Standard GDP TS1001 2018
Date of issue 25th May 2018
Ownership: This document is not “owned”. Copyright does not exist. Free use is allowed and encouraged by the authors.
Contents
1. Introduction
4.1 General
4.2 Data Protection Impact Assessment (DPIA)
4.3 Compliance obligations
4.4 Action plan
4.5 Managing Personal Data Breaches
5. Management System
7. Operational control
8. Resources
8.1 Infrastructure
8.2 Personnel
1.0 Introduction
On 25th May 2018 the requirements of the General Data Protection Regulation (herein, “the Regulation”), published in the Official Journal of the EU in 2016, came into effect, and from 25th May 2018 any organisation operating within Member States of the EU is expected to be aware of, and to comply with, the requirements described.
The Regulation is intended to ensure that personal data held by any organisation is correctly and
uniformly used and that any personal data gathered is only stored with the consent of the individual
involved.
Organisations are expected to consider their activities in light of the Regulation and to openly inform individuals that their data is being retained, held in confidence and protected, and that every individual has the opportunity to accept (opt-in rather than opt-out, which was the previous default) the storage of their data – a significant change to the status quo prior to the adoption.
Compliance with regulation of this kind is mandatory; the EU has the ability to impose fines or other
punitive measures on organisations that do not comply. Prosecutions and punishments are to be
proportional, according to the level of disregard, the impact of a breach and the reaction proven. In order
to be an effective deterrent, fines imposed may be significant.
This Standard is written to inform the actions of any organisation wishing to comply with the Regulation
but it is the responsibility of every organisation to acquaint themselves with the Regulation and, if
necessary, to make provisions beyond those described herein. Compliance with a regulation cannot be
proven - only breaches of compliance can and therefore compliance with this Standard does not
constitute compliance with all aspects of the Regulation.
For the purpose of this standard and to avoid copyright issues, general terms and definitions used herein
are as described in ISO 9000:2015. Specific terms relating to the subject matter are simply defined below.
Data protection management system: Part of a management system used to manage all aspects of stored personal data.
Personal data (includes sensitive and high-risk data): Any information relating to an identifiable natural person.
Data Protection Officer (DPO): The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data. A position with legal accountability.
Processor: A natural or legal person, public authority, agency or other body processing personal data on behalf of the DPO. Note that a Processor is not an information controller (e.g. a payroll clerk) for whom the use of data is an intrinsic part of their job function.
Recipient: A natural or legal person, public authority, agency or another body to which the personal data are disclosed.
Consent of the data subject: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data protection by design: Business processes that take the protection of data into consideration as an intrinsic part of their design. Protection compliance should be demonstrable and apply during the whole life cycle of the system or process development.
Data protection by default: Obligation to make sure that, by default, the functionalities of files and applications ensure a high level of personal data protection. Personal information must only be kept for the amount of time necessary to provide the product or service.
Binding Corporate Rules: Personal data protection policies which are adhered to by a DPO or processor.
Top management shall implement technical and organizational measures to ensure and demonstrate that the processing of personal data complies with the principles relating to the processing of personal data. These measures must:
a) be linked to the purpose of the processing;
b) be taken at the time of design and at the time of processing throughout the lifecycle of products or services.
3.2 Policy
Top management shall establish, document, implement and maintain a policy which states its
commitment to deliver products and/or services in compliance with the Regulation, and its
accountability.
This policy shall be available, communicated, understood and applied within the organization and
available to relevant interested parties, as appropriate.
The organization shall have a documented organizational structure to ensure products and/or
services compliance.
Top management shall ensure that the responsibilities and authorities related to personal data
management and processing are identified, assigned and understood.
It shall be clearly documented who deputizes in the absence of the responsible person.
A DPO may be appointed to ensure compliance of the management system and processes related
to personal data protection.
Where an organization can justify a decision to NOT appoint a DPO, the justification shall be
documented and included in the management system documentation. Such justification is allowable
if the organization does not hold data that relates to Public Authorities or may be considered as
special category data (sensitive), or may be considered “large” amounts of data.
Where no DPO is appointed there shall be no specific mention of a “Data Protection Officer” within
the organization’s management structure as this has legal implications according to the Regulation.
If appointed, the DPO shall be designated on the basis of professional skills, experience and
knowledge of data protection law and practices and shall report to the highest level of the
organization. The organization shall ensure that the DPO is involved in all issues related to the
protection of personal data and shall allocate appropriate budget and resources.
