
EU General Data Protection Regulation (GDPR)
Achieving compliance

GDPR – enhancing data protection and privacy

The new EU General Data Protection Regulation (GDPR) will apply across
all EU member states, with the official date for enforcement set for 25 May
2018. This reform has significant implications for business, not only for
those based in the EU, but for all organizations operating within the
EU market.

The new EU reform regulation aims to:

• Reinforce the rights of the individual – privacy by design and by default
• Strengthen the EU internal market through new, clear, and robust rules for the free movement of data
• Ensure consistent enforcement of these rules
• Set global data protection standards
• Safeguard a golden standard for data protection across all industries

Call: +44 345 222 1711 Email: [email protected] Visit: bsigroup.com


GDPR - Key information

1. Introduction of significant fines
• Tier One: Up to €10 million or up to 2% of annual worldwide turnover of the parent company, whichever is higher
• Tier Two: Up to €20 million or up to 4% of annual worldwide turnover of the parent company, whichever is higher

2. The right to erasure
When an individual no longer wishes for their data to be processed and there are no legitimate grounds for retaining it, the data must be deleted. The onus will now be on data controllers to prove that they need to keep the data, not on the data subject (the individual).

3. The concept of consent has been revised to ensure transparency
Data subjects must be fully and specifically informed at the point of collection of all purposes for which their data is used. Data subjects may now also withdraw their consent at any time, and for any reason.

4. Mandatory notification of a data breach
Organizations will now be required to report a personal data breach to their Supervisory Authority within 72 hours of becoming aware of it, and to notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

5. Portability of data
The regulation gives data subjects the right to receive their personal data in a commonly-used, machine-readable electronic format and to transfer it from one data controller to another without hindrance from the original controller.

6. Privacy by design
This is one of the fundamental ideas of the new regulation and one that aims to change the overall attitude and organizational planning towards Data Protection. Article 25 (data protection by design and by default) stipulates that Data Protection should be designed into the development of business processes and systems, not added afterwards.

7. Appointment of a Data Protection Officer (DPO)
Organizations that are public authorities, or whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, will be required to appoint a DPO. The DPO must be independent, must report directly to the highest management level of the organization, and acts as the contact point for the supervisory authority.

Achieving EU GDPR compliance

We have a range of services that can help you work towards GDPR compliance and continue to improve over time.

Did you know? BSI now has a standard (BS 10012) that helps organizations demonstrate effective management of personal information, covering GDPR requirements. For more information visit bsigroup.com

Understanding
1 Board and executive level awareness workshops
2 Data asset workflow and mapping
3 Gap analysis
4 Legal and regulatory requirements assessments
5 Data protection risk assessments
6 Training and awareness for staff

Implementation
1 Outsourced Data Protection Officer (DPO) services
2 Privacy compliance framework development
3 Data protection and privacy implementation support
4 Privacy by design support - privacy impact assessments (PIAs) and change management support
5 Support services to implement, operate, and improve “safe and secure principles” such as:
• Penetration testing
• Encryption usage review
• Incident management and breach support
• Security controls
• Certifications – e.g. PCI-DSS
• Subject access requests including eDiscovery services

Improvement
1 Data Protection partner programme service for ad hoc assistance
2 Compliance expertise reviews
3 Compliance and assurance assessments
• Privacy compliance audits
• Internal audits
• Independent third party audits
• Preparation for supervisory authority audits
• Attendance during supervisory authority audits
• External audits for data transfers outside the EU

No matter where you are in meeting GDPR requirements, we can help you achieve compliance at each stage of the journey.



Data protection training courses
We provide a range of training courses in privacy and data protection. They focus on giving you the
knowledge and skills to confidently build and manage data protection and privacy for your organization.

Certified EU General Data Protection Regulation (GDPR) foundation
One day course

In this one day course, our expert tutor will explain the requirements of the General Data Protection Regulation (GDPR), to help you understand how it could apply to your organization and the benefits of adopting it.

This is a foundation, non-technical course for both technical and general management interested in learning about GDPR and compliance around the new regulation.

How does the EU GDPR foundation course help:
You will gain knowledge on how to adhere to the new regulation and kick-start compliance with a variety of activities, such as a personal data scoping exercise and gap analysis, a privacy impact and risk assessment, or a full data protection audit.

Certified Information Privacy Professional/Europe (CIPP/E)
Two day course

The CIPP/E covers the fundamental pan-European and national data protection laws. It is the most recognized credential of its kind in the data protection and privacy field.

The course examines industry best practices in privacy compliance, the concepts of data protection, and trans-border data flows. The CIPP/E covers critical topics such as the EU-U.S. Privacy Shield and the GDPR.

How does CIPP/E help with GDPR requirements:
Achieving the CIPP/E demonstrates you have the comprehensive GDPR knowledge and understanding needed to ensure compliance and data protection success.

Certified Information Privacy Manager (CIPM)
Two day course

The CIPM certification is the "how-to" of privacy operations. A CIPM is able to structure an organization’s privacy team effectively. It equips you with the ability to develop, implement, and measure a privacy program framework while utilizing the privacy operational lifecycle: assess, protect, sustain, and respond.

How does CIPM help with GDPR requirements:
A CIPP/E combined with a CIPM means that you are uniquely equipped to fulfill the requirements of a Data Protection Officer.

Certified Information Privacy Technologist (CIPT)
Two day course

CIPT certifies delegates in the knowledge of privacy and data protection related issues, in the context of the design and implementation of information and communication technologies. It looks at the privacy considerations for IT systems and applications. It examines industry standard guidelines for the collection, use, retention, and destruction of data.

CIPT provides a solid foundational level in data protection and privacy laws, concepts and regulations, while giving delegates the knowledge to create the information privacy infrastructure.

How does CIPT help with GDPR requirements:
CIPT will enable you to build your organization’s privacy and data protection infrastructure, ensuring ‘privacy by design’, a key GDPR value.



Cybersecurity and Information Resilience services

Our Cybersecurity and Information Resilience services enable organizations to secure information from cyber-threats, strengthening their information governance and in turn assuring resilience, mitigating risk whilst safeguarding them against vulnerabilities in their critical infrastructure.

We can help organizations solve their information challenges through a combination of:

Consulting
Cybersecurity and information resilience strategy, security testing, and specialist support

Training
Specialist training to support personal development

Research
Commercial research and horizon scanning projects

Technical solutions
Managed cloud solutions to support your organization


As an accredited certification body, BSI Assurance cannot offer certification to clients who have received consultancy from another part of the BSI Group for the same management system. Likewise, we do not offer consultancy to clients who are seeking certification for the same management system.

© BSI Group BSI/UK/1047/CIR/0317/EN/BLD

Find out more


Call: +44 345 222 1711
Email: [email protected]
Visit: bsigroup.com
