Europrivacy Introduction – Your Gateway to Certified GDPR Compliance

00:00

the broadcast is now starting all

00:02

attendees are in listen only mode

00:22

ladies and gentlemen good afternoon and

00:25

welcome to this webinar on Europe

00:28

privacy introducing what could be your

00:31

gateway to certified gdpr compliance

00:36

my name is Alan Calder I'm your host

00:39

for this afternoon I'm the founder of

00:41

I.T governance which is the main company

00:43

in the ERC International

00:46

Group I've been involved in the cyber

00:49

security and privacy world for some 25

00:52

years I've written a number of books on

00:54

gdpr on cyber security

00:57

and of course it governance is a global

01:02

leader in the world of gdpr and

01:05

particularly through ISO 27001 we have

01:10

pushing 200 people in the business we've

01:13

been at it for about 20 years we've

01:15

served some 12 000 clients across five

01:17

continents and we recently became a an

01:20

official partner of Euro privacy and you

01:23

can read more about that on the Euro

01:26

privacy website

01:29

today's webinar really is going to be

01:31

focusing on Europe privacy you'll notice

01:34

that you are all on mute and that's

01:37

designed to ensure that there's no

01:38

background noise and so on but as I go

01:40

through the webinar

01:43

um I'm sure you'll find that there are

01:45

questions you want to ask please do use

01:46

the question function in your go to

01:49

webinar control panel that's the chunk

01:53

of functional text and icons that will

01:57

be set on your screen there's a question

02:00

line in there you can click on it you

02:02

can type questions into that question

02:04

box and when we come to the Q a section

02:06

which will be about 40 or 45 minutes

02:08

from now I will okay the questions I'll

02:11

read out whatever questions there are

02:13

and then assuming that I can I'll answer

02:15

the question for everybody so everybody

02:17

knows both the question and the answer

02:20

so that's the format for today

02:23

I.T governance as a business is a

02:27

company who which is built around the

02:29

logic that our expertise our expertise

02:32

in information security

02:34

in privacy and deployed in your business

02:37

should give you peace of mind that

02:40

enables you to focus on doing what you

02:42

do best in serving your clients we've

02:44

carried out more than 1300 organizations

02:47

working with clients to deal with either

02:49

twenty seven thousand one compliance

02:52

1600 cyber security and privacy projects

02:55

in one sort another more than seven

02:57

thousand cyber essential certifications

02:59

and we've helped uh some 1100 companies

03:03

on their broader governance risk

03:05

managements and compliance activity so

03:08

we have a huge amount of experience that

03:11

we can draw on to deliver services to

03:15

our clients and that of course form part

03:18

of the background and content of

03:21

the webinar today

03:24

so um what am I going to talk about and

03:27

look first of all give an introduction

03:28

to Euro privacy and what its role is in

03:31

achieving gdpr compliance we look at the

03:33

benefits and key principles of Europe

03:35

privacy certification we'll have a brief

03:38

look at how you can make gdpr compliance

03:41

start your gdpr compliance journey and

03:44

then some practical advice and solutions

03:45

to uh to get you going so let's start

03:49

with the origins of the Europe privacy

03:51

certification as you all know gdpr ukg

03:56

EU gdpr what's now known as EU gdpr has

04:01

been around since May 2018 it's been in

04:04

force effective since May 2018 but at

04:07

first became a law in May 2016 so it was

04:10

a two-year transition period and of

04:12

course one of the big questions that

04:14

existed right the way through the

04:16

transition period and businesses how do

04:18

we prove that we are gdpr compliant

04:20

we've done everything we think we should

04:22

do how do we prove that we're gen

04:24

genuinely compliance and that is a an

04:26

important question because you have

04:29

clients asking you that that's relevant

04:31

not only to just normal services that

04:34

you provide but particularly if you are

04:37

a data processor when of course the

04:40

controller who's providing the data

04:41

you're processing specifically needs to

04:43

know whether or not your gdpr compliant

04:45

it's also a useful aspect of dealing

04:48

with breaches and so on a supervisor

04:50

Authority will say and are you gdpr

04:52

compliance of course the moment you're

04:54

going to go say yes to the best of our

04:56

ability or the best of our knowledge of

04:58

the final Arbiter has typically been a

05:01

judge and a case being brought you

05:03

either win or lose Europe privacy

05:06

changes that substantially so it's a

05:08

significant step forward for all

05:10

organizations it's the first

05:12

certification mechanism

05:15

just by the European data protection

05:17

