Hi Murray
Yes – current accreditations (that I’m aware of) tend to be more function-focussed than organisationally all-encompassing: ISO 27001 can offer reliable assurance
that an organisation’s IT security is likely to tick DPA compliance boxes, but it’s not really equipped to pass judgement on organisational compliance areas like the integration of DPA compliance into everyday business processes, or managing the matching of
training to staff needs and turnover. That’s the sort of work I’d expect to see in DPA / GDPR certification schemes allowed for in the Recital (http://www.privacy-regulation.eu/en/r81.htm).
Unfortunately, that seems to be rather theoretical at present, as the ICO’s current published position appears to include no great hurry to accredit certification
bodies or carry out her own certifications (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/certification/).
Regards,
Owen
Owen Thomas
Deputy Data Protection Officer
Data Protection Office
Strategy, Performance and Transformation Directorate
Sunderland City Council
0191 5611263
From: M Bryant [mailto:[log in to unmask]]
Sent: 05 September 2018 10:49
To: Owen Thomas
Cc: [log in to unmask]
Subject: Re: [data-protection] "Allowing for " auditing a processor
Hi Thomas,
Can you elaborate?
I am always concerned that these accreditations are often only on one part of the company. They are also a point-in-time snapshot, so will need to be kept up to date. I normally consider it a red flag when a company announces they are 100% GDPR compliant.
Thanks,
--
Murray Bryant
mapsterling.com/privacy