Companies have only 15 months to adapt to the new rules for data protection brought by GDPR (General Data Protection Regulation). Information about customers, suppliers and employees are processed by almost any company. Apart from these there are big databases of personal data to be found for example in health reports or in registers of citizens in the state administration. If organizations don’t adjust the processing of this data to the new rules, they are facing fines up to €20 million or 4% of their global turnovers.
‘‘The regulation about personal data protection will touch overwhelming majority of companies.‘‘ says Eva Skornickova, legal consultant for data protection and IT security. ‘‘The changes will affect the entire process from data collection, through their processing, to shredding or deleting them from the system.‘‘
The regulation adjusts, among many others, the form of approval that needs to be gained from each person when collecting these data. The approval has to be explicit, unambiguous and repealable at any time. For example, when you run an e-shop, it is important to revise the way how you inform the customers about their rights and what options for law application you give them. One of the rights of your customers is for instance to require irrreversible deletion of their personal data from your systems.
For organizations of state administration and organizations working with big databases or especially sensitive data there is a requirement to appoint a person responsible for personal data protection (Data Protection Officer, DPO). The role of the DPO is above all to oversee the compliance with GDPR and to provide internal operations like audits or trainings. Don’t forget though that the final responsibility for compliance with GDPR is borne by company leaders.
In practise it means that companies will have to, among other things, revise contracts, guidelines and internal documents, so that they comply with the new legislation. In many organizations that had no clearly defined roles for work with data until now, these will have to emerge. Changes in technicalities will also affect big amount of internal systems that get in touch with personal data.
In case that an incident happens in spite of all measures, companies will have to report the data leak to authorities and alert the affected persons, and that all within 72 hours of finding out.
GDPR audit is a very good way how to start preparing your company. We will help you to find out what you should improve.
Analysis of internal security
From the security point of view, it is important for companies to thoroughly think about how personal data is worked with in their organizations. The next step is to minimise the risk that an intentional or unintentional data leakage will occur. Practically this means there’s a need to start with analysis of movement of personal data. Mapping out where they are located, who can access them, and how they are manipulated is the base for identification of security weak spots.
‘‘This kind of audit often reveals that there already are incidents going on. When employees share data via public cloud services, or through an unencrypted flash disk, the attacker can very easily access them,‘‘, explains Matej Zachar, security manager in Safetica Technologies. ‘‘Results of such an analysis serve as a base for implementation of further measures. From the GDPR point of view it’s necessary to set rules that will enable prevention of any such incidents.‘‘
The main steps to comply with GDPR
• Internal audit of work with data
• Defining rules concerning the ways to treat personal data
•Trainings of employees which ensure that rules are really observed
• Encryption of data
• Limiting the ways how data can be handled and shared
• Implementation of a DLP solution which secures that data will not leak due to a failure of an employee
• Backing up data repositories so that nothing gets lost
• Protection against external attackers using a trusted antivirus solution and other network security technologies like IDS/IPS, firewalls and other
Make the first step towards understanding GDPR - come to our webinar.