Hi Murray


Yes – current accreditations (that I’m aware of) tend to be more function-focussed than organisationally all-encompassing: ISO 27001 can offer reliable assurance that an organisation’s IT security is likely to tick DPA compliance boxes, but it’s not really equipped to pass judgement on organisational compliance areas like the integration of DPA compliance into everyday business processes, or managing the matching of training to staff needs and turnover. That’s the sort of work I’d expect to see in DPA / GDPR certification schemes allowed for in the Recital (http://www.privacy-regulation.eu/en/r81.htm).


Unfortunately, that seems to be rather theoretical at present, as the ICO’s current published position appears to include no great hurry to accredit certification bodies or carry out her own certifications (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/certification/)


Regards,


Owen


Owen Thomas

Deputy Data Protection Officer

Data Protection Office

Strategy, Performance and Transformation Directorate

Sunderland City Council

0191 5611263


From: M Bryant [mailto:[log in to unmask]]
Sent: 05 September 2018 10:49
To: Owen Thomas
Cc: [log in to unmask]
Subject: Re: [data-protection] "Allowing for " auditing a processor

Hi Thomas, 


Can you elaborate? 


I am always concerned that these accreditations are often only on one part of the company. They are also a point-in-time snapshot, so will need to be kept up to date. I normally consider it a red flag when a company announces they are 100% GDPR compliant.

Thanks, 


-- 

Murray Bryant


mapsterling.com/privacy


All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html