EU GDPR and EU ePrivacy Regulation Compliance Improvement and Certification


Introduction

Following the implementation of "Personal Data Protection Acts" in jurisdictions worldwide and the EU-US Privacy Shield Framework between the United States and the European Union, the EU General Data Protection Regulation (EU GDPR) has been enforced by the European Union since May 25, 2018; it requires organizations to protect the personal data they process.

Therefore, the organization must establish a systematic management mechanism (for example, a personal information management system (PIMS) according to BS 10012:2017, or a privacy information management system according to ISO/IEC 27701:2019) in order to comply with the regulation and with the data protection principles required by Article 5 GDPR. This includes, for example, the appointment of dedicated personnel responsible for the personal data inventory, education and training, communication, notification, data protection, and control measures (for example, integration with ISO 27001 information security management and ISO 22301 business continuity management).

To demonstrate compliance, the organization shall take the following regulations into consideration:

  • REGULATION (EU) 2016/679 - EU GDPR (General Data Protection Regulation)
  • DIRECTIVE (EU) 2016/680 - processing of personal data in relation to criminal offences or the execution of criminal penalties
  • Regulation on "Privacy and Electronic Communications" (EU ePrivacy Regulation)


Who should apply?

This service is intended for organizations that have been requested to comply with the EU GDPR:

  • Personal data controllers and processors;
  • IT or web-based service providers, IT product developers and manufacturers;
  • "Smart" service providers;
  • Service, supply chain, and outsourcing providers.


Service objectives

  • Demonstrate that personal data processes comply with the EU GDPR's personal data processing principles;
  • Demonstrate technical compliance with the EU GDPR's requirements, e.g. encryption and access control.


Service benefits

  • Demonstrate EU GDPR compliance through the Trusted Site Privacy certification by TUViT.
  • Improve the overall understanding of EU GDPR and data protection compliance requirements.
  • Identify the opportunity for improvements in personal data protection in the organization.


Service outline

Stage 1, EU GDPR compliance preliminary assessment (also known as "Project Scoping")

Description
Purpose: Assess the feasibility and preliminary scope of EU GDPR certification
Time and resource estimate: 3 ~ 5 days;
Activities:

  • Evaluation of compliance with the personal data processing principles, i.e. Chapter 2 GDPR;
  • Evaluation of the processes related to data subjects' rights, i.e. Chapter 3 GDPR;
  • Evaluation of the personal data controller's and processor's responsibilities, i.e. Chapter 4 GDPR;
  • Evaluation of the service and the personal data processing processes from a legal perspective;
  • Evaluation of the ICT systems, services, and products from a technical perspective, i.e. Art. 32 GDPR and Art. 25 GDPR (Privacy by Design and by Default);

Deliverables:

  • EU GDPR compliance assessment report


Stage 2, EU GDPR compliance advisory and improvement

Description
Purpose: Remediate the identified deficiencies
Time and resource estimate: 1 ~ 3 months;
Activities:

  • Support and preparation for the EU GDPR legal and technical assessment;
  • Support for the Data Protection or Privacy Impact Assessment (PIA) according to Art. 35 GDPR;
  • Support and advice on the preparation of new documentation or policies in the context of the GDPR (e.g. a Data Protection Policy);
  • (Option) Support with EU GDPR compliance document preparation, i.e. a Data Protection Management System (according to ISO/IEC 27001, ISO/IEC 27701, BS 10012);

Deliverables:

  • Professional services;
  • Documentation;


Stage 3, EU GDPR compliance re-assessment

Description
Purpose: Verify and validate the EU GDPR compliance improvements
Time and resource estimate: 3 ~ 5 days;
Activities:

  • Data protection audit, including a technical and/or IT security part in relation to Art. 32 GDPR or Art. 25 GDPR (Privacy by Design and by Default); legal, technical, and cybersecurity aspects can be covered;
  • TUViT Trusted Site Privacy - EU GDPR compliance assessment;
  • (Option) Supplier audit for controlling the data processor according to Art. 28 GDPR (processor agreement);
  • (Option) Audit of video surveillance (e.g. GDPR compliance control for hotel groups or others);
  • (Option) Website audit (legal and, where applicable, technical, according to the GDPR);

Deliverables:

  • TUViT Trusted Site Privacy assessment report


Stage 4, EU GDPR compliance certification (option)

Description
Purpose: Demonstrate EU GDPR compliance
Time and resource estimate: 1 month
Activities:

  • Close out the findings through document review of the objective evidence and/or an additional on-site assessment;
  • Apply for the TUViT Trusted Site Privacy certification;
  • TUViT Trusted Site Privacy certification report

Deliverables:

  • TUViT Trusted Site Privacy certificate


Organizational information

  • The time and resources required depend on the complexity of the personal data processing process and/or product.
  • The client should prepare the following documents for the service discussion:
    1. Product or service catalogue, user manual, use cases/scenarios;
    2. Security functionality, architecture, and specification;
    3. Security technologies adopted, i.e.
      • Cryptographic algorithms;
      • Security/session key management;
      • Supporting software, hardware, and firmware.
  • This service is delivered in collaboration with TUViT, Germany.

Last modified: Thursday, 1 October 2020, 4:42 PM