GDPR – General Data Protection Regulation
The GDPR (General Data Protection Regulation) is an EU regulation, and most organizations have to make significant changes to their business processes and information security in order to comply with it. The regulation applies to all organizations, regardless of size or industry. For GDPR compliance to be effective, it is necessary to identify the personal data held and its life cycle through the organization's business processes (collection, processing, storage, transfer, deletion).
Based on the collected data, a risk assessment of the processing of personal data is carried out in order to obtain clear answers to the following questions:
- What personal data is collected?
- Since when has it been collected?
- Why is it collected?
- How is it processed?
- What is the legal basis for each processing operation?
- Where is the data stored?
- How long is it stored?
- Who has access to the data?
- To whom is the data transferred?
Subsequently, procedures are drawn up and introduced so that staff who process personal data can perform their duties effectively in accordance with the GDPR. Given the essential obligations of the GDPR (e.g. data subjects' rights, data transfers, lawfulness of processing), it is important that staff have clear guidelines for processing personal data.
The GDPR significantly increases the rights of individuals, and as a result organizations will receive an increased number of requests and complaints from citizens. Organizations are required to respond to such requests within one month, unless a request is unfounded or excessive, or a legal provision allows access to be denied.
Hiring our consultant will ensure that you comply effectively with the regulation and establish practical procedures for processing personal data. Adapting and establishing the necessary processes is complex and requires knowledge of the regulations and expertise in data protection and information security.
GDPR adjustment – steps:
- GAP analysis – an overview of the initial situation and of the desired state in accordance with the GDPR
- Interviews with key employees (determining the purpose of processing, data types, data transfer, business process flow, data storage)
- Analysis of existing documentation (review of internal acts of the organization)
- Analysis of business software used in personal data processing (access control, data processing overview)
- Analysis of standard contracts with third parties in terms of data protection
- Analysis of existing security measures in the organization (backup, system settings, password management, etc.)
- Analysis of current legal provisions related to the business: legal acts on personal data protection, the lawfulness of processing and retention periods, based on the organization's activities
- Preparation of records of processing activities (purpose of processing, categories of personal data, categories of recipients)
- Data protection impact assessment (preparation of an assessment for the processing of personal data that is likely to pose a high risk to the rights and freedoms of individuals)
- Development of personal data protection policy
- Proposed contract annex for all standard contracts (clauses to be amended or added in accordance with the GDPR)
- Preparation of the document on data subjects' rights (a document provided to data subjects, on request, together with their personal data)
- Adaptation of business processes in accordance with the GDPR. Based on the analysis, instructions are prepared for adapting existing business processes (removal of excessive processing, destruction of redundant documents, secure use of the information system)
- Preparation of educational materials for employees
Our service helps you comply with legal and regulatory requirements while taking into account your information technology and business goals. We provide a comprehensive approach to the management and protection of personal data, including third-party security management. For more information and a formal offer, feel free to contact us.