IMPLEMENTATION OF EU GDPR (2016/679)
CONSULTATION AND IMPLEMENTATION OF EU GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of individuals with regard to the processing of personal data and on
the free movement of such data (GENERAL DATA PROTECTION REGULATION)
GDPR CONSULTING CAN BROADLY BE DIVIDED INTO THE FOLLOWING STEPS:
- GAP analysis and assessment of the current level of compliance;
- Preparation of rules and procedures for meeting GDPR requirements;
- Assistance in implementing the rules and procedures for meeting GDPR requirements and bringing the organization fully into line with the Regulation;
- Ongoing monitoring of GDPR compliance.
During the GAP analysis, the current level of compliance of the organization's processes with GDPR requirements is assessed. Our consultants evaluate both the current processes for processing and administering the personal data of individuals and the processing of such data using IT tools. The evaluation criteria are the requirements of Regulation (EU) 2016/679 together with the control mechanisms and good practices set out in ISO 27001 and ISO 27002. The GAP analysis aims to ascertain whether the practices adopted and the IT tools used ensure the right of the owners of personal data to:
- receive timely information on the use of their data;
- view and correct their personal data;
- be "forgotten" (have their personal data deleted from the register, system, archive, etc.);
- restrict the processing of their personal data;
- be alerted when their personal data is compromised (unauthorized access, use, modification or deletion) or its processing is restricted;
- require the transfer of their data to another data controller;
- object when they disagree with the processing or use of their data;
- not be subject to decisions based solely on automated processing, including profiling.
The specific analyses and assessments carried out cover mainly:
- The organization and reporting of the processing and use of personal data;
- The degree of centralization of data protection;
- Data protection levels;
- The level of data coherence;
- Data management rights;
- Notification mechanisms for data breaches;
- Practices for international data transfers;
- Roles and responsibilities for data protection;
- The overall level of compliance with the GDPR.
Preparation of rules and procedures for meeting GDPR requirements
Based on the GAP analysis, the consulting team:
- Proposes necessary changes in business processes related to the collection and processing of personal data;
- Proposes the necessary changes to the IT environment (networks, systems, databases, etc.) used for processing personal data;
- Proposes appropriate control mechanisms for handling the data;
- Develops the necessary set of rules and procedures in line with the GDPR, to be implemented in the organization;
- Develops reporting and notification mechanisms.
When developing the rules and procedures, the requirements of Regulation (EU) 2016/679, as well as the good practices set out in ISO 27001 and ISO 27002, are observed.
Assistance in implementing the rules and procedures to meet the requirements of the GDPR and to bring the organization fully into line with the Regulation
During the implementation of the GDPR requirements and procedures, the consultants provide:
- Training - for key employees involved in implementing and applying the new requirements;
- Consulting - help with the implementation of new or changed business processes, internal controls, work organization and accountability.
At this stage, the consultant's involvement can significantly reduce the effort required, raise the level of understanding and implementation, shorten implementation times, and provide a realistic preliminary assessment of the results of the GDPR implementation process.
Monitoring GDPR compliance
Successful implementation of the GDPR requirements can be confirmed by conducting an internal audit of the business processes related to the processing and administration of personal data. The audit is conducted on a sampling basis, tracing the lifecycle of randomly selected personal data.
Continued compliance is ensured by implementing a procedure for permanent monitoring and control of personal data management processes. Within the annual audit program, activities should be added to analyze and evaluate the design and implementation of all activities and control mechanisms related to maintaining GDPR compliance. Depending on the activity and structure of the organization, the audit plan covers, to a greater or lesser extent, the following areas:
- Personal data - identification, privacy, owners, coverage;
- Nature and scope of the activity - controller, territorial units;
- Legal basis for processing personal data - volume, nature;
- Transparency of the processing and administration process;
- Level of data protection and accountability;
- Respect for the rights of the owner of personal data;
- Data security level;
- Monitoring of and response to data breaches (leakage, alteration, deletion);
- Practices for international data transfers outside the EU;
- Use of subcontractors in processing.
INFORMATION SECURITY MANAGEMENT SYSTEMS
An Information Security Management System (ISMS) is an approach to managing an organization's sensitive information in a way that ensures its security. This information may be company know-how, personal data, or assets belonging to the client.
The International Standard ISO 27001 sets requirements for Information Security Management Systems (ISMS).
ISO 27001 is applicable to all types of organizations: commercial, governmental and non-governmental.
The advantages of implementing an Information Security Management System:
- defining security requirements and objectives;
- ensuring that the organization complies with legislation and other regulatory requirements;
- ensuring that information risk is managed cost-effectively;
- defining new processes for managing information security;
- assessing existing processes for managing information security;
- enabling internal and external auditors to establish the organization's compliance with policies, regulations and applicable standards;
- providing customers with relevant information about information security.
To protect its information, the organization must take the following steps:
- define an information security policy;
- identify and assess security risks;
- identify and implement appropriate security controls for the information.
ISO 27001 requires strict compliance with the relevant legal, regulatory and contractual obligations related to information security, optimized use of available resources, and periodic internal audits of the system to drive continuous improvement.