3.4 Objectives
The organization shall set objectives to maintain and improve the compliance and performance of products and/or services, in accordance with this Standard. These objectives shall be documented, measurable, communicated to relevant functions and levels, monitored and updated as appropriate.
Objectives shall be established taking into account the organization’s Data Protection Impact
Assessment and associated compliance obligations.
4.1 General
The organization shall determine which activities, products and services may affect the confidentiality and integrity of personal data, and which potential situations may lead to personal data breaches, considering a life cycle perspective.
When determining such aspects, the organization shall take into account:
a) a systematic description of the processing operations and the purposes of the processing;
b) an assessment of the necessity and proportionality of the processing operations in relation
to the purposes;
c) an assessment of the risks to the rights and freedoms of data subjects;
d) the risk category of personal data;
e) abnormal conditions and reasonably foreseeable situations that may lead to personal data
breaches;
f) the measures to address risks, including safeguards, security measures and mechanisms
to ensure the protection of personal data and to demonstrate regulatory compliance taking
into account the rights and legitimate interests of data subjects and other persons concerned;
g) any change, including planned or new developments, and new or modified activities, products
and services.
The DPIA shall be developed and managed through a multi-disciplinary approach that includes marketing, commercial, operations, engineering, information technology and security, quality/technical and other relevant functions. The DPIA shall be documented, including potential situations of personal data breaches.
The organization shall communicate the output of the DPIA to the relevant levels and functions of
the organization, as appropriate.
The organization shall determine all compliance obligations related to personal data including:
a) Regulatory requirements;
b) Imposed codes of conduct or binding corporate rules;
c) Specific customer requirements related to personal data protection.
The organization shall take these compliance obligations into account when establishing, implementing, maintaining and continually improving its management system, and shall maintain documented information of its compliance obligations.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural
persons, the organization shall communicate the personal data breach to the data subject without
undue delay. In addition, in case of a personal data breach, the organization shall, without
undue delay, notify the Supervisory Authority about the personal data breach, unless the personal
data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The communication to the data subject and/or to the Supervisory Authority shall meet the
requirements expressed in the Regulation.
5. Management System
This management system shall support its business processes, and their interactions, ensuring
that the personal data are collected, processed and stored or archived in a compliant manner
including appropriate security of the personal data, protection against unauthorized or
unlawful processing and against accidental loss, destruction or damage, using appropriate
technical or organizational measures.
The organization shall maintain records to demonstrate the effective control of products and/or
services compliance. Records shall be legible, maintained in good condition and retrievable.
Records shall be retained for a defined period with consideration given to any legal or
customer requirements.
In addition, the organization shall establish, implement and maintain the processes needed to
evaluate fulfilment of its compliance obligations. In particular, the organization shall:
The organization shall retain documented information as evidence of the monitoring and compliance
of its operations.
The organization shall conduct internal audits at least annually covering all requirements of this
standard to provide information on whether:
• it conforms to the requirements of this Standard;
• it is effectively implemented and maintained.
The scope and frequency of the audits shall take into consideration the risks to personal data
processes and activities and previous audit performance.
Internal audits shall be carried out by appropriately trained, competent auditors. Impartiality of
auditors shall be ensured.
Records of the management reviews shall be documented and used to revise the objectives.
Conclusion of management reviews and associated action plans shall be effectively communicated
to appropriate staff, and implemented.
The organization shall determine opportunities for improvement and implement necessary actions
to meet compliance obligations and prevent recurrence.
The organization shall retain documented information as evidence of the nature of the nonconformities and the related corrective actions.
5.7 Complaints
The organization shall ensure that complaints from customers and interested parties are effectively handled. The organization shall make its process for handling complaints transparent and publicly available.
5.8 Communication
5.8.1 General
The company shall ensure that any customer-specific policies or requirements, codes of conduct,
binding corporate rules, methods of working etc. are understood, implemented and clearly
communicated to relevant staff and, where appropriate, suppliers and service providers.
The organization shall externally communicate information relevant to personal data protection, as established by the organization’s communication processes and as required by its compliance obligations. In particular, DPOs shall take appropriate measures to provide any information to data subjects related to the rights and freedoms of natural persons, according to the Regulation.
