TRUST-IT, with its specialised consultants (engineers and lawyers), is able to assist your company and provide all the services necessary for compliance with the GDPR requirements.
The GDPR increases companies’ liabilities and imposes very high fines in cases of non-compliance with its requirements. The implementation of the GDPR aims to:
- Strengthen the rights and freedoms of individuals with regard to the protection of their personal data.
- Unify the application of the rules on the protection of personal data across the EU.
According to the GDPR:
- The concepts of ordinary personal data and sensitive personal data are specified.
- The GDPR adds definitions such as “restriction of processing”, “profiling” and “pseudonymisation”.
- The definition of “controller” is laid down: the controller determines the purposes and means of the processing of personal data and must be able to demonstrate at any time that it is applying the GDPR.
- The role of “Data Protection Officer” is established. The DPO informs and advises the controller, the processor and the staff who process personal data about their obligations under the GDPR regarding data protection.
- Data breaches must be reported to the supervisory authority within 72 hours.
- Increased risk management requirements are introduced, including the Data Privacy Impact Assessment (DPIA).
In cases of non-compliance with the requirements of the GDPR, administrative fines are imposed on the controller of up to € 20,000,000 or, in the case of enterprises, up to 4% of the total annual turnover of the previous financial year.
The project of preparing a company to comply with the GDPR requirements is divided into the following phases:
- PHASE 1: Identification, Data Mapping & Data Flow Analysis
- PHASE 2: GAP Analysis
- PHASE 3: Data Privacy Impact Assessment (DPIA)
- PHASE 4: Implementation of Action Plans
- PHASE 5: Contingency Plan
- PHASE 6: Audits – Controls
- PHASE 7: Awareness – Training
- PHASE 8: Ongoing Management & Follow-up
Phase 1 is the identification phase. In this phase we define what the company’s core activity actually is and map all of the company’s data:
- What data are collected and processed in each phase of the company’s activities
- Who has access to these data
- Who is involved in processing these data
- Which tools are used to process the data
- Where these data are located
- In which processes the data are used
The company must also carry out a data flow analysis. This is a requirement of the GDPR.
The data flow analysis provides an overview of the systems:
- Where the company stores data
- The processes by which the company processes data, and
- How data are exchanged between the systems.
The outcome of the identification phase will be a complete overview of the company’s personal data, of the systems, processes and people that handle them.
In Phase 2 the results of Phase 1 are compared with the requirements of the GDPR, so that the gaps between the company’s current state and GDPR compliance can be identified. This procedure is known as GAP analysis.
The GAP analysis shall point out the most obvious areas:
- Do we have control over basic security?
- Do we have control over basic rights?
- Shall changes be made to the rights?
As one of the new requirements of the EU GDPR, companies must conduct a Data Privacy Impact Assessment (DPIA) before implementing specific initiatives. This is Phase 3.
A DPIA can be understood as a baseline assessment of the level of protection afforded to the data subjects.
The purpose of a DPIA is that the worst-case scenario for the data subjects is considered and anticipated, and thereby avoided.
The DPIA is conducted in four sub-phases:
- SUB-PHASE 1: Definition of threats
- SUB-PHASE 2: Evaluation of impact
- SUB-PHASE 3: Evaluation of vulnerabilities
- SUB-PHASE 4: Risk treatment
Phase 4 is the implementation phase. Its scope depends on the company’s level of “digital maturity”.
This phase consists of process measures and technical measures.
Process measures concern the company’s ability to document what is being done and why, with the assistance of checklists or process diagrams, covering the company’s ability to demonstrate how it implements, maintains, updates and secures its IT solutions.
Technical measures are the systems and infrastructure that are securely structured and that support the business processes and the requirements set out in the regulation.
All private and public companies and organisations subject to the EU GDPR are required to be able to document at any time that they are compliant with the GDPR.
Where a leak of sensitive information occurs, the GDPR introduces a new requirement that private and public enterprises must inform the relevant authorities within 72 hours of the data leak being registered. The report submitted to the Regulatory Authority must state:
- What types of data were leaked?
- How many data subjects does the leak involve?
- What are the consequences for those data subjects?
- What has been done to ensure that this does not happen again?
It is therefore up to the company to prepare a contingency plan (Phase 5) in advance, which can be put into effect immediately when it is needed.
This plan should describe in detail the procedures to be followed and the responsibilities of the persons involved in cases of leakage of personal data, that is, who within the company is responsible for doing what.
Phase 6 includes all the audits and controls that must be conducted in order to confirm the company’s compliance with the requirements of the GDPR.
Throughout the process of complying with the GDPR (Phase 7), an important organisational goal is to educate the individuals who manage personal data, so that the employees involved are aware of their specific tasks regarding the protection of personal data.
Continuous training of the staff also helps to ensure the company’s compliance with the requirements set out in the GDPR.
Awareness here means a people-centred approach to personal data security: ensuring that the personnel authorised to handle personal data understand their tasks and are able to carry them out correctly, efficiently and in a short time, using the right tools, system support and automated processes.
Complying with the GDPR is a continuous process (Phase 8): the procedures a company follows must be updated whenever the structure of the company’s operations changes.
Therefore, a governance model based on an annual cycle is required, indicating the tasks of the stakeholders involved in control, inspection, risk management, policies and resources.
This annual cycle ensures that the company performs the actions set out in the action plans and can prove that it complies with the requirements of the GDPR.
The measures of this governance model should be reviewed at regular intervals and adapted accordingly when there are changes in the company.
This concerns, for example, the purchase of new systems or devices, the implementation of new processes, mergers with other companies or the establishment of new partnerships with third parties.