The last thing you want to do in this climate is to neglect your responsibilities when it comes to GDPR. Read our interview where Gemma Creagh from Careers Unlimited chats with our expert Tutor Gerry Higgins about the importance of data protection, and where it can all go wrong.
With extensive experience of implementing quality, environmental, health and safety, energy and information security management systems and advising companies on how to integrate them, Gerry adopts a very practical approach to designing, implementing and maintaining management systems and brings this expertise to SQT Training‘s ISO 27001:2017 Internal Auditor Training programme.
Can you tell me about your own professional background? What got you into this field?
I started my career as an engineer but fairly quickly I got into management systems such as ISO 9001, the quality management system standard and ISO 14001, the environmental management system standard. I then got involved in OSHAS 18001, the health and safety management system, which is in the process of being replaced by ISO 45001, the health and safety management systems standard. Following this, I got interested in ISO 27001, the information security management system standard. Antaris implemented the standard in 2008 because we felt that some of our clients were looking for assurance on the management of client confidential documentation.
We’ve all heard the basics of GDPR; what are the biggest mistakes companies can make?
Under the GDPR companies are responsible for the data they collect, including if they transfer this to third parties to be processed. Companies need to ask themselves the five ‘W’s of data:
What could those mistakes potentially cost an SME? Any examples?
The GDPR introduces new data protection requirements such as requiring businesses to implement strict technical and organisational security measures, including pseudonymisation and data encryption. The SME needs to identify what personal data it holds. If the SME had a data breach it could potentially be prosecuted.
When it comes to ensuring GDPR compliance, what are the main differences (and possible pitfalls) for a smaller company compared to a larger one?
The SME may not have the resources or expertise to understand the requirements of the GDPR. Sometimes it’s necessary to keep data for long period of times – for legal or auditing purposes or for medical records – and in those cases, you must implement the appropriate retention policy that specifies the ‘shelf-life’ of the data. The SME may not have the resources to carry this out.
What is the ISO 27001 standard Annex SL and Annex A high-level structure? Why is it important?
One way of managing the security of data is by implementing and being certified to ISO 27001:2013, the information security management system standard. ISO 27001 facilitates the implementation of a robust and systematic approach to managing information, thereby protecting the organisation’s reputation.
The standard helps businesses to become more resilient and responsive to threats to information security. It helps keep the company secure so it can focus on doing “business as usual” whilst clearly showing clients and suppliers its commitment to protecting information.
ISO 27001 can assist companies with the requirements of GDPR by:
Annex SL was developed in order to ensure that all future ISO management system standards (including ISO 27001) share a common format irrespective of the specific discipline to which they relate.
Annex SL prescribes a high-level structure, identical core text, and common terms and core definitions. This common structure will greatly facilitate the integration of management systems including quality (ISO 9001), environment (ISO 14001), energy (ISO 50001), health and safety (ISO 45001) and information security (ISO 27001).
Which are the companies you’d normally work with, and are they different when it comes to requirements or practices?
We work with both large and small manufacturing and service companies in the private sector and with organisations in the public sector. We look at the profile and scope of the organisation’s activities before deciding on the nature and degree of documentation of the management system.
When it comes to the assessment stage, what are the usual processes a business should undergo?
Before the company applies for certification to ISO 27001 it needs to ensure that it has met all of the requirements of the standard including undertaking an information security risk assessment and documenting a Statement of Applicability, which identifies the most appropriate information security controls that apply to the company.
It can best do this by carrying out a pre-certification audit of the information security management system.
How important is the audit and follow-up when it comes to the implementation of corrective action? What steps are usually required?
A company that is certified to ISO 27001 is required to implement an internal audit schedule and undertake internal audits of the whole management system. It is important that it implements the corrective actions that ensue in a timely and effective manner.
Can you tell me about the upcoming courses in September and November?
We are running a 2-day IRCA-approved Internal Information Security Management System Auditor training course in Dublin this September and November.
How will they benefit from ISO 27001:2017 Internal Auditor training?
The 2-day internal auditor training course gives the delegates the skills to undertake internal audits of the information security management system standard.
Thanks again for taking the time to chat with us!
About Gerry Higgins
Gerry has carried out first-, second- and third-party audits in a number of jurisdictions and across a range of organisations involved in the manufacturing and service industries in both the public and private sector. He has also assisted many companies to demonstrate compliance with their statutory and regulatory requirements under the aegis of the Pegasus legal register service that Antaris offers on a multi-jurisdictional basis.
Gerry is CEO of Antaris, which he founded in 1994, has a degree in engineering and an MBA from the University of Limerick and is a chartered engineer and Fellow of Engineers Ireland. He is also a chartered environmentalist through IEMA. Previously, he held positions in industry and academia and enjoys the interaction between management system implementation and training.
Sign up to receive the latest industry and company news direct to your inbox.