How Can ISO 27001 Support GDPR Compliance?

“ISO 27001 is the only auditable international standard that defines the requirements of an information security management system (ISMS).”

The GDPR (Article 42) encourages organisations to use approved certification mechanisms to demonstrate compliance.  ISO 27001 is not itself a GDPR certification, but it is a strong foundation because it is the only auditable international standard that defines the requirements of an information security management system (ISMS).  ISO 27001 is a comprehensive package that covers the three pillars of information security: people, processes and technology.  Implementing ISO 27001 will enable you to monitor and improve performance continually, and to keep identifying, reducing and, where possible, eliminating internal and external risks to your organisation’s data.

How does ISO 27001 meet GDPR requirements?

Article 32 states:

‘…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.’

1. ‘The pseudonymisation and encryption of personal data.’

“…the standard helps organisations to identify what data to select for encryption.”

ISO 27001 identifies cryptography as a control for reducing security risks (the cryptographic controls in Annex A), and its risk assessment is what tells you which data warrants encryption or pseudonymisation, and at what strength.  Note that pseudonymised data is still personal data under the GDPR (Recital 26) for as long as the key or lookup table that links it back to a person exists; only the party holding that key can re-identify, which is why the key must be kept apart from the data.  At the heart of ISO 27001 is the ‘confidentiality, integrity and availability’ of information, and encryption protects only the first of these: if keys are lost, or access to them is badly managed, the people who legitimately need the data cannot reach it.  A blanket ‘encrypt everything’ policy therefore only works when key management, backups and access arrangements are designed alongside it, which is exactly what the risk assessment should expose.
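To make the pseudonymisation point concrete, here is an added example (not code from the original page or the firm’s own tooling) that replaces direct identifiers in a small constructed record set with a keyed token.  It assumes the key and the token-to-identity lookup are stored and controlled separately from the pseudonymised data set, for example in a key vault; the records, field names and key are all constructed for illustration.

```python
"""Pseudonymisation of a record set with a keyed hash (HMAC-SHA256).

Added example, not code from the original page. The records and the key are
constructed for illustration. Assumption: the pseudonymisation key (and the
token-to-identity lookup) is stored and controlled separately from the
pseudonymised data set, for example in a key vault. That separation is what
makes the output a pseudonym the controller can reverse rather than anonymous
data, and what stops anyone without the key from reversing it.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records: direct identifiers plus the fields analysts need.
RECORDS: List[Dict[str, str]] = [
    {"email": "Alice@Example.com", "name": "Alice Example", "plan": "gold", "region": "SW"},
    {"email": "bob@example.com", "name": "Bob Example", "plan": "basic", "region": "SE"},
    {"email": "alice@example.com", "name": "Alice Example", "plan": "gold", "region": "SW"},
]

# Fields that identify a person directly and must not reach the analytics copy.
DIRECT_IDENTIFIERS = ("email", "name")


def new_key() -> bytes:
    """Generate a 256-bit pseudonymisation key; keep it apart from the data."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed token for one identifier.

    HMAC rather than a bare SHA-256: with a bare hash, anyone holding a list of
    candidate e-mail addresses can recompute the hashes and match every token.
    With HMAC only the key holder can do that, so the mapping is reversible by
    the controller and by nobody else. Normalising the input first means the
    same person always gets the same token, so records can still be joined.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Replace direct identifiers with one subject token per record.

    Returns (pseudonymised_records, lookup). The lookup maps token -> original
    identifiers and belongs with the key, not with the data set.
    """
    pseudonymised: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised.append({"subject": token, **kept})
    return pseudonymised, lookup


def reidentify(token: str, lookup: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Only the party holding the lookup (the key side) can do this."""
    return lookup.get(token)


if __name__ == "__main__":
    demo_key = new_key()
    data, table = pseudonymise(RECORDS, demo_key)
    for row in data:
        print(row)
    print("re-identified:", reidentify(data[0]["subject"], table))
```

The analytics copy keeps `plan` and `region` and can still count how many records belong to the same subject, but it carries no e-mail address or name; whoever holds only that copy cannot recover them, and a different key produces entirely different tokens.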

2. ‘The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.’

“ISO 27001 states that organisations must take steps to assure the confidentiality, availability and integrity of data…”

ISO 27001 requires organisations to assure the confidentiality, integrity and availability of information by carrying out a thorough, documented risk assessment (clause 6.1.2) that identifies threats to personal data.  Steps must then be taken to reduce or eliminate those threats, and the assessment must be repeated at planned intervals and whenever significant changes occur, which is what ‘ongoing’ in Article 32 demands.

3. ‘The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.’

ISO 27001 covers the information security aspects of business continuity management.  The standard requires an organisation to plan, implement and regularly test the procedures that protect vital data processing activities in a serious incident, including backups and proven restoration, which is what ‘restore the availability and access to personal data in a timely manner’ requires in practice.

4. ‘A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.’

“…regular surveillance audits provide ongoing, independent evidence that the ISMS is being maintained.”

ISO 27001 certified organisations receive regular audits from their accredited certification body: certification normally runs on a three-year cycle, with surveillance audits in between and a recertification audit at the end.  The standard also requires the organisation to run its own internal audits (clause 9.2) and management reviews (clause 9.3).  Together these provide ongoing, independent evidence that the technical and organisational measures are being tested and evaluated, which supports, but does not by itself prove, GDPR compliance.

What are the other benefits of ISO 27001 certification?

ISO 27001 brings organisational advantages that reach beyond GDPR compliance, including:

  • Peace of mind for your clients, employees and stakeholders.
  • A recognised basis for exchanging information securely with partners and suppliers.
  • A competitive advantage over companies that are not ISO 27001 certified.
  • Supports ISO 9001 requirements, since both standards share the same high-level structure and treat information security as a risk to the organisation’s context.
  • Helps you comply with other regulations, e.g. the US Sarbanes-Oxley Act (SOX).

What steps does my organisation need to take to implement ISO 27001?

1. Perform a gap analysis

This will reveal the differences between your current information security processes and ISO 27001 requirements.  It helps you to identify the actions you need to take, and resources required to close the gap.

2. Write an ISMS Scope

Examine the information security threats you face, from inside as well as outside your organisation, and who has a stake in how you handle information (clause 4 of the standard calls these internal and external issues and interested parties).

Consider:

  • Where are the threats coming from?
  • Who might want to compromise our information?
  • What kinds of techniques might they use?

Once you understand this then write an ISMS scope.  If you start with a small scope, you can implement an ISMS quickly and then build up your strategy from there.

3. Information security policy

An information security policy, set and signed off by top management (clause 5.2), is key to ensuring that your management understand and own your strategy and its benefits.

4. Management approval

The most effective way to convince management of the value of an ISMS based on ISO 27001 is to demonstrate how it will reduce their costs.  Costs can be reduced by a better understanding of business processes, as this often reveals opportunities for savings.  ISO 27001 also brings customer confidence, which helps win and retain business.  Security breaches can also incur heavy fines under the GDPR.

5. Conduct a risk assessment

Plan how you are going to assess risks and identify what your most significant risks are.

6. Create a Risk Treatment Plan (RTP)

Once you have identified the risks, you can design a risk treatment plan.  An RTP sets out which risks will be reduced, transferred, avoided or accepted, what actions you will take, who owns each action and by when.

7. Risk measures

Once you have identified your risks and decided what actions to take, look at Annex A of ISO 27001.  The 2013 edition lists 114 security controls (the 2022 edition regroups them into 93).  It seems overwhelming, but you don’t need to implement all of them: select those that treat your risks, and record in the Statement of Applicability which controls you have included and why any were excluded, because the certification auditor will check that justification.

The importance of performing an internal audit

“An internal auditor has a vital role in reporting to senior management on how the ISMS is performing. “

Now that your controls are in place you need to carry out an internal audit (clause 9.2).   This means that another person within your organisation, or from outside your organisation, will carry out an independent review of your ISMS.

An internal auditor has a vital role in reporting to senior management on how the ISMS is performing.  They need to continually monitor the effectiveness of the ISMS so that senior managers can determine whether the ISMS’s objectives are consistent with the organisation’s business objectives.

The audit must be carried out by somebody who has relevant expertise but was not involved in the work being audited: the standard requires auditors to be objective and impartial, so nobody should audit their own area.  A senior manager or HR manager who does not own the ISMS processes under review can fill the role, since they are used to keeping policies up to date and understand the requirements of the GDPR.  They can be trained as internal auditors by taking an ISO 27001 Internal Auditor Training Course.

Contact us for more information on how ISO 27001 can benefit your organisation, and for support with implementation, audits and training.

Why Has the GDPR Introduced ‘Privacy by Design’ and ‘Privacy by Default’?

‘Privacy by Design’ and ‘Privacy by Default’ are not new concepts.  The right to respect for private life is set out in Article 8 of the European Convention on Human Rights and is already at the heart of all ethical organisations.  However, the GDPR is the first European data protection legislation to make these rules an explicit legal requirement: Article 25 calls them ‘data protection by design and by default’.

What is ‘privacy by design’?

“Organisations must design policies, procedures and information systems that make the protection of data subjects’ privacy central to their company ethos.”

Under the GDPR, organisations are legally required to embed data subjects’ privacy rights into every aspect of their business operations.  Through a privacy notice (Articles 13 and 14) data subjects must be made fully aware of their rights and of how to complain if they believe their data is being misused.  Organisations must design policies, procedures and information systems that make the protection of data subjects’ privacy central to their company ethos.

Organisations must consider privacy at the initial stages and throughout the development of a new product, process or service that involves processing personal data.   The embedding of data privacy features into the design of projects can have the following benefits:

  • potential problems are identified at an early stage, making them less costly and easier to resolve
  • increased awareness of privacy and data protection across the organisation means less likelihood of breaching the GDPR
  • the organisation’s actions are less likely to be intrusive and have a negative impact on data subjects

What is ‘privacy by default’?

“Under the GDPR organisations can only process personal data that is necessary for their intended purpose and must not store it longer than is necessary for this purpose.”

‘Privacy by default’ means that organisations must implement technical and organisational measures that, by default, ensure only personal data that is necessary for a specific purpose is processed.  Minimising the amount of data collected reduces the risk of privacy breaches.  Under the GDPR organisations can only process personal data that is necessary for their intended purpose and must not store it longer than is necessary for this purpose.

In addition, when an IT system includes choices for the data subject on how much personal data they share and with whom, the default settings should be privacy friendly.

What technical and organisational measures should be taken to protect privacy?

“…organisations need to consider the nature, scope, purposes and context of their data processing.”

When deciding what technical and organisational measures make the best investment, organisations need to consider the nature, scope, purposes and context of their data processing.  They need to weigh up the risks to individuals’ rights and freedoms should a data breach occur and consider how personal data can be pseudonymised.  As well as this, thought must be given to the ways in which systems meet other GDPR requirements.  For instance, can:

  • personal data be collated with ease in order to comply with subject access requests?
  • data be suppressed when customers have opted out of direct marketing communications?
  • the data controller satisfy the GDPR data portability requirements?

What steps can your organisation take to meet the GDPR’s ‘privacy by design’ and ‘privacy by default’ rules?

  1. Put in place an automated deletion process for particular personal data, with a system that flags when data is approaching the end of its retention period and deletes it when that period expires.
  2. Make sure excessive data isn’t collected by revising data collection forms.
  3. Revise contracts between yourself and the data processors you work with so that everybody understands how liability will be apportioned should a privacy breach occur.
  4. Design a Privacy Impact Assessment (PIA) template that can be used every time the organisation implements a new system.
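The first of those steps is the one that most often stays on paper.  The following added example (not code from the original page or the firm’s own tooling) shows the core of a scheduled retention job: each record carries the purpose it was collected for, each purpose has an agreed retention period, records nearing expiry are flagged to their owner, expired records are deleted with an audit trail, and records under a legal hold are never auto-deleted.  The retention periods, record store, dates and field names are all constructed for illustration and are not legal advice.

```python
"""Retention check: flag data that is about to expire and delete data past its period.

Added example, not code from the original page. The retention schedule, record
store and dates are constructed for illustration; a real schedule comes from the
organisation's record of processing activities and its legal obligations, and
legal holds come from the legal team.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed schedule: purpose -> days to keep after the last relevant
# activity. Assumed figures, not legal advice.
RETENTION_DAYS: Dict[str, int] = {
    "marketing_consent": 730,   # two years since last engagement
    "support_ticket": 365,      # one year after closure
    "invoice": 2190,            # six years, a common accounting requirement
}

# How far ahead to warn the data owner before deletion falls due.
WARNING_WINDOW = timedelta(days=30)


@dataclass
class Record:
    record_id: str
    purpose: str
    last_activity: date
    legal_hold: bool = False   # e.g. litigation hold overrides routine deletion


def expiry_date(rec: Record) -> date:
    """Date on which the record's purpose no longer justifies keeping it."""
    if rec.purpose not in RETENTION_DAYS:
        # Fail closed: data with no agreed purpose has no agreed basis to be
        # kept, so the job stops and a person decides, rather than silently
        # keeping the data forever.
        raise ValueError(f"no retention period defined for purpose {rec.purpose!r}")
    return rec.last_activity + timedelta(days=RETENTION_DAYS[rec.purpose])


def classify(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Sort record ids into: delete now, flag (expiring soon), held, keep."""
    result: Dict[str, List[str]] = {"delete": [], "flag": [], "held": [], "keep": []}
    for rec in records:
        expiry = expiry_date(rec)
        if rec.legal_hold:
            result["held"].append(rec.record_id)   # never auto-delete held data
        elif expiry <= today:
            result["delete"].append(rec.record_id)
        elif expiry - today <= WARNING_WINDOW:
            result["flag"].append(rec.record_id)
        else:
            result["keep"].append(rec.record_id)
    return result


def apply_deletions(store: Dict[str, Record], to_delete: List[str]) -> List[str]:
    """Remove the records and return an audit trail of what went and why."""
    trail: List[str] = []
    for rid in to_delete:
        rec = store.pop(rid)
        trail.append(f"deleted {rid}: purpose={rec.purpose} expired={expiry_date(rec)}")
    return trail


def run(store: Dict[str, Record], today: date) -> Dict[str, List[str]]:
    """One scheduled pass: classify, delete what is due, report the rest."""
    outcome = classify(list(store.values()), today)
    outcome["trail"] = apply_deletions(store, outcome["delete"])
    return outcome


# Constructed sample store and a fixed "today" so the run is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_STORE: Dict[str, Record] = {
    "r1": Record("r1", "marketing_consent", date(2022, 1, 1)),              # expired
    "r2": Record("r2", "support_ticket", date(2023, 6, 15)),                # expires 2024-06-14
    "r3": Record("r3", "invoice", date(2020, 1, 1)),                        # years to go
    "r4": Record("r4", "marketing_consent", date(2021, 1, 1), legal_hold=True),  # expired but held
}


def sample_classification() -> Dict[str, List[str]]:
    """Classify the sample store without deleting anything."""
    return classify(list(SAMPLE_STORE.values()), TODAY)


if __name__ == "__main__":
    print(run(dict(SAMPLE_STORE), TODAY))
```

Run it nightly against the real store; the `flag` list is what goes to the data owner, the `trail` is what goes to the evidence file for accountability, and the `ValueError` on an unknown purpose is deliberate, since a record nobody can name a purpose for is exactly the kind of data privacy by default says should not be there.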

What is a Privacy Impact Assessment (PIA)?

“PIAs help organisations to identify, assess and minimise privacy risks when processing data.”

PIAs (the GDPR’s own term is Data Protection Impact Assessment, or DPIA, in Article 35) are an integral part of taking a ‘privacy by design’ approach.  They help organisations to identify, assess and minimise privacy risks when processing data.  Carrying out a PIA helps an organisation to comply with the ‘accountability’ principle of the GDPR.

When should a PIA be conducted?

“PIAs must be conducted where data processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’.”

The GDPR states that PIAs must be conducted where data processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’.  Article 35(3) identifies these activities as requiring one in particular:

  • ‘A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.’
  • ‘Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.’
  • ‘Systematic monitoring of a publicly accessible area on a large scale’.

The best time to conduct a PIA is at the very start of a project, so that its findings can be incorporated into the design of the processing operation.

Does your organisation need advice to meet GDPR requirements?

“…specialists can customise PIAs to suit your organisation’s needs.”

IT specialists and consultants can support you in meeting the GDPR’s ‘privacy by design’ and ‘privacy by default’ requirements as well as in conducting PIAs.  For example, by using software assisted processes specialists can customise PIAs to suit your organisation’s needs.  Benefits might include:

  • highly efficient PIA processes supported by specialist software
  • customised, automated reports which give a clear overview of processes, risks and progress
  • a real-time record of the actions taken to minimise risks
  • evidence of the accountability required by the GDPR
  • baseline criteria to benchmark operations from an employee or client perspective.

What’s not to like?

By making ‘Privacy by Design’ and ‘Privacy by Default’ mandatory, the GDPR gives greater privacy protection to data subjects.  By meeting legal obligations, organisations build trust in their clients – and that’s fundamental to business success!

Is your organisation GDPR ready? Visit www.ndcmanagement.co.uk/GDPR-support to find out how NDC Global Auditors can help you prepare.

NDC Global Auditors Brings Training Services to Wiltshire

It’s been a busy and exciting start to the year for us here at NDC Global Auditors. In February, we moved from our Swindon offices to Trowbridge, where we have set up a Wiltshire Training Academy. Businesses across Wiltshire can now access a wide range of open access training courses that will help them to stay legally compliant.

Helping You to Achieve ISO and GDPR Compliance

Businesses are increasingly under pressure to demonstrate legal compliance in areas such as quality, information security, environmental management, and health and safety. Achieving ISO certification allows businesses to demonstrate best practice and strive for continual improvement. More and more organisations are recognising this, and the need to put systems and training in place to protect their business. In response to this growing need, NDC has expanded its service offering to help businesses achieve their goals across all core areas of legal compliance.

What’s New?

Open Access Courses

In addition to our on-site consultancy and training services, we now offer a full range of open access training courses at our Wiltshire Training Academy, and at the Pilgrims Academy in Redhill, Surrey.

Our courses cover all aspects of compliance in relation to:

  • Information security
  • Health, Safety, Fire and First Aid
  • Environmental Management
  • ISO Standards

You can find our full range of training services on our website.

Information Security and GDPR Services

With the GDPR on the horizon, and the increasing sophistication of cyber-crime technology, information security is a growing concern for businesses of all types and sizes. To help our clients protect this aspect of their business, we have expanded our services to include ISO 27001 Information Security Management, and in particular, support for the new GDPR.

For more information on our consultancy and training services, please email info@ndcmanagement.co.uk or call us on 0333 939 8797.

Do the Control of Asbestos Regulations 2012 Affect My Business?

Asbestos awareness is vital.  According to the Health and Safety Executive (HSE), asbestos kills around 5000 workers each year – more than the number of people killed on roads.  When employers fail to comply with the Control of Asbestos Regulations 2012 it can be life-threatening, resulting in prosecution and potentially catastrophic fines.

Why is asbestos dangerous?

If materials containing asbestos are disturbed, then toxic fibres are released into the air.  These fibres don’t have an immediate effect but can cause fatal conditions like asbestosis, which is a lung disease, and asbestos-related lung cancers.  These diseases are often not diagnosed until it’s too late.  Protect yourself and your workers by building asbestos awareness.  You don’t necessarily need to remove asbestos.  You do, however, need to identify and manage it so that it never presents a health hazard.

Am I responsible for the asbestos in my building?

Under the regulations, if you own your premises, then you are responsible.  If you are a tenant, then you might still be accountable.  Under your tenancy agreement, if you are responsible for alterations, repairs and maintenance then you are also responsible for asbestos control.  If you share maintenance duties with the owner or other occupiers of the building, then you are jointly accountable.

What happens if my employees encounter asbestos while working on or off site?

Employees need to be made aware that they should stop work immediately if they suspect asbestos is present.  Under the Control of Asbestos Regulations 2012 most work with asbestos must be carried out by a licensed contractor; the lower-risk categories that a non-licensed contractor may carry out still require that appropriate information, instruction and training have been given.  Employers have a legal duty to provide instruction and training to employees who are likely to come across asbestos.

What happens when the Control of Asbestos Regulations 2012 are breached?

In August this year a Wigan building contractor was fined nearly £8,000 for breaching regulations.  His work resulted in asbestos contamination of somebody’s home.  The owners couldn’t enter their house for a week while a £12,000 clean-up operation was carried out.  HSE Inspector David Norton said: ‘This incident could so easily have been avoided by simply carrying out correct control measures and safe working practices. Companies and individuals should be aware that HSE will not hesitate to take appropriate enforcement action against those that fall below the required standards’.

Understand your legal duties by reading the regulations on the HSE website.

How do I detect asbestos?

Asbestos can be found in any building built before 2000.  If in doubt, always assume the building contains asbestos.  The HSE website contains several images to help you to recognise the substance.  However, it’s difficult to identify because it’s often mixed in with other materials.  You can pay a licensed asbestos contractor to carry out a survey.

How can I raise my employees’ awareness about working safely with asbestos?

NDC Global Auditors offers a half-day Asbestos Awareness course which will help you and your employees to detect asbestos, stay safe and stay legal.  Our course can be delivered on-site to your team, or your employees can attend an open access course at our Wiltshire or Surrey-based training centres.

Benefits of NDC’s Asbestos Awareness course:

As well as learning the dangers of asbestos, you will discover how to identify the different types and locations of asbestos in the workplace and on customers’ sites.  The course thoroughly covers:

  • The types of materials that can contain asbestos
  • The legal duty to manage asbestos
  • Safe work practices
  • Control limits
  • Accidental release and decontamination procedures
  • The uses and limitations of respiratory protective equipment and personal protection equipment

Why is asbestos awareness training essential?

To avoid disturbing asbestos, you must be able to spot it.  Well-informed employers understand how to reduce or eliminate the risks to their employees’ health and to stay inside the law.  Employees who are asbestos aware will be able to assess the risks on an ongoing basis, knowing when to protect themselves and how they would deal with contamination.

For further information on our Asbestos Awareness Course, visit our website or get in touch to book your place.

How Will the GDPR Affect Children’s Data Processing?

“The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’…”

The GDPR will bring in special protection for children’s personal data, particularly where it is used for information services such as online shopping, live or on-demand streaming services and for social networking.  The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’, explaining that this is because children ‘may be less aware of the risks, consequences and safeguards’ of handing over their personal data.  The regulation says that this is particularly the case when services are offered directly to a child and when their personal data is used for marketing and creating online profiles. If your company processes children’s personal data, here are the changes that will affect you:

Age of consent

“…the person with parental responsibility must give or authorise consent for a child under 16 to use an online service that relies on consent.”

Under the current Data Protection Act there is no statutory age below which a child cannot consent online.  This changes under the GDPR: Article 8 says that where consent is the legal basis for an information society service offered directly to a child, the child’s own consent is only valid from the age of 16; below that, the person with parental responsibility must give or authorise it.  Data controllers are required to make ‘reasonable efforts’ to verify parental consent, taking into consideration available technology.

NOTE: Recital 38 states that parental consent is not required for counselling services offered directly to a child.

Member states may choose to change the age of consent from 16.  The UK government is planning to lower the age of consent to 13.  This won’t have too much impact on children’s social networking because children under 13 are already excluded from social networking sites such as Facebook and Snapchat.  However, under the new regulation organisations are likely to have to verify the ages of their subscribers, which they don’t have to do presently.  For services aimed at under-13s, organisations will have to prove that they have received parental authorisations.

Privacy notices

“Privacy notices for children must be…concise, transparent and in plain language.”

Privacy notices for children must be as transparent as those written for adults – the GDPR’s Article 12 says the information provided to data subjects must be concise, transparent and in plain language. Just like adults, children must know the identity of the data controller and how their personal data will be processed. They must also be made aware that they can withdraw their consent to data processing at any time (see the previous blog post ‘What will consent mean under the GDPR?’ for more information).  When writing privacy notices aimed at children, data controllers must take account of the specific age group of their audience so that they write in clear language that the child can easily understand.

Can you justify processing children’s data under GDPR rules?

“…the rights and freedoms of a data subject are more likely to override the legitimate interests of the data controller or third party when the data subject is a child.”

GDPR Article 6 (1) (f) says that the legitimate interests of the data controller or a third party are overridden by the interests or fundamental rights and freedoms of the data subject ‘in particular where the data subject is a child’.  Data controllers must make sure they have documentation to show that they have carefully considered this.  When we look at the GDPR’s examples of ‘legitimate interests’, we can see that processing children’s data is unlikely to be necessary for most of these purposes.

Legitimate interests include:

  • processing for direct marketing purposes or preventing fraud – Recital 47
  • transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee – Recital 48
  • processing to the extent strictly necessary for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems – Recital 49
  • reporting possible criminal acts or threats to public security to a competent authority – Recital 50.

Codes of conduct

“It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.”

GDPR Article 40 requires member states, supervisory authorities, the European Data Protection Board and the Commission to encourage the drawing up of codes of conduct by industry associations and other representative bodies.  Among the matters such codes may cover, Article 40 (2) (g) lists the protection of children and the manner in which the consent of the holders of parental responsibility is to be obtained.  It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.

How can my organisation plan for changes?

Start by ensuring that:

  • you watch for the publication of codes of conduct that might impact your data processing
  • you implement appropriate parental consent mechanisms, including verification processes
  • where you offer services directly to a child, the notices are written in child-friendly language
  • any reliance on ‘legitimate interests’ to process children’s data is supported by carefully documented evidence to show that the child’s interests don’t override those of your organisation

For further advice and support on meeting the requirements of the GDPR, contact our lead auditors on 0333 939 8797 or email us at info@ndcmanagement.co.uk.   

What Will ‘Consent’ Mean Under the GDPR?

“Under the GDPR the definition of consent is clearer and more rigorous…”

The current Data Protection Act (DPA) and the GDPR both state that every organisation that processes personal data must have a legal basis for doing so; ‘consent’ is just one choice. If consent is your chosen legal basis then you need to be aware of differences between the current DPA and the GDPR.  Under the GDPR the definition of consent is clearer and more rigorous in order to ensure a consistent approach across the EEA.

The definition of consent in Article 4 (11) of the GDPR is: ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’  Let’s look at some of the words and phrases in detail:

Freely given

“…data subjects must provide consent of their own free will and must never be misled…”

Current Data Protection guidance states that data subjects must provide consent of their own free will and must never be misled or somehow negatively impacted by refusing consent.  The GDPR formalises this, stating that consent is not deemed to be freely given when:

  • ‘the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment’ (Recital 42).
  • ‘there is a clear imbalance between the data subject and the controller’ (Recital 43).  This especially applies when the data controller is a public authority with power over the data subject.

Recital 43 says that consent is presumed not to be freely given if the provision of a service is conditional on the data subject agreeing to have their data processed in ways that are not necessary to that service.  The reason is that the data subject has no choice but to agree to this unnecessary processing.  Recital 43 also says that consent is presumed not to be freely given if it does not allow separate consent to be given for different data processing operations where that would be appropriate.  ‘Bundled’ consents are therefore usually invalid.

Specific

“A general consent to unspecified processing operations will normally be invalid.”

Consent must be specifically obtained from the data subject for each and every personal data processing operation. A general consent to unspecified processing operations will normally be invalid.  There are exceptions to this such as when data processing is for scientific research.

Informed

“…data subjects must be informed of their right to withdraw consent …”

The GDPR states that:

  • ‘the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended’ – Recital 42.
  • the data subject has the right to withdraw consent at any time and must be informed of this before giving consent – Article 7 (3).

Unambiguous…clear, affirmative action

“…pre-ticked boxes and silence do not constitute consent.”

Under the current DPA, consent must be unambiguous.  The GDPR takes this further.  Consent requires a clear affirmative action: pre-ticked boxes, silence and inactivity do not constitute consent (Recital 32).  Clear affirmative action can be a written statement, which includes electronic forms, or an oral statement.  Obviously oral consent makes it more difficult to prove that consent has been obtained, and Article 7 (1) puts the burden of demonstrating consent on the controller, so record what was shown, when and how the subject responded.  Online forms should be written in plain language so that there is no question that the data subject understands what they are agreeing to.  Where consent is included in terms and conditions then it must be presented so that it is clearly distinguishable from the rest of the document (Article 7 (2)).

The right to withdraw

“Organisations must make it easy to withdraw consent…”

GDPR Article 7 (3) says that data subjects must be able to withdraw their consent at any time, that it must be as easy to withdraw consent as to give it, and that they must be informed of this right at the time of granting consent.  Withdrawal does not affect the lawfulness of processing carried out before it.  If your company relies on consent as its legal basis, make sure that withdrawal won’t pose considerable challenges for your systems, because every downstream process that uses the data has to stop when consent is withdrawn.

‘Explicit’ consent

“…explicit or express consent is given in writing with a handwritten signature.”

Where the GDPR sets out the legal requirements for special category data it uses the term ‘explicit consent’ rather than just ‘consent’.  Special category data (Article 9) is information about a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health, or sex life or sexual orientation; personal data relating to criminal convictions and offences is covered separately by Article 10.  The GDPR doesn’t define the difference between ‘explicit consent’ and ‘consent’.  Therefore you could take the advice of the Article 29 Working Party in Opinion 15/2011, which considers that: ‘…explicit or express consent is given in writing with a handwritten signature.  For example, explicit consent will be given when data subjects sign a consent form that clearly outlines why a data controller wishes to collect and further process personal data’.

How can my organisation prepare for changes to consent?

If you are relying on consent as the basis for lawful processing make sure that:

  • consent doesn’t rely on silence or pre-ticked boxes
  • consent is specific to each type of processing that you carry out
  • consent isn’t embedded within other documents like your terms and conditions, but stands out
  • the supply of your service isn’t on the condition of data subjects supplying consent for processing activities that are not necessary to your service
  • data subjects are clearly informed that they can withdraw consent at any time
  • methods for withdrawing consent are easy to use
  • separate consents are obtained for each processing operation
  • consent is not the legal basis for processing personal data when there is an imbalance between the data subject and data controller.
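Most of that checklist comes down to how consent is recorded.  The following added example (not code from the original page or the firm’s own tooling) is a small per-purpose consent ledger: it records one purpose per event so consents cannot be bundled, refuses to record a grant whose ‘method’ is a pre-ticked box, silence or inactivity, lets consent be withdrawn without any extra hurdle, and can show what a subject had consented to at any given moment, which is the evidence Article 7 (1) asks the controller to be able to produce.  The method labels, notice versions, subject ids and timestamps are all constructed for illustration.

```python
"""Per-purpose consent ledger with withdrawal and point-in-time evidence.

Added example, not code from the original page. It records one consent event
per purpose so that consent stays specific, refuses anything that is not a
clear affirmative action, and lets the controller show what a subject had
consented to at any moment. Method labels, notice versions, subject ids and
timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Ways consent can be captured that count as a clear affirmative action
# (Recital 32: a written statement, including by electronic means, or an oral
# statement). The labels are assumed names for this example; "oral_recorded"
# means the call was logged so the statement can be evidenced.
AFFIRMATIVE_METHODS = {"checkbox_ticked", "form_signed", "oral_recorded", "api_opt_in"}

# Things sometimes treated as consent that are not (Recital 32).
NOT_CONSENT = {"pre_ticked_default", "silence", "inactivity"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # exactly one purpose per event: no bundled consents
    granted: bool         # True = given, False = withdrawn
    method: str
    notice_version: str   # which wording the subject actually saw
    timestamp: datetime


class ConsentLedger:
    """Append-only log; the current state is derived, never overwritten."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, method: str,
              notice_version: str, timestamp: datetime) -> ConsentEvent:
        if method not in AFFIRMATIVE_METHODS:
            hint = " (pre-ticked boxes and silence are not consent)" if method in NOT_CONSENT else ""
            raise ValueError(f"{method!r} is not a clear affirmative action{hint}")
        if not purpose or "," in purpose:
            # A purpose string such as "marketing,profiling" would be a bundle;
            # record two separate grants instead.
            raise ValueError("consent must be recorded for exactly one purpose")
        event = ConsentEvent(subject_id, purpose, True, method, notice_version, timestamp)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, timestamp: datetime) -> ConsentEvent:
        # Withdrawal needs no justification and no particular channel: it must
        # be as easy as giving consent (Article 7(3)), so nothing is validated.
        event = ConsentEvent(subject_id, purpose, False, "withdrawal", "n/a", timestamp)
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Consent state for one purpose as of `at` (default: now, i.e. latest event)."""
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and (at is None or e.timestamp <= at)]
        if not relevant:
            return False          # no record means no consent, never the reverse
        return max(relevant, key=lambda e: e.timestamp).granted

    def evidence(self, subject_id: str, purpose: str) -> List[Dict[str, str]]:
        """What you hand to an auditor or include in a subject access response."""
        return [
            {"when": e.timestamp.isoformat(), "granted": str(e.granted),
             "method": e.method, "notice_version": e.notice_version}
            for e in self._events
            if e.subject_id == subject_id and e.purpose == purpose
        ]


# Constructed timestamps and a sample history for one subject.
T_GRANT = datetime(2024, 1, 1, 9, 0)
T_WITHDRAW = datetime(2024, 2, 1, 9, 0)
T_LATER = datetime(2024, 3, 1, 9, 0)


def build_sample_ledger() -> ConsentLedger:
    """Subject s1 consents to two purposes, then withdraws one of them."""
    ledger = ConsentLedger()
    ledger.grant("s1", "marketing_email", "checkbox_ticked", "privacy-notice-v3", T_GRANT)
    ledger.grant("s1", "service_updates", "checkbox_ticked", "privacy-notice-v3", T_GRANT)
    ledger.withdraw("s1", "marketing_email", T_WITHDRAW)
    return ledger


if __name__ == "__main__":
    sample = build_sample_ledger()
    print("marketing now:", sample.has_consent("s1", "marketing_email"))
    print("marketing in Jan:", sample.has_consent("s1", "marketing_email", at=T_GRANT))
    print(sample.evidence("s1", "marketing_email"))
```

Because the ledger is append-only, withdrawing consent does not erase the fact that it was once given, so the controller can still show that processing carried out before the withdrawal was lawful; and because the state is always looked up per purpose, a withdrawal for marketing leaves the separate consent for service updates untouched.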

Final point: make sure that you are aware of all types of legal basis for processing data. Under the GDPR, using ‘consent’ as your legal basis for processing personal data is not always the easiest or best option.

For further advice and support on meeting the requirements of the GDPR, contact our lead auditors on 0844 826 6006 or email us at info@ndcmanagement.co.uk.   

5 Benefits of Task-based Risk Assessment

Risk assessment is a fundamental health and safety requirement in any type of organisation. When it comes to the manufacturing and engineering industries though, the value of task-based risk assessment goes beyond meeting legal requirements and keeping workers safe. Here are five reasons to include task-based risk assessment in your organisation’s core training programme.

1. It’s good practice

Task-based risk assessment forces the assessor to understand each step involved in a work-based task or process, and to examine all aspects of the activity being assessed, such as:

  • the task itself
  • the environment in which it takes place
  • the people that the task affects
  • the maintenance requirements of the equipment and plant involved.

This systematic exploration of an activity is both proactive and thorough. It gives the assessor an understanding of the risks involved in any given task, and of how wider organisational systems and processes affect that task.

2. It’s inclusive

It’s impossible to conduct task-based risk assessment without directly involving the employees that carry out the task in question. This brings a number of benefits:

a) Tests whether your policies and processes translate directly into practice. Assessing a task allows you to see exactly how it is carried out on the ground. Employees who perform the task can give valuable insight into why written procedures might not be practical or safe in reality. Where unsafe working practices have become the norm, the assessor has the opportunity to discuss with workers which alternative safe methods could work in practice.

b) Encourages employee buy-in. When employees feel consulted, they generally feel more motivated to engage. Staff who have contributed to a risk assessment process are far more likely to adhere to the assessment’s recommendations.

c) Encourages a positive reporting culture. Employees are more likely to report potential risks if their observations are acted upon and they feel that they are contributing to wider organisational goals.

3. It highlights quality and operational issues

Because task-based risk assessment looks into whole processes, it can identify wider quality and operational issues within your organisation. Involving your quality or continuous improvement managers in the task-based risk assessment process can help to meet wider strategic aims and improve communication across functions.

4. It reduces costs

Once embedded within your organisation, task-based risk assessment, and an associated training programme, can help reduce health and safety costs by:

  • proactively identifying and preventing risks
  • improving working practices
  • reducing insurance premiums and litigation costs: evidence of your task-based risk assessment training programme and practices can support premium discounts and help to mitigate penalties in the event of a compensation claim.


5. It drives continuous improvement

Task-based risk assessment requires that you review risk whenever there is a significant change to the task (equipment, personnel, environment, materials used, etc.). This approach to risk management demonstrates a commitment to continuous improvement in your health and safety practices. This is not only good practice in itself, but also meets the criteria for standards such as OHSAS 18001, the new ISO 45001, and ISO 9001:2015.

Are you ready to train your team?

NDC is the only provider of the IOSH approved Task-based Risk Assessment training course. Our 5-day course offers the knowledge, skills and practical application of task-based risk assessments for:

  • general risks
  • COSHH (control of substances hazardous to health)
  • display screen equipment (DSE)
  • manual handling operations
  • work at height.

We deliver the course on your premises so that delegates have the opportunity to practise risk assessment techniques in their own working environment. This is an assessed course: successful delegates receive an IOSH-approved Task-based Risk Assessment certificate upon completion. All course participants receive a workbook to help them put their learning into practice after the course.

For further information or to book a course, contact us on 0844 826 6006 or info@ndcmanagement.co.uk.

What Are the Benefits of ISO 27001 for My Organisation?

ISO 27001 is the internationally recognised standard for an information security management system (ISMS): the policies, processes and controls through which an organisation manages risks to its information. ISO 27001 sets out the requirements for establishing, implementing, maintaining and continually improving an ISMS. If you become ISO 27001 certified you demonstrate to clients and other stakeholders that you identify and manage information security risks in a systematic, independently audited way.

What are the risks to information security?

Potential security threats include:

  • cyber crime
  • fire/damage
  • loss
  • misuse
  • personal data breaches
  • terrorism
  • theft
  • vandalism
  • malware infection

How can ISO 27001 certification help my organisation to manage these threats?

“…keeping the UK safe from cyber-attacks is now as important as fighting terrorism.”

A robust information security management system is vital for the survival of any organisation. Gaining ISO 27001 certification involves putting in place the technical and organisational controls needed to protect your valuable data from these threats. An ISO 27001 certified ISMS provides an effective framework for identifying risks and threats and for selecting proportionate controls to eliminate or reduce them; where a risk is accepted rather than treated, the standard requires that decision to be documented and approved by the risk owner.

Every information security management system must control who has access to which information at any given time. ISO 27001 provides a framework to make sure authorised users can get access to the information they need whilst preventing unauthorised users from accessing data. Its Annex A controls for logging, monitoring and incident management also mean that, if a breach were to occur, you would be better placed to detect it, investigate it and recover.

By implementing ISO 27001 you are sending a clear message to everybody in your organisation that information security is your top priority. Increasing awareness in this way helps to set a security mind-set throughout your company, reducing the likelihood of employee related breaches.

What are the other benefits of ISO 27001 certification?

Protect your reputation

In a BBC news report dated 9 October 2017 the head of the intelligence agency GCHQ said: ‘…keeping the UK safe from cyber-attacks is now as important as fighting terrorism’. Cyber-attacks continue to grow in frequency and sophistication, causing financial and reputational damage to organisations everywhere. Therefore it’s more important than ever to meet the requirements of ISO 27001.

More customers!

ISO 27001 builds trust. Your clients, employees and stakeholders have the right to expect that their private information is protected. The ISO 27001 requirements are a blueprint for the policies and procedures that help to set everybody’s minds at rest. Not only will you keep your existing clients happy but you could also have a business advantage over competitors who are not ISO 27001 certified, particularly where certification is a condition of tendering.

Avoid fines

Under the GDPR, which applies from 25 May 2018, fines for the most serious infringements can be up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher. ISO 27001 certification does not by itself make you GDPR compliant: the GDPR also covers lawful processing, individuals’ rights and accountability, none of which the standard addresses. What certification does give you is a recognised, auditable way of meeting Article 32’s requirement for ‘appropriate technical and organisational measures’, because the risk assessment at the heart of the standard selects proportionate security controls for your ISMS and records why they were chosen. The same controls help you to meet other security obligations such as those under the NIS Directive.

Responsibility

When a business grows very quickly in a short space of time there can be confusion about who is responsible for which information assets. ISO 27001 helps businesses to organise this by requiring an inventory of information assets with a named owner for each, and by clearly setting out information risk responsibilities.

Fewer audits

ISO 27001 certification is widely accepted by customers as evidence that your security controls have been independently audited. Many customers will therefore accept your certificate and statement of applicability in place of their own on-site audit, saving you time and money by reducing the number of external customer audit days that you need.

Independent advice

As part of your ISO 27001 certification, an external auditor will undertake regular surveillance audits of your ISMS to confirm that it still conforms to the standard and that it is continually improving. Therefore you will have independent assurance that your ISMS provides the security necessary to protect your organisation’s data.

Is ISO 27001 appropriate for my type of business?

“The standard is especially suitable for organisations that process large quantities of personal or sensitive data…”

Yes. ISO 27001 certification is suitable for organisations of every size, across every sector. The standard is especially suitable for organisations that process large quantities of personal or sensitive data, such as public sector bodies, IT service providers, health bodies, and financial and banking organisations. It’s also the recognised standard for organisations that manage high volumes of data or manage information on behalf of other companies.

Can ISO 27001 be integrated with other management systems?

“Integrating your management systems brings substantial business benefits…”

ISO 27001 can be fully integrated with other ISO management systems, such as ISO 9001 quality management system, OHSAS 18001/ISO 45001 and ISO 14001 environmental management system. Integrating your management systems brings substantial business benefits, such as:

  • increased organisational efficiency and effectiveness
  • reduced costs
  • reduced disruption due to fewer external audits
  • a demonstration of your commitment to performance, employee and customer satisfaction, and continuous improvement.

What are the steps to ISO 27001 certification?

ISO 27001 certification involves the following steps:

  1. A gap analysis to find out how your existing information security management system compares to the requirements of ISO 27001.
  2. A stage 1 audit. Your external auditor reviews the documented ISMS (scope, risk assessment, statement of applicability, policies and procedures) that you have established following the gap analysis, pointing out any further gaps that need addressing before stage 2.
  3. A stage 2 audit. Your auditor assesses the implementation of the procedures and controls that you’ve established, looking for evidence that they are operating effectively enough to meet the requirements for ISO 27001 certification.
  4. You receive an ISO 27001 certificate which is valid for three years. Your auditor carries out surveillance visits, normally annually, to confirm that your ISMS still conforms to the standard and continues to improve, and a full recertification audit before the certificate expires.

How can NDC help you to achieve ISO 27001 certification?

NDC Global Auditors’ team of qualified lead assessors have extensive experience in auditing to ISO standards in a number of industry sectors and their supply chains. Our ISO 27001 lead assessors can support your company at every step of the implementation process and provide follow-up consultancy support to facilitate continual improvement.

Our services include:

Consultancy and training

  • gap analysis and action-planning
  • switch on/switch off consultancy support throughout the implementation process
  • training for every step of the certification process
  • developing effective policies, audit checklists and protocols
  • third-party assessment
  • follow-up consultancy support to facilitate continual improvement
  • support to integrate ISO 27001 with other ISO standards such as ISO 9001, OHSAS 18001/ISO 45001 and ISO 14001.

Technology to support ISO 27001

Our partners at Soitron UK can also support you to build the IT infrastructure to facilitate ISO 27001 and GDPR compliance. Their technical experts can test your existing system for weaknesses and support you to develop IT and cyber security systems that are robust and compliant.

Contact us to discuss how we can support your organisation to implement ISO 27001.

How Will the Rules for Subject Access Requests (SARs) Change Under the GDPR?

The rules for making a subject access request (SAR) under the GDPR will be similar to those under the Data Protection Act 1998. However, there are key differences. With less than six months until the GDPR applies on 25 May 2018, it’s time to make sure you can meet the new requirements.

What is a subject access request (SAR)?

A SAR is the right of an individual to ask whether you are processing their personal data and, if so, to obtain a copy of it. The reason that the GDPR and the Data Protection Act 1998 (DPA) provide this right is so individuals can verify that their personal data is being processed lawfully. Under the DPA a SAR must be made in writing; the GDPR drops that requirement, so a request made verbally, by e-mail or through social media is equally valid and your staff must be able to recognise it as one. Individuals can ask:

  • why their data is being processed
  • what categories of personal data are held about them
  • who has received or will receive their personal data
  • where the data came from if they did not give it to you.

How will GDPR changes to subject access requests affect my organisation?

Fees

At the moment you can charge a fee (usually £10) for a SAR. Under the GDPR you must respond free of charge; only if a request is ‘manifestly unfounded or excessive’, in particular because it is repetitive, may you charge a reasonable fee or refuse to act on it, and the burden of proving that the request is manifestly unfounded or excessive falls on you. As the guidance isn’t specific, that is difficult to demonstrate, so approach with caution. Separately, the GDPR allows you to charge a ‘reasonable fee based on administrative costs’ for any further copies of the same data that the individual asks for.

Response Time

The GDPR allows you just one month to respond to subject access requests instead of forty days under the DPA. This deadline can be extended by up to a further two months where necessary, taking into account the complexity and number of requests. The data subject must be notified of any extension within one month of receipt of the SAR and must be given the reasons for the delay. You will need to make sure that your organisation has procedures in place, including a register of requests and their deadlines, to cope with this reduced timescale.
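As an added illustration (not part of the original article), here is a small Python helper for the kind of deadline register described above. It assumes the counting convention in ICO guidance that the deadline is the corresponding calendar date in the following month (or the last day of that month if there is no corresponding date), and that an extension moves the deadline to the corresponding date three months after receipt. The request identifiers and dates are constructed sample data, not real requests.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed counting convention (ICO guidance on Article 12(3)): the deadline is the
# same calendar date in a later month, clamped to that month's last day. Roll-over
# to the next working day for weekends and public holidays is not modelled here.


def add_months(d: date, months: int) -> date:
    """Return the corresponding calendar date `months` later, clamped to month end.

    31 January + 1 month -> 28 (or 29) February, not 3 March.
    """
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class SarDeadlines:
    received: date
    respond_by: date            # Article 12(3): one month from receipt
    extension_notice_by: date   # the data subject must be told within one month
    extended_respond_by: date   # one month plus up to two further months


def sar_deadlines(received: date) -> SarDeadlines:
    """Compute every date a SAR handler needs from the date of receipt."""
    one_month = add_months(received, 1)
    return SarDeadlines(
        received=received,
        respond_by=one_month,
        extension_notice_by=one_month,
        extended_respond_by=add_months(received, 3),
    )


def sar_status(received: date, today: date, extended: bool = False,
               responded_on: Optional[date] = None) -> str:
    """Classify a request as 'responded', 'responded-late', 'overdue' or 'open'.

    `extended` should only be True when the data subject was told, with reasons,
    no later than extension_notice_by; the caller is expected to record that.
    """
    dl = sar_deadlines(received)
    deadline = dl.extended_respond_by if extended else dl.respond_by
    if responded_on is not None:
        return "responded" if responded_on <= deadline else "responded-late"
    return "overdue" if today > deadline else "open"


# Constructed sample register: (request id, date received, extended?, responded on)
SAMPLE_REGISTER = [
    ("SAR-0001", date(2018, 1, 31), False, date(2018, 2, 27)),  # month-end case
    ("SAR-0002", date(2018, 5, 31), True, None),                # extension granted
    ("SAR-0003", date(2018, 6, 1), False, None),                # nobody picked it up
]


def triage(register, today: date) -> dict:
    """Map each request id in the register to its status as of `today`."""
    return {rid: sar_status(rcv, today, extended=ext, responded_on=resp)
            for rid, rcv, ext, resp in register}


if __name__ == "__main__":
    for rid, status in triage(SAMPLE_REGISTER, date(2018, 7, 2)).items():
        print(rid, status)
```

The month-end clamp is the part people get wrong by adding thirty days; a request received on 31 May is due on 30 June, not 1 July. Treat the status values as input to a daily report for whoever owns the SAR mailbox, so that a request does not sit unanswered while the nominated staff member is absent.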

Electronic Access

If an individual makes a SAR electronically then you must provide the information in a commonly used electronic format unless they request otherwise. Before sending out personal data you must be satisfied of the requester’s identity; where you have reasonable doubts you may ask for further information to confirm it, but ask only for what is proportionate and don’t let the identity check become a way of delaying the response. Because you only have one month, make sure that requests sent to an individual staff member’s mailbox are still picked up and actioned when that person is absent, for example by routing them to a shared, monitored address.

Content of Response

When you respond to SARs you must tell the individual what personal data is held about them, the purposes for which it is processed, the recipients or categories of recipient, and the source of the data if it did not come from them. Article 15 also requires you to state the retention period (or the criteria used to decide it), the individual’s rights to rectification, erasure, restriction and objection, their right to complain to the supervisory authority, and whether any automated decision-making or profiling takes place.

Right to Withhold

The GDPR and the current DPA take a broadly similar position here. Under the DPA organisations can withhold information if disclosure would prejudice the prevention, detection or investigation of a crime; national security or the armed forces; the assessment or collection of tax; or judicial or ministerial appointments. The GDPR states that the right to obtain a copy must not ‘adversely affect the rights and freedoms of others’, which covers, for example, other people’s personal data mixed into the same records and trade secrets. The Data Protection Bill now going through Parliament is where UK exemptions such as crime and taxation will be carried forward or extended, so we will have to watch this space.

How can my organisation prepare for changes to SARs?

    1. Create a subject access request form or template and encourage people to use it, so that you receive the details you need to respond consistently and efficiently (who they are, what they want and how they want it sent). You cannot insist on it, however: a request made in any form is still valid and the clock starts when you receive it.
    2. Write and implement policies and procedures for handling SARs, making sure that the new shorter response times, the extension rules and the identity checks are incorporated.
    3. Make sure that your staff are trained to handle SARs so that they can identify them when they come in, including requests that don’t use the template, and respond correctly.


Final point: the key change most likely to affect your organisation is the reduced response time. As the GDPR only allows you one month to respond to subject access requests you might consider implementing a ‘data subject access portal’ so that individuals can obtain their personal data promptly, remotely and easily. Bear in mind that such a portal is itself a route to personal data: it must authenticate the requester to at least the standard you would apply to a manual request, and it should be brought within your ISMS risk assessment and security testing like any other internet-facing system.

How can NDC help?

Working in partnership with IT and cyber security specialists at Soitron UK, our information security lead auditors can:

  • design a subject access request template that meets GDPR requirements and works in practice within your organisation
  • design policies and procedures that handle SARs in line with GDPR requirements, including meeting the shorter response times
  • train your staff to identify and handle SARs swiftly and correctly
  • develop your IT systems to facilitate SARs processing and all other GDPR requirements.

Contact us for further information on how our consultancy and training services can support your business to prepare for GDPR.

How does the GDPR change the lawful basis for processing personal data?

Under the current Data Protection Act 1998 (DPA) any organisation that processes personal data and sensitive personal data must have a legal basis for doing so. The GDPR, which applies from 25 May 2018, is more rigorous in maintaining this position. The changes made by the GDPR have clear, practical implications in a way that the current DPA does not: individuals’ rights (for example to erasure or to object) will differ depending upon the lawful basis you rely on for processing their data, and you must tell them which basis that is in your privacy notice.

The GDPR legal basis for processing personal data

If your organisation wants to process personal data then it must satisfy at least one of the following conditions:

1. Consent

The data subject has given consent to the processing of their personal data for one or more specific purposes. For ordinary personal data this consent must be freely given, specific, informed and unambiguous, but it does not have to be ‘explicit’ in the stricter sense required for sensitive personal data.

2. Contractual

Processing is necessary for the performance of a contract with the data subject, or in order to take steps at the data subject’s request before entering into a contract (for example, processing a delivery address to fulfil an order they have placed).

3. Legal obligations

Processing is necessary to comply with a legal obligation.

4. Vital interests

Processing is necessary to protect the vital interests, that is the life, of the data subject or of another person. Recital 46 says this basis should only be relied upon where the processing cannot be based on another lawful basis, so in practice it covers emergencies, for example when an unconscious individual’s medical history is disclosed to a hospital following a serious accident.

5. Public interest

Processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in your organisation. The task or authority must have a clear basis in law; this is the usual basis for public bodies, rather than a general ‘public safety’ justification.

6. Legitimate interests

Processing is necessary for the legitimate interests of your organisation or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child. Public authorities cannot rely on this basis for processing carried out in the performance of their tasks, and you should document the balancing test you carried out so that you can show your reasoning.

What are ‘legitimate interests’?

The following GDPR recitals give examples of ‘legitimate interests’ for processing personal data:

Recital 47: processing for direct marketing purposes or preventing fraud. However, Recital 47 states that data controllers must consider whether their legitimate interests are outweighed by the interests and fundamental rights of data subjects.

Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes including client and employee data.

Recital 49: processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications.

Recital 50: reporting possible criminal acts or threats to public security to a competent authority.

What GDPR conditions must organisations meet to process sensitive personal data?

The GDPR calls sensitive personal data ‘special categories of personal data’ and lists it in Article 9 as data revealing an individual’s:

  • racial or ethnic origin, political opinions, or religious or philosophical beliefs
  • trade union membership
  • genetic data, or biometric data processed to uniquely identify them
  • physical or mental health
  • sex life or sexual orientation.

Data about criminal convictions and offences, or alleged offences, is not a special category under Article 9 but is separately restricted by Article 10, which only allows it to be processed under official authority or where EU or Member State law authorises it.

It’s mandatory under the GDPR for organisations to satisfy both one of the six lawful bases for ordinary personal data and at least one of the following Article 9 conditions in order to process sensitive personal data:

1. Explicit consent

The data subject has given explicit consent for their sensitive personal data to be processed.

2. Employment, social security and social protection laws

Processing is necessary to meet employment, social security and social protection laws or ‘a collective agreement providing for appropriate safeguards for the fundamental rights and interests of the data subject’.

3. Vital interests

This only applies when the data subject is physically or legally incapable of giving consent and processing is necessary to protect their vital interests or those of another person.

4. Not for profit (NFP)

Processing is carried out in the course of the legitimate activities of a not-for-profit body with a political, philosophical, religious or trade union aim, relates only to its members, former members or people in regular contact with it, and the data is not disclosed outside the body without the data subjects’ consent.

5. Public

Where the data subject has ‘manifestly’ made their sensitive information public on their own initiative.

6. Legal claims

Processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity.

7. Substantial public interest and public health

Processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law that is proportionate and provides safeguards for the data subject’s rights. A separate condition covers public health purposes, such as protecting against serious cross-border threats to health, again on the basis of law.

8. Medical reasons

Processing for ‘the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law…’

9. Research, archiving and statistical purposes

Processing is necessary for archiving purposes in the public interest, or for scientific or historical research or statistical purposes, on the basis of EU or Member State law and proportionate to the aim pursued. The data subject’s rights must be respected and safeguarded, for example by pseudonymising the data wherever the purpose can still be achieved without identifying individuals.

What satisfies ‘consent’ under the GDPR?

The GDPR defines consent as ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. Silence, pre-ticked boxes or inactivity do not constitute consent.

How can my organisation prepare for changes to the lawful basis for processing personal data?

  1. Start by assessing what lawful grounds you currently rely upon for processing personal data and sensitive personal data. Will these grounds still be valid under the GDPR? What action do you need to take to be GDPR compliant?
  2. If you rely on ‘consent’ as your lawful basis but this is no longer adequate under the GDPR, either obtain fresh consent that meets the new standard or identify another lawful basis, and update your policies, procedures and privacy notices to reflect this.
  3. Make your staff aware of which legal bases your organisation relies upon for processing personal data.

Most importantly, make sure you identify and document your lawful basis for processing personal data and sensitive personal data so that you comply with the GDPR.

How can NDC help?

Our information security consultants can provide switch on/switch off consultancy and training that will support you to:

  1. conduct a gap analysis of your existing systems and processes for processing personal data and sensitive personal data
  2. update your policies, procedures, privacy notices and audit checklists to comply with the GDPR
  3. raise awareness of GDPR requirements and benefits within your organisation.

Contact us for further information on how our consultancy and training services can support your business.