The European Union has enforced the General Data Protection Regulation (GDPR) since May 2018. Protecting the personal data collected for a variety of reasons is becoming a central objective for organizations and the individuals involved; as a business grows, so does the total amount of personal data it collects. As a result, there is an urgent need for organizations to enhance their information security systems to manage the collection of data in line with the framework of the General Data Protection Regulation (GDPR).
The goal of the GDPR audit assessment is to evaluate and measure your organization's compliance with GDPR requirements. A GDPR audit assessment provides an estimated evaluation of the ongoing processes in your organization, covering the risks and benefits that need to be considered to achieve compliance with the GDPR.
E4 has extensive experience in information security, and our qualified auditors' knowledge of the privacy requirements of the GDPR and ISO 27001, together with their data privacy expertise, makes our GDPR audit assessment the most enhanced and comprehensive service.
Therefore, the purpose of the GDPR audit assessment is to assist your organization in identifying areas for improvement and evaluating your organization's commitment to GDPR requirements. The duration of the audit assessment is determined by the size of your organization, the scope, and the complexity of your business and processes.
We believe that a GDPR audit assessment is an essential step at this stage of your organization's growth, given the increasingly critical need for transparency and for informing your clients about data protection and individual privacy rights.
A GDPR Compliance Assessment is a third-party audit performed by an approved E4 auditor; upon verification that an organization complies with the requirements of the General Data Protection Regulation, a certification body will issue a GDPR attestation.
This attestation is then maintained through regularly scheduled annual surveillance audits by a certification body, with re-assessment of the General Data Protection Regulation performed on a triennial basis.
Note: Neither the certification body nor E4 accepts any liability that may arise as a result of a security breach or vulnerability in your system that impacts compliance with the GDPR requirements after the audit assessment.
Any compliance or certification audit can become a costly proposition if, for example, you hire auditors from overseas, which is only one of many reasons to choose carefully. When you want the best and most experienced auditors, look no further: appoint E4 auditors, we are local.
• IAS accredits certification bodies. (IAS is the global accredited certification body for persons, management systems, and products on a wide range of international standards.)
• All our certification bodies are worldwide providers of certification services, audits, examinations, and training.
The General Data Protection Regulation is the new European Union Regulation intended to strengthen and unify personal data protection for all individuals within the European Union (EU).
The Regulation was approved and adopted in April 2016 and will be enforceable starting 25th May 2018.
The GDPR applies to all organizations that process personal data of citizens of the European Union (EU). It also applies to organizations outside the EU that offer goods or services to individuals in the EU.
UK companies that offer goods and services to EU residents, and as such hold personal information of EU citizens, will still be affected by the Regulation, regardless of whether the UK decides to remain in the union or not.
Organizations that fail to comply with the regulation can be fined up to €10m or 2% of global annual turnover, whichever is greater.
For more severe infringements, fines can be up to €20m or 4% of global annual turnover, whichever is greater.
Article 5 of the EU GDPR states that personal data must be:
• Processed lawfully, fairly and in a transparent manner;
• Collected only for specified, explicit and legitimate purposes;
• Adequate, relevant and limited to what is necessary;
• Accurate and kept up to date;
• Held only for the time absolutely essential and no longer;
• Processed in a manner that ensures appropriate security of the personal data.
A Data Protection Officer is a data privacy expert who works independently to ensure that an entity complies with the procedures and policies required by the GDPR.
A Data Protection Officer (DPO) must be appointed when:
• processing is carried out by a public authority;
• processing of data requires consistent and systematic monitoring;
• the core activities consist of processing large amounts of sensitive data or particular categories of data.
However, any organization can appoint a DPO to help it comply with its obligations under the GDPR.
Step 1: First, you have to determine whether your company is subject to the Regulation. Even if you are not located in the EU, you will be subject to the Regulation if you process EU residents' data due to:
• offering goods or services (whether free of charge or not) to individuals in the EU; or
• monitoring their behavior, as far as their actions take place within the EU.
Step 2: After you determine that you are subject to the Regulation, you must assess whether you have to appoint a DPO by applying the criteria listed above.
The DPO will:
1. Inform and advise the organization on the GDPR and other EU or local data protection provisions;
2. Monitor compliance with the Regulation, with other EU or local data protection provisions and with the data protection policies of the organization, including the assignment of responsibilities, awareness-raising activities and training of your staff involved in the processing operations, and the related audits;
3. Provide advice where required on data protection impact assessments, and monitor their performance;
4. Cooperate with the supervisory authority, and act as the organization's contact point on issues related to the processing of personal data, including prior consultation;
5. Respond to individuals whose data is processed (employees, clients and similar) on all concerns they may have regarding the processing of their data and the exercise of their rights under the Regulation.
It is not necessary to have an ‘in-house’ DPO. You can also appoint an external DPO who works under a service contract. For example, E4 security professionals can be hired as a DPO on a contract basis.
You must:
• Support your DPO by providing the resources necessary to carry out his/her tasks;
• Ensure that your DPO is committed to addressing all issues related to the protection of personal data;
• Make his/her contact details available to the supervisory authority and the public.
Individuals are entitled to 8 major rights under GDPR:
The right to be informed – Organizations must be fully transparent about how they use an individual's data.
The right of access – Individuals will have the right to know precisely what information is held about them and how it is processed.
The right of rectification – Individuals will be allowed to correct personal data if it is inaccurate or incomplete.
The right to erasure – Also known as ‘the right to be forgotten,’ this enables an individual to request deletion or removal of their data without needing to give a specific reason for wanting their personal data erased.
The right to restrict processing – Refers to an individual’s right to block or stop processing of their personal data.
The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
The right to object – In certain circumstances, individuals are entitled to object to the use of their personal data for certain purposes. This includes the use of personal data for marketing, for scientific and historical research, or for the performance of a task in the public interest.
Rights related to automated decision making and profiling – The GDPR ensures the existence of particular safeguards that provide individuals with the right to determine for themselves when, how and what type of information they want to communicate to others.
As such, EU law grants individuals the right not to be subject to automated decision making that may produce legal effects for them.
“Processor – refers to a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.”
“Controller – refers to a natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of processing personal data.”
The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed, whereas a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).
Privacy by design is about ensuring that you protect the rights of data subjects when you develop your applications, websites, or other technology-related services.
It is also about creating a culture of respecting privacy in organizations. To do this, the GDPR requires you to think carefully about data privacy at the earliest stages of your project.
Data Privacy Impact Assessments should be conducted to identify potential risks that may affect an individual’s privacy rights.