We passed our latest spot inspection from our accreditors with a merit on Tuesday. As it should be, but in light of a recent tightening of EU regulations, it’s more important than ever for all of us data controllers to be ADISA certified.
The original EU Data Protection Directive 95/46/EC was passed in 1995.
A new, updated version, EU General Data Protection Regulation (EU GDPR) 2016, became EU law on 25th May 2016 and member states have to incorporate it into their own legislation by 25th May 2018. But is everyone ready?
Obviously, Brexit can’t be ignored when talking about EU regulation.
Steve Mellings, MD of ADISA and author of a new white paper on the changes, explains: “The UK will still be a member of the EU in May 2018. As such, it is believed that the EU GDPR will be a key document in the development of the UK’s own data protection law, with some already referring to UK GDPR.”
Where Data Protection is concerned, it is clear that the UK will need to adopt legislation comparable and equivalent to the new regulation in order to be able to exchange data with EU Member States or to qualify for a UK / EU Privacy Shield.
In addition, those companies who already process EU citizen data are obligated to comply with this legislation. The outgoing UK Information Commissioner, Chris Graham, said that it would be prudent for organisations to prepare to meet the EU GDPR regardless of the UK’s position within the EU.
It’s important to understand that there are two parties involved in data protection – your data processor (such as Blackmore Ricotech), and the data controller – you and every other business or institution with data worth protecting. The new directive outlines stricter guidelines for the relationship between the two and can be summarized under five headings.
1. The data controller should only use processors who…
• Provide sufficient guarantees, in terms of expert knowledge and ability to deliver the service.
• Adhere to an approved code of conduct.
• Adhere to an approved certification mechanism.
• Operate under the terms of a contract.
• The controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks.
• The controller should be responsible for carrying out a data protection impact assessment for data processing operations.
• The controller shall, prior to processing, carry out a data protection impact assessment for processing likely to result in high risk.
• The assessment shall include measures to evaluate risk and what mechanisms have been put in place to mitigate that risk.
3. Standard of processor
• The controller shall use only processors who provide sufficient guarantees to implement appropriate technical and organisational measures.
• The processor shall not engage another processor without prior specific or general written authorisation of the controller.
• The processor shall make available to the controller all necessary information to demonstrate compliance with the obligations laid out in this Article, and shall allow for and contribute to audits, including inspections.
• The processor shall immediately inform the controller if an instruction infringes this Regulation.
• The controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing.
• The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
• The notification should include as much information regarding the incident as possible including measures taken or proposed to mitigate its possible adverse effects.
• Certification shall be voluntary and via a process which is transparent.
• Processors which submit their processing for certification shall provide the certification body with all information and access needed to conduct the certification process.
• Certification bodies shall be accredited to ISO 17065.
• Certification bodies shall be able to demonstrate their independence and expertise in relation to the subject matter.
• Certification bodies will have established procedures for the issuing, periodic review and withdrawal of data protection certifications.
• Certification bodies shall have established procedures to handle complaints and infringements of the certification, or of the manner in which the processor is operating under certification.
These new laws bring with them new consequences. The maximum fine for contravention has been increased to €20,000,000 or up to 4% of global turnover. There is also a requirement for mandatory breach notification within 72 hours.
ADISA suspects 85% of all current collections would be unlawful under the new directive, but fear not. Steve explains how ADISA and the companies they certify are keeping on top of these new regulations:
“ADISA certified companies operate to rigorous published standards and, more to the point, undergo continuous auditing to ensure compliance. The Standard was revised in December 2015 in preparation for the new EU GDPR and throughout the implementation of this law across Europe, ADISA and our members will be working hard to ensure that this is one group which operates to the law and helps their customers comply with law.”
So, in or out, stick with Blackmore Ricotech.
If you’d like to discuss the ramifications of the new directive and how it might affect your business, give us a call.
Huge thanks to Steve Mellings at ADISA for allowing us to reproduce elements of his report.
To find out how BLACKMORE RICOTECH can manage your secure IT disposal, get in touch. Call 0800 880 3678 today.