board as a European data protection seal

05:20

article 42 of gdpr defined that seals

05:26

certificates could come into existence

05:29

that would demonstrate compliance with

05:32

the edpr or with particular skills

05:34

requirements the case may be and Europe

05:37

obviously therefore as a certificate as

05:39

a certification mechanism enables

05:41

organizations to demonstrate their data

05:43

processing activities comply with gdpr

05:46

and by extension because

05:49

extension is negotiated with

05:53

other countries with other relevant

05:55

National and international regulations

05:56

so you just think about what does that

05:59

shift mean if we can simply have a

06:01

certificate that says we're compliant

06:03

it's a huge simplification of a whole

06:07

calendars that exist talking to

06:10

clients talking to Regulators talking to

06:13

stakeholders and partners

06:15

your privacy was developed through the

06:17

European research Horizon program in

06:20

2020 co-funded by the European

06:24

commissioner by Switzerland approved in

06:27

October 2022 by the European data

06:29

protection board and it's managed by the

06:32

European Center for certification and

06:33

privacy based in Luxembourg it's

06:36

recognized in all 27 member states of

06:39

the European Union it's a pan-eu

06:42

certification and is applicable to both

06:45

data controllers and data processes

06:48

it's available only to organizations

06:50

that are required to appoint a DPO so at

06:54

this stage anyway one of the core

06:57

requirements before you can get

06:58

certified is are you required to have a

07:00

data Protection Officer so

07:03

uh so that's kind of relevant to

07:04

everybody

07:05

certification to be achieved

07:07

organizations have to meet

07:09

the core criteria the Euro privacy gdpr

07:13

core criteria they cover various aspects

07:16

of data processing and protection and

07:18

allow organizations to assess Reliance

07:20

compliance in respect of the lawfulness

07:23

of your data processing how you deal

07:26

with processing special data data

07:28

subjects rights and your compliance with

07:30

the requirements around

07:32

measifying and protecting the rights of

07:35

data subjects the response

07:37

responsibilities of data controllers the

07:40

responsibilities of data processors to

07:43

data controllers the security of

07:46

processing of data and how you deploy

07:48

data protection by Design the management

07:50

of data breaches deployments of dpias

07:54

where they're acquired how your DPO

07:56

operates and remembering dpas have to be

07:59

in the UK and the EU Independence of the

08:03

processing on which they comment and how

08:06

data is transferred personal data is

08:07

transferred to third countries or to

08:10

International organizations all the core

08:11

areas of gdpr are covered by Euro

08:15

privacy certification and a certificate

08:17

is valid for three years and the core

08:22

criteria are complemented by contextual

08:25

checks and controls around technology

08:26

and domain specific obligations and of

08:29

course Technical and organizational

08:31

measures checking controls to ensure

08:34

that they meet security requirements so

08:36

it's a fundamental do you or do you not

08:38

comply pdpr certification

08:43

International trademark has registered

08:45

obviously across the EU and a number of

08:46

other jurisdictions its recognition

08:49

extends Beyond EU borders means it's

08:52

relevant for organizations in the US or

08:55

the UK who are providing Services into

08:57

the European Union that are required to

08:59

have a DPO and the gdpr compliance if

09:03

you can buy it to the whole of your

09:05

operation certainly it can apply in the

09:07

context of the personal data you're

09:10

processing in scope for gdpr compliance

09:12

and it demonstrates that the

09:14

organization has a serious commitment to

09:17

high data protection standards and

09:19

compliance with gdpr on a global sale so

09:22

you can think of it as an international

09:23

trademark that generates gdpr compliance

09:26

or you can look at it simply as how do

09:28

we demonstrate to our EU customers that

09:32

we are gdpr compliant

09:35

you think about benefits obviously the

09:39

first major benefit is demonstrating

09:41

legal compliance and I can't I just

09:43

can't stress enough how useful it is to

09:46

be able to go no I don't have to uh

09:49

write a letter I just simply give you my

09:51

certificate number we are gdpr compliant

09:54

we're also UK gdpr compliant because the

09:58

extension negotiated with the UK we can

10:00

demonstrate that we comply with UK gdpr

10:02

which is currently only slightly

10:04

reference to EU gdpr or pivoter in

10:07

Canada as their case may be so it's a

10:09

it's a solid demonstration of compliance

10:13

with EU gdpr and a growing number of

10:16

other National or jurisdictional data

10:18

privacy regulations

10:21

should enable you to demonstrate to

10:24

customers that they can trust you so the

