Master the GDPR in four steps. Where to start?


18. 01. 2024

Even though the GDPR may look complicated, there is a simple way to build a roadmap to compliance and avoid future problems. The EU takes personal rights seriously and therefore regulates the handling of personal data strictly.

Abusing personal data, or failing to protect it, can lead to fines of up to 4% of the company’s worldwide annual turnover or EUR 20 million, whichever is higher. The GDPR is a strong regulation that affects every business and organisation handling the personal data of anyone in the EU.

It therefore also applies to businesses based outside the EU that process the data of people in the EU. The GDPR can be divided into three main areas: security, accessibility of personal data, and legal requirements.

Meeting them requires adding controls and, most probably, reorganising how your data is structured and stored.

What is the goal:

Personal data accessibility and structure

Personal data belongs to the data subject: anyone can ask what data is stored about them and how it is used, or ask for it to be erased completely.

Personally identifiable information (PII), i.e. any information that can lead to the identification of a person, also counts as personal data.

  • Full visibility

Your organisation must be able to trace and locate all personal data on request. In many cases this will require adjusting the structure of your information storage and handling systems.

A successful implementation can also benefit your organisation: the same inventory can be used to analyse your business better, which leads to more accurate planning. Binary Confidence can help you implement mapping tools that show where personal data is stored in your organisation and how it is processed.

  • Removal

Your organisation must be able to remove and destroy all personal data of a data subject upon request. This may seem simple, but copies of this data often remain on various media and in backups.

  • Informed consent

Each organisation that stores personal data must hold the data subject’s consent, which states exactly how the data will be handled and to whom it will be disclosed.

  • Private Data portability

The data subject has the right to receive, and to move, the personal data your organisation stores about them, and you must be able to provide it.

If you store large amounts of data that may be requested by a large number of data subjects, your organisation may face a significant workload, which is why well-automated systems are essential.
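The erasure bullet above flags the hard part: a deleted record may still live in a backup you cannot rewrite. One established way to handle that edge case is crypto-shredding: every data subject gets their own data-encryption key, records and backups hold only ciphertext, and erasure means destroying the key, which makes every copy of the ciphertext unreadable at once. The following is an added example written for this article, not Binary Confidence’s code or product. It assumes an in-memory record store keyed by a subject identifier (a constructed sample record is used), and it uses a demonstration cipher built from HMAC-SHA256 in counter mode so that it runs with the Python standard library alone; a production system would use AES-GCM or another AEAD from a vetted library, and would keep the key store on separate, access-controlled infrastructure.

```python
"""Crypto-shredding demo: GDPR erasure that also covers backups.

Added example, not the article's or Binary Confidence's code. The cipher below
(HMAC-SHA256 keystream + HMAC tag) is a stdlib-only stand-in for a real AEAD
such as AES-GCM; the structure (per-subject keys, key destruction = erasure)
is the point being demonstrated.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class PersonalDataStore:
    """Each data subject has its own data-encryption key (DEK).

    Records, and every backup made of them, contain only ciphertext. The DEKs
    live in a separate key store that is deliberately excluded from backups.
    """

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}     # subject id -> DEK (key store, not backed up)
        self.records: Dict[str, bytes] = {}  # subject id -> ciphertext (backed up)

    def store(self, subject_id: str, data: bytes) -> None:
        key = self.keys.setdefault(subject_id, os.urandom(32))
        self.records[subject_id] = encrypt(key, data)

    def read(self, subject_id: str) -> Optional[bytes]:
        key = self.keys.get(subject_id)
        if key is None:
            return None  # erased: any surviving ciphertext is unreadable without the DEK
        return decrypt(key, self.records[subject_id])

    def erase(self, subject_id: str) -> None:
        """Right to erasure: destroying the DEK is what makes erasure effective."""
        self.keys.pop(subject_id, None)
        self.records.pop(subject_id, None)

    def backup(self) -> Dict[str, bytes]:
        return dict(self.records)  # ciphertext only; the key store is never included


def demo() -> dict:
    """Walk through store -> backup -> erase -> restore-from-backup."""
    store = PersonalDataStore()
    store.store("subject-42", b"Jane Doe, jane@example.org")  # constructed sample record
    snapshot = store.backup()  # an old backup taken before the erasure request
    before = store.read("subject-42")
    store.erase("subject-42")
    after = store.read("subject-42")
    store.records.update(snapshot)  # restoring the backup brings the ciphertext back...
    restored = store.read("subject-42")  # ...but the DEK is gone, so it stays unreadable
    return {"before": before, "after": after, "restored": restored,
            "ciphertext_in_backup": "subject-42" in snapshot}


def wrong_key_rejected() -> bool:
    """A DEK for one subject must not decrypt another subject's record."""
    blob = encrypt(bytes(32), b"record")
    try:
        decrypt(bytes([1]) * 32, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the key store must be backed up and replicated separately from the records; if the DEKs travel with the data, a restored backup resurrects the erased subject.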

Security

The GDPR requires controllers and processors of personal data to protect that data from unauthorised disclosure. If personal data is stolen or disclosed and an investigation shows that the organisation did not make sufficient efforts to protect it, a fine of up to EUR 10 million or 2% of worldwide annual turnover can be imposed (the tier that applies to the security obligations of Article 32); breaches of the basic processing principles fall into the higher EUR 20 million / 4% tier.

Notably, the GDPR does not prescribe an exhaustive list of controls: Article 32 asks for technical and organisational measures appropriate to the risk, so information protection is built on best practices and recognised standards.

  • Access control

Your organisation should have systems in place that record and control every access to personal data. Installing a suitable data loss prevention (DLP) tool is highly recommended: a good one controls what data leaves your organisation and through which channels. We have extensive experience implementing DLP products in various environments, helping to protect against a range of threats, including corporate espionage.

  • Monitoring

Appropriate oversight of the systems is recommended. Logs from all systems should be collected in one central place, correlated and assessed by a SIEM, and monitored 24/7.

  • Reporting

A security incident in which personal data is disclosed to an unauthorised person must be reported to the national supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). For this purpose our company offers a Security Operations Center as a service (SOCaaS), which saves a significant amount of money compared to running your own SOC.

  • Vulnerability management

Exploiting unpatched vulnerabilities is one of the easiest ways to breach an environment and steal data. Assess your environment for vulnerabilities regularly. For this purpose our company offers the vScan solution, which is easy to deploy and cost-friendly.

  • Full information security standard

The controls above are the minimum; for organisations processing personal data at large scale, implementing a full information security standard is unavoidable.

Legal requirements

The processing of personal data must be fair and transparent towards the person concerned. It is the company’s obligation to inform the data subject about what personal data has been collected and for what purpose. Where consent is the legal basis, the data subject must agree both to the collection and to the intended purpose.

  • Informed consent

The conditions for obtaining consent have been unified, so companies can no longer rely on long, unreadable terms and conditions full of legalese. The request for consent must be presented in a clear and easily accessible form, together with the purpose of the processing; it must not be ambiguous.

  • Opt-out

The GDPR stipulates that data subjects must be given the opportunity to object to the processing of their data, and that they must be informed of this right at the latest at the time of the first communication with the data controller.

  • Persons under 16 years

Special rules apply when the data of a person younger than 16 is processed: where consent is the legal basis for offering online services to a child under 16, the consent must be given or authorised by the holder of parental responsibility (Article 8; member states may lower this age to no less than 13).

  • Responsible person or DPO

Assigning one responsible, skilled and knowledgeable person to this task makes the GDPR compliance process much easier and smoother. Binary Confidence consultants also act as data protection experts, as the GDPR requires.

The DPO is responsible for evaluating and enforcing adequate GDPR processes, for monitoring the company’s compliance with the GDPR, and for advising the company on the legal requirements it must meet.

DPOs must be appointed in the case of:

  • public authorities,
  • organisations that engage in large-scale systematic monitoring of individuals, or
  • organisations that engage in large-scale processing of special categories of personal data.

Four steps to achieving GDPR compliance

  1. Accountability and Responsibility

Each data controller must adhere to the GDPR principles for personal data processing (lawfulness, purpose limitation, storage limitation, data minimisation, accuracy, and integrity and confidentiality). It must process data transparently, securely and fairly with respect to the rights and freedoms of data subjects, fulfil data subject rights, maintain records of processing activities, and implement adequate technical and organisational measures to prevent data breaches.

  2. Assessment – Analyse your systems and processes

Each project dealing with personal data should include:

  • Data Mapping

Each project dealing with personal data processing should start by analysing the company’s systems and processes through a data map. Data mapping gives the organisation a 360-degree view of the complete lifecycle of personal data flows, from the point of collection to the point of erasure, including all processes, processing points and processing assets.

  • Gap Analysis

Each project dealing with personal data processing should include a gap analysis. It determines whether the technical and organisational measures already in place achieve the GDPR objectives, and what needs to be implemented or improved to reach compliance. Gap analysis is the technique of comparing the current state of measures and controls against the desired state and deriving the steps needed to get there.

  • Data Protection impact assessment (DPIA)

Each project dealing with personal data should include a DPIA (the GDPR mandates one where processing is likely to result in a high risk to data subjects, Article 35). The DPIA classifies and assesses the personal data identified in data mapping and evaluates compliance and privacy risks from the legal, technical and security perspectives.

Our company provides the DPIA together with a follow-up solution proposal.

  3. Design solution

After the assessment, appropriate technical and organisational solutions and measures should be designed.

To meet the GDPR requirements this solution should include legal adjustments, training, processes, documentation, technical and organizational solutions and information security implementation.

Our consultants have vast experience designing solutions for large environments, including Fortune 500 companies, and are available to support or fully design your GDPR solution.

  4. Implementation

The last step is the implementation of the designed legal, training, technical and information security controls and measures. Our GDPR implementation methodology follows the Plan – Do – Check – Act cycle.

The implemented solutions should be subject to regular compliance audits in order to reveal and close any gaps that appear over time.


The project funded through grant agreement number 101145856 is supported by the European Cybersecurity Competence Centre.
