Where to start with GDPR?

or what are Data Protection Officer (DPO) and Data Protection Impact Assessment (DPIA)

 

The EC has introduced the General Data Protection Regulation (GDPR), a new regulation unifying rights, responsibilities, reports, protection and, unfortunately, also penalties regarding personal data handling.

Even though the GDPR may look complicated, there is a simple way of creating a roadmap of becoming compliant with the GDPR and avoiding future problems. The EU values personal rights and therefore takes handling of personal data seriously.

Abuse of personal data or not protecting them may lead to significant fines up to 4% of the company’s annual income or 20 million EURO.

 

First of all, GDPR is a strong regulation affecting every business and organisation dealing with personal data of anyone living in the EU.

Thus it also affects businesses operating outside the EU territory which, for some reason, process data of persons living in the EU.

GDPR could be divided into three main areas - security, personal data accessibility and legal.

This requires adding controls and, most probably, reorganisation of your data structure and storing process.

What is the goal:

Personal data accessibility and structure

Personal data is each one’s personal possession - one can always ask to receive information about what data is stored about him/her, how the data is used or ask to remove it completely.

Personal identifiable information (PII), information that can lead to identification of a person, is also considered as personal data.

Full visibility

Your organisation must be able to trace and locate all personal information on request. In many cases, this will require adjusting the information storage and handling system and structure.

Successful implementation can actually give your organisation the advantage of using the information for better analyses of your business which could lead to a more precise planning.

Our company can help you to implement some mapping tools that, in the need of future handling, will give you an overview on where in your organisation this private data is stored.

 

  • Removal

In case of a request, your organisation must be able to remove and discard all personal information.

This may seem simple, but much of this information may stay on various media or backups.

  • Informed approval

Each organisation that stores personal data is obliged to have an approval from the owner with exact specifications how this private data will be handled and disclosed.

  • Private Data portability

The owner of the information has right to receive and move his/hers personal data stored in your organisation. And you must be able to provide it.

In case you store a high amount of data that a great number of owners can request, your organisation may face significant workload.

Thus it is absolutely essential to have the best automated systems available.

Security

GDPR requires personal data processors and controllers to protect this data against unauthorized disclosure.

If personal data is stolen or disclosed, and if investigation reveals that the organisation did not take enough effort to protect it, significant fine of up to 20 000 000 EURO could be given.

GDPR does not particularly contain a full list of controls.

Information protection is based on good practice and standards.

  • Access control

Your organisation should possess systems that record and control every access to the data.

An installation of an appropriate Data loss prevention tool is strongly recommended.

A sufficient tool will fully control what data and in which way is extracted from your organisation.

Our company has extensive experience with DLP product implementation into diverse environments, helping to protect against various threats, including corporate spying.

  • Monitoring

An appropriate control over the systems is recommended. All logs from the systems should be collected to some central place, assessed, correlated by SIEM and monitored 24/7.

  • Reporting

Security incident when personal data are disclosed to unauthorised person must be reported to national authority within 48 hours.

For this purpose, our company is offering SOC as a service that save significant amount of budget compare to in house SOC.

  • Vulnerability management

Abusing unpatched vulnerabilities are one of the easiest way to breach the environment and still data. It is recommended to regularly assess your environment for vulnerabilities. For this purpose, our company is offering our vScan solution that is easy to implement and cost friendly.

  • Full information security standard

Above are mentioned minimum controls, but implementation of full information security standards is for big processors of private data inevitable.

 

Legal requirements

Processing of personal data must be fair and transparent in relation to the corresponding person. It’s the responsibility of the company to inform the user what personal data has been collected and for which purpose.

The owner must agree to the intended purpose and to the fact, that the data is being collected.

  • Informed consent

The conditions for consent have been consolidated, so that the companies will no longer be able to take advantage in long illegible terms and conditions full of legalese.

Now the request for the consent must be given in an intelligible and easily accessible form, together with the information about the intended purpose of the processed data - meaning it mustn’t be ambiguous.

 

  • Opt-out

GDPR stipulates that the data owners must be given an opportunity to opt-out processing of their data and they must be informed about this right of rejection (opt-out) upon the first contact with the data controller.

  • Persons under 16 years

In case data of a person younger than 16 is being processed, consent of a legal representative is required.

4 steps how to achieve GDPR compliance

1. Accountability - Responsible person or DPO

Assigning one responsible, skilled and knowledgeable person for this task will make the GDPR compliance process much easier and smoother.

Our company can offer the service of one of our Information Security Consultants who operate as data protection officer as it is required by the GDPR.

DPO is responsible for evaluating and enforcing adequate GDPR processes.

DPOs must be appointed in the case of:

  • public authorities,
  • organizations that engage in large scale systematic monitoring, or
  • organizations that engage in large scale processing of sensitive personal data.

2. Assessment – Data protection impact analyses (DPIA)

Each project dealing with private data is required to start with a DPIA. The DPIA is classification and assessment of private data,  compliance and risks from the legal, technical and security perspective.

Our company provides you with DPIA and with following solution proposal.

3. Design solution

After the assessment an appropriate solution should be designed.

To meet the GDPR requirements this solution should include legal adjustments, training, processes, technical solution and information security implementation.

Our company consultants have vast experience in designing solutions for large environment, including fortune 500 companies, and they are available to support or fully design your GDPR solution.

4. Implementation

The last step is the implementation of these designed legal, training, technical and information security controls.

These implemented solutions should be subject to a regular compliance audit in order to reveal and prevent any possible gaps.

 

 

News & Blog

3 najdôležitejšie témy, o ktorých CISO diskutujú v súvislosti so SOC as a Service!
30. 08. 2023

3 najdôležitejšie témy, o ktorých CISO diskutujú v súvislosti so SOC as a Service!

V komunite kybernetickej bezpečnosti sa do popredia dostávajú diskusie o porovnaní interného SOC…
TOP 12 ukazateľov kvalitného poskytovateľa SOC as a Service
17. 08. 2023

TOP 12 ukazateľov kvalitného poskytovateľa SOC as a Service

Pokiaľ v zabezpečení vášho IT prostredia postupujete o level vyššie, pravdepodobne riešite…
MS Exchange zraniteľnosť
18. 03. 2021

MS Exchange zraniteľnosť

Microsoft Exchange je pomerne rozsiahlo rozšírené a obľúbené riešenie emailového servera, ktorý umožňuje organizáciám akejkoľvek…
Vakcína je životne dôležitá. Vedia to aj hackeri
09. 10. 2020

Vakcína je životne dôležitá. Vedia to aj hackeri

Ukradnuté údaje o vakcíne proti koronavírusu môžu pomôcť konkurencii. Hackerský útok však okrem toho môže spomaliť aj jej vývoj. To by mohlo mať zásadný vplyv na krajiny, ktoré bojujú s prepadom ekonomík a druhou vlnou ochorenia COVID-19. Aspoň proti fiktívnym kyberzločincom sa však postaví silný súper – účastníci súťaže Guardians 2020.

see all

Contact

Address

Binary Confidence s.r.o.
Špitálska 53,
811 01 Bratislava
Slovak republic

E-mail

info@binconf.com
support@binconf.com

Telephone

+421 2 321 999 80

    I agree with Privacy and Data Protection Policy
    By clicking [I agree] you consent to processing your personal data by company Binary Confidence s.r.o. and you accept Privacy and Data Protection Policy.

    © 2024 Binary Confidence. All Rights Reserved.Privacy and Data Protection Policy.