EGSCERT Roadmap to Compliance for General Data Protection
Owner and Data Controller
The GDPR (General Data Protection Regulation), which entered into force in April 2016 following its publication in the Official Journal of the European Union, is applicable from May 2018 and is mandatory in all its elements and directly applicable in each of the Member States. A major component of the GDPR relates to being transparent and providing accessible information to individuals about the collection and use of their personal data.
Regulatory focus
The regulation establishes rules concerning the protection of natural persons with regard to the processing of personal data, as well as rules concerning the free movement of such data.
It protects the rights and fundamental freedoms of natural persons, in particular their right to the protection of personal data.
Lawful Basis
Under the GDPR, all companies and organizations must have a lawful basis for all processing and storage of personal data. Some companies or organizations might qualify for an exemption or derogation (another fancy way to say exemption). Without a lawful basis or an exemption, processing or storing personal data is considered “prima facie unlawful.”
2. What is Personal Data?
– Any information relating to an identified or identifiable natural person (‘data subject’);
– An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
Looks, appearance and behaviour, including eye colour, weight and character traits.
Workplace data and information about education, including salary, tax information and student numbers.
Private and subjective data, including religion, political opinions and geo-tracking data.
Health, sickness and genetics, including medical history, genetic data and information about sick leave.
– Examples – Names, Address, NI numbers, E-mail addresses, IP Addresses, CCTV images
3. Definition of certification scope
A certification audit is performed. It evaluates the implementation of the technical standard, including the effectiveness of the organization’s procedures.
– A certificate valid for 3 years is issued upon satisfactory result
– Surveillance audits to verify that the procedures continue to fulfil the requirements of the standard and monitor the continual improvement
– Re-certification after 3 years to confirm the continued conformance and effectiveness of the procedures as a whole
4. EGSCERT Roadmap for General Data Protection
4-1) How EGSCERT collects and uses personal data. It applies to the following:
– Potential and certified clients of EGSCERT for the engagement of any types of certification services;
– Delegates attending EGSCERT training courses;
– Subcontractors (trainers, auditors, technical experts and/or report reviewers) engaged or to be engaged by EGSCERT; and
– Other stakeholders/interested parties for any further business dealings.
Who is data protection certification for?
Organizations with employees are directly affected by the GDPR requirements for record keeping, but all organizations that process the personal data of “natural persons” resident in the EU for professional or commercial reasons, whether as “controllers” or as “processors” (who may manage data on behalf of the controllers), fall within the scope of the regulation. The processing of any data relating to an EU citizen “data subject” is within scope, regardless of where the processing organization is incorporated, registered or listed.
The data lifecycle approach to the regulation means data protection is no longer a problem for the IT or marketing department, but one requiring a holistic approach across the organization.
REGULATION (EU) 2016/679
As envisaged in GDPR article 42
There are some exceptions for public bodies processing data in order to enforce public security or for the prevention, investigation, detection or prosecution of criminal offences.
4-2) Types of Data collected
EGSCERT collects personal data directly from the agency when it receives a request for EGSCERT services, or when the agency is approached by an EGSCERT employee or representative. This is usually done through the EGSCERT enquiries mailbox, the intranet, face to face, telecommunication (Skype) and/or email with an EGSCERT employee or an EGSCERT representative.
Data to be collected may include, but is not limited to, the following:
– Full name, age, job title, phone number, email address, residential address, office address, identification number, passport number;
– CV