10:25

improved trust uh the commitment that

10:28

you're making it's data protection

10:29

should really build trust with customers

10:31

partners with regular authorities with

10:33

stakeholders and should therefore give

10:35

you a competitive Advantage we're still

10:38

really at the early adopter very

10:40

beginning of the early adopter stage in

10:43

um

10:45

curve for Europe privacy and so the

10:48

first organizations will be able to say

10:50

you know we are so far ahead of our

10:52

competitors in terms of demonstrating

10:54

our commitment to protecting personal

10:56

data remembering the personal data

10:57

protection has become a much much bigger

10:59

issue for particularly consumers over

11:02

the last five or seven years

11:05

certification reduces the risk of

11:07

non-compliance fines reduces the risk of

11:11

legal issues related to the data

11:13

protection because

11:15

um you know that if you have a breach

11:18

and you know remember you're going to

11:19

have breaches whether you're

11:21

EU privacy certified or not what the

11:25

Civic enables to demonstrate and answer

11:26

the question of were your gdpr compliant

11:29

is yes we are we have external audits we

11:32

have a certificate we were compliance so

11:33

your risk of major exposure uh when you

11:37

have to report a breach to a supervised

11:39

Authority is by definition a

11:41

significantly reduced simply because you

11:43

can demonstrate beyond the doubt that

11:45

you are gdpr compliant

11:48

so the the if you like boiling that down

11:51

to uh some of the key principles

11:53

lawfulness of data processing

11:56

demonstrating as part of your auditing

11:58

the certification is carried out by an

12:01

independent third-party certification

12:02

orders so exactly the same logic as for

12:05

ISO 27001

12:07

um a certification body like BSI or dnv

12:10

one of those who have become an

12:12

accredited uh Euro privacy certification

12:15

body or do an audit and certify your

12:18

compliance with the standard a

12:20

consultancy body a partner like I.T

12:23

governance will provide services that

12:25

help you become compliant but we won't

12:27

do the certification audits so

12:30

lawfulness of data processing uh it's a

12:33

vehicle requirement so part of the

12:35

process of preparing for Euro privacy

12:38

certifications making sure that you're

12:40

very clear about lawfulness and

12:42

processing and that your processing is

12:43

all being carried out in compliance with

12:45

your legal obligations

12:48

I'm respecting and upholding rights of

12:50

individuals regarding personal data the

12:53

eight rights of data subjects around for

12:56

instance access rectification Erasure

12:58

and so on demonstrating that those are

13:01

all in place that you have mechanisms

13:04

that enable people to exercise those

13:07

rights to make it easy and

13:08

straightforward for them to do so and

13:10

that you're carrying out you can

13:12

demonstrate that you are

13:14

clearly delivering undefined data

13:18

controller responsibilities you're

13:20

managing personal data in line with the

13:23

requirements of the standard and that

13:26

will extend to areas in which you're a

13:28

joint controller with an organization or

13:31

there are two controllers processing

13:33

data simultaneously but be really clear

13:35

about the delineation of data controller

13:37

responsibilities and applying them and

13:39

being accountable for the the

13:42

application of the six data protection

13:44

principles

13:47

processor making sure that your

13:50

processing is in compliance to the gdpr

13:52

and that means handling data

13:54

specifically in compliance with the

13:56

documented requirements of the data

13:59

control level controllers for whom

14:00

you're doing the processing so the first

14:02

four major key principles of Europe

14:06

privacy certification

14:08

security of processing and data

14:10

protection by Design and default equally

14:13

important in gdpr is of course the

14:16

general data protection regulations that

14:18

is about protecting data and the

14:21

breaches that you have to report are

14:22

breaches because they compromise the

14:25

confidentiality Integrity or

14:27

availability of data in a way which

14:29

poses a risk to the rights and freedoms

14:31

of natural persons and so demonstrating

14:34

the implemented robust security measures

14:36

and data protection principles is

14:38

another key element of your gdpr

14:40

compliance we've for a long time said

14:42

privacy and cyber security on different

14:45

sides of the same coin and that's

14:47

exactly what gdpr says and that's

14:50

exactly what the European certification

14:52

recognizes and goes beyond just simply

14:54

saying you need to do data security it

14:58

says if you want an ISO 71 72 if you

15:00

have an ISO twenty seven thousand one

15:03

certificate that will serve to

15:04

demonstrate without you needing to do a

15:06

