The EC has introduced the General Data Protection Regulation (GDPR), a new regulation unifying rights, responsibilities, reporting duties, protection and, unfortunately, also penalties regarding the handling of personal data.
Even though the GDPR may look complicated, there is a simple way of creating a roadmap to becoming compliant with the GDPR and avoiding future problems. The EU values personal rights and therefore takes the handling of personal data seriously.
Abusing personal data, or failing to protect it, may lead to significant fines of up to 4% of the company’s annual income or 20 million EUR.
First of all, the GDPR is a strong regulation affecting every business and organisation dealing with the personal data of anyone living in the EU.
It therefore also applies to businesses based outside the EU that, for whatever reason, process the data of persons living in the EU.
The GDPR can be divided into three main areas – security, personal data accessibility and legal requirements.
Meeting them requires adding controls and, most probably, reorganising your data structures and storage processes.
Personal data belongs to the individual – anyone can ask what data is stored about them, how the data is used, or request its complete removal.
Personally identifiable information (PII), i.e. information that can lead to the identification of a person, is also considered personal data.
Your organisation must be able to trace and locate all personal information on request. In many cases, this will require adjusting the structure of the information storage and handling systems.
Successful implementation can also benefit your organisation: a well-mapped data inventory supports better business analysis and more precise planning.
Our company can help you implement data-mapping tools that give you an overview of where in your organisation this private data is stored, which you will need for any future handling request.
On request, your organisation must be able to remove and discard all of a person’s personal information.
This may seem simple, but much of this information may remain on various media or in backups.
Each organisation that stores personal data must obtain the owner’s approval, with an exact specification of how this private data will be handled and disclosed.
The owner of the information has the right to receive and move his or her personal data stored in your organisation, and you must be able to provide it.
If you store a large amount of data that many owners may request, your organisation could face a significant workload.
It is therefore essential to have the best available automated systems.
The GDPR requires personal data processors and controllers to protect this data against unauthorised disclosure.
If personal data is stolen or disclosed, and an investigation reveals that the organisation did not make sufficient effort to protect it, a significant fine of up to 20 000 000 EUR could be imposed.
The GDPR does not contain a full list of required controls.
Information protection is therefore based on good practice and standards.
Your organisation should have systems that record and control every access to the data.
Installing an appropriate data loss prevention (DLP) tool is strongly recommended.
A sufficient tool will fully control what data leaves your organisation and by which channel.
Our company has extensive experience implementing DLP products in diverse environments, helping to protect against various threats, including corporate espionage.
Appropriate control over the systems is also recommended: all logs from the systems should be collected in a central place, assessed, correlated by a SIEM and monitored 24/7.
A security incident in which personal data is disclosed to an unauthorised person must be reported to the national authority within 48 hours.
For this purpose, our company offers SOC as a service, which saves a significant amount of budget compared to an in-house SOC.
Exploiting unpatched vulnerabilities is one of the easiest ways to breach an environment and steal data. It is recommended to regularly assess your environment for vulnerabilities. For this purpose, our company offers its vScan solution, which is easy to implement and cost friendly.
The controls mentioned above are the minimum; for large processors of private data, implementing full information security standards is inevitable.
Processing of personal data must be fair and transparent in relation to the person concerned. It is the company’s responsibility to inform the user what personal data has been collected and for which purpose.
The owner must agree to the intended purpose and to the fact that the data is being collected.
The conditions for consent have been consolidated, so companies will no longer be able to bury it in long, illegible terms and conditions full of legalese.
The request for consent must now be given in an intelligible and easily accessible form, together with information about the intended purpose of the processing – meaning it must not be ambiguous.
The GDPR stipulates that data owners must be given the opportunity to opt out of the processing of their data, and they must be informed about this right of rejection (opt-out) upon first contact with the data controller.
If the data of a person younger than 16 is being processed, the consent of a legal representative is required.
1. Accountability – Responsible person or DPO
Assigning one responsible, skilled and knowledgeable person to this task will make the GDPR compliance process much easier and smoother.
Our company can offer the services of one of our Information Security Consultants to act as data protection officer, as required by the GDPR.
The DPO is responsible for evaluating and enforcing adequate GDPR processes.
DPOs must be appointed in the case of:
2. Assessment – Data protection impact analysis (DPIA)
Each project dealing with private data is required to start with a DPIA. The DPIA is a classification and assessment of the private data, compliance and risks from the legal, technical and security perspectives.
Our company provides you with a DPIA and a subsequent solution proposal.
3. Design solution
After the assessment, an appropriate solution should be designed.
To meet the GDPR requirements, this solution should include legal adjustments, training, processes, a technical solution and information security implementation.
Our consultants have vast experience designing solutions for large environments, including Fortune 500 companies, and are available to support or fully design your GDPR solution.
The last step is the implementation of the designed legal, training, technical and information security controls.
The implemented solutions should be subject to regular compliance audits in order to reveal and close any possible gaps.