implementation of the control objectives and controls from Annex A to clients who strive for certification according to this standard or have already implemented it. Here we work in a modular way, which means that we are able to provide both parts of the information security check independently of each other and, if needed, also individually.
- The GDPR strengthens the rights that individuals have to control their own data. One of the most significant examples of this is a new right that has been granted to individuals: The right to data portability. It basically says that an individual has the right to transport his personal data from one organisation to the next – hence the word ‘portability’. The personal data must be provided to the individual in a structured, commonly used and machine-readable format. And the rules also stipulate that when technically feasible, organisations should facilitate electronic transfer of personal data from one to another, if the individual requests this.
- The impact of this rule could be large. What does it mean commercially when your client can ask for a copy of all his personal data and take it to your competitor? But technically it may also be a challenge: Are you able to provide an individual with a copy of all his personal data, and can your systems handle that?
Data breach notification
- Every organisation that processes personal data needs to make sure that this data is properly safeguarded against loss, theft, unauthorised access, etc. In other words: the security of the personal data is important. So important that the GDPR includes a personal data breach notification rule. This says that when a breach of security occurs, this breach should be reported to the supervisory authority within 72 hours. And if the security breach is also likely to result in a high privacy risk for individuals, then these individuals should also be informed of the breach! Organisations in the Netherlands were of course already familiar with such a rule, as it is in the current legislation; now, however, it is valid throughout Europe.
- The legislators have made good on their promise to remove red tape, as the obligation to notify local authorities of personal data being processed is gone. This has for a long time been seen as a difficult and rather bureaucratic rule, putting a large burden especially on internationally operating organisations. However, in its place a rule has been created that an organisation must now maintain a record of processing activities under its responsibility, or, in short, that it must keep an inventory of all personal data processed. The minimum information that should be in the inventory has been described, and it goes beyond just knowing what data the organisation processes. Also included should be, for example, the purposes of the processing, whether or not the personal data is exported, and all third parties receiving the data.
Data protection by design and by default
- Data protection by design and by default are both included in the GDPR. This basically means two things. First, when designing a new system, process, service, etc. that processes personal data, it will be mandatory to make sure that data protection considerations are taken into account from the early stages of the design process. Moreover, organisations need to be able to prove that they have done so. Second, when the system, process, service, etc. to be designed includes choices for the individual on how much personal data he shares with others, the default setting is the most privacy-friendly one, i.e. the one that does not share any information at all. This data protection by default notion further includes data minimisation principles.
Expanded territorial scope
- Interesting to see in the GDPR is the notion of territorial scope. This states that the GDPR (and therefore the European privacy laws) also applies to organisations that are not located within the EU, but that do offer goods or services to, or monitor the behaviour of, data subjects in the EU! In other words, organisations that target EU residents via the internet with services, goods or monitoring have to be compliant with EU rules on the privacy of those residents’ data. It looks like this creates an interesting precedent, where the rules follow the data instead of being strictly territorial.
- If you are a processor (you process personal data on behalf of another organisation), the GDPR has a significant change in store for you. Where so far all the burden of compliance with privacy legislation was on the controller (your client), now you get some obligations yourself directly as well. You will get responsibilities directly under the law and will be accountable as well. Some of these new responsibilities include that a processor must appoint a Data Protection Officer and keep records of all the processing activities it performs on behalf of clients. Moreover, a supervisory authority can go to processors directly with requests and demands. It is to be expected that this will shift the balance of power between controllers and processors to a more equal playing field.
Right to be forgotten
- Another data subject right that has already received a lot of attention in the past years is the right to be forgotten. The data subject’s right to erasure of his personal data already existed in the current Data Protection Directive but is now elevated in the GDPR. Under the new regulation all organisations that process personal data must remove all of that data if one condition (out of a list of six) is met. The list of conditions includes the case where it is clear that data have been processed unlawfully and the case where a data subject withdraws previously given consent. This ‘new’ right received a lot of attention due to the Google v. Spain case, in which the Court of Justice of the European Union ruled in accordance with this new obligation.