whole bunch more in the certification

15:08

orders that you have a compliance data

15:12

protection regime so um there's a

15:15

logical step from ISO 27001

15:18

certification which in the scope you

15:22

would logically include personal data

15:24

and that would build into the next step

15:27

of getting your overall processing

15:30

personal data certified of your privacy

15:33

certification as a 27 000 is a major

15:35

building block um of that

15:38

how you manage data breaches so instant

15:40

response uh um and being able to track

15:42

if gdpr requires you to track what you

15:44

do with incident response so using an

15:46

incident response tool that um Audits

15:49

and keeps information around how you

15:50

handle uh incident incidents is another

15:53

key building block of

15:56

um

15:57

your privacy compliance data protection

15:59

impact assessments remember doing a dpia

16:01

isn't always necessary but identifying

16:04

whether or not you needed one is always

16:06

necessary when there is a significant

16:09

change in the way in which you process

16:11

data for the deployment of a significant

16:14

new piece of personal data processing

16:18

software so a dpia process that may or

16:22

may not lead to carrying out a dpia

16:24

appointments of a DPO where that is a

16:27

where that is mandated and managing

16:29

transfers of personal data in compliance

16:31

with with Euro with gdpr and that

16:35

particularly applies to third countries

16:38

like the United States and for the EU

16:41

all of the countries who are currently

16:44

recognized as having adequate data

16:46

protection regimes

16:48

and of course what happens beyond that

16:50

and the recent data transfer mechanism

16:53

the theor of privacy that the EDP be

16:56

assigned off on and the European Council

16:58

has signed off on the labels transfer of

17:00

data between the EU the UK Switzerland

17:03

and the us legally is currently a key

17:07

component of

17:09

managing International transfer as a

17:12

person like remember International

17:13

transfers of personal data can include

17:15

the transfer of information like cookies

17:18

data assuming that you're still using

17:20

cookies that can include the transfer of

17:23

personal data because you're using a an

17:27

email

17:29

provider who is based in the United

17:31

States so so all of those components

17:34

have to be addressed so key building

17:36

blocks of Europe privacy certification

17:38

are things you should be doing anyway uh

17:40

what Europe privacy as a standard does

17:41

is encourage you to put all of those

17:44

things together and make sure you're

17:45

doing them consistently and consistently

17:47

well and I'll come back to the logic of

17:49

doing that on a platform which enables

17:52

you to link the identification of risks

17:55

to the protection of personal data

17:58

through to how you manage data breaches

18:01

to dpias to transfers of personal

18:04

relation to be able to handle all of

18:05

those in a platform environment which

18:07

means that you've got consistency of

18:09

data a consistency of data processing

18:11

that a

18:13

an external auditor can review and can

18:15

see how robustly you handle is a key way

18:18

to build a long-term Euro privacy

18:21

certification remember it's a three-year

18:22

certificate you have surveillance visits

18:24

through the three-year period a

18:26

recertification at the end of the

18:28

three-year period and being able to

18:30

demonstrate that you can do all of that

18:32

is part of how you get certification so

18:35

key building blocks of

18:37

Euro privacy certification

18:40

your privacy as a certificate should

18:42

align absolutely with your current gdpr

18:45

compliance activity that seems pretty

18:47

logical to me Euro privacy is a

18:50

structured approach to how you go about

18:52

complying with gdpr so um you know while

18:55

you might think of gdpower starting with

18:57

article one and working all your way

18:59

through to the bit just before it tells

19:01

supervising authorities and the edpb how

19:04

to behave that's what you've got to do

19:06

but what your ability does is if you

19:08

like gives you a really structured way

19:10

to think about

19:11

gdpr compliance what the building blocks

19:14

are and how you go about doing that

19:17

so it encourages of course it's a

19:19

management system continuous Improvement

19:22

certification carriages continuous

19:24

Improvement in data protection practices

19:26

and that's not just because gdpr

19:28

regulations evolve but because the

19:32

requirements of gdpr is that you deploy

19:34

uh

19:36

functionality or technology that is

19:39

state of the art to manage risks to

19:43

write some freedoms of data subjects and

19:45

and that means you've got to continue

19:46

evolving your management system you've

19:48

got to continue learning from incidents

19:51

you've got to continue deploying the

19:52

learnings into making your processes

19:54

