BCEB Roadmap to Compliance for General Data Protection
• Owner and Data Controller
9 King Charles Tower, Shield Street, Newcastle Upon Tyne, UK
Owner contact email: email@example.com
1. Introduction to the GDPR
The GDPR (General Data Protection Regulation), which entered into force in April 2016 following its publication in the Official Journal of the European Union, is applicable from May 2018 and is mandatory in all its elements and directly applicable in each of the Member States. A major component of the GDPR relates to being transparent and providing accessible information to individuals about the collection and use of their personal data.
The regulation establishes rules concerning the protection of natural persons with regard to the processing of personal data, as well as rules concerning the free movement of such data.
It protects the rights and fundamental freedoms of natural persons, in particular the right to the protection of personal data.
Under the GDPR, all companies and organizations must have a lawful basis for all processing and storage of personal data. Some companies or organizations might qualify for an exemption or derogation (another word for exemption). Without one, or without a lawful basis, processing or storing personal data is considered “prima facie unlawful.”
2. What is Personal Data?
– Any information relating to an identified or identifiable natural person (‘data subject’);
– An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
• Looks, appearance and behaviour, including eye colour, weight and character traits.
• Workplace data and information about education, including salary, tax information and student numbers.
• Private and subjective data, including religion, political opinions and geo-tracking data.
• Health, sickness and genetics, including medical history, genetic data and information about sick leave.
– Examples: names, addresses, NI numbers, e-mail addresses, IP addresses, CCTV images
3. Definition of certification scope
A certification audit is performed. It evaluates the implementation of the technical standard, including the effectiveness of the organization’s procedures.
– A certificate valid for 3 years is issued upon satisfactory result
– Surveillance audits to verify that the procedures continue to fulfil the requirements of the standard and monitor the continual improvement
– Re-certification after 3 years to confirm the continued conformance and effectiveness of the procedures as a whole
4. BCEB Roadmap for General Data Protection
4-1) How BCEB collects and uses personal data. It applies to the following:
– Potential and certified clients of BCEB for the engagement of any types of certification services;
– Delegates attending BCEB training courses;
– Subcontractors (trainers, auditors, technical experts and/or report reviewers) engaged or to be engaged by BCEB; and
– Other stakeholders/ interested parties for any further business dealings.
Who is data protection certification for?
Organizations with employees are directly affected by the GDPR requirements for record keeping, but all organizations processing the personal data of “natural persons” resident in the EU for professional or commercial reasons, whether as “controllers” or as “processors” (who may manage data on behalf of the controllers), fall within the scope of the regulation. The processing of any data relating to an EU citizen “data subject” is within scope, regardless of where the processing organization is incorporated, registered or listed.
The data lifecycle approach to the regulation means data protection is no longer a problem for the IT or marketing department, but one requiring a holistic approach across the organization.
1. REGULATION (EU) 2016/679
2. As envisaged in GDPR article 42
3. There are some exceptions for public bodies processing data in order to enforce public security or the prevention, investigation, detection or prosecution of criminal offences
4-2) Types of Data collected
BCEB collects personal data directly from the agency when it receives a request for BCEB services, or when the agency is approached by an employee or representative of BCEB. This is usually done through the BCEB enquiries mailbox, the intranet, face to face, telecommunication (Skype) and/or email with a BCEB employee or BCEB representative.
Data to be collected may include, but is not limited to, the following:
– Full name, age, job title, phone number, email address, residential address, office address, identification number, passport number;
– CV, academic certificates and all of training certificates, history of auditing and/or training experiences, professional registration, consulting experiences;
– Financial and transactional data, such as credit card details for payment of services or courses, and invoices;
– Any information voluntarily shared with BCEB, such as feedback and opinions on BCEB services.
4-3) Purposes for Using the Data
BCEB may use the personal data for purposes that include, but are not limited to, the following:
– Prepare a proposal regarding the certification services or training courses offered by BCEB;
– Prepare a subcontractor agreement for the engagement of audit, training, report review, technical advice services;
– Perform qualification of trainers, auditors, technical experts and/ or report reviewers;
– Prepare audit plan, audit reports for the certification service rendered;
– Register delegates and update the relevant systems;
– Deal with any complaints or feedback; and
– Meet compliance and regulatory obligations and as required by accreditation bodies, training partners, and/ or local authorities.
