
Quay Audit UK Limited

Grove House, 8, St. Julian’s Friars, Shrewsbury, Shropshire, SY1 1XL, UK


(44) 1743 351677. post@quayaudit.co.uk. www.quayaudit.co.uk

Technical Standard – Data Protection

Citation: Technical Standard – Data Protection, GDP TS1001:2018
File No.: /Standards/GDP
Author: Quay Audit UK Limited
Date of issue: 25th May 2018
Revision: Original text, Rev 0

Basis: Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, adopted on April 27th, 2016 and published
in the OJEU on May 4th, 2016.

Ownership: This document is not “owned”. Copyright does not exist. Free use is allowed and
encouraged by the authors.

May 2018 Technical Standard – Data Protection, GDP TS1001:2018 Page 1 of 13



Contents

1. Introduction

2. Terms and definitions

3. Organization and Structure

3.1 Leadership and commitment


3.2 Policy
3.3 Organizational roles, responsibilities and authorities
3.4 Objectives

4. Personal Data Risk Management

4.1 General
4.2 Data Protection Impact Assessment (DPIA)
4.3 Compliance obligations
4.4 Action plan
4.5 Managing Personal Data Breaches

5. Management System

5.1 Manual and procedures


5.2 Documented information
5.3 Performance evaluation
5.4 Internal audit
5.5 Management review
5.6 Nonconformity and corrective action
5.7 Complaints
5.8 Communication

6. Product and/or service control

6.1 Requirements for products and services


6.2 Design and development of products and/or services
6.3 Release of products and/or services

7. Operational control

7.1 Processing control


7.2 Control of subcontractors and service providers

8. Resources

8.1 Infrastructure
8.2 Personnel


1. Introduction

On 25th May 2018 the requirements of the General Data Protection Regulation (herein, “the Regulation”),
published in the Official Journal of the EU in 2016, came into effect. From that date any organisation
operating within the Member States of the EU, and any organisation elsewhere that offers goods or
services to, or monitors the behaviour of, individuals in the EU, is expected to be aware of, and to
comply with, the requirements described.

The Regulation is intended to ensure that personal data held by any organisation is used correctly and
uniformly across the EU, and that personal data is only collected and retained where there is a lawful
basis for doing so, the most visible of which is the consent of the individual involved.

Organisations are expected to consider their activities in light of the Regulation and to inform
individuals openly that their data is being retained, held in confidence and protected, and that every
individual has the opportunity to accept (opt-in rather than opt-out, which was the previous default) the
storage of their data, a significant change to the status quo prior to adoption.

Compliance with regulation of this kind is mandatory; the supervisory authorities of the Member States
have the power to impose fines and other corrective measures on organisations that do not comply.
Penalties are to be proportionate, according to the degree of disregard shown, the impact of a breach
and the organisation’s demonstrated response. To be an effective deterrent, the fines that may be
imposed are significant.

This Standard is written to inform the actions of any organisation wishing to comply with the Regulation,
but it remains the responsibility of every organisation to acquaint itself with the Regulation and, where
necessary, to make provisions beyond those described herein. Compliance with a regulation cannot be
proven, only breaches of it can, and compliance with this Standard therefore does not constitute
compliance with all aspects of the Regulation.


2. Terms and definitions

For the purpose of this standard and to avoid copyright issues, general terms and definitions used herein
are as described in ISO 9000:2015. Specific terms relating to the subject matter are simply defined below.

Data protection management system Part of a management system used to manage all aspects of
stored personal data

Compliance obligations As described in the Regulation

Personal data (includes sensitive and high-risk data) Any information relating to an identifiable natural
person.

Processing Any operation or set of operations performed on personal data.

Controller The natural or legal person, public authority, agency or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data. A position with
legal accountability.

Data Protection Officer (DPO) A person designated by a controller or processor, on the basis of
professional qualities and expert knowledge of data protection law and practice, to inform, advise and
monitor compliance with the Regulation (see 3.3.2). The DPO is not the controller; legal accountability
for the processing remains with the controller.

Processor A natural or legal person, public authority, agency or other body which processes personal
data on behalf of the controller. Note that an employee of the controller (e.g. a payroll clerk) for whom
the use of personal data is an intrinsic part of their job function is not a processor; such persons act
under the direct authority of the controller.

Recipient A natural or legal person, public authority, agency or another body to which the personal
data are disclosed.

Consent of the data subject Any freely given, specific, informed and unambiguous indication of the
data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her.

Personal data breach A breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or
otherwise processed.

Supervisory authority An independent public authority which is established by a Member State
pursuant to the Regulation.

Accountability A permanent and dynamic process that consists both of an obligation to be
accountable with regard to compliance with statutory and regulatory requirements and of a
mechanism able to demonstrate the efficiency of the measures taken and the effectiveness of
data protection.

Data Protection Impact Assessment A process which assists organizations in identifying,
assessing and minimizing the risks to the rights and freedoms of data subjects arising from
products or services, and in deciding the actions to be carried out.

Data protection by design Business processes that take the protection of data into consideration as
an intrinsic part of their design. Compliance should be demonstrable and apply during the
whole life cycle of the system or process development.

Data protection by default The obligation to ensure that, by default, the functionality of files and
applications provides a high level of personal data protection. Personal information must only be kept
for the amount of time necessary to provide the product or service.

Binding Corporate Rules Personal data protection policies adhered to by a controller or processor
established in the EU for transfers of personal data within a group of undertakings.


3. Organization and Structure

3.1 Leadership and commitment

Top management shall demonstrate commitment to the implementation of the requirements of
this standard and to processes which facilitate continual improvement.

Top management shall implement technical and organizational measures to ensure and
demonstrate that the processing of personal data complies with the principles relating to the
processing of personal data. These measures must:
a) be linked to the purpose of the processing;
b) be taken at the time of design and at the time of processing, throughout the lifecycle of
products or services.

These measures shall be evaluated at regular intervals and updated if necessary.

3.2 Policy

Top management shall establish, document, implement and maintain a policy which states its
commitment to deliver products and/or services in compliance with the Regulation, and its
accountability.

This policy shall include a commitment to:
a) protect personal data, including preventing personal data breaches;
b) fulfil its compliance obligations;
c) implement technical and organizational measures within the organization to ensure
compliance with the Regulation.

3.2.2 Communicating the personal data policy

This policy shall be available, communicated, understood and applied within the organization and
available to relevant interested parties, as appropriate.

3.3 Organizational roles, responsibilities and authorities

3.3.1 Organization and responsibilities

The organization shall have a documented organizational structure to ensure products and/or
services compliance.

Top management shall ensure that the responsibilities and authorities related to personal data
management and processing are identified, assigned and understood.

It shall be clearly documented who deputizes in the absence of the responsible person.

3.3.2 Data Protection Officer (DPO)

A DPO may be appointed to ensure compliance of the management system and processes related
to personal data protection. The DPO informs, advises and monitors; accountability for the processing
remains with the organization as controller.

Where an organization can justify a decision NOT to appoint a DPO, the justification shall be
documented and included in the management system documentation. Such justification is allowable
only if the organization is not a public authority or body, its core activities do not involve regular and
systematic monitoring of data subjects on a large scale, and it does not process special category
(sensitive) or criminal-conviction data on a large scale.

Where no DPO is appointed there shall be no specific mention of a “Data Protection Officer” within
the organization’s management structure, as the title carries legal implications under the Regulation.


If appointed, the DPO shall be designated on the basis of professional skills, experience and
knowledge of data protection law and practices and shall report to the highest level of the
organization. The organization shall ensure that the DPO is involved in all issues related to the
protection of personal data and shall allocate appropriate budget and resources.

The organization shall ensure that the DPO can exercise all tasks with the necessary
independence and confidentiality. If the DPO is responsible for other tasks, these shall not result in a
conflict of interest.

The DPO shall perform the following tasks:
a) inform and advise the organization and the employees who carry out personal data processing
of their obligations under the compliance obligations;
b) monitor compliance of the organization with the compliance obligations and internal policies and
provisions, including the assignment of responsibilities, awareness-raising and training of staff
involved in processing operations, and the related audits; in particular the DPO shall organize the
conduct of management reviews;
c) provide advice where requested with regard to the Data Protection Impact Assessment and
monitor its performance;
d) act as the contact point for the supervisory authority and cooperate with the supervisory authority
on issues relating to personal data, where appropriate.

The organization shall communicate the contact details of the DPO to Supervisory Authorities
and other stakeholders whenever required.

3.4 Objectives

The organization shall set objectives to maintain and improve the compliance and performance of
products and/or services, in accordance with this Standard. These objectives shall be
documented, measureable, communicated to relevant functions and levels, monitored and
updated as appropriate.

Objectives shall be established taking into account the organization’s Data Protection Impact
Assessment and associated compliance obligations.

4. Personal Data Risk Management

4.1 General

The organization shall implement an effective plan considering the risks and requirements
related to personal data protection.

4.2 Data Protection Impact Assessment (DPIA)

The organization shall determine which activities, products and services may affect the
confidentiality, integrity and availability of personal data, and which situations could lead to personal
data breaches, considering a life cycle perspective.

When determining such aspects, the organization shall take into account:
a) a systematic description of the processing operations and the purposes of the processing;
b) an assessment of the necessity and proportionality of the processing operations in relation
to the purposes;
c) an assessment of the risks to the rights and freedoms of data subjects;
d) the risk category of personal data;
e) abnormal conditions and reasonably foreseeable situations that may lead to personal data
breaches;
f) the measures to address risks, including safeguards, security measures and mechanisms
to ensure the protection of personal data and to demonstrate regulatory compliance taking
into account the rights and legitimate interests of data subjects and other persons concerned;
g) any change, including planned or new developments, and new or modified activities, products
and services.


The DPIA shall be developed and managed through a multi-disciplinary approach that includes
marketing, commercial, operations, engineering, information technology and security,
quality/technical and other relevant functions. The DPIA shall be documented, including potential
situations of personal data breaches.

The organization shall communicate the output of the DPIA to the relevant levels and functions of
the organization, as appropriate.

4.3 Compliance obligations

The organization shall determine all compliance obligations related to personal data including:
a) Regulatory requirements;
b) Imposed codes of conduct or binding corporate rules;
c) Specific customer requirements related to personal data protection.

The organization shall take these compliance obligations into account when establishing,
implementing, maintaining and continually improving its management system, and maintain
documented information of its compliance obligations.

4.4 Action plan

The organization shall plan actions to address its:


a) outcomes of DPIA;
b) compliance obligations.

When planning these actions, the organization shall:


• consider the technological possibilities and its financial, operational and business requirements;
• choose technical measures adapted to the risks identified and evaluate the effectiveness of
these actions;
• establish processes to verify that the actions implemented remain effective.

4.5 Managing Personal Data Breaches

The organization shall establish, implement and maintain the processes needed to
prepare for and respond to potential personal data breach situations. The organization shall:
a) prepare to respond by planning actions to prevent or mitigate personal data breaches and their
consequences, appropriate to the magnitude of breaches and their potential impact;
b) respond to actual data breach situations;
c) periodically test the planned response actions, where practicable;
d) periodically review and revise the processes and planned response actions, in particular after
the occurrence of personal data breach situations or tests;
e) provide relevant information and training related to personal data breach preparedness and
response, as appropriate, to relevant interested parties, including persons working under its
control.

In the case of a personal data breach, the organization shall, without undue delay and, where
feasible, not later than 72 hours after having become aware of it, notify the Supervisory Authority of
the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights
and freedoms of natural persons; where notification is made later than 72 hours it shall be
accompanied by the reasons for the delay. When the personal data breach is likely to result in a high
risk to the rights and freedoms of natural persons, the organization shall in addition communicate the
personal data breach to the data subjects concerned without undue delay.

The communication to the data subject and/or to the Supervisory Authority shall meet the
requirements expressed in the Regulation. The organization shall document every personal data
breach, its effects and the remedial action taken, whether or not it is notified, so that the Supervisory
Authority can verify compliance.


5. Management System

5.1 Manual and procedures

The organization shall establish, implement, maintain and continually improve a management
system in accordance with the following elements of this standard, which ensure correct
implementation and maintenance of personal data related processes. The management system
shall be appropriate to the type, range and volume of products and/or services.

This management system shall support its business processes, and their interactions, ensuring
that the personal data are collected, processed and stored or archived in a compliant manner
including appropriate security of the personal data, protection against unauthorized or
unlawful processing and against accidental loss, destruction or damage, using appropriate
technical or organizational measures.

The management system shall be such as to enable the organization to:


a) ensure that personal data processing complies with the applicable compliance requirements
either contractual or regulatory;
b) ensure that its responsibilities are properly discharged in accordance with the Regulation;
c) monitor the compliance with, and adequacy of, the documented procedures of the system.

5.2 Documented information

The organization’s management system shall include documented information related to


processing and to personal data protection processes.

The organization shall have a procedure to manage documented information, including
appropriate:
• identification, description, review and approval;
• distribution, access and use;
• storage and preservation;
• control of changes;
• retention and disposal.

The organization shall maintain records to demonstrate the effective control of products and/or
services compliance. Records shall be legible, maintained in good condition and retrievable.
Records shall be retained for a defined period with consideration given to any legal or
customer requirements.

5.3 Performance evaluation

The organization shall determine:


a) what needs to be controlled and monitored, and when;
b) the methods for monitoring, measurement, analysis and evaluation;
c) the performance criteria and appropriate indicators.

In addition, the organization shall establish, implement and maintain the processes needed to
evaluate fulfilment of its compliance obligations. In particular, the organization shall:

a) determine the frequency that compliance will be evaluated;


b) evaluate compliance and take action if needed;
c) determine the risks of personal data breaches and noncompliance occurrences and the
effectiveness of noncompliance detection processes and measures;
d) maintain knowledge and understanding of its compliance status;
e) communicate relevant performance information both internally and externally.

The organization shall retain documented information as evidence of the monitoring and compliance
of its operations.


5.4 Internal audit

The organization shall conduct internal audits at least annually covering all requirements of this
standard to provide information on whether:
• it conforms to the requirements of this Standard;
• it is effectively implemented and maintained.

The scope and frequency of the audits shall take into consideration the risks to personal data
processes and activities and previous audit performance.

Internal audits shall be carried out by appropriately trained, competent auditors. Impartiality of
auditors shall be ensured.

Audit reports shall detail any significant deviation from the requirements of this standard.
In particular, audit reports shall identify issues related to technology or processes which could
affect the compliance obligations.

5.5 Management review

Management reviews attended by top management shall be performed at appropriate planned
intervals, annually as a minimum, to review the performance against the standard and objectives.
The management review shall include the following topics:
• status of previous management review action plans;
• results of internal and external audits and system effectiveness reviews;
• customer satisfaction and feedback from interested parties including complaints;
• incidents, breaches, nonconformities and associated corrective actions;
• the effectiveness of actions taken to address the DPIA;
• monitoring and surveillance results;
• performance of suppliers and service providers;
• any change related to the DPIA;
• any change in compliance obligations.

The outputs of the management review shall include:


• opportunities for improvement;
• an action plan including resource needs;
• improvement actions, if needed, when data protection objectives have not been achieved;
• any implication for the strategic direction of the organization.

Records of the management reviews shall be documented and used to revise the objectives.
Conclusion of management reviews and associated action plans shall be effectively communicated
to appropriate staff, and implemented.

5.6 Nonconformity and corrective action

The organization shall determine opportunities for improvement and implement necessary actions
to meet compliance obligations and prevent recurrence.

When a non-conformity occurs, the organization shall:


a) take action to address the immediate issue;
b) evaluate actions through the identification of a root cause of a nonconformity to prevent
recurrence elsewhere;
c) implement the action plan, verify that the corrections have been effectively implemented.

The organization shall retain documented information as evidence of the nature of the
nonconformities and the related corrective actions


5.7 Complaints

The organization shall ensure that complaints from customers and interested parties are
effectively handled. The organization shall make its process for handling complaints transparent
and publicly available.

Upon receipt of the complaint, the organization shall:


a) acknowledge the complaint to the complainant;
b) gather and verify all necessary information to evaluate and validate the complaint and make a
decision on the complaint;
c) formally communicate the decision on the complaint to the complainant;
d) ensure that any appropriate corrective and preventive actions are taken.

5.8 Communication

5.8.1 General

When establishing its communication processes, the organization shall:


a) take into account its compliance obligations;
b) ensure that information communicated related to personal data protection is consistent with the
requirements of this standard, and is reliable.

The organization shall retain documented information as evidence of its communications, as


appropriate.

5.8.2 Internal communication

The organization shall:


a) internally communicate information relevant to the data protection management system among
the various levels and functions of the organization, including changes to the management
system, as appropriate;
b) ensure its communication processes enable persons doing work under the organization’s
control to contribute to continual improvement.

The company shall ensure that any customer-specific policies or requirements, codes of conduct,
binding corporate rules, methods of working etc. are understood, implemented and clearly
communicated to relevant staff and, where appropriate, suppliers and service providers.

5.8.3 External communication

The organization shall externally communicate information relevant to personal data protection, as
established by the organization’s communication processes and as required by its compliance
obligations. In particular, the organization shall take appropriate measures to provide data subjects
with the information relating to their rights and freedoms required by the Regulation, in a concise,
transparent, intelligible and easily accessible form; where a DPO is appointed, the DPO shall monitor
that this is done.

6. Product and/or service control

6.1 Requirements for products and services

The organization shall ensure that the requirements for products and/or services are defined
including:
a) compliance obligations and customer requirements related to personal data protection;
b) internal requirements considered necessary by the organization or imposed by codes of
conduct or binding corporate rules.

The organization shall conduct a review of its ability to meet the requirements for products and/or
services to be offered to customers. The organization shall retain documented information, as
applicable, on the results of this review. This review shall be updated in case of any change of
requirements for the products and/or services.


6.2 Design and development of products and/or services

The organization shall establish, implement and maintain a design and development process which
ensures continuous compliance related to personal data protection all along the life cycle of
products and/or services including end-of-life treatment and final disposal of its products and/or
services.

The organization shall implement appropriate technical and organizational measures to ensure
that:
• the requirements for products and services are taken into consideration in design and
development;
• the outcomes of the related DPIA and, in particular, the consequences of failure given the nature
of the products and services, are addressed;
• by default, only personal data which are necessary for each specific purpose of the processing
are processed. That obligation applies to the amount of personal data collected, the extent of their
processing, the period of their storage and their accessibility;
• any request for consent is presented in a manner which is clearly distinguishable from
other matters, in an intelligible and easily accessible form, using clear and plain language;
• processing respects the interests and fundamental rights and freedoms of the data subject or
any natural person and, in particular, of vulnerable persons, including children.

The organization shall control the design and development process to ensure that the resulting
products and services meet the requirements for the specified application or intended use.
Design and development of products or services shall be only validated after a review of
appropriate closure of non-compliances related to personal data protection.

The organization shall retain documented information related to design and development activities.

6.3 Release of products and/or services

Where products and/or services require positive release, procedures shall be in place to ensure
that release does not occur until all release requirements have been completed and release
authorized.

The organization shall maintain records of processing activities under its responsibility. That record
shall contain the following information:
a) the name and contact details of the organization (as controller) and, where applicable, of its
representative and of the DPO;
b) the purposes and categories of the processing;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients;
e) where applicable, transfers of personal data to a third country or an international organization,
including the documentation of the safeguards relied upon;
f) where possible, the envisaged time limits for erasure of the different categories of data;
g) where possible, a general description of the technical and organizational security measures
applied.

The organization shall make the records available to the supervisory authority on request.

7. Operational control

The organization shall develop and implement documented procedures and/or work instructions
that describe operations relevant to the Regulation.

7.1 Processing control

Taking into account the nature, scope, context and purposes of processing as well as the risks of
varying likelihood and severity for the rights and freedoms of natural persons, the organization shall
implement appropriate technical and organizational measures to control the processing and to be
able to demonstrate that processing is performed in compliance with applicable compliance
obligations.

Procedures and/or work instructions shall be available and shall specify how personal data are
processed in compliance with the Regulation.


Consistent with a life-cycle perspective, the organization shall maintain documented information to
demonstrate that the processes have been carried out as planned and the compliance of
products and/or services with their requirements.

7.2 Control of subcontractors and service providers

The organization shall ensure that outsourced processes are controlled or influenced in
accordance with the Regulation. The type and extent of control or influence to be applied to the
processes shall be defined.

In particular:
• the organization shall only use suppliers providing sufficient guarantees to implement
appropriate technical and organizational measures in such a manner that processing will meet
the compliance obligations and ensure the protection of the rights of the data subject;
• processing by an external provider shall be governed by a contract or other legal act binding on
the provider that sets out the subject-matter and duration of the processing, the nature and purpose
of the processing, the type of personal data and categories of data subjects, and the obligations and
rights of the organization.

That contract shall stipulate, in particular, that the external provider:


(a) processes the personal data only on documented instructions from the organization, including
with regard to transfers of personal data to a third country or an international organization;
(b) ensures that persons authorized to process the personal data have committed themselves to
confidentiality;
(c) at the choice of the organization, deletes or returns all the personal data to the organization
after the end of the provision of services relating to processing;
(d) makes available to the organization all information necessary to demonstrate compliance with
the compliance obligations and contribute to audits, including inspections, conducted by the
organization or another auditor mandated by the organization;
(e) does not engage another supplier without the prior specific or general written authorization of
the organization;
(f) notifies the organization without undue delay after becoming aware of a personal data
breach.

The organization (as controller) or a processor may transfer personal data to a third country or an
international organization only if the transfer is compliant with one of the provisions expressed in the
Regulation.

8. Resources

The organization shall determine and provide resources needed for the implementation of
technical and organizational measures to ensure compliance with personal data protection
requirements.

8.1 Infrastructure

The organization shall implement technical and organizational measures which are designed to
implement data-protection principles in an effective manner and to integrate the necessary
safeguards into the processing as appropriate considering the type and nature of processing
and the outcomes of the DPIA.
In particular, such measures shall ensure that by default personal data are not made accessible to
an indefinite number of natural persons without the individual’s intervention.

The organization shall implement appropriate processes for regularly testing, assessing and
evaluating the effectiveness of technical and organizational measures for ensuring the security of
the processing.

Where proportionate in relation to processing activities, the measures referred to above shall
include the implementation of appropriate data protection policies by the organization. These
measures shall specify appropriate security controls along the different phases of data collection,
storage, handling and transfer.

The organization shall implement procedures which ensure that access by personnel to
personal information is restricted to the personnel who need to have such access.

Particular attention should be paid to storage of personal data on portable devices or equipment
(laptops, mobile devices and removable media), which are readily lost or stolen; such storage should
be kept to the minimum necessary and protected by encryption.
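As an added example (not part of this Standard or of Quay Audit's own material), the following Python sketch shows how the requirements of 6.2 (data protection by default: only the data a purpose needs, time-limited storage) and 8.1 (need-to-know access, nothing exposed without an explicit grant, evidence for audit) can be enforced in code rather than by procedure alone. The roles, purposes, field sets, retention periods and employee records are constructed for illustration and are not taken from the Standard.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Purpose -> the minimum set of fields that purpose legitimately needs
# (constructed assumption: payroll never needs health data).
PURPOSE_FIELDS = {
    "payroll": {"employee_id", "name", "bank_account"},
    "occupational_health": {"employee_id", "name", "health_notes"},
    "directory": {"employee_id", "name"},
}

# Role -> purposes that role may process for. Default deny: a role that is
# absent here, or a purpose not listed for it, gets nothing.
ROLE_PURPOSES = {
    "payroll_clerk": {"payroll", "directory"},
    "occ_health_nurse": {"occupational_health", "directory"},
    "dpo": {"payroll", "occupational_health", "directory"},
}

AS_OF = date(2018, 5, 25)  # reference date used by the demo below


@dataclass
class Record:
    data: dict            # the subject's full record
    collected: date       # when the data was obtained
    retention_days: int   # how long this purpose justifies keeping it

    def expired(self, today: date) -> bool:
        """Retention is time-limited by default (6.2)."""
        return today > self.collected + timedelta(days=self.retention_days)


@dataclass
class PersonalDataStore:
    records: dict = field(default_factory=dict)    # employee_id -> Record
    audit_log: list = field(default_factory=list)  # one entry per attempt

    def _log(self, actor, role, purpose, subject, outcome):
        self.audit_log.append({"actor": actor, "role": role, "purpose": purpose,
                               "subject": subject, "outcome": outcome})

    def access(self, actor, role, purpose, employee_id, today=None):
        """Return only the fields `purpose` needs, or raise.

        Denials are logged as well as grants, so the audit trail shows
        attempted over-reach, not just successful access (8.1)."""
        today = today or date.today()
        if purpose not in ROLE_PURPOSES.get(role, set()) or purpose not in PURPOSE_FIELDS:
            self._log(actor, role, purpose, employee_id, "denied: purpose not authorised for role")
            raise PermissionError(f"role {role!r} may not process for {purpose!r}")
        record = self.records.get(employee_id)
        if record is None:
            self._log(actor, role, purpose, employee_id, "denied: no such subject")
            raise KeyError(employee_id)
        if record.expired(today):
            self._log(actor, role, purpose, employee_id, "denied: retention period expired")
            raise PermissionError("retention period expired; record awaiting erasure")
        # Data minimisation: project the record down to the purpose's field set.
        view = {k: v for k, v in record.data.items() if k in PURPOSE_FIELDS[purpose]}
        self._log(actor, role, purpose, employee_id, "granted: " + ",".join(sorted(view)))
        return view

    def purge_expired(self, today=None):
        """Erase records whose retention period has passed; returns their ids."""
        today = today or date.today()
        gone = sorted(eid for eid, r in self.records.items() if r.expired(today))
        for eid in gone:
            del self.records[eid]
            self._log("system", "retention", "erasure", eid, "erased: retention period expired")
        return gone


def build_sample_store() -> PersonalDataStore:
    """Constructed sample data for this example; not real personal data."""
    store = PersonalDataStore()
    store.records["E001"] = Record(
        data={"employee_id": "E001", "name": "Ann Example",
              "bank_account": "GB00EXMP00000000000000", "health_notes": "none recorded"},
        collected=date(2018, 1, 15), retention_days=10 * 365)
    store.records["E002"] = Record(  # left the organization; retention long since past
        data={"employee_id": "E002", "name": "Bob Sample",
              "bank_account": "GB00EXMP00000000000001", "health_notes": "pollen allergy"},
        collected=date(2015, 3, 1), retention_days=365)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.access("alice", "payroll_clerk", "payroll", "E001", AS_OF))
    try:
        store.access("alice", "payroll_clerk", "occupational_health", "E001", AS_OF)
    except PermissionError as exc:
        print("denied:", exc)
    print("purged:", store.purge_expired(AS_OF))
    for entry in store.audit_log:
        print(entry)
```

The two tables are the data-protection-by-default decision made once, at design time, rather than left to each caller; the audit log is the kind of documented information an internal audit under 5.4 would sample; purge_expired is the retention control that 6.2 requires. In a real deployment the tables would be configuration under change control (5.2), the log append-only and tamper-evident, and the store a database rather than a dictionary.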

8.2 Personnel

8.2.1 Competence

The organization shall:
a) determine the necessary competence of person(s) performing work that affects personal data
protection and its ability to fulfil its compliance obligations;
b) ensure that these person(s) are competent on the basis of appropriate education, training or
experience;
c) determine training needs associated with the DPIA;
d) maintain the competences of its personnel involved in personal data protection, considering
changes in technologies and practices;
e) where applicable, take actions to acquire the necessary competence, and evaluate the
effectiveness of the actions taken.

In particular, the person(s) in charge of the implementation of management systems within the
organization shall have received specific training relating to data protection law.

Records of all training shall be available. This shall include as a minimum:


a) the name of the trainee and confirmation of attendance;
b) the date and duration of the training;
c) the title or course contents, as appropriate;
d) the training provider.

8.2.2 Awareness

The organization shall ensure that all relevant personnel are aware of the:
a) personal data protection policies;
b) actual or potential personal data breaches associated with their work;
c) implications of not conforming with the management system, including not fulfilling the
organization’s compliance obligations.

8.2.3 Knowledge management

The organization shall ensure that the development of information and communication
technologies and the related evolution of commercial practices are followed up, and taken into
account as appropriate.
END