work better so that you don't have a

19:56

repeat what

19:57

Regulators supervising authorities hate

20:00

to see as the fact that you have this

20:02

data breach and you have the same data

20:03

breach and then you have the same data

20:05

breach at time and time again you should

20:06

be learning from them you know the the

20:09

UK Ico just in the last four or five

20:12

weeks observed that in the last five

20:15

years the most commonly reported data

20:17

breaches and this use of carbon copy in

20:19

an email where a list of email addresses

20:22

that should go into the BCC field in the

20:25

email yet mistakenly

20:27

plug it into the CC field which means

20:30

that everybody else can see who got an

20:31

email which could be a breach of gdpr

20:35

because it might involve the email might

20:38

include sensitive information for

20:39

instance which will tell everybody else

20:41

on the list that everybody else on the

20:44

list is

20:45

whatever it is has a particular illness

20:47

so misuse of carbon copy is a common

20:50

thing if it happens once you should be

20:53

working out how to improve on the

20:55

activity inside the organization so it

20:57

doesn't happen again

20:58

regularly compliance much simpler

21:01

customer checks way simpler it's makes

21:06

your life much easier from a global

21:08

business point of view when you've got

21:10

to fill in those increasingly long rfps

21:16

are you gdpr complaint you should just

21:18

be able to go here's my Euro privacy

21:20

certificate yes we are gdpr compliant

21:22

I'm not going to answer the questions

21:24

because by definition we are compliant

21:26

so it should be operationally as well as

21:29

legally and practically a genuine

21:33

Improvement and simplification of your

21:35

working life

21:38

how do you go about

21:40

tackling your privacy how do you start

21:43

the journey from your current state of

21:46

gdpower compliance to Euro currency

21:49

certification

21:50

and it's logically a strategic approach

21:53

you want to align what you currently do

21:56

in terms of gdpr compliance with the

21:59

requirements of the Euro privacy

22:01

standards so

22:03

um as I said Europe privacy provides a

22:06

strategic approach so look the framework

22:08

look at the blocks the building blocks

22:10

and look at what you currently do in

22:12

terms of gdpr to make sure that what you

22:15

are doing meets the requirements of each

22:17

of those blocks rather than trying to

22:19

work your way through all of the Clauses

22:21

one by one you can just simply go block

22:23

by block how do we comply with what gdpr

22:25

requires

22:27

foreign

22:30

principles where they are specific

22:32

principles into your documentation into

22:35

your existing data processing procedures

22:37

so that you can demonstrate that your

22:40

gdpr compliance is

22:42

within the Euro privacy framework so

22:45

these specific building blocks the

22:46

principles all want to be clearly

22:49

identified in the documentation in your

22:51

staff awareness training and so on so

22:52

that everybody understands that you're

22:55

not just gdpr compliant you are you're a

22:57

privacy compliant you have a Euro

22:59

privacy compliance certificate

23:01

and see the key steps that you take is

23:04

number one is the gap analysis uh lo and

23:07

behold virtually every regulatory or

23:09

framework compliance project we'll start

23:11

with a gap analysis because of course

23:13

you're already doing a number of things

23:14

that you should be doing and what you

23:16

want to find out is the gap between what

23:18

you are doing and what you should be

23:19

doing and so a gap analysis either using

23:23

a tool or with a an external consultant

23:26

Society governance or somebody like that

23:28

who knows their way around the standard

23:29

will be able to look at what you

23:31

currently do look at the requirements of

23:33

the standard and tell you what the Gap

23:34

is between

23:36

as is and to be and give you a map

23:39

towards cheating that so that's the uh

23:42

the starting point it enables you then

23:44

to put together a a plan that outlines

23:48

the steps the resources the timelines

23:49

required to integrate the Euro privacy

23:52

principles

23:53

some of your gdpr compliance activity it

23:56

might have fallen off over the course

23:58

the last four or five years because you

24:00

know life

24:01

um and and that

24:03

means you can identify the extent to

24:06

which you're ready to meet the core

24:07

criteria and be assessed for compliance

24:12

one of the key elements of uh Europe

24:15

privacy and this is it's in the standard

24:18

is that you are able to demonstrate that

24:21

you've mapped data flows and mapping

24:22

data flows is a requirement because it's

24:24

how you can demonstrate that uh you know

24:28

where your data is going when you have a

24:30

data breach you need to be able to

24:32

identify what steps you need to take to

24:34

deal with the data breach you need to be