Lawful Basis for Collecting Personal Information
The GDPR defines the lawful grounds for data processing where one of the following applies:
– Consent of the data subject
– Processing is necessary for:
• The Performance of contract with the data subject (or to enter into a contract)
• Compliance with a legal obligation
• Protect the vital interests of a data subject or another person
• Performance of task carried out in the public interest or in the exercise of official authority vested in
• Purposes of legitimate interests (e.g. commercial interests, individual interests or broader societal benefits), which may include those of clients (e.g. service announcements, product recalls)
4-4) With Whom BCEB Shares the Data
• BCEB employees, via access to client files;
• Each agency can see only their own information.
• IT service providers to set up and maintain BCEB systems;
• BCEB authorized representatives for the conduct of certification services;
• Accreditation bodies and/ or local authorities as required.
4-5) Retention Time
Personal Data shall be retained and stored for as long as reasonably necessary to fulfil the original purposes for which it was collected and to comply with applicable accreditation, legal and regulatory obligations; such obligations may require or permit a longer retention period.
Agreement with agency: 6 years
Employment records: 6 years
Contracts, declarations of interest: 6 years
Audit report: 3 years
Mailing: one year after last action
Invoices: 10 years
Logo requests: two years from last action
4-6) How BCEB Protects Privacy
BCEB observes strict security procedures in the storage and disclosure of information to prevent unauthorized access to, or loss or destruction of, personal data. These may include, but are not limited to, the following:
1) Physical Security:
– keeping offices and storage units locked;
– keeping server rooms or cabinets locked;
– cabling desktop machines and laptops to desks;
– implementing clean desk policies;
– ensuring that fire and burglar alarms are in place and that they are functioning correctly;
– ensuring that BCEB equipment such as hard drives and old laptops, computers and mobile devices are securely disposed of at end of life.
(Computers, Photocopiers, Mobile telephones, Digital cameras, Storage media)
2) Technical Security:
– ensuring that all computing devices such as PCs, mobile phones, and tablets are using an up-to-date operating system;
– ensuring all computing devices are regularly updated with manufacturer’s software and security patches;
– using antivirus software on all devices;
– implementing a strong firewall;
3) Organizational Security:
– providing training and awareness programs on security and privacy, so that BCEB employees, subcontractors and BCEB representatives understand the importance of protecting personal data and the means by which they must do so;
– documenting data collection and retention policies;
– ensuring the use of strong passwords by having a password policy in place that is enforced;
– documenting data back-up policies;
4) Personnel Security: every individual employee, subcontractor, service provider, representative, training partner and so on is bound by the BCEB Confidentiality Agreement.
4-7) The Rights of Data Subjects
Data subjects may exercise certain rights regarding their data processed by the Owner.
– Access to personal information (managing personal data requests): You have the right to request what personal data BCEB holds about you, subject to BCEB’s right to verify your identity.
– Correction and deletion: You have the right to correct or amend your personal data if it is inaccurate or needs to be updated. You may also have the right to request the deletion of your personal information; however, this may not always be possible because of legal requirements and other obligations to keep such data. If BCEB is asked to delete your data, BCEB may keep some minimal information about you in order to demonstrate that BCEB has fulfilled its obligations.
– Filing a complaint: Any complaints about BCEB’s adherence to the practices described in this Roadmap shall be addressed using the contact details given below.
BCEB reserves the right to update this Roadmap from time to time and this Roadmap was first established in June 2018.
BCEB undertakes to collect and protect personal data in accordance with GDPR (European Union’s General Data Protection Regulation) data privacy requirements.
BCEB offers management system services to organizations, according to their business context and sector:
– gap analysis against the GDPR;
– certification of professionals against the UNI 11697 standard;
– IT service certifications according to the ISO 27001, ISO 20000 and ISO 22301 standards.
If you have questions or concerns about your privacy, please write to us:
– By email at firstname.lastname@example.org
– In writing, to the relevant BCEB authorized representative, using the email address from the contact directory of BCEB website at www.bceb.uk