The organization shall ensure that the requirements for products and/or services are defined
including:
a) compliance obligations and customer requirements related to personal data protection;
b) internal requirements considered necessary by the organization or imposed by codes of
conduct or binding corporate rules.
The organization shall conduct a review of its ability to meet the requirements for products and/or
services to be offered to customers. The organization shall retain documented information, as
applicable, on the results of this review. This review shall be updated in case of any change of
requirements for the products and/or services.
The organization shall establish, implement and maintain a design and development process which
ensures continuous compliance related to personal data protection all along the life cycle of
products and/or services including end-of-life treatment and final disposal of its products and/or
services.
The organization shall implement appropriate technical and organizational measures for ensuring that:
• requirements for products and services are taken into consideration for design and development;
• outcomes of the related DPIA and, in particular, consequences of failure due to the nature of the products and services are taken into consideration;
• by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility;
• the request for consent is presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language;
• processing complies with the interests or fundamental rights and freedoms of the data subject or any natural person, and, in particular, of vulnerable persons, including children.
The organization shall control the design and development process to ensure that the resulting
products and services meet the requirements for the specified application or intended use.
Design and development of products or services shall be only validated after a review of
appropriate closure of non-compliances related to personal data protection.
The organization shall retain documented information related to design and development activities.
Where products and/or services require positive release, procedures shall be in place to ensure
that release does not occur until all release requirements have been completed and release
authorized.
The organization shall maintain records of processing activities under its responsibility. That record
shall contain the following information:
a) the purposes and categories of the processing;
b) a description of the categories of data subjects and of the categories of personal data;
c) the categories of recipients;
d) where applicable, transfers of personal data to a third country or an international organization;
e) where possible, the envisaged time limits for erasure of the different categories of data.
The organization shall make the records available to the supervisory authority on request.
7. Operational control
The organization shall develop and implement documented procedures and/or work instructions
that describe operations relevant to the Regulation.
Taking into account the nature, scope, context and purposes of processing as well as the risks of
varying likelihood and severity for the rights and freedoms of natural persons, the organization shall
implement appropriate technical and organizational measures to control the processing and to be
able to demonstrate that processing is performed in compliance with applicable compliance
obligations.
Procedures and/or work instructions shall be available and specify how personal data are processed in compliance with the Regulation.
Consistent with a life-cycle perspective, the organization shall maintain documented information to demonstrate that the processes have been carried out as planned and that products and/or services comply with their requirements.
The organization shall ensure that outsourced processes are controlled or influenced in
accordance with the Regulation. The type and extent of control or influence to be applied to the
processes shall be defined.
In particular:
• the organization shall only use suppliers providing sufficient guarantees to implement
appropriate technical and organizational measures in such a manner that processing will meet
the compliance obligations and ensure the protection of the rights of the data subject;
• processing by an external provider may be governed by a contract, if commercially viable to do so, that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the organization.
8. Resources
The organization shall determine and provide resources needed for the implementation of
technical and organizational measures to ensure compliance with personal data protection
requirements.
8.1 Infrastructure
The organization shall implement technical and organizational measures which are designed to
implement data-protection principles in an effective manner and to integrate the necessary
safeguards into the processing as appropriate considering the type and nature of processing
and the outcomes of the DPIA.
In particular, such measures shall ensure that by default personal data are not made accessible to
an indefinite number of natural persons without the individual’s intervention.
The organization shall implement appropriate processes for regularly testing, assessing and
evaluating the effectiveness of technical and organizational measures for ensuring the security of
the processing.
Where proportionate in relation to processing activities, the measures referred to above shall
include the implementation of appropriate data protection policies by the organization. These
measures shall specify appropriate security controls along the different phases of data collection,
storage, handling and transfer.
The organization shall implement procedures which ensure that access by personnel to
personal information is restricted to the personnel who need to have such access.
Particular attention should be paid to storage of personal data on portable devices or equipment.
8.2 Personnel
8.2.1 Competence
In particular, the person(s) in charge of the implementation of management systems within the organization shall have received specific training relating to data protection law.
8.2.2 Awareness
The organization shall ensure that all relevant personnel are aware of the:
a) personal data protection policies;
b) actual or potential personal data breaches associated with their work;
c) implications of not conforming with the management system, including not fulfilling the
organization’s compliance obligations.
The organization shall ensure that the development of information and communication technologies and the related evolution of commercial practices are followed up, and taken into account as appropriate.
END