24:36

clear about where data is Flowing beyond

24:39

the European Union or Beyond a country

24:41

which hasn't recognized as adequate data

24:44

protection regime because you need to

24:45

have in place additional protections to

24:49

ensure the lawfulness of that processing

24:52

there's also an article 30 requirement

24:54

that your data flow mapping is clear

24:57

about what data you are processing and

25:00

and so

25:01

and many organizations don't actually do

25:03

this very well so gdpr compliance looks

25:06

for you to do that it could be a major

25:08

area that you've got to focus on early

25:09

on and your data flows may have changed

25:12

since you became vdpr compliant and so

25:15

using typically a data flow mapping tool

25:18

uh is a way that you can not only map

25:20

what you're currently doing but creates

25:22

a robust basis for maintaining and

25:25

updating that as time goes on because

25:27

you know you change flows as

25:30

as life happens you find better ways to

25:32

do things so you need to be able to

25:33

update data flow in a robust environment

25:37

so Gap analysis A compliance or an

25:41

implementation plan which would start

25:43

probably with data flow mapping or

25:45

updating your data flow mapping how

25:47

ready are you for a gdpr Euro privacy

25:51

compliance assessment

25:55

competence and staff awareness both

25:57

critical areas you need to have people

25:59

who are managing gdpr who are competent

26:01

to do that so A gdpr practitioner

26:04

certification

26:05

a Euro privacy awareness and making sure

26:09

that your staff training and awareness

26:10

includes gdpr and any of the specific

26:13

Euro privacy principles so you need to

26:16

build that out make sure that you can

26:18

demonstrate that your staff or aware

26:21

because you know simple things like

26:24

um uh data subjects access requests

26:28

could be passed as you know to any

26:30

member of staff so training staff to

26:32

recognize their obligations uh to know

26:34

how to deal with data protection uh

26:37

requirements as a key part of gdpr

26:39

compliance and therefore of Europe

26:40

privacy uh certification

26:43

so you modify your processes you might

26:46

not need to do anything dramatic it

26:48

might just be minor changes in in

26:50

documentation or in activity to make

26:51

sure the key principles particularly

26:54

around data security measures if you

26:56

don't have ISO 27001 implementing either

27:00

implementing ISO 27001 as part of your

27:02

Euro privacy strategy or working on how

27:05

you're going to demonstrate that you

27:07

have in place data protection by Design

27:08

and by default

27:11

I have clarity about how you've run

27:13

about compliance make sure that in your

27:16

Incident Management for instance you've

27:17

got a process in place not simply to

27:19

manage incidents but to track how you do

27:21

manage the incident because you're going

27:23

to have to report on that to uh to a

27:26

supervising Authority if you have an

27:27

incident how you've gone about it how

27:29

you've met the requirements for

27:30

determining whether it's a serious

27:33

breach or not that you've done what you

27:35

need to do in the time scales uh

27:37

delivered and finally you need to carry

27:40

out penetration testing so it's

27:44

the pro state-of-the-art mechanisms to

27:46

protect data is in gdpr Euro privacy is

27:48

explicit you need to penetration tests

27:51

you need to do penetration tests on your

27:53

internet facing

27:55

um

27:58

Technologies and infrastructure to make

28:00

sure that they are secure against

28:02

external attack and penetration so

28:06

all of those steps carry them out

28:09

Europe privacy certification is likely

28:11

unless you're already well prepared to

28:13

be something which takes a number of

28:15

months to get to the benefits are

28:17

worthwhile because of you know we said

28:19

them all at the beginning because of

28:20

being able to demonstrate compliance

28:21

because of being compliant because of

28:24

what it helps you win in the way of

28:25

competitive advantage and dispel in the

28:28

way of risk exposure and cost but it's a

28:31

series of blocks steps that you need to

28:33

take

28:35

I mentioned cyber comply it's a tool

28:38

which is from from our point of view

28:41

almost essential to build gdpr

28:44

compliance it combines a gdpr set of

28:48

modules that do dpias that um uh

28:52

can can handle Incident Management that

28:55

enable you to map compliance to laws and

28:58

regulations with an ISO 27001 management

29:01

system which can deal with information

29:03

security so it's an integrated set of

29:06

services there's a huge roadmap of

29:09

development going on with cyber comply

29:11

that will bring a whole series of

29:13

documentation automation around

29:15

documents into the system but it's

29:19

gives you a seamless automation for gdpr

29:22

compliance which is really going to be

29:26

