GDPR

On 25 May 2018, the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, became applicable in all EU Member States.

The Regulation introduces a number of new requirements compared with the previous Act on Personal Data Protection and unifies the principles of personal data protection across the European Union. Every entity that processes the personal data of persons in the European Union is required to follow these principles, whether or not the entity itself is established in the EU.

Studies have shown that:

  • 72% of surveyed companies perceive the MAXIMUM POSSIBLE PENALTY of 4% of annual turnover as very severe;
  • 50% of surveyed companies are NOT EQUIPPED WITH THE TOOLS OR TECHNOLOGY needed to give consumers the "right to be forgotten";
  • 42% of surveyed companies DO NOT HAVE ANY PROCEDURE for notifying the competent data protection authority in the event of a breach.

New requirements include the following:

  • The obligation to notify personal data breaches:
    • to the supervisory authority, without undue delay and, where feasible, within 72 hours of becoming aware of the breach;
    • to the affected persons (data subjects), where the breach is likely to result in a high risk to their rights and freedoms.
  • An extended right to erasure ("right to be forgotten").
  • The right of access: persons whose data is processed may obtain the data and information about how it is processed.
  • Data protection by design and by default: building data protection into new technological solutions from the start, rather than adding it afterwards.

Do you know:

  • What personal data your company processes and where that data is located?
  • Who is authorized to process personal data, and who actually does so?
  • Is there a way to monitor the systems and repositories in which personal data appears?
  • Can you detect unauthorized access to personal data or a breach of its confidentiality?
  • Can you quickly and reliably report a breach of the personal data processing principles?
  • Can you ensure that the data of a person who requests erasure ceases to be processed and stored, including in backups and downstream systems?
  • Can you grant a person who requests access to their data the personal data you process about them?

A negative answer to any of these questions indicates a significant risk of non-compliance with GDPR principles.

Violation of or non-compliance with GDPR principles may result in administrative fines of up to EUR 20 000 000 or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.

Besides the financial consequences, companies should also consider the risk of losing credibility with their clients as a reliable partner.

Implementing GDPR compliance is a process consisting of legal analysis, IT analysis and the implementation of supporting tools.

The process should begin with an audit of both the procedures and the technology that currently support the management of personal data. Its results will show the areas, directions and scope of the activities required to comply with the new regulations.

Key activities regarding procedures:

  • Appointing a Data Protection Officer (DPO), where the Regulation requires one
  • Updating internal regulations
  • Training employees
  • Preparing tools for monitoring processes and data processing, and for detecting violations
  • Vulnerability assessments and penetration tests of IT systems

Key activities regarding technology:

1. Protection of stored data:

  • Data encryption and pseudonymisation

2. Supervision over data processing:

  • Identity and access management (IAM)
  • Data loss prevention (DLP) and database activity monitoring (DAM)

3. Detecting security incidents:

  • SIEM (log analysis)
  • IDS/IPS and web gateways (network traffic analysis)
  • Monitoring of cloud service usage
  • Anti-malware software
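Pseudonymisation is the one concrete protection technique the list above names, and it is frequently done wrong: an unkeyed hash (SHA-256 of an e-mail address or date of birth) is often treated as "anonymised" data, yet anyone can rebuild the mapping by hashing guesses. The example below is added here for illustration and is not code from the original page or from the DIGITAL IDENTITY product. It contrasts an unkeyed hash with a keyed pseudonym (HMAC-SHA256), where the key is the "additional information" that must be kept separately under GDPR Art. 4(5), and shows an enumeration attack succeeding against the former and failing against the latter. The key, the field names and the sample records are constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta
from typing import Callable, Iterable, List, Optional

# Hypothetical key for this illustration only. In a real deployment the key
# lives in a KMS/HSM, is never stored alongside the pseudonymised records, and
# is rotated under the organisation's key-management procedure.
PSEUDONYMISATION_KEY = b"example-only-key-change-me"


def normalise(value: str) -> str:
    """Canonicalise an identifier so that 'Alice@Example.com ' and
    'alice@example.com' yield the same pseudonym and records can still be joined."""
    return value.strip().lower()


def naive_hash(value: str) -> str:
    """The common mistake: an unkeyed hash of the identifier. Deterministic and
    cheap to compute, so anyone can rebuild the mapping by hashing guesses."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key an attacker cannot test
    guesses; the key is the separately held information needed to re-identify."""
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: Iterable[dict], fields: Iterable[str],
                         key: bytes = PSEUDONYMISATION_KEY) -> List[dict]:
    """Replace the direct identifiers in each record, leaving other fields intact."""
    wanted = set(fields)
    out = []
    for record in records:
        copy = dict(record)
        for name in wanted:
            if name in copy and copy[name] is not None:
                copy[name] = pseudonymise(str(copy[name]), key)
        out.append(copy)
    return out


def dob_candidates(first: int = 1920, last: int = 2020) -> List[str]:
    """Every ISO date of birth in the range: a low-entropy attribute (~37k values)."""
    day = date(first, 1, 1)
    end = date(last, 12, 31)
    out = []
    while day <= end:
        out.append(day.isoformat())
        day += timedelta(days=1)
    return out


def reidentify_by_enumeration(target: str, candidates: Iterable[str],
                              digest_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: digest every plausible value and compare with the target."""
    for candidate in candidates:
        if digest_fn(candidate) == target:
            return candidate
    return None


# Constructed sample data for the demonstration (not real persons).
SAMPLE_RECORDS = [
    {"id": 1, "email": "Alice@Example.com", "dob": "1985-07-14", "plan": "gold"},
    {"id": 2, "email": "bob@example.com", "dob": "1990-02-28", "plan": "basic"},
]

if __name__ == "__main__":
    safe = pseudonymise_records(SAMPLE_RECORDS, ["email", "dob"])
    print(safe[0])
    # An unkeyed hash of a date of birth is recovered with ~37k guesses:
    print(reidentify_by_enumeration(naive_hash("1985-07-14"), dob_candidates(), naive_hash))
    # The same attack against the keyed pseudonym finds nothing:
    print(reidentify_by_enumeration(pseudonymise("1985-07-14"), dob_candidates(), naive_hash))
```

Two design points follow from the code. First, normalising the identifier before keying keeps pseudonyms stable across systems, so records can still be joined for analytics without exposing the identifier. Second, because the pseudonym is deterministic, it remains personal data under GDPR: the key holder can re-identify, so the key must be access-controlled and logged like any other secret, and destroying or rotating it is what finally severs the link.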

Based on our extensive experience and knowledge, we have developed a proprietary product, DIGITAL IDENTITY, with which we can guide your company through this process. If you decide to implement this product, you will receive:

  • Alignment of existing procedures with current legal regulations
  • Implementation without significant interference with the systems already in place in the organization
  • Improved corporate security with regard to personal data processing
  • An improved level of security for the persons whose data is processed.

DIGITAL IDENTITY is a product that provides comprehensive compliance of existing procedures with current legal regulations.
It consists of the following modules:

  • Client Portal – managing the process of granting and cancelling consent
  • Consent – managing a centralized register of consent for the processing of personal data
  • Authorization – managing a centralized process of granting access to personal data based on issued authorizations
  • Secure Data – managing the database index and search engines
  • Secure Communication – managing the security of mailings
  • Audit – control and reporting