GDPR. Are you ready?

The General Data Protection Regulation is important for all organizations. This is a summary of the absolute essentials you need to know if you are in some way involved. It will probably prompt you to reach out and search for more information relevant to your particular profession.

THE NAKED TRUTH

From May 2018 organizations will not only have ethical and legal obligations to actively protect personal data. They will be obliged to prove that they are doing so effectively and according to the law, and any breach will result in considerable fines. All of this is imposed through a single regulation that applies uniformly throughout Europe.

WHO DOES GDPR APPLY TO

Practically all organizations based in the EU, plus any organization processing personal data of data subjects who are residents of the EU.

MUST DEMONSTRATE WHY AND HOW - ACCOUNTABILITY

Organizations must be able to justify why their collection, storage and processing of data is legal. Organizations must actively demonstrate and prove HOW they comply with the regulation. So they must at any time be able to show the methods and procedures they apply to protect the data against leakage, loss and corruption.

MUST KEEP RECORDS

Organizations must keep records of their personal data processing activities.

ACTIVE CONSENT FROM DATA SUBJECT REQUIRED

A Data Processor must implement a means through which the data subject actively agrees to their data being processed. This could be a form to be filled in and signed. Consent by default is not accepted.

Data processing without active consent is only allowed in situations such as national security, the protection of public or personal health, and processing by parts of the public administration.

DATA SUBJECT’S RIGHTS

RIGHT TO BE INFORMED

An organization must clearly inform a data subject that their personal data will be collected or processed. It must also provide adequate information about who will be processing the data and how that party can be reached by the subject.

RIGHT TO HAVE ACCESS

The data subject can ask any organization what information it holds on them, and the organization is obliged to provide that information.

RIGHT TO RECTIFICATION

A data subject has the right to demand immediate rectification of wrong information used by a processor.

RIGHT TO DATA PORTABILITY

In the case of automated processing, organizations must be able to deliver the personal data they keep to the data subject in such a way that the subject can use it themselves or hand it over to other organizations to use. Standardized formats are therefore essential.

RIGHT TO OBJECT AGAINST PROCESSING AND PROFILING

Any person can refuse to have their personal data processed. To continue, the data processor will have to prove that it has legal grounds to do so (for example, in a life-or-death situation in the health sector). So again, it is the processor who will need to come up with the proof.

RIGHT TO BE FORGOTTEN

Anyone can ask a controller to erase the data the controller holds on them. Unless the controller can prove that it is legally entitled to keep the data, it has to erase it.

AUTOMATED DECISION MAKING AND PROFILING

If an organization uses automated decision making based on the processing of data, then it must have safeguarding mechanisms that prevent an automated process from making a decision that could harm a data subject.

DATA PROTECTION OFFICER

If the core activity of an organization relates to the processing of personal data, then that organization is obliged to appoint a Data Protection Officer (DPO). The DPO acts independently of the controller or processor and reports directly to upper management. The DPO can be an employee or an external contractor.

PSEUDONYMIZATION

If, for the purpose of sharing personal data, it is not legally necessary to expose explicit characteristics such as names, the sharing organization is obliged to apply pseudonymization: the replacement of these characteristics by placeholders.
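The following is an added example of the placeholder replacement described above; it is not code from the original page or from Inter Engineering. It assumes a hypothetical record layout (the field names `name`, `email`, `national_id` and the sample records are constructed here) and replaces each direct identifier with a keyed HMAC-SHA256 token. The same input always yields the same token, so records can still be linked by the receiver, but the receiver cannot recompute or reverse the tokens without the key, which stays with the sharing organization.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify a person and must be replaced before sharing.
# Hypothetical field names chosen for this example.
DIRECT_IDENTIFIERS = ("name", "email", "national_id")


def pseudonymize_value(value: str, key: bytes, field: str) -> str:
    """Replace one identifying value with a keyed, consistent placeholder.

    HMAC-SHA256 under a secret key: identical inputs map to identical tokens
    (linkability is preserved), but the token cannot be reversed or recomputed
    by anyone who does not hold the key. The field name is mixed into the MAC
    input so the same string appearing in two different fields yields two
    different tokens, which avoids accidental cross-field linking.
    """
    msg = f"{field}\x00{value}".encode("utf-8")
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{field}_{tag[:16]}"


def pseudonymize_record(record: dict, key: bytes, fields=DIRECT_IDENTIFIERS) -> dict:
    """Return a copy of `record` with every direct identifier replaced.

    Non-identifying fields (dates, codes, amounts) are passed through unchanged;
    the input record is never mutated.
    """
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymize_value(str(out[field]), key, field)
    return out


def pseudonymize_dataset(records: list, key: bytes) -> list:
    """Pseudonymize a whole batch prior to handing it to another organization."""
    return [pseudonymize_record(r, key) for r in records]


# Constructed sample input: two visits by the same person, one by another.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "national_id": "A-0001",
     "visit_date": "2018-05-25", "diagnosis_code": "J06.9"},
    {"name": "Alice Example", "email": "alice@example.org", "national_id": "A-0001",
     "visit_date": "2018-06-02", "diagnosis_code": "J06.9"},
    {"name": "Bob Example", "email": "bob@example.org", "national_id": "B-0002",
     "visit_date": "2018-05-25", "diagnosis_code": "M54.5"},
]

if __name__ == "__main__":
    # The key is generated and retained by the sharing organization only;
    # it is the "additional information" that must be kept separately.
    sharing_key = secrets.token_bytes(32)
    for shared in pseudonymize_dataset(SAMPLE_RECORDS, sharing_key):
        print(shared)
```

Two points a practitioner should keep in mind. First, the key must be stored separately from the shared dataset and never handed to the receiver; whoever holds it can re-identify every record, so it deserves the same protection as the original identifiers. Second, pseudonymized data is still personal data under the GDPR, because re-identification remains possible for the key holder; it reduces exposure when sharing but does not remove the data from the regulation's scope.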

MUST ANNOUNCE BREACHES

Controllers must report any data breach to the supervisory authority within 72 hours. As a result, we will from now on see many data breaches in the news. Failure to report results in heavy fines.

TRANSFER OF PERSONAL DATA OUTSIDE EU

Transfer of personal data outside the EU is only allowed under the strict conditions of the GDPR, so this activity creates liability for the data processor. The data processor must guarantee that the level of protection of the personal data is not undermined, and in many cases that will not be easy. So the organization needs to take both legal (contracts etc.) and technical measures.

CHILDREN

Throughout all aspects of the GDPR increased responsibility is imposed on organizations when processing personal data related to children.

HEAVY FINES

Infringements of the regulation can lead to fines of up to 20M Euro or 4% of the annual turnover of the organization.

HOW TO MINIMIZE RISK

An organization minimizes risk if it takes the GDPR seriously and sets up a structured infrastructure for the protection of personal data and the minimization of data processing.

  • By internal regulations and procedures, personnel training and internal audits, including a breach notification procedure
  • By assigning a Data Protection Officer where required or possible
  • By performing data protection impact assessments
  • By applying automated systems that can significantly help to comply:
      • Data minimization
      • Pseudonymization
      • DLP in all communication and storage systems
      • Monitoring of privileged user activities
      • Control and monitoring of (remote) access to personal data, including audit trails
      • Encryption
      • Fingerprinting/digital signatures to ensure data integrity
      • Automated records of data processing actions

The use of these automated measures also sustains compliance with the “data protection by design” obligation.
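As an added example of two items in the list above (an automated record of processing actions, and fingerprinting to ensure data integrity), the following Python is not code from the original page or from Inter Engineering. It keeps an append-only log in which every processing action is fingerprinted with SHA-256 and chained to the fingerprint of the previous entry, so that editing, reordering or deleting an earlier entry is detectable on verification. The entry fields (actor, action, purpose, lawful basis, subject reference) and the sample entries are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


class ProcessingLog:
    """Append-only record of personal-data processing actions.

    Each entry carries a SHA-256 fingerprint of its own content and the
    fingerprint of the previous entry (hash chain). verify() walks the chain
    and reports the first entry whose content or link no longer matches.
    """

    GENESIS = "0" * 64  # placeholder "previous fingerprint" for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _fingerprint(body: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so identical content
        # always produces an identical hash regardless of insertion order.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record(self, actor: str, action: str, purpose: str, lawful_basis: str,
               subject_ref: str, timestamp: str = None) -> str:
        """Append one processing action and return its fingerprint."""
        prev = self.entries[-1]["fingerprint"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "purpose": purpose,
            "lawful_basis": lawful_basis,
            "subject_ref": subject_ref,  # a pseudonymous reference, not a name
            "prev": prev,
        }
        fingerprint = self._fingerprint(body)
        body["fingerprint"] = fingerprint
        self.entries.append(body)
        return fingerprint

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "fingerprint"}
            if (entry["prev"] != prev or entry["seq"] != i
                    or self._fingerprint(body) != entry["fingerprint"]):
                return False, i
            prev = entry["fingerprint"]
        return True, None


def build_sample_log() -> ProcessingLog:
    """Constructed sample: three actions on one (pseudonymous) data subject."""
    log = ProcessingLog()
    log.record("crm-service", "read", "customer support", "contract",
               "subj-0001", timestamp="2018-05-25T09:00:00+00:00")
    log.record("marketing-batch", "export", "newsletter", "consent",
               "subj-0001", timestamp="2018-05-25T09:05:00+00:00")
    log.record("dpo-tool", "erase", "right to be forgotten", "legal obligation",
               "subj-0001", timestamp="2018-05-25T10:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["purpose"] = "profiling"   # simulate a later edit of the record
    print("after tampering:", log.verify())
```

The chain protects the order and content of everything before the last entry, but it cannot by itself show that entries have been truncated from the end. In practice the latest fingerprint is therefore anchored outside the log at intervals (written to a separate system, timestamped, or digitally signed), which is where the list's "digital signatures" item comes in.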

These are just the very essentials. Inter Engineering actively contributes to making IT more secure with advice, solutions and services. It will be an honor to discuss your organization’s specific needs and help you improve your or your customers’ security.

Copyright © 2019. All rights reserved. Designed & Built by Inter Engineering.