we think increasingly basic to making

29:29

your privacy certification really work

29:31

you want to be able to automate risk

29:33

assessments you want to be able to

29:34

automate the reviews and updates of risk

29:36

assessments and ISO compliance

29:38

documentation your typical compliance

29:40

team one or two people having to manage

29:42

gdpr cyber security compliance with more

29:45

and more certifications and regulations

29:47

coming along it just gets to be

29:49

impossible to do on aspensary

29:51

spreadsheets are simply not robust and

29:53

they're very dependent on the individual

29:55

so as long as the individual never

29:56

leaves or Goes Sick

29:58

um it probably might be okay you need a

30:00

platform that never goes on leave or is

30:02

sick you need cost effects of

30:05

Maintenance you need complete

30:07

integration needs updates for gdpr

30:10

regulations being fed through and you

30:12

need to be able to navigate the

30:14

complexities of gdpr compliance with

30:17

some kind of ease

30:20

uh you need a dashboard that tells you

30:23

what's going on all of those things you

30:25

can get with cyber comply so do go and

30:28

have a look at Cyber comply you can link

30:30

through you can arrange to be given a

30:34

demonstration of the platform

30:35

um it's obviously a something you can

30:37

you can access and use on ongoing basis

30:40

but do have a look at Cyber compliant

30:42

we'll make uh Euro privacy and gdpr

30:44

certification massively simpler and more

30:47

robust

30:50

apart from cyber comply there are a

30:52

number of obvious ways that you can

30:54

address getting up to scratch for Euro

30:57

privacy apart from a gap analysis just

31:00

talk to us email us following this

31:03

webinar we can arrange to talk to you

31:05

about a consultant who can come and do a

31:08

gap analysis for you and put together an

31:10

implementation plan but more

31:12

particularly implementational

31:13

consultancy but how do we do it what do

31:16

you need to do we're not in the our

31:17

Europe currency partner but we have a

31:19

number of our Sultans who have been

31:21

signed off by

31:23

the Europe privacy team as competent to

31:26

deliver Euro privacy compliance we can

31:30

do penetration tests we've got in-house

31:31

penetration testing team that can

31:33

deliver a Euro privacy related

31:35

penetration test to meet their standards

31:38

we of course can do

31:41

um

31:43

what ifs we can do gdpr practitioner

31:45

training the whole panoply of everything

31:48

that you need to get yourself gdpr and

31:50

Europe privacy compliance we can help so

31:53

do either when you get the slides after

31:56

the webinar and and we will be circling

31:58

the slides to everybody within a day or

32:00

so you can click through or do simply

32:02

just

32:04

email us afterwards or call us

32:06

afterwards and say you'd like to speak

32:07

to somebody about how you can be helped

32:10

at tackle your approaching be the first

32:12

in your sectoral region to become Euro

32:15

privacy compliant

32:17

that brings me to the end of what I had

32:20

planned to cover in this really meant to

32:23

be an introductory session on Euro

32:25

privacy we have a number of other

32:27

webinars planned to go into more detail

32:30

about particular aspects of Europe

32:32

privacy compliance so that we can help

32:34

those organizations who are addressing

32:36

it on their own

32:37

do that uh

32:40

um just simply to keep you clear about

32:41

how things are moving ahead you can

32:43

obviously find out more about your

32:46

privacy gdpr compliance or anything else

32:48

by going on to one of our websites UK EU

32:51

or United States lots of ways you can

32:54

contact us and that brings us through to

32:58

Q and A so

33:01

um let me just turn to that if you do

33:03

have questions just repeating what I

33:05

said earlier in your go-to webinar

33:08

um

33:10

in your case we have in our dashboard

33:11

there is a q a uh function and you can

33:15

simply go into that you can type into it

33:17

any questions which you have what I will

33:20

do is I

33:22

go through the questions I will answer

33:23

them uh I'll read the question out I'll

33:26

answer the question and and hopefully

33:28

that will give you the answer that

33:30

you're looking for

33:32

so

33:33

um

33:35

what's the difference between BCR and

33:38

certification if a company has BCR is

33:42

certification recommended as well well

33:45

um if you have binding corporate rules

33:48

bcrs binding corporate rules those are

33:51

recognized by the uh super supervisor

33:55

Authority you've designed them

33:56

specifically to meet the requirements of

33:58

your own organization and they

34:02

demonstrate to the supervising Authority

34:04

that you have a mechanism for managing

34:06

uh your gdpr compliance but binding

34:10

corporate rules is not necessarily the

34:11

same as being able to demonstrate to uh

34:15

uh stakeholders customers that your gdpr

34:19

