The GDPR (General Data Protection Regulation) is an EU regulation and most organizations have to make significant changes in business processes and information security to align with it. The regulation applies to all organizations regardless of size and industry. In order for GDPR adjustment to be effective, it is necessary to identify personal data as well as their life cycle through the business processes of the organization (collection, processing, storage, transfer, deletion). Based on the collected data, a risk assessment is performed related to the processing of personal data in order to obtain clear answers to the following questions:
- What personal data is collected?
- Since when are they collected?
- Why are they collected?
- How are they processed?
- What is the legal basis for each processing?
- Where is the data stored?
- How long are they stored?
- Who has access to the data?
- To whom is the data transferred?
Procedures are then defined and introduced to enable staff processing personal data to perform their duties in an effective manner in line with the GDPR. Given the essential obligations of the GDPR Regulation (eg Respondents’ Rights, Data Transfer, Legality of Processing…), it is important that staff have clear guidelines for the processing of personal data.
The GDPR Regulation or the General Data Protection Regulation significantly increases the rights of individuals and as a result, organizations will have an increased number of requests and complaints from citizens. Organizations are required to respond to such requests within one month, unless the requests are unfounded, excessive, or there is a legal measure permitting denial of access.
The engagement of our consultants will ensure that you effectively adapt the regulations and establish practical procedures for processing personal data. The complexity of adapting and establishing the necessary processes requires knowledge of the regulation and expertise related to data protection and information security.
GDPR Adjustment – steps to take:
- GAP analysis – review of the initial situation and the situation after the adjustment in accordance with the GDPR (a document in which the initial situation is visible, the necessary and taken measures, and compliance after the adjustment. It is developed and supplemented throughout the project)
- Interviews with key employees (Identification of processing purposes, data types, data transfer, business process flow, data storage)
- Analysis of existing documentation (review of internal acts of the organization)
- Analysis of business software used in personal data processing (access control, data processing overview)
- Analysis of standard contracts with third parties in terms of data protection
- Analysis of existing security measures in the organization, backup storage, system settings, password management…
- Analysis of current legal provisions related to business. Analysis of legal acts related to personal data protection, legality of processing and retention periods, based on the activities of the organization
- Preparation of records of processing activities (purpose of processing, categories of personal data, categories of recipients ()
- Data protection impact assessment (making an assessment for the processing of personal data that is likely to pose a high risk to the rights and freedoms of individuals)
- Development of a Personal Data Protection Policy
- Proposed annex to the contract for all standard contracts (all clauses to be amended and added in accordance with the GDPR)
- Preparation of the document Respondents rights (document provided to respondents with their personal data, at their request)
- Adjustment of business processes in accordance with the GDPR regulation. Based on the analysis, instructions are made for the adaptation of existing business processes (removal of excessive processing, destruction of redundant documentation, safe use of the information system)
- Preparation of educational materials for employees
Our service helps you comply with legal and regulatory requirements taking into account your information technology and business goals. We provide a comprehensive approach to the management and protection of personal data, including third-party security management. For more information and a formal offer feel free to contact us.
YOUR PERSONAL INFORMATION IS SAFE WITH US
Copyright © 2020. ≈ Xiphos d.o.o.