- The GDPR introduces Data Protection Impact Assessments (DPIA) as a means to identify high risks to the privacy rights of individuals when processing their personal data. When such risks are identified, the GDPR expects the organisation to formulate measures to address them. This assessment should take place prior to the start of processing the personal data and should focus on topics like the systematic description of the processing activity and the necessity and proportionality of the operations. In that respect the DPIA resembles the Privacy Impact Assessments (PIAs) that many organisations already execute regularly. The contents of PIAs, however, were never strictly defined, so perhaps this helps in getting more uniform assessments.
- The need to take proper information security measures to ensure the confidentiality, integrity, availability and resilience of processing systems and services has always been a part of privacy legislation. New is that the GDPR champions pseudonymisation and encryption of personal data: these security measures are considered so valuable that they have been specifically mentioned in the text of the act. Furthermore, it is stressed that security should be based on a risk assessment, not of the risks the organisation faces, but of the risks to the rights and freedoms of natural persons, i.e. the risk that an individual’s privacy is compromised.
Accountability and data governance
- Data protection legislation in the EU has always been based on a number of principles that need to be adhered to. Lawfulness, fairness, purpose limitation and transparency are well known examples of those. The GDPR introduces a new principle: accountability. Organisations will not only be responsible for adhering to all the principles, they also must be able to demonstrate compliance with them! For most organisations this means they will have to elevate their internal privacy governance maturity, not only because of this new accountability principle but also because the public opinion will expect it from modern organisations.
- One of the most discussed aspects of the GDPR must be its explicit mention of fines. Whereas the Data Protection Directive only had one line stating that sanctions had to be defined by the Member States, the GDPR details exactly what administrative fines can be incurred for violating articles of the GDPR. The maximum fine depends on the “category” in which the violation occurs: for less serious violations, the maximum is € 10 million or 2% of total annual worldwide turnover of the preceding year (whichever is higher); for more serious violations this goes up to € 20 million or 4%.
One stop shop
- As a partial relief for organisations that operate across the EU, a sort of ‘one stop shop’ system for supervisory authorities in Europe will be introduced. The GDPR introduces a co-operation system between supervisory authorities. The ‘Lead Supervisory Authority’ will be the supervisory authority of the country in which the data controller or processor has its main establishment. The Lead Supervisory Authority will be the primary authority organisations need to deal with, but under certain circumstances local authorities can step in as well. They need to co-operate, but it will be interesting to see how this co-operation will function in practice.
Approved certification mechanism
- The legislators have acknowledged that for many organisations being able to prove that they adhere to the GDPR will be an advantage. For that purpose data protection certification mechanisms and data protection seals and marks are introduced. The GDPR even speaks about the possibility of arriving at a common European Data Protection Seal. And although for now the GDPR provides scant details, it is to be expected that this mechanism for showing adherence will develop in the coming years.
- It is critical to note that the GDPR is a Regulation, not a Directive. Where Directive 95/46/EC was transposed into local laws in each European country, the GDPR, as EU Regulations go, will be directly applicable. This will be a relief to many organisations that operate in multiple countries within the EU, since having to account for and comply with slightly different rules on data protection in each EU member state can be a legal and operational nightmare. However, we do note that in the GDPR the legislators have given local governments the ability to add or adapt provisions to fit their local data protection needs. Views on how much individuals’ personal data should be protected, and from whom, are deeply rooted in local culture. Even within the EU vastly different opinions exist on this from one country to another. It is expected that many governments will make provisions in line with local cultural habits and views.
- The next step for any organisation, now that the final text of the GDPR is known, is to identify how this new legislation may impact it. This will of course vary per organisation, but in general terms, privacy consists of making sure you address not only the legal aspects. This new regulation emphasises that it is also about making sure that you have organised yourself properly to deal with privacy and that you have the technical ability to do so. In a next update we will provide more insight into how this can be done. In the meantime, should you have any specific question on the GDPR or privacy and data protection within your organisation, please contact Jan-Jan Lowijs from the Deloitte Privacy Team. The effects the GDPR has will differ per organisation and we are more than happy to provide you with tailored insights and updates.
- The CLAVIGEROUS SYSTEMS Privacy Team remains in contact with the leaders of the Global Privacy Practice on the impact and consequences the GDPR may have, to ensure we can advise global clients on the next steps to take. As privacy requires a legal, technical and organisational approach, we have bundled our specialists in one multidisciplinary privacy team, enabling all-round solutions.