The General Data Protection Regulation (GDPR), the EU's new data protection regulation, takes effect on 25 May 2018. The GDPR applies to the handling of the personal identification information of EU citizens. It applies not only to organizations within the EU, but also to organizations outside the EU that process and store such personal data. It will have a significant impact on the operations of many organizations.

A company outside the EU with no business aimed at EU customers may still unintentionally become involved in activities subject to the GDPR. Local organizations are encouraged to conduct a full and serious review of how personal data is handled in their business operations. Significant changes may be needed to every operation involving personal data: collection, storage, identification, analysis, use, transfer, and so on.

Depending on the impact of the violation and the due diligence shown, an organization that breaches the GDPR may be subject to a fine of up to the higher of EUR 20,000,000 or 4% of its annual global revenue.

Important Requirements in GDPR

Compared with Directive 95/46/EC, the requirements have been strengthened; the most important ones are listed below:

  • Data minimization: Personal data must be adequate, relevant and limited to what is necessary for the purpose of processing.
  • Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary.
  • Conditions for consent: Organizations must request permission in easy-to-understand terms. Assuming consent, or requiring users to opt out, is not allowed.
  • Right of access: Transparency is increased by requiring controllers to confirm to data subjects whether their data is being processed.
  • Right to be forgotten: Data subjects can request that controllers erase their personal data and stop distributing it.
  • Automated processing: Data subjects have the right not to be subject to a decision based solely on automated processing.
  • Data breach notification: Within 72 hours of a data breach, the controller shall notify the supervisory authorities and the affected data subjects.
  • Due diligence: Establish technical and organizational measures that demonstrate compliance with the GDPR.
  • Subcontractor control: Data controllers shall ensure that data processors are able to fulfil the requirements of the GDPR.
  • Certification: Voluntary data protection certification can be used to demonstrate compliance with the regulation.

Possible Solutions by the Organizations

  • Arrange for management and front-line employees to attend GDPR-related training courses.
  • Implement an Information Security Management System (ISMS) based on ISO 27001:2013.
  • Implement controls on outsourced processes.
  • Conduct regular internal and external audits of operations.
  • Continually improve the ISMS according to the identified risk levels.

Support by DQS

DQS Academy provides professional training courses and audit/certification services for the GDPR and ISO 27001:2013, helping clients improve their information security management systems and reduce the risk of violating the regulation.

The General Data Protection Regulation (GDPR), which governs the handling of the personal identification information of EU citizens, takes effect on 25 May 2018. The regulation applies not only to organizations within the EU, but also to organizations outside the EU that process such personal data. This will have a significant impact on the operations of many organizations.

Every company with international business should take the time to review this regulation and assess the related risks. The key requirements of the GDPR, and how an information security management system based on ISO 27001:2013 can help a company meet them, are outlined below.

  • Arrange for management and relevant front-line staff to attend GDPR-related training courses;
  • Implement an information security management system based on ISO 27001:2013 to reduce the risk of non-compliance;
  • Implement controls on outsourced processes;
  • Carry out internal and external audits as part of routine monitoring;
  • Continually improve the information security management system according to the risk level.

DQS Academy offers a range of GDPR and ISO 27001:2013 training courses, audits and certification to help organizations and enterprises improve their information security management systems and reduce the risk of violating the regulation.