Europrivacy Introduction – Your Gateway to Certified GDPR Compliance
Summary
TLDR
Alan Calder, founder of IT Governance, introduces a webinar on Europrivacy certification as a gateway to GDPR compliance. He highlights the importance of GDPR, the role of Europrivacy certification in demonstrating compliance, and offers practical advice on achieving certification. The webinar covers key principles, benefits, and practical steps towards GDPR compliance, with a Q&A session addressing related queries.
Takeaways
- 😀 Alan Calder, the founder of I.T. Governance, hosted the webinar focusing on Europrivacy and GDPR compliance.
- 📚 I.T. Governance is a global leader in GDPR and has served over 12,000 clients across five continents, emphasizing their experience in the field.
- 🌐 Europrivacy certification is the first certification mechanism recognized by the European Data Protection Board, demonstrating compliance with GDPR.
- 📜 The certification is valid for three years and covers all core areas of GDPR, including data processing, protection, and the rights of data subjects.
- 🔒 The certification is particularly relevant for organizations required to appoint a Data Protection Officer (DPO) and is recognized in all 27 EU member states.
- 🏢 Organizations seeking certification must meet core criteria, including lawful data processing, respecting individual rights, and ensuring data security.
- 🔑 Benefits of Europrivacy certification include demonstrating legal compliance, building trust with customers, and reducing the risk of non-compliance fines.
- 🛡️ GDPR and cybersecurity are closely linked, with GDPR emphasizing the need for robust security measures to protect personal data.
- 🔄 The certification process involves a gap analysis, updating data flow mapping, staff training, and ensuring processes are in line with GDPR principles.
- 🔑 Europrivacy certification complements other standards like ISO 27001, providing an additional layer of assurance for data protection and compliance.
- 💻 Tools like Cyber Comply can simplify GDPR compliance and are instrumental in achieving Europrivacy certification by automating various compliance processes.
Q & A
What is the main focus of the webinar presented by Alan Calder?
-The main focus of the webinar is Europrivacy and the introduction to certified GDPR compliance, specifically discussing the Europrivacy certification mechanism.
Who is the host of the webinar and what is his background?
-Alan Calder is the host of the webinar. He is the founder of I.T. Governance, part of the GRC International Group, and has been involved in cybersecurity and privacy for 25 years. He has written several books on GDPR and cybersecurity.
What is the significance of Euro Privacy certification in terms of GDPR compliance?
-Europrivacy certification is significant as it is the first certification mechanism recognized by the European Data Protection Board, providing a way for organizations to demonstrate their GDPR compliance.
How does the Euro Privacy certification benefit organizations in terms of data protection?
-Europrivacy certification benefits organizations by demonstrating legal compliance, improving trust with customers and partners, reducing the risk of non-compliance fines, and providing a competitive advantage.
What are the core criteria that organizations need to meet to achieve Euro Privacy certification?
-The core criteria for Europrivacy certification cover aspects of data processing and protection, including lawfulness of data processing, data subject rights, security of processing, data protection by design, and compliance with GDPR requirements.
What is the role of a Data Protection Officer (DPO) in the context of Euro Privacy certification?
-A DPO plays a crucial role in ensuring that an organization's data processing activities comply with GDPR and the requirements of Europrivacy certification, especially since the certification is currently available only to organizations required to appoint a DPO.
How does Euro Privacy certification simplify the process of demonstrating GDPR compliance to stakeholders?
-Europrivacy certification simplifies the demonstration of GDPR compliance by providing a single, recognized certificate that can be presented to stakeholders, clients, regulators, and partners, eliminating the need for complex explanations or assurances.
What is the relationship between ISO 27001 and Euro Privacy certification?
-ISO 27001 certification can serve as a fundamental building block for Europrivacy certification, as it demonstrates a compliant data protection regime. Organizations with ISO 27001 certification can build upon this to achieve Europrivacy certification.
How does the Euro Privacy certification help with international data transfers?
-Europrivacy certification helps with international data transfers by ensuring that organizations have mechanisms in place to comply with GDPR requirements for transferring personal data to third countries or international organizations.
What steps should an organization take to start their GDPR compliance journey towards Euro Privacy certification?
-An organization should start with a gap analysis to identify the difference between their current GDPR compliance activities and the requirements of Europrivacy certification. They should then create an implementation plan, update data flow mapping, ensure staff competence and awareness, modify processes as necessary, and carry out penetration testing.
What is the duration of a Euro Privacy certification and what happens during this period?
-A Europrivacy certification is valid for three years, during which there are surveillance visits to ensure ongoing compliance. At the end of the three-year period, there is a recertification process.
Outlines
🌐 Introduction to GDPR Compliance Webinar
The webinar, hosted by Alan Calder, founder of I.T. Governance, commences with an introduction to the company's expertise in cybersecurity, privacy, and GDPR. Alan highlights I.T. Governance's global presence, client base, and partnership with Europrivacy. The session aims to guide attendees on GDPR compliance, noting that attendees are muted for a clear broadcast and that the webinar's question feature will be used for the Q&A.
📜 The Emergence and Impact of Euro Privacy Certification
This paragraph delves into the inception of Europrivacy certification, established as a response to the need for demonstrable GDPR compliance. Europrivacy, recognized across the EU, offers a simplified approach to proving compliance, beneficial for interactions with clients, regulators, and stakeholders. The certification is applicable to organizations required to appoint a Data Protection Officer (DPO) and covers all aspects of GDPR, including data processing, security, and the rights of data subjects.
🛡️ Benefits and Principles of Euro Privacy Certification
The benefits of Europrivacy certification are underscored, including demonstration of legal compliance, improved trust with customers and partners, and a competitive advantage in the market. The certification also mitigates the risk of non-compliance fines and legal issues. Key principles include lawful data processing, upholding data subjects' rights, and ensuring data controller and processor responsibilities are met, alongside robust security measures and data protection by design.
🔄 Transitioning to Euro Privacy Certification
The process of transitioning to Europrivacy certification is outlined, beginning with a gap analysis to identify the difference between current GDPR compliance practices and the certification requirements. It emphasizes the importance of mapping data flows, ensuring staff competence and awareness, modifying processes, and conducting penetration tests to secure internet-facing technologies against external attacks.
🛠️ Tools and Strategies for GDPR Compliance
The paragraph introduces Cyber Comply as a tool to streamline GDPR compliance, offering modules for DPIAs, incident management, and mapping compliance to laws and regulations, integrated with an ISO 27001 management system. It discusses the need for automation in risk assessments and compliance documentation, as well as the importance of a robust platform for maintaining data consistency and security.
🤝 Support and Resources for Euro Privacy Certification
The final paragraph offers support and resources for organizations pursuing Europrivacy certification. It suggests consulting with experts for a gap analysis and implementation plan, mentions the availability of GDPR practitioner training, and highlights the in-house penetration testing team. The paragraph concludes with an invitation for further contact and assistance in achieving Europrivacy compliance.
📌 Q&A Session on Euro Privacy and GDPR Compliance
The Q&A segment addresses various questions about Europrivacy certification, including the difference between BCRs and certification, the possibility of self-certification, and the relationship between Europrivacy and other standards like ISO 27001 and ISO 27701. It also discusses the implications of using Gmail and AWS for data transfers and the application process for Europrivacy certification.
📚 Closing Remarks and Future Webinars
The closing paragraph thanks attendees for their participation and provides information about upcoming webinars that will delve deeper into specific aspects of Europrivacy compliance. It emphasizes the continued support available for those on their journey to certification and encourages the use of the provided services to ensure a safe, secure, and compliant business practice.
Keywords
💡GDPR Compliance
💡Alan Calder
💡I.T. Governance
💡Europrivacy
💡ISO 27001
💡Data Protection Officer (DPO)
💡Data Flow Mapping
💡Data Protection Impact Assessment (DPIA)
💡Binding Corporate Rules (BCR)
💡Penetration Testing
💡Cyber Comply
Highlights
Introduction to Europrivacy certification as a gateway to certified GDPR compliance.
Alan Calder, founder of I.T. Governance, hosts the webinar with 25 years of experience in cybersecurity and privacy.
I.T. Governance's partnership with Europrivacy and their role in GDPR and ISO 27001 compliance.
The importance of demonstrating GDPR compliance to clients, especially for data processors.
Europrivacy as the first certification mechanism approved by the European Data Protection Board.
Benefits of Europrivacy certification, including legal compliance and improved trust with customers.
Core criteria of Europrivacy certification and its coverage of all GDPR areas.
Certification's validity for three years with surveillance visits and a recertification process.
The significance of data flow mapping for GDPR compliance and breach management.
How Europrivacy certification simplifies the demonstration of GDPR compliance.
The role of ISO 27001 in preparing for Europrivacy certification.
Steps to achieve Europrivacy certification, starting with a gap analysis.
Importance of staff training and awareness in GDPR and Europrivacy compliance.
CyberComply tool's role in automating GDPR compliance for Europrivacy certification.
How Europrivacy certification provides a competitive advantage and risk reduction.
The webinar's Q&A session addressing questions on BCRs, self-certification, and the application process.
Final thoughts on the value of Europrivacy certification for GDPR compliance.
Transcripts
the broadcast is now starting all
attendees are in listen only mode
ladies and gentlemen good afternoon and
welcome to this webinar on Europrivacy
privacy introducing what could be your
gateway to certified gdpr compliance
my name is Alan Calder I'm your host
for this afternoon I'm the founder of
I.T governance which is the main company
in the GRC International
Group I've been involved in the cyber
security and privacy world for some 25
years I've written a number of books on
gdpr on cyber security
and of course I.T governance is a global
leader in the world of gdpr and
particularly through ISO 27001 we have
pushing 200 people in the business we've
been at it for about 20 years we've
served some 12 000 clients across five
continents and we recently became a an
official partner of Europrivacy and you
can read more about that on the
Europrivacy website
today's webinar really is going to be
focusing on Europrivacy you'll notice
that you are all on mute and that's
designed to ensure that there's no
background noise and so on but as I go
through the webinar
um I'm sure you'll find that there are
questions you want to ask please do use
the question function in your
GoToWebinar control panel that's the chunk
of functional text and icons that will
be set on your screen there's a question
line in there you can click on it you
can type questions into that question
box and when we come to the Q&A section
which will be about 40 or 45 minutes
from now I will okay the questions I'll
read out whatever questions there are
and then assuming that I can I'll answer
the question for everybody so everybody
knows both the question and the answer
so that's the format for today
I.T governance as a business is a
company who which is built around the
logic that our expertise our expertise
in information security
in privacy and deployed in your business
should give you peace of mind that
enables you to focus on doing what you
do best in serving your clients we've
carried out more than 1300 organizations
working with clients to deal with either
ISO 27001 compliance
1600 cyber security and privacy projects
in one sort another more than seven
thousand cyber essential certifications
and we've helped uh some 1100 companies
on their broader governance risk
managements and compliance activity so
we have a huge amount of experience that
we can draw on to deliver services to
our clients and that of course form part
of the background and content of
the webinar today
so um what am I going to talk about and
look first of all give an introduction
to Euro privacy and what its role is in
achieving gdpr compliance we look at the
benefits and key principles of
Europrivacy certification we'll have a brief
look at how you can make gdpr compliance
start your gdpr compliance journey and
then some practical advice and solutions
to uh to get you going so let's start
with the origins of the Europrivacy
certification as you all know gdpr ukg
EU gdpr what's now known as EU gdpr has
been around since May 2018 it's been in
force effective since May 2018 but at
first became a law in May 2016 so it was
a two-year transition period and of
course one of the big questions that
existed right the way through the
transition period and businesses how do
we prove that we are gdpr compliant
we've done everything we think we should
do how do we prove that we're
genuinely compliant and that is a an
important question because you have
clients asking you that that's relevant
not only to just normal services that
you provide but particularly if you are
a data processor when of course the
controller who's providing the data
you're processing specifically needs to
know whether or not your gdpr compliant
it's also a useful aspect of dealing
with breaches and so on a supervisor
Authority will say and are you gdpr
compliance of course the moment you're
going to go say yes to the best of our
ability or the best of our knowledge of
the final Arbiter has typically been a
judge and a case being brought you
either win or lose Europrivacy
changes that substantially so it's a
significant step forward for all
organizations it's the first
certification mechanism
just by the European data protection
board as a European data protection seal
article 42 of gdpr defined that seals
certificates could come into existence
that would demonstrate compliance with
the gdpr or with particular seals'
requirements as the case may be and Europrivacy
obviously therefore as a certificate as
a certification mechanism enables
organizations to demonstrate their data
processing activities comply with gdpr
and by extension because
extension is negotiated with
other countries with other relevant
National and international regulations
so you just think about what does that
shift mean if we can simply have a
certificate that says we're compliant
it's a huge simplification of a whole
calendars that exist talking to
clients talking to Regulators talking to
stakeholders and partners
Europrivacy was developed through the
European research Horizon program in
2020 co-funded by the European
commission and by Switzerland approved in
October 2022 by the European data
protection board and it's managed by the
European Center for certification and
privacy based in Luxembourg it's
recognized in all 27 member states of
the European Union it's a pan-eu
certification and is applicable to both
data controllers and data processors
it's available only to organizations
that are required to appoint a DPO so at
this stage anyway one of the core
requirements before you can get
certified is are you required to have a
data Protection Officer so
uh so that's kind of relevant to
everybody
certification to be achieved
organizations have to meet
the core criteria the Euro privacy gdpr
core criteria they cover various aspects
of data processing and protection and
allow organizations to assess Reliance
compliance in respect of the lawfulness
of your data processing how you deal
with processing special data data
subjects rights and your compliance with
the requirements around
measifying and protecting the rights of
data subjects the response
responsibilities of data controllers the
responsibilities of data processors to
data controllers the security of
processing of data and how you deploy
data protection by Design the management
of data breaches deployments of dpias
where they're required how your DPO
operates and remembering DPOs have to be
in the UK and the EU independent of the
processing on which they comment and how
data is transferred personal data is
transferred to third countries or to
International organizations all the core
areas of gdpr are covered by Euro
privacy certification and a certificate
is valid for three years and the core
criteria are complemented by contextual
checks and controls around technology
and domain specific obligations and of
course Technical and organizational
measures checking controls to ensure
that they meet security requirements so
it's a fundamental do you or do you not
comply gdpr certification
International trademark has registered
obviously across the EU and a number of
other jurisdictions its recognition
extends Beyond EU borders means it's
relevant for organizations in the US or
the UK who are providing Services into
the European Union that are required to
have a DPO and the gdpr compliance if
you can buy it to the whole of your
operation certainly it can apply in the
context of the personal data you're
processing in scope for gdpr compliance
and it demonstrates that the
organization has a serious commitment to
high data protection standards and
compliance with gdpr on a global scale so
you can think of it as an international
trademark that generates gdpr compliance
or you can look at it simply as how do
we demonstrate to our EU customers that
we are gdpr compliant
you think about benefits obviously the
first major benefit is demonstrating
legal compliance and I can't I just
can't stress enough how useful it is to
be able to go no I don't have to uh
write a letter I just simply give you my
certificate number we are gdpr compliant
we're also UK gdpr compliant because the
extension negotiated with the UK we can
demonstrate that we comply with UK gdpr
which is currently only slightly
reference to EU gdpr or PIPEDA in
Canada as their case may be so it's a
it's a solid demonstration of compliance
with EU gdpr and a growing number of
other National or jurisdictional data
privacy regulations
should enable you to demonstrate to
customers that they can trust you so the
improved trust uh the commitment that
you're making it's data protection
should really build trust with customers
partners with regular authorities with
stakeholders and should therefore give
you a competitive Advantage we're still
really at the early adopter very
beginning of the early adopter stage in
um
curve for Europe privacy and so the
first organizations will be able to say
you know we are so far ahead of our
competitors in terms of demonstrating
our commitment to protecting personal
data remembering the personal data
protection has become a much much bigger
issue for particularly consumers over
the last five or seven years
certification reduces the risk of
non-compliance fines reduces the risk of
legal issues related to the data
protection because
um you know that if you have a breach
and you know remember you're going to
have breaches whether you're
Europrivacy certified or not what the
certificate enables you to demonstrate and answer
the question of were your gdpr compliant
is yes we are we have external audits we
have a certificate we were compliant so
your risk of major exposure uh when you
have to report a breach to a supervised
Authority is by definition a
significantly reduced simply because you
can demonstrate beyond the doubt that
you are gdpr compliant
so the the if you like boiling that down
to uh some of the key principles
lawfulness of data processing
demonstrating as part of your auditing
the certification is carried out by an
independent third-party certification
bodies so exactly the same logic as for
ISO 27001
um a certification body like BSI or DNV
one of those who have become an
accredited uh Euro privacy certification
body or do an audit and certify your
compliance with the standard a
consultancy body a partner like I.T
governance will provide services that
help you become compliant but we won't
do the certification audits so
lawfulness of data processing uh it's a
vehicle requirement so part of the
process of preparing for Euro privacy
certifications making sure that you're
very clear about lawfulness and
processing and that your processing is
all being carried out in compliance with
your legal obligations
and respecting and upholding rights of
individuals regarding personal data the
eight rights of data subjects around for
instance access rectification Erasure
and so on demonstrating that those are
all in place that you have mechanisms
that enable people to exercise those
rights to make it easy and
straightforward for them to do so and
that you're carrying out you can
demonstrate that you are
clearly delivering undefined data
controller responsibilities you're
managing personal data in line with the
requirements of the standard and that
will extend to areas in which you're a
joint controller with an organization or
there are two controllers processing
data simultaneously but be really clear
about the delineation of data controller
responsibilities and applying them and
being accountable for the the
application of the six data protection
principles
processor making sure that your
processing is in compliance to the gdpr
and that means handling data
specifically in compliance with the
documented requirements of the data
control level controllers for whom
you're doing the processing so the first
four major key principles of Europe
privacy certification
security of processing and data
protection by Design and default equally
important in gdpr is of course the
general data protection regulations that
is about protecting data and the
breaches that you have to report are
breaches because they compromise the
confidentiality Integrity or
availability of data in a way which
poses a risk to the rights and freedoms
of natural persons and so demonstrating
the implemented robust security measures
and data protection principles is
another key element of your gdpr
compliance we've for a long time said
privacy and cyber security on different
sides of the same coin and that's
exactly what gdpr says and that's
exactly what the European certification
recognizes and goes beyond just simply
saying you need to do data security it
says if you want an ISO 71 72 if you
have an ISO 27001
certificate that will serve to
demonstrate without you needing to do a
whole bunch more in the certification
bodies that you have a compliant data
protection regime so um there's a
logical step from ISO 27001
certification which in the scope you
would logically include personal data
and that would build into the next step
of getting your overall processing
personal data certified through Europrivacy
certification so 27001 is a major
building block um of that
how you manage data breaches so incident
response uh um and being able to track
if gdpr requires you to track what you
do with incident response so using an
incident response tool that um Audits
and keeps information around how you
handle uh incident incidents is another
key building block of
um
Europrivacy compliance data protection
impact assessments remember doing a dpia
isn't always necessary but identifying
whether or not you needed one is always
necessary when there is a significant
change in the way in which you process
data for the deployment of a significant
new piece of personal data processing
software so a dpia process that may or
may not lead to carrying out a dpia
appointments of a DPO where that is a
where that is mandated and managing
transfers of personal data in compliance
with with Euro with gdpr and that
particularly applies to third countries
like the United States and for the EU
all of the countries who are currently
recognized as having adequate data
protection regimes
and of course what happens beyond that
and the recent data transfer mechanism
the theor of privacy that the EDPB
has signed off on and the European Council
has signed off on the labels transfer of
data between the EU the UK Switzerland
and the us legally is currently a key
component of
managing International transfer as a
person like remember International
transfers of personal data can include
the transfer of information like cookies
data assuming that you're still using
cookies that can include the transfer of
personal data because you're using a an
provider who is based in the United
States so so all of those components
have to be addressed so key building
blocks of Europrivacy certification
are things you should be doing anyway uh
what Europrivacy as a standard does
is encourage you to put all of those
things together and make sure you're
doing them consistently and consistently
well and I'll come back to the logic of
doing that on a platform which enables
you to link the identification of risks
to the protection of personal data
through to how you manage data breaches
to dpias to transfers of personal
relation to be able to handle all of
those in a platform environment which
means that you've got consistency of
data a consistency of data processing
that a
an external auditor can review and can
see how robustly you handle is a key way
to build a long-term Euro privacy
certification remember it's a three-year
certificate you have surveillance visits
through the three-year period a
recertification at the end of the
three-year period and being able to
demonstrate that you can do all of that
is part of how you get certification so
key building blocks of
Euro privacy certification
Europrivacy as a certificate should
align absolutely with your current gdpr
compliance activity that seems pretty
logical to me Euro privacy is a
structured approach to how you go about
complying with gdpr so um you know while
you might think of gdpr starting with
article one and working all your way
through to the bit just before it tells
supervising authorities and the edpb how
to behave that's what you've got to do
but what Europrivacy does is if you
like gives you a really structured way
to think about
gdpr compliance what the building blocks
are and how you go about doing that
so it encourages of course it's a
management system continuous Improvement
certification encourages continuous
Improvement in data protection practices
and that's not just because gdpr
regulations evolve but because the
requirements of gdpr is that you deploy
uh
functionality or technology that is
state of the art to manage risks to
rights and freedoms of data subjects and
and that means you've got to continue
evolving your management system you've
got to continue learning from incidents
you've got to continue deploying the
learnings into making your processes
work better so that you don't have a
repeat what
Regulators supervising authorities hate
to see as the fact that you have this
data breach and you have the same data
breach and then you have the same data
breach at time and time again you should
be learning from them you know the the
UK ICO just in the last four or five
weeks observed that in the last five
years the most commonly reported data
breaches is misuse of carbon copy in
an email where a list of email addresses
that should go into the BCC field in the
email yet mistakenly
plug it into the CC field which means
that everybody else can see who got an
email which could be a breach of gdpr
because it might involve the email might
include sensitive information for
instance which will tell everybody else
on the list that everybody else on the
list is
whatever it is has a particular illness
so misuse of carbon copy is a common
thing if it happens once you should be
working out how to improve on the
activity inside the organization so it
doesn't happen again
regulatory compliance much simpler
customer checks way simpler it's makes
your life much easier from a global
business point of view when you've got
to fill in those increasingly long rfps
are you gdpr compliant you should just
be able to go here's my Euro privacy
certificate yes we are gdpr compliant
I'm not going to answer the questions
because by definition we are compliant
so it should be operationally as well as
legally and practically a genuine
Improvement and simplification of your
working life
how do you go about
tackling Europrivacy how do you start
the journey from your current state of
gdpr compliance to Europrivacy
certification
and it's logically a strategic approach
you want to align what you currently do
in terms of gdpr compliance with the
requirements of the Euro privacy
standards so
um as I said Europrivacy provides a
strategic approach so look the framework
look at the blocks the building blocks
and look at what you currently do in
terms of gdpr to make sure that what you
are doing meets the requirements of each
of those blocks rather than trying to
work your way through all of the Clauses
one by one you can just simply go block
by block how do we comply with what gdpr
requires
principles where they are specific
principles into your documentation into
your existing data processing procedures
so that you can demonstrate that your
gdpr compliance is
within the Euro privacy framework so
these specific building blocks the
principles all want to be clearly
identified in the documentation in your
staff awareness training and so on so
that everybody understands that you're
not just gdpr compliant you are you're
Europrivacy compliant you have a
Europrivacy compliance certificate
and see the key steps that you take is
number one is the gap analysis uh lo and
behold virtually every regulatory or
framework compliance project we'll start
with a gap analysis because of course
you're already doing a number of things
that you should be doing and what you
want to find out is the gap between what
you are doing and what you should be
doing and so a gap analysis either using
a tool or with a an external consultant
like I.T governance or somebody like that
who knows their way around the standard
will be able to look at what you
currently do look at the requirements of
the standard and tell you what the Gap
is between
as is and to be and give you a map
towards achieving that so that's the uh
the starting point it enables you then
to put together a a plan that outlines
the steps the resources the timelines
required to integrate the Euro privacy
principles
some of your gdpr compliance activity it
might have fallen off over the course
the last four or five years because you
know life
um and and that
means you can identify the extent to
which you're ready to meet the core
criteria and be assessed for compliance
One of the key elements of Europrivacy, and it's in the standard, is that you are able to demonstrate that you've mapped data flows. Mapping data flows is a requirement because it's how you can demonstrate that you know where your data is going. When you have a data breach you need to be able to identify what steps you need to take to deal with the data breach. You need to be clear about where data is flowing beyond the European Union, or to a country which hasn't been recognized as having an adequate data protection regime, because you need to have in place additional protections to ensure the lawfulness of that processing. There's also an Article 30 requirement that your data flow mapping is clear about what data you are processing. Many organizations don't actually do this very well, so GDPR compliance looks for you to do that. It could be a major area that you've got to focus on early on, and your data flows may have changed since you became GDPR compliant. So using, typically, a data flow mapping tool is a way that you can not only map what you're currently doing but create a robust basis for maintaining and updating that as time goes on, because you change flows as life happens, you find better ways to do things, so you need to be able to update data flows in a robust environment. So: gap analysis; a compliance or implementation plan, which would probably start with data flow mapping or updating your data flow mapping; and how ready are you for a GDPR and Europrivacy compliance assessment?
Competence and staff awareness are both critical areas. You need to have people who are managing GDPR who are competent to do that, so a GDPR practitioner certification, Europrivacy awareness, and making sure that your staff training and awareness includes GDPR and any of the specific Europrivacy principles. So you need to build that out and make sure that you can demonstrate that your staff are aware, because, you know, simple things like data subject access requests could be passed to any member of staff, so training staff to recognize their obligations, to know how to deal with data protection requirements, is a key part of GDPR compliance and therefore of Europrivacy certification.
So you modify your processes. You might not need to do anything dramatic; it might just be minor changes in documentation or in activity to make sure of the key principles, particularly around data security measures. If you don't have ISO 27001, either implementing ISO 27001 as part of your Europrivacy strategy or working on how you're going to demonstrate that you have in place data protection by design and by default. Have clarity about how you've gone about compliance. Make sure that in your incident management, for instance, you've got a process in place not simply to manage incidents but to track how you do manage the incident, because you're going to have to report on that to a supervisory authority: if you have an incident, how you've gone about it, how you've met the requirements for determining whether it's a serious breach or not, that you've done what you need to do in the timescales delivered. And finally you need to carry out penetration testing. State-of-the-art mechanisms to protect data are in GDPR; Europrivacy is explicit: you need to do penetration tests on your internet-facing technologies and infrastructure to make sure that they are secure against external attack and penetration.

So, all of those steps: carry them out. Europrivacy certification is likely, unless you're already well prepared, to be something which takes a number of months to get to. The benefits are worthwhile because, as we said at the beginning, of being able to demonstrate compliance, of being compliant, of what it helps you win in the way of competitive advantage and dispel in the way of risk exposure and cost. But it's a series of blocks, steps, that you need to take.
I mentioned CyberComply. It's a tool which is, from our point of view, almost essential to build GDPR compliance. It combines a GDPR set of modules that do DPIAs, that can handle incident management, that enable you to map compliance to laws and regulations, with an ISO 27001 management system which can deal with information security. So it's an integrated set of services. There's a huge roadmap of development going on with CyberComply that will bring a whole series of documentation automation around documents into the system, but it gives you seamless automation for GDPR compliance, which is really going to be, we think, increasingly basic to making Europrivacy certification really work. You want to be able to automate risk assessments, you want to be able to automate the reviews and updates of risk assessments and ISO compliance documentation. Your typical compliance team, one or two people having to manage GDPR and cyber security compliance with more and more certifications and regulations coming along: it just gets to be impossible to do on a spreadsheet. Spreadsheets are simply not robust and they're very dependent on the individual, so as long as the individual never leaves or goes sick it probably might be OK. You need a platform that never goes on leave or is sick, you need cost-effective maintenance, you need complete integration, you need updates for GDPR regulations being fed through, and you need to be able to navigate the complexities of GDPR compliance with some kind of ease. You need a dashboard that tells you what's going on. All of those things you can get with CyberComply, so do go and have a look at CyberComply. You can link through, you can arrange to be given a demonstration of the platform. It's obviously something you can access and use on an ongoing basis, but do have a look at CyberComply; it will make Europrivacy and GDPR certification massively simpler and more robust.
Apart from CyberComply there are a number of obvious ways that you can address getting up to scratch for Europrivacy. Apart from a gap analysis, just talk to us: email us following this webinar and we can arrange to talk to you about a consultant who can come and do a gap analysis for you and put together an implementation plan, but more particularly implementation consultancy: how do we do it, what do you need to do? We're not a Europrivacy partner, but we have a number of our consultants who have been signed off by the Europrivacy team as competent to deliver Europrivacy compliance. We can do penetration tests; we've got an in-house penetration testing team that can deliver a Europrivacy-related penetration test to meet their standards. We of course can do what-ifs, we can do GDPR practitioner training, the whole panoply of everything that you need to get yourself GDPR and Europrivacy compliant. We can help, so either, when you get the slides after the webinar (and we will be circulating the slides to everybody within a day or so), click through, or simply email us afterwards or call us afterwards and say you'd like to speak to somebody about how you can be helped to tackle your approach and be the first in your sector or region to become Europrivacy compliant.
That brings me to the end of what I had planned to cover in this, really meant to be an introductory, session on Europrivacy. We have a number of other webinars planned to go into more detail about particular aspects of Europrivacy compliance, so that we can help those organizations who are addressing it on their own do that, and simply to keep you clear about how things are moving ahead. You can obviously find out more about Europrivacy, GDPR compliance or anything else by going on to one of our websites, UK, EU or United States; there are lots of ways you can contact us. And that brings us through to Q&A, so let me just turn to that. If you do have questions, just repeating what I said earlier, in your GoToWebinar dashboard there is a Q&A function and you can simply go into that and type into it any questions which you have. What I will do is go through the questions: I'll read the question out, I'll answer the question, and hopefully that will give you the answer that you're looking for.
What's the difference between BCR and certification? If a company has BCRs, is certification recommended as well? Well, if you have binding corporate rules, BCRs, those are recognized by the supervisory authority. You've designed them specifically to meet the requirements of your own organization and they demonstrate to the supervisory authority that you have a mechanism for managing your GDPR compliance. But binding corporate rules are not necessarily the same as being able to demonstrate to stakeholders and customers that you're GDPR compliant. A Europrivacy certificate, on the basis of having BCRs in place, assuming your BCRs are comprehensive, should be relatively easy to get, but Europrivacy certification, in our view anyway, gives you a big step forward because it is an external validation, an external demonstration by a third-party certification body that you're GDPR compliant, that your binding corporate rules are GDPR compliant, that you've done everything required. It's a stakeholder and customer demonstration. So while you've always got to validate it for yourself, that would be our view of Europrivacy compliance: I would build it on top of binding corporate rules.
If a DPO is not required for a company, can the company perform a self-certification that demonstrates compliance? Well, there's nothing ever stopping an organization doing a self-certification, but Europrivacy at the moment doesn't provide a framework by which your self-certification can be recognized. We hope that that will happen fairly quickly. There are a number of organizations who require a DPO, and their data processing obligations are likely therefore to be more significant than those of organizations that don't require a DPO, which is for us logically why, in the initial stages anyway, the certification focuses on DPOs. Yes, as with ISO 27001, you can say that you are compliant with Europrivacy. It's worthwhile doing, there are benefits, and at the point when hopefully the Europrivacy mark gets extended to all other organizations it'd be very easy then for you to make the step on from where you are to formal certification.
What's the difference between BCR and certification of the company? I think I've just answered that. Will it replace the need for a company to put in place SCCs and BCRs? Well, not necessarily, because international data transfers is one of the areas that Europrivacy certification looks at. So if you think about the issue of SCCs or BCRs from the point of view of a third party, say a data subject looking at your organization, it's not clear whether you process data, where you process data. You are supposed to be clear that data is processed outside the European Union or the UK, as the case may be, and the basis on which that's lawful, and if it's being processed in a country for which there is not an adequacy finding there has to be in place either, for an international organization, BCR or binding corporate rules, or standard contractual clauses. And standard contractual clauses are exactly that: they come from the EDPB or the supervisory authority, and they're standard clauses that you have to adopt and comply with. A data subject doesn't know whether you've got those or not. It's not a badge you can put on your website or on your letterhead saying, you know, we have standard contractual clauses; it doesn't mean very much to a data subject or to a key customer of yours. A Europrivacy certificate does, in exactly the same way as an ISO 27001 certificate is something you can put on your website, you can put on your letterhead, you can put on your business cards. It's an externally, third-party validated certificate of compliance covering a broad range of issues that simply having SCCs done doesn't. So SCCs and/or BCRs, those are, if they're legally necessary, legally necessary; Europrivacy certification is something which sits on top of that and tells the outside world that you've done those things absolutely correctly.
Does IT Governance cover training for implementer and auditor for the certification? At the moment we cover training for GDPR practitioner and for lead auditor. We are trying to arrange to become a recognized trainer for practitioner, for implementer and auditor for Europrivacy, because it's a logical extension to the range of areas that we already offer training in, and we hope to have good news on that front relatively soon.
Thanks for the session. How important would you say it is for an organization that is ISO 27001 certified to go for Europrivacy certification as well? That depends on how important personal data processing is to your organization. I would hope that in your ISO 27001 certification you've already got personal data in the scope of the standard, and you've therefore already got GDPR recognized under clause 4.1, the way in which you go about recognizing the requirements of interested parties around security of data processing. If you've already done that, if personal data processing is already in there, well, Europrivacy is a step beyond ISO 27001. ISO 27001 focuses primarily on the security of the processing; Europrivacy says OK, you're doing that, are you also doing it lawfully, are you also doing the processing completely in line with the requirements of GDPR? So if you've got ISO 27001 and you want to convince customers, either corporate, directly or indirectly, or individuals, personal data subjects directly, then Europrivacy is the step one beyond it. If you think of ISO 27701, which is a personal information management system that can be part of the scope of your 27001 certification: if you've got 27701 in your ISO 27001, I would almost certainly say do Europrivacy, because it should be a cinch, it should be very easy to get to. But Europrivacy's benefits focus, beyond ISO 27001, on telling data subjects that you are processing data both securely and lawfully, that you pay the necessary and required attention to the rights of data subjects.
Is this something to look at if our organization is purely UK based? So the answer is that Europrivacy has already secured an extension to cover UK GDPR. If you want to be able to demonstrate that you're UK GDPR compliant, Europrivacy is a certification that enables you to do that. It's the same set of requirements: UK GDPR at the moment is not fundamentally different from EU GDPR. The differences are in scope of data processing, in definition of international borders and so on, but otherwise it's essentially the same law. So Europrivacy, because it has an extension to cover the UK, is a very sensible thing for a UK organization to do that wants to be able to demonstrate to its customers that it's GDPR compliant.
Would using Gmail and AWS constitute data transfer if no data is accessed in the USA? You have mentioned using emails earlier; can we treat data flowing via US servers as in transit? You can't treat data flowing via US servers as data in transit, I'm afraid, because the GDPR specifically says that data that is processed outside of the EU can only be done so lawfully if it's being processed in a country for which there is an adequacy finding from the European Commission, or for which you have standard contractual clauses in place, or, if you're an international organization, you have binding corporate rules in place, all of those having done a risk assessment to ensure that the processing of data in the third country is going to be done at a level of security similar to what you get in the European Union. And up until very recently, with the failure of the EU-US Privacy Shield, that did not include the US, and processing data with AWS or Gmail, with any processor that is processing data in the US (there's no such thing as in transit; in transit is processing, it falls within the definition of processing), would have been illegal. The recently agreed data protection framework between the EU and the US makes it legal. It's worth doing, it's worth getting on top of as quickly as you can. The EDPB has recognized it, the European Commission has recognized it. noyb and Max Schrems have promised to tackle it at the European Court of Justice on account of US law enabling the state to access personal data in a way that isn't allowed in the European Union, but for the time being it's legal; it might be legal for several years. So you can do it, but you need to be very clear that that's the legal basis on which you're processing data in the US. I hope that's not too worrying an answer for you at the moment.
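The data-flow mapping point made earlier and the transfer rule in the answer above, as an added example that is not part of the webinar or of any IT Governance or Europrivacy tooling: a small Python check over a constructed data-flow map that treats every non-EEA hop, including transit through a US server, as a transfer, and flags flows that have no adequacy decision, SCCs, BCRs or EU-US Data Privacy Framework (DPF) basis. The EEA and adequacy country sets, the processors and the flows are all constructed assumptions for illustration.

```python
"""Data-flow map transfer check. Constructed example; not the webinar's,
IT Governance's or Europrivacy's code. Models the speaker's rule: data that
is stored on or routed through a server outside the EEA is processed there,
so the flow needs an adequacy decision, SCCs, BCRs or the DPF to be lawful."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed, illustrative subsets only: maintain against the Commission's lists.
EEA = {"AT", "BE", "DE", "DK", "ES", "FR", "IE", "IT", "NL", "PL", "SE"}
ADEQUACY = {"GB", "CH", "JP", "CA", "NZ", "KR", "IL", "AR", "UY"}


@dataclass
class Flow:
    """One line of the data-flow map (the Article 30 record of processing)."""
    name: str
    processor: str
    hops: List[str]                  # countries where data is stored or routed
    mechanism: Optional[str] = None  # "SCC", "BCR" or "DPF"
    intra_group: bool = False        # BCRs bind only entities of one group
    risk_assessed: bool = False      # transfer risk assessment completed


def transfers(flow: Flow) -> List[str]:
    """Every non-EEA hop is a transfer: 'in transit' is still processing."""
    return [c for c in flow.hops if c not in EEA]


def check_flow(flow: Flow) -> List[str]:
    """Return findings that make the flow unlawful as mapped (empty = OK)."""
    findings: List[str] = []
    for country in transfers(flow):
        if country in ADEQUACY:
            continue  # covered by a Commission adequacy decision
        if flow.mechanism == "DPF" and country == "US":
            continue  # DPF: adequacy for certified US recipients only
        if flow.mechanism == "DPF":
            findings.append(f"{country}: DPF covers only certified US recipients")
        elif flow.mechanism == "BCR" and not flow.intra_group:
            findings.append(f"{country}: BCRs only bind entities of the same group")
        elif flow.mechanism not in ("SCC", "BCR"):
            findings.append(f"{country}: no adequacy decision and no transfer mechanism")
        elif not flow.risk_assessed:
            findings.append(f"{country}: SCCs/BCRs need a transfer risk assessment")
    return findings


def flagged(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map flow name -> findings, for the flows that need attention."""
    return {f.name: check_flow(f) for f in flows if check_flow(f)}


def sample_flows() -> List[Flow]:
    """Constructed data-flow map; processors and hops are illustrative."""
    return [
        Flow("crm", "EU-hosted CRM", ["DE"]),
        Flow("mail", "Gmail (example)", ["IE", "US"]),            # no basis at all
        Flow("backups", "AWS (example)", ["IE", "US"], "SCC", risk_assessed=True),
        Flow("payroll", "Group entity", ["FR", "IN"], "BCR", intra_group=True),
        Flow("analytics", "Swiss vendor", ["CH"]),                # adequacy decision
        Flow("support", "US helpdesk", ["US"], "DPF"),
        Flow("dev", "Offshore dev shop", ["IN"], "DPF"),          # DPF misapplied
    ]


if __name__ == "__main__":
    for name, findings in flagged(sample_flows()).items():
        print(name, "->", "; ".join(findings))
```

Running the check against the map after each change, rather than once at certification time, is what keeps the record current as flows change.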
How does this fit with ISO 27701? I already answered that, but I'll just cover it again. ISO 27701 is an ISO standard for a personal information management system. You can be certified against it only if it is within the scope of your existing ISO 27001 certificate, so you'll get a 27001 compliance certificate that includes the statement that you have ISO 27701 in place, that you've been audited for compliance with that standard. It's a personal information management system; it will cover pretty much everything that Europrivacy covers. It's designed to be a generic personal information management system, but again, if you're thinking about how do I convince stakeholders, how do I convince customers, particularly the individuals that I'm dealing with, that we are GDPR compliant, Europrivacy is a step beyond that. It should be very easy for you to get a Europrivacy certificate on the basis of a 27001/27701 combined certificate, because you should be, if anything, pretty well there. There might need to be a little bit more very specific work done around making sure that your lawfulness of data processing, the way in which you meet the requirements around human rights, the way in which you deal with data processors, are very specifically GDPR compliant, but you should be pretty well there.
Do keep the questions coming. Is this something... how does this fit with ISO 27701? I've already dealt with that. Is the certification only for GDPR? For international organizations in respect of several data laws, how will it help when having to justify compliance with other laws? So the answer is: the certification is the Europrivacy certification. The Europrivacy body recognizes that organizations increasingly have to comply with more than one set of regulations, so they are negotiating with other countries for recognition of certificates, so that the Europrivacy certificate can be extended to cover compliance with those countries, and that includes right now, for instance, the UK. I believe it includes Canada's PIPEDA. So you just want to check with us or with the Europrivacy team; they're able to tell you which other countries are currently covered by the Europrivacy certificate. But the single Europrivacy certificate, as long as you're clear about what you want to have in scope, you should be able to extend to cover a growing number of countries, so it should become over time the single most straightforward way of demonstrating compliance with all of the things with which you have to comply. And even if Europrivacy doesn't today enable you to demonstrate compliance with everything you have to do, I would still do it if you have to have, say, EU GDPR compliance, because it gives you the framework that you can then simply continue extending from a certification point of view as other countries come within the ambit of the Europrivacy certificate.
Finally: how does ISO 27001:2022 change compared to ISO 27001:2013? And the good news for you in answer to that question is that we've done a whole series of webinars on exactly that, on the differences between ISO 27001:2013 and ISO 27001:2022 and on how to go about making the transition. You can access all of those; they are on our website. If you can't easily find them, please do email us and we'll send you a link directly that enables you to go and have a look at those webinars on the transition.
And ladies and gentlemen, that kind of looks as though we're getting to the end of questions on this. What is the application process and how is costing assessed? A good question. There are two steps. One is you need to make sure that you're ready for certification, so you do that by talking to us: you email us, we'll talk to you, we'll give you a scope, we'll work out what it is you need to do, we'll give you a price. For certification you go to a Europrivacy-accredited certification body: you go to the Europrivacy website and you'll be able to see which certification bodies are accredited to do certifications, and the process of getting a price for doing that is exactly the same as getting a price for an ISO 27001 certification: you talk about scope, you get a price, you get a competing price, but it's exactly as you get an ISO 27001 certificate. Is the scheme accredited? If the website says it's aligned then it's aligned; it's not accredited, I think, is the answer to that question.
And ladies and gentlemen, I think my voice is going to pack up on us, so I would like to thank you all for having been on this webinar today. If it's been useful, as I said, we'll be sending the information out to everybody so you'll be able to access it separately, but there will be another series of webinars. As I said, please do come on, enjoy those, find them useful, and if we can help you on your Europrivacy journey please take full advantage of our services in the EU, the UK and the US to help you do that. Thank you all; I hope you have a safe, secure and compliant rest of September. Bye.