GDPR Q&A: Compliance and certification

As the compliance deadline for the EU General Data Protection Regulation (GDPR) approaches, we’ve been running a dedicated GDPR webinar series to help you prepare. Each webinar covers a specific concern related to the Regulation, and ends with our presenter answering your questions.

This month, we’ve been collecting some of those questions and answers and posting them here. This week’s blog focuses on compliance and certification, following last week’s article on consent.

Q: Could you please say something about the level of detail necessary to demonstrate compliance in policies, instructions for employees, etc. if the company doesn’t use an ISO standard?

A: Although it’s up to each organisation to determine what ‘appropriate’ might mean in their context, the benefit of following something such as ISO 27001 is that it demonstrates deployment of a widely recognised best-practice standard in terms of what appropriate documentation looks like.

Q: I’m keen to prepare a checklist of required controls, particularly on the technical side, to help confirm if we are (or aren’t) complying with the GDPR. Has the Information Commissioner’s Office (ICO), or any other government function, provided something like this?

A: There is no such checklist. Appropriate controls will vary from organisation to organisation, but they are always likely to include encryption, penetration testing, access controls and backups. You should carry out a detailed risk assessment in order to determine where your risks are and what the appropriate mitigation may be.

Q: We have ISO 27001 certification. Do we need to refer to the GDPR?

A: Yes. Although ISO 27001 will provide a good foundation for a GDPR compliance framework, it won’t be sufficient in itself to ensure compliance with the new regulations.

Q: Is there any certification designed to demonstrate compliance with GDPR issues?

A: Organisations with ISO 27001 certification are likely to meet many of the “appropriate technical and administrative” security requirements of the GDPR, but they may need to make some adjustments. Conducting a GDPR gap analysis will help identify what is required to get an ISO 27001-compliant system that’s up to scratch with the GDPR.

Q: The Payment Card Industry Data Security Standard (PCI DSS) and Data Protection Act (DPA) suggest that we use background checks on potential new hires, but the GDPR states that we cannot use such data if it may have a negative impact on the individual. How will this contradiction work?

A: There is no contradiction. You can do background checks; you just have to inform data subjects of the possible outcome of automated processing. They can object, and you can refuse to take the application any further.

Q: Could you provide some detail on the requirement to have a record of data processing activities? How detailed should this be?

A: The GDPR sets out explicitly what these should be. See Article 30 of the Regulation.

Q: We have hundreds of employment records, which we have to keep for a number of years. How would you suggest we deal with this while staying compliant with the Regulation?

A: Inventory the records, determine the basis for continued processing, set retention periods accordingly and act on them.

Q: How much of the GDPR do you believe to be technical – e.g. appropriate technical and organisational measures? Do you have to create GDPR-specific policies if you have adequately covered these areas in an information security management system (ISMS) policy?

A: The GDPR is a modernisation of data protection laws. It recognises that data protection considerations must necessarily factor in information security if the confidentiality, integrity and availability of personal data are to be preserved. Additionally, the thrust of the GDPR is that data protection must become the cornerstone of an organisation.

This means that organisational and technical measures are of equal importance to GDPR compliance. The balance of organisational and technical measures you implement will depend on the nature and purpose of the data you process.

It’s therefore likely that companies that already have a developed ISMS will have a good foundation upon which to build a GDPR compliance framework.

Q: For a business with 10–15 staff, what would be the immediate impact on them in terms of implementation? Is there anything they need to do to get ready?

A: As a first step, businesses of any size should identify what data they hold or process, from where that data was obtained, and whether they have the appropriate permissions and grounds for continuing to process that data in accordance with the new legislation.

This can be done through a data mapping exercise, which will allow you to identify which steps you need to take next.

Watch our webinars to find out more

For more information on compliance and certification under the GDPR, take a look at our webinar series. Some of the most appropriate webinars to get started with are: