Decisions: Standards and certifications
17 September 2018
While sometimes seen as a necessary cost of doing business, standards and certifications can also confer competitive advantage and become a differentiator in a crowded market.
Thus goes the mantra of those who offer such services, but is there any truth to it? And in the new era of General Data Protection Regulation (GDPR), have attitudes changed towards regulation, compliance, standards and certifications? Do Irish organisations see the benefits?
The National Standards Authority of Ireland (NSAI) report for 2017, which was released in August, reports that standards play a key role in boosting international trade, contributing to GDP and creating jobs.
“More and more businesses are recognising that standards can offer them a competitive edge and overcome potential barriers to trade. This is a position supported by a report conducted by the Centre for Economics and Business Research (CEBR), which found standards play a pivotal role in supporting Ireland’s continuing economic recovery by significantly boosting trade and GDP, and creating new jobs,” wrote Geraldine Larkin, CEO, NSAI.
Indeed, another report by CEBR on the UK economy found that “standardisation at a national level would be associated with approximately £8.2 billion (€10.37 billion) of the £29.0 billion of GDP growth recorded in 2013 (2014 prices)”.
The annual report states that NSAI currently has more than 23,000 standards in its catalogue, of which 1,490 were published or revised in 2017. Some 1,324 were brand new, with 4 coming from Ireland, 989 from the European authority, CEN, and nearly 500 from further afield.
By way of context, between the CEN and the European Committee for Electrotechnical Standardisation (CENELEC), ICT ranks third behind transport and mechanical engineering for publications on standards, with almost 2,500.
As for activity in standards, in 2017 NSAI sold 12,875 globally, with 6,819 sold in Ireland. The Irish figure represents a 15% increase on the previous year.
Uncertainty and challenges
Despite this apparent strong uptake of standards and certifications, there is still much uncertainty and challenge in markets in Ireland, but Larkin is confident of the effects of the NSAI’s work in the area.
“Much has been reported about the challenges that Ireland and Irish business face during the current economic recovery and the evolution of a post-Brexit environment. Standards present one important way to tackle the challenges and take advantage of opportunities that may arise.”
“It is in this environment that I see standards, conformity assessment and metrology as crucial supports to business. NSAI is committed to providing the key components of the trade infrastructure which enables industry and the consumer to go about their business with an ‘assured confidence’,” wrote Larkin.
“Now, more than ever, Irish businesses need certainty. With just over a year to go until this country’s relationship with its closest neighbour, competitor and ally is due to change fundamentally, businesses need to prioritise for this momentous shift.”
With GDPR being the most recent, and arguably the most widespread, experience for many organisations in the kinds of activities that are associated with achieving compliance with regulation and standards, TechPro spoke to Elizabeth Fitzgerald, a solicitor working with technology companies.
Fitzgerald said that in her experience, the highest levels of compliance were among companies where the processing of data that comes under GDPR is central to their business.
“If you are a B2C company, where data is integral to your product, then compliance is a major issue,” said Fitzgerald.
Among such companies, she said compliance rates are high and GDPR has been seen as an opportunity to reduce risk by getting control over data, an exercise which many had been hoping to do but for which the regulation provided additional impetus.
“These businesses cannot do business until they demonstrate that they have complied to the highest levels,” said Fitzgerald.
Now those companies have a better view of what is happening, and better knowledge of their own situation and that of their partners and suppliers, which has reduced the unknowns in terms of risk.
“That has been a general benefit of GDPR. There is less data that is loose,” said Fitzgerald.
As GDPR was published in 2016, many companies, particularly those without legacy systems, had built its provisions into their products and services, allowing them to get a head start, Fitzgerald argues.
“Contract review and sale closure has been much faster for that kind of company because they have gotten ahead of the game,” she reports.
Overall, Fitzgerald said, she has been quite impressed by the engagement of companies generally with GDPR and the application of its provisions.
One area in ICT where standards and certifications will have a major impact in the future is around skills and professionalisation.
According to Mary Cleary, deputy CEO of Irish Computer Society and ICS Foundation, there is a problem in ICT as a profession.
Certification implies quality being validated, Cleary argues, and that is becoming more important than ever before, because of globalisation and digital transformation.
Interoperability and standards are key elements in different fields of IT, particularly in areas such as health. Financial services, too, rely on standards for interoperability, she said.
However, despite this reliance within the industry, there is a key area where there is a distinct lack of standards and regulation.
“When we talk about IT, it is not a regulated profession,” said Cleary.
When someone goes to college and gets a degree in engineering, they are an engineer, or when someone goes through medical school, they become a doctor. However, when someone graduates with a degree in computer science, she observes, there is little definition for the role they might take up in the ICT world.
This is compounded, she says, by the situation where people have gradually gained experience over the years and may have attained positions of significant responsibility in technical roles, without having formal qualifications.
Cleary said that there are various bodies and initiatives currently working to find ways for people to structure and formalise their record of professional development and growth.
Cleary sits on the ICT Standards Consultative Committee for the NSAI, addressing these issues, also working with European bodies.
There is work being done at European level, she said, supported by the European Commission and implemented by CEN, on IT professionalism: standardising the components and characteristics of that professionalism in order to drive a common language and definition of what it means to be an IT professional.
It has been agreed across Europe that there are four pillars to professionalism, and these all have to be standardised.
The first is competence. There is now a European eCompetence Framework for ICT since 2016.
Secondly, there is education and training. There is a project approved by CEN, around standardising curriculum guidelines, based around the eCompetence Framework, to ensure education and training is available on a standardised basis to ensure learning outputs for students are appropriate.
Third, a common body of knowledge. There is a project underway to create a definitive common body of knowledge for the profession. This is partly based around an initial collection of 23 key roles.
The 23 generic European ICT Professional Profile descriptions reflect the top of a European ICT Profile family tree, according to CEN. The profiles may be used for reference, or as the starting point to develop further ICT professional profile generations, by European stakeholders. The profiles are structured in six families and cover the ICT business process.
Fourth is a code of ethics. There are various codes available and that can be brought together as a basis, but with the implications of the likes of AI and autonomous machines, the need for this is greater than ever, Cleary says.
“There is a great willingness in Europe and at home to support and fund these initiatives,” said Cleary.
Cleary believes that not only will this standardisation of the profession help employers and IT professionals themselves, but it will also go some way to tackling the shortage of skilled professionals across the industry.
The lack of definition in the profession has a direct impact for those going into education, she argues, and puts many off pursuing an ICT career.
“In my opinion, and from the evidence I have seen in the studies and work that’s being done at European and local level, we are not getting enough people into the profession to study for it, because they don’t really perceive what an IT professional is, so it doesn’t have the same status.”
Employers too, Cleary argues, are becoming less tolerant of people without evidence of the necessary skills for ICT roles, and are increasingly demanding not just evidence of qualification, but also of ongoing learning and professional development.
The CareerPlus initiative from the Irish Computer Society gives IT professionals a means of recording and tracking their ongoing development. “CareerPlus will help you measure and describe your competences against a recognised European standard,” says ICS.
This month sees Laztech and Global Knowledge address the central theme of standards and certification from their own perspectives, while NUACOM examines cloud computing and its effects for efficiency.
GDPR compliance can deliver business benefits
“By working with partners that conform to the ISO 27001 standard for information security, organisations benefit from those principles when complying with that aspect of GDPR”
Carmel Mulligan, Laztech IT Services
When it comes to compliance, one regulation has loomed above all others recently: GDPR. Much of the coverage to date has focused on how technology can address this, but this is out of proportion to the attention it gets in the regulation itself. GDPR has seven core principles and only one – integrity and confidentiality – has a technology component to it.
That’s not to diminish its importance: at Laztech IT Services, we have noticed a trend towards organisations moving towards more proactive managed services with their providers. This is happening because GDPR is forcing organisations to take a more rigorous approach to back-up and information security. By working with partners that conform to the ISO 27001 standard for information security, organisations benefit from those principles when complying with that aspect of GDPR.
Although compliance is often the driver for improving security and data protection, there are business benefits. Ransomware has been a widespread risk for many businesses in the past year, as an infection can pose serious setbacks. If a company has an online back-up of its data, it can work with an IT partner to restore the data and minimise the potential downtime which in other circumstances would badly affect a business’ ability to keep running. In this way, GDPR is a great opportunity for companies to be safer against a significant business risk like ransomware by having a regular backup strategy.
In addition to considering where IT can play a role in developing a compliance plan, the regulation’s other principles provide a useful guide. They consider areas such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and accountability.
The first step is to discover what data you’ve got, who it’s about, why you hold it and where you do so. Just as companies might build an asset register of physical items belonging to the business, this effectively becomes a personal data register of information that an organisation collects about its employees, customers and suppliers. This exercise will also uncover where this information is stored, and whether it’s up to date.
Documenting all of these stages is critical, as it complies with the GDPR principle of accountability. This also requires a business to put in place a retention and deletion policy. This ensures it only keeps the data it needs for as long as it needs. This process also needs to include physical records, not just electronic data.
Many of these stages will be uncharted territory for many companies, which is why it is valuable to engage with an external consultancy such as Datatrails that specialises in GDPR, data protection and privacy. This can give an invaluable independent assessment of an organisation’s readiness for compliance. What’s more, it can support companies that need to nominate a data protection lead within the business.
GDPR will help organisations to get to their ideal state for data control and management, which can only be beneficial. The Data Protection Commission has already indicated that it wants organisations to self-comply; I believe that once business owners realise this will allow them to get a better grasp of their data, they will see the benefits of compliance.
The culture of a business keeping every bit of information will change to one of keeping only what it needs. This will lead to greater efficiency, because it will be easier for a business to locate records when requested to do so. It will also significantly reduce its costs for data storage and maintenance. Compliance is an opportunity, not an obstacle.
Compliance and standards for cyber security
“Acknowledge that cyber security is a people problem, not a technology problem, and prioritise accordingly”
Steven Purcell, country manager Ireland, Global Knowledge
In order to ensure compliance with accepted IT and business standards, learning today must focus on the candidate’s ability to manage vulnerabilities and propose controls, processes, and updates to a company’s policies. Nowhere is this more important than the whole area of cyber security. Based on the insight and relationships developed over many years, Global Knowledge has developed a best practices model of a superior cybersecurity organisation and discovered several critical characteristics that successful cybersecurity organisations all seem to share.