compliance uh Euro privacy certificate

34:22

should be on the basis of having VCRs in

34:25

place assuming your bcrs are

34:26

comprehensive

34:28

um should be relatively easy to get but

34:30

you're a privacy certification in our

34:32

view anyway uh gives you a big step

34:35

forward because it is an external

34:37

validation an external demonstration by

34:40

a third-party certification body that

34:42

your gdpr compliant that your binding

34:45

corporate rules are gdpr compliant that

34:47

you've done everything required it's a

34:50

stakeholder customer demonstration so

34:52

while you've always got to validate it

34:54

for yourself that would be our view of P

34:58

Euro privacy compliance I would build it

35:01

on the top of binding corporate rules

35:03

if adpr is not required for company can

35:05

the company perform a self-certification

35:07

that demonstrates compliance well um

35:10

there's nothing ever stopping an

35:12

organization doing a self-certification

35:13

but here at previously at the moment

35:15

doesn't provide a framework by which

35:17

your self-certification can be

35:19

recognized we we hope that that will

35:22

happen fairly quickly

35:24

that there are a number of organizations

35:26

who require DPO and their data

35:29

processing obligations are likely

35:31

therefore to be more significant than

35:34

organizations that don't require a DPO

35:36

which is for us logically why

35:39

the initial stages anyway the

35:41

certification focus on DPO um yes you

35:43

know as with ISO 27001 you can say that

35:47

you are compliant with Euro privacy it's

35:48

worthwhile doing there are benefits at

35:51

the point when hopefully the Euro

35:53

privacy Mark gets extended to all other

35:56

organizations it'd be very easy then for

35:58

you to make the step on from where you

36:00

are to formal certification

36:04

what's the difference between BCR and

36:05

certification of the company I think

36:07

I've just answered that

36:09

uh just answer that yes we'll just

36:11

replace the need for a company to put in

36:13

place sccs and bcrs well not necessarily

36:17

because international data transfers is

36:20

one of the areas that Europe privacy

36:23

certification looks at so

36:25

um if you think about

36:27

the issue of sccs or bcrs from the point

36:30

of view of a third party say a data

36:34

subject looking at your organization

36:36

not clear whether you process data where

36:39

you process data you are supposed to be

36:41

clear that data is processed outside

36:45

the European Union or the UK as the case

36:48

may be and the basis on which that's

36:49

lawful and if it's being processed in a

36:53

country that for which there is not an

36:55

adequacy finding there has to be in

36:57

place either for an international

36:59

organization BCR or binding corporate

37:01

rules or standard contract clause and

37:04

standard contract Clauses are exactly

37:06

that they come from the edpv or

37:10

the supervisor Authority and their

37:12

standard causes that you have to adopt

37:14

and comply with

37:16

data subject doesn't know whether you've

37:18

got theirs or not it's not a badge you

37:19

can put on your website or on your

37:21

letterhead saying you know we have

37:22

standard contract Clauses doesn't mean

37:24

very much to a

37:27

to a data subject or to a key customer

37:30

of yours a European certificate does in

37:33

exactly the same way as an ISO 27001

37:35

certificate is something you can put on

37:37

your website you can put on your

37:39

letterhead you can put on your business

37:40

cards it's a an externally third-party

37:43

validated

37:45

um certificate of compliance covering a

37:48

broad range of issues that Simply Having

37:49

secs done so um secs and or BCR was not

37:54

and or secs or BCR those are if they're

37:58

legally industry they're legally

37:59

necessary you're a privacy certification

38:01

is something which sits on top of that

38:03

and tells the outside world that you've

38:05

done those things absolutely correctly

38:09

um

38:10

does it governance cover training

38:12

implemental auditor for the

38:14

certification at the moment we cover uh

38:17

training for gdpr practitioner and for

38:20

uh um for lead audits we are trying to

38:23

arrange to become a recognized trainer

38:25

for practitioner for implementer and

38:28

auditor for Euro privacy because it's a

38:31

logical extension to the range of areas

38:34

that we already offer training in and we

38:36

hope to have good news on that front

38:37

relatively

38:38

Sue

38:40

thanks for the session how important

38:43

would you say it is for an organizations

38:45

Right iso 27 30 27 000 certified Square

38:48

for Europe privacy certification as well

38:52

um and that depends on how important

38:54

personal data processing is to your

38:56

organization I would hope that in Euros

38:59

27001 certification you've already got

39:02

personal data in the scope for the

39:04

standard and you've therefore already