The date that the General Data Protection Regulation (GDPR) is coming into effect is approaching soon. This new law affects almost all companies, but it can have a bigger effect on certified companies. Regardless of the certificate the company holds, all ISO certificates have the fundamental rule:
“The organization needs to demonstrate that they meet the legal requirements.”
This small but fundamental rule means that the certificates are only valid when an organization operates according to the law. Now we know that laws can be fluid and also contradicting depending on regions and countries, but we won’t go into this now. It is fair to say that all companies need to operate according to the GDPR. In this blogpost we provide some easy tips on how this can impact your management system. In the end a lot of companies treat compliance to laws in the same region as compliance to international standards.
There is a lot of data going through the company. In order to understand which data is stored where, classifying the data helps a lot. A good point to start with is classifying the data owners in line with the stakeholders identified in the stakeholder analysis. Most data can be classified into three categories: customers, employees and suppliers. When the type of stakeholder is known, it is important to classify the kind of data, such as: personal data, company data, payment data, etc. These classifications are highly dependent on the type of service or product you deliver. It is important to know where the data is stored. In order to have this overview you should map out all the products/services you have that hold any kind of data. Some topics we use for such a register are:
- Company name
- Contact person
- Purpose of data
- Type of Stakeholder
- Type of Data
- Contact details
- Payment details
- Personal details
- Duration of saving
- Agreement (PDF of contract)
On top of the register there are some processes that need to be added. People now have more rights, and in order to observe that it is important to document how you support these rights. Two important points here are:
- How is the organization going to make sure that people have the right to be forgotten? In essence, how are you going to delete all their data across all databases?
- How will the organization support a request from a customer to get an overview of all the information the organization holds of that person?
These are just two important questions, but it shows that clearly defined processes should be in place and therefore must be added in some way to the management system.
The organization can be quite significant. You need to assess whether a data protection officer is required. The three main assessment points are:
- Public authorities or bodies, except for courts acting in their judicial capacity.
- Companies who process data requiring ‘regular and systematic monitoring of data subjects on a large scale’.
- Companies who process, on a large scale, any special category of personal data. This includes data which reveals racial or ethnic origin; political opinions; religious or philosophical beliefs and other such information.
- Companies who process, on a large scale, personal data relating to criminal convictions and offences.
In case you are required to appoint a data protection officer it is good to include this in the management system, just like your prevention officer is part of the management system.
The last important part of the GDPR is that the organization has a clear policy on how to handle data and how to protect it. This policy should be readily available and easy accessible for stakeholders.
Impact on Management System
With the requirement to work according to the law and regulations, the GDPR has a clear impact on most management systems around the world. Due to the overlap in a lot of best practices within international standards, we recommend to make the GDPR an inclusive part of your management system, and not to treat it as a separate part.
If you want to know how you can structure a lot of the GDPR related activities within an integrated management system, just contact us.