GDPR, or Regulation (EU) 2016/679 of the European Parliament and of the Council, is a new set of rules on the processing of personal data that is mandatory for every business from 25 May 2018.
Steps for GDPR
- Making consumers and customers aware of the personal data being processed and of their rights at any time;
- Designating a Data Protection Officer, where required;
- Defining the purposes and the retention period of personal data storage;
- Preparing a plan and organization for notifying the CPDP in the event of a breach of the personal data system;
- Applying the principles of personal data protection;
- Verifying and demonstrating that the processing of personal data complies with the Regulation;
- Settling relations with third parties, such as couriers, with whom you have contracts in relation to your business;
- Updating privacy and data protection policies, where necessary;
What is the deadline for implementation?
The deadline by which everyone must have introduced the appropriate measures is 25.05.2018.
Are there any sanctions?
After 25 May 2018, the maximum fine is up to EUR 20 000 000 or up to 4% of the organization’s annual turnover for the preceding financial year.
How do we meet the requirements of the regulation?
Step 1: Understand the rules;
Step 2: Analysis and Planning – GAP Analysis, Impact Assessment, Risk Assessment;
Step 3: Implementation;
What are the main innovations for companies?
- Right of access – on request, organizations must provide, in electronic form, the information about the personal data they process and store about a person;
- Data portability – entitles citizens to request the personal data they have provided;
- The right to be forgotten – gives citizens the right to request that organizations delete their personal data;
- Data protection built in from the start – organizations must include data protection measures from the very beginning when introducing new systems, and the personal data collected must not exceed what is required for the organization to perform its duties;
- Express consent to the provision of personal data;
- Data Protection Officer (DPO) – a new post in organizations, responsible for internal data retention rules and for compliance with the Regulation;
- Breach notification – within 72 hours of detecting a personal data breach, the organization must notify the competent authorities;
What is GAP analysis?
GAP analysis is an assessment of the organization’s current level of compliance with the GDPR requirements.
The specific analyses and assessments carried out mainly cover:
- The organization and accountability of the processing and use of personal data;
- The degree of centralization of data protection;
- Data protection levels;
- The level of data consistency;
- Data management rights;
- Notification mechanisms for compromising data;
- Actions in international data transfers;
- Data protection roles and responsibilities;
- Overall level of compliance with the GDPR;
What else does analysis and planning include?
Following the GAP analysis, our experts advise on the design and implementation of organizational and technical measures and processes.
Depending on the needs of the organization, this stage may include developing and implementing processes and procedures for remedying non-compliance, covering:
- Defining the necessary data processing changes;
- Preparing to make changes to the IT data processing environment;
- Determining appropriate control mechanisms for data handling;
- Developing advanced reporting and notification mechanisms;
What does implementation involve?
- Definition – creating and/or updating internal security policies, rules and procedures;
- Development – verifying the changes to the IT environment, internal security, organization of work and the development of registers;
- Implementation – familiarizing employees with the new rules and the changes made;
- Carrying out an internal audit – a general verification of compliance with the requirements of the Regulation;
What is the timeframe for completing all stages?
The time needed for verification and implementation of the process may vary depending on factors such as the maturity of the processes already in place, the size of the organization, and others.
Should a Data Protection Officer be identified in the company?
The Regulation requires a Data Protection Officer only for certain categories of controllers (administrators), namely:
- Public authorities or bodies, except for courts acting in their judicial capacity;
- Controllers whose activities, by their nature, scope and purposes, require regular and systematic monitoring of data subjects;
- Controllers whose main activities consist of large-scale processing of special categories of data or of personal data relating to convictions and offences;
Need legal services?
AVISEC works together with law firms so that we can offer a complete solution to companies that do not have a legal department and need to cover this part of the GDPR requirements.
Why choose AVISEC?
AVISEC can take care of the full technological introduction of GDPR in your organization! Contact us for more information!