Step 1: Acknowledge that cyber security is a people problem, not a technology problem, and prioritise accordingly
This critical piece — the human — has the largest impact on return on investment (ROI) for cybersecurity success. The first step in building a winning team is prioritising people. A firewall or intrusion prevention system that is poorly configured by a knowledgeable human will never work as intended. With hiring and outsourcing a major challenge, an investment in people is more important than ever, which means preserving and enhancing the greatest asset you have — your people.
Step 2: Address the human element so your cyber security thinking can evolve ahead of the “bad guys”
We believe that successful cyber security is a three-dimensional solution: People, Processes, and Technology. Successful cyber security organisations think about all three dimensions and get them right. The latest thinking involves the philosophy of “zero-trust” cyber security. This model is equivalent to locking all the rooms in the castle and only providing keys to the rooms each person needs. This lock-down model works well because, even when credentials are compromised, it limits risk exposure to minimal data and systems.
Step 3: Cyber security is maturing into sub-specialties and professionals should develop the skills they need to “play their position”
Cyber security has grown in complexity to the point that there are sub-specialties that have emerged. In our analysis of successful cyber security organisations, eight specific specialisations have emerged over the last few years. Very large organisations have teams in each of the eight specialisations, while smaller organisations tend only to have a few cyber security personnel.
These eight specialisations are:
See more on our cyber security learning and training solutions at www.globalknowledge.ie
Beware GDPR certifications
“Training now becomes an important part of this new regulation, and businesses and organisations need to make sure that their employees are trained to a standard and ensure they have a clear understanding of what the GDPR means”
Paul McCourtney, Certified Data Protection Practitioner and CEO, Data Protection Group
Officially recognised certifications are a new feature of the EU General Data Protection Regulation (GDPR). The Regulation expressly recognises certifications from approved and accredited certification bodies as acceptable mechanisms for demonstrating compliance. The Irish National Accreditation Board is the accreditation body in Ireland for the purposes of Article 43(1), but as yet there are no accredited bodies that can grant GDPR Certification, or say you are “GDPR Certified”. And it is important to note that such certification will only apply to processing operations or sets of operations, and not to individuals, such as Data Protection Officers (DPO).
There are though, many courses out there for all different skill levels from basic entry on what the GDPR is about and what you need to know as a business, right up to in-depth training for the likes of DPOs and people working at high levels in privacy and compliance. Companies need to decide what level of training is appropriate for them and their staff.
The GDPR is a substantial piece of legislation which imposes many obligations on all entities that process personal data of EU residents. Just stating you are compliant is not sufficient; you must be able to evidence your compliance — Article 5(2): “The controller shall be responsible for, and be able to demonstrate, compliance with the principles”.
The Irish Data Protection Act was signed into law on 24 May 2018, as a result of the Regulation and changes the previous data protection framework established under the Data Protection Acts 1988 and 2003. Its provisions included establishing a new Data Protection Commission as the State’s data protection authority, transposing the law enforcement Directive into national law and giving further effect to the GDPR in areas where member states have flexibility.
Training now becomes an important part of this new regulation, and businesses and organisations need to make sure that their employees are trained to a standard and ensure they have a clear understanding of what the GDPR means and how to implement that in practice within their business.
GDPR.ie and GDPRTraining.ie, part of The Data Protection Group, have teamed up with GURU Team Ireland to provide training courses at all different levels. These courses are designed to provide businesses with a platform to help their employees understand how the GDPR applies to their organisation and advise and assist in delivering what is needed to achieve legal compliance.
This structured approach to training provides attendees the necessary knowledge that will help them understand and work within the organisation in implementing and maintaining compliance.
The company has built a dynamic team of some of Ireland’s best legal, privacy and compliance experts, many with more than 30 years experience, to deliver comprehensive GDPR workshops and training, solutions to SMEs, professional bodies and enterprises throughout Ireland and Europe.
Improving productivity with cloud computing
“Our Cloud Phone System is focused on five main areas: mobility, automation, management, connectivity and productivity”
Igor Toma, CTO, NUACOM
Cloud computing offers great advantages to today’s businesses in terms of mobility, scalability, automation and cost. It’s time to say goodbye to convoluted legacy systems and welcome 21st century technologies, using internet growth in favour of your business. At NUACOM, we help Irish businesses to implement a new communication system based on cloud computing technology, which opens a whole new world of opportunities. Our Cloud Phone System is our main product and is focused on five main areas: mobility, automation, management, connectivity and productivity, with numerous features including:
If you run marketing campaigns, you can use the call tracking and measure your results.
We integrate with Salesforce, HubSpot, Pipedrive, Google and Zapier, the last of which can be connected to hundreds of business apps.
We cater for any business size, from a small office of 2 or 3 team members up to organisations with 100+ employees and multiple locations. The only requirement is a broadband connection in the business.
Call us at (01) 554 0222 or email@example.com