On 25 May 2018 a new regulation on data protection and control, known as the General Data Protection Regulation (GDPR), comes into force.

If you process personal data (e.g. customer credentials), it is likely that the new regulation affects you. Processing of personal data means any operation or set of operations performed on personal data, whether or not by automated means.

This article will help you understand and identify the requirements and find solutions.

The regulation applies to every organization or company in the EU that processes personal data. In the most serious cases a fine can reach up to 20 million euro or 4% of annual worldwide turnover, whichever is higher.

GDPR highlights:

  • In cases of large-scale processing a DPO (Data Protection Officer) must be appointed.
  • It requires a DPIA (Data Protection Impact Assessment) before high-risk processing and, where the assessment shows high residual risk, prior consultation with the Office for Personal Data Protection.
  • It strengthens data subjects' rights and introduces new ones: the right to be forgotten (erasure), the right to data portability, etc.
  • It brings higher sanctions for infringements of personal data protection.
  • It is uniformly applicable across the EU.

What does GDPR consider personal data?

Besides obvious personal data such as name, gender, date of birth and age, it also covers IP addresses, photographs, e-mail addresses and phone numbers. A separate category is sensitive (special-category) personal data, such as biometric and genetic data, which is subject to a much stricter regime.

How to comply with GDPR?

Given the regulation above and the obligations resulting from it, you need to analyze what in your organization falls under GDPR. Based on that analysis, apply individual measures and solutions appropriate to your business environment.

The analysis itself will not only be the basis for new standards resulting from GDPR; it may also reveal potential vulnerabilities in your IT environment, which directly affects your overall level of data protection.

Gap analysis and GDPR compliance plan

A gap analysis and a GDPR compliance plan are the first steps an organization must take to achieve compliance. The gap analysis answers the question of where GDPR requirements are not yet fulfilled, and the compliance plan is the guideline that leads the company to the final goal.

Data protection impact assessment

The data protection impact assessment is the second step. Besides fulfilling the requirement to carry out such an assessment for high-risk processing, it lets you evaluate the processing of personal data and the planned measures against the actual risks.

Design of processing changes

Processing changes are the third step toward conformity with GDPR requirements. The changes originate from the preceding analytical phase and the identified gaps against GDPR requirements. New or changed processes include adding, removing, changing or moving personal data, incident reporting, etc.

Proposal of ICT measures

Proposing ICT measures is the key step that lets the ICT department implement technology in a way that achieves GDPR compliance. Data storage and backup, monitoring and logging, networks, mobile devices, physical infrastructure security, antivirus protection and more are the key areas we address when designing measures.

Outsourcing the Data Protection Officer

As part of the GDPR implementation it is necessary to decide on the role of the Data Protection Officer, who manages personal data protection and bears responsibility for this area.

If you would like further information, do not hesitate to contact us…


Sources: eset.cz, tmcoy.cz, gdprcompliance.eu, gdpr.cz