Seal of Data Protection – ISiCO Datenschutz
How is your company managing its data-protection arrangements?
Well? Then let us certify you, and benefit from the positive effect this will have on your company’s external presentation and the efficiency of its processes.
With the far-reaching changes that the European General Data Protection Regulation (GDPR) will bring to this field from 2018, data protection will become increasingly important for your company. In the meantime, i.e. during the transitional stage until the GDPR comes into force, you have the right opportunity to deal with this subject consistently.
As part of our consultancy services – but independently of them, too – we can provide you with an opportunity to have your high level and high standards of data protection certified by us.
You will be able to make powerful use of this certificate in your external presentation, thus fully satisfying your customers, staff, business partners and other interested parties that you are making every effort to attain a high standard of data protection in your company.
Along with factors of external presentation, you will also see a positive impact within your company and in your business processes. A certified data-protection management system attests to frictionless processes in dealing with data containing personal information and verifies effective structures in this and related areas. You will see the effect in your daily work and results.
Audits and certifications can also help to make data processing more effective and thus cheaper, because they create systematic knowledge of the procedures used in each case and their mutual interaction.
To sum up: certified data protection will bring your company the following benefits:
- Attested data processing and IT processes in conformity with legislation
- Creation of competitive advantages
- Data protection = good publicity
- Certification will increase awareness in your data-processing department of the implications of its work under data-protection law
- Internal learning processes will be successfully initiated
- Customers will be able to compare different companies with regard to their data protection
Attaining your data-privacy seal through ISiCO-Datenschutz GmbH:
1. Decision and preparation
First comes the decision to have your company certified with regard to its data protection, and in particular the decision on “what” is to be certified: an individual product or service, or the whole company. Once this decision has been made, initial preparations will be necessary, which are best made with the help of an internal or external data-protection officer. This should produce a general overview of the available documentation relating to all processes involving data protection.
Once this has been completed, we shall work jointly to set the objectives and determine further action, particularly the timescale.
2. Audit (fully independent)
An audit of your actual situation, in all processes having points of contact with data-protection law, will be carried out in checklist-based interviews by our experienced legal counsel and IT consultants. In this way an investigation will be made of all data flows in your company, to ensure they conform with data-protection regulations. The audit process will in particular comprise the following:
- Analysing existing data-protection documents, rules and precautionary arrangements
- Recording the actual situation by means of checklists
- Interviews with management board, departments and IT
- In situ inspections
- Recording existing corporate structures and IT processes
- Sifting all relevant contracts and other documents
Once the audit has been completed, an analysis will be made of the extent to which the main statutory requirements and regulations governing data protection have been met, and a comprehensive report will be drawn up on your compliance with data-protection law:
- Legal check on contracts, works agreements, internal guidelines and corporate processes
- Identification of potential risks and security gaps
- Identification of anomalies in IT security
3. Putting measures into practice
The results of our analysis, showing what further measures are needed to meet statutory requirements, will be set out in a Catalogue of Measures and gradually put into practice under our consultants’ supervision.
As soon as a proper standard of data protection is reached in all areas, i.e. all lights (as it were) are “green”, we shall issue our Seal of Data Protection. Depending on the size of the company, the following measures will need to be implemented in detail:
Across the whole company:
- Official procedure log
- Overview of technical and organisational measures pursuant to Section 9 of the German Data Protection Act (BDSG)
- Internal-procedure overview
- Contractual duty of all staff to comply with data secrecy
- Works agreements, corporate guidelines governing e.g.: private internet, e-mail and telephone use, clean-desk rules, passwords, telework stations
- Video-monitoring arrangements
- Time recording, personnel-management system, document-management system
- Policies on use of: laptops, mobile phones, smartphones, RAS/VPN access, etc.
- Use of administrator account
- Use, application, destruction and transport of external data carriers
- Post room
- Visitor regulations
- Use of document shredders
- Procedure in case of loss of codes or code cards
- Onboarding and offboarding of staff
- Servicing of IT and telecommunications, debtor management
- Data transmission to credit agencies
- Transmission of data containing personal details for advertising purposes
- Data trading, address trading
IT and infrastructure:
- RAS/VPN access
- Virus protection
- IT security measures
- Emergency plan
- Other documentation
Entitlement schemes for:
- Server and file systems
- e-mail systems
- Data warehousing
The user’s licence for the Privacy Seal runs for two years. If it is to be extended, a re-audit must be carried out and priority measures put in place.
The Seal of Data Protection can be used on your website, apps and products or services.
Get in touch with us to receive a non-binding offer.