12. 03. 2018
Ensuring compliance with the GDPR is currently one of the more pressing topics for everyone who deals with personal data in one way or another. As a rule, the motive for addressing data protection is not the desire to ensure that personal data are accessed only by authorized persons with the necessary permissions, but rather the fear of high penalties. Yet personal data protection is not something that can be achieved once and then forgotten; it is a constant, living process.
What is data protection and why do we need it?
Data is the cornerstone of the digital transformation and drives today's digital economy. More precisely, data define users: the more personal they are, the more valuable they are. A company that manages databases of personal data can therefore regard such data as an important resource and protect them as it would any other asset.
At the same time, the company is not the owner of the personal data. Their owners are the company's customers, employees, suppliers, business partners, event participants, subscribers to news updates, and those who have expressed interest in the company's offer. All of them have entrusted the company with their data for a specific purpose, and the company must ensure that they are used only for that purpose. Since the temptation to use them otherwise can be great, for the company itself as well as for third parties, the company must protect the data accordingly.
How can we ensure appropriate data protection? Where do we start, and how do we proceed?
Data protection begins with recognition of the simple fact that it is not the sole responsibility of a lawyer or the IT department, but something that concerns all the employees in the company and requires the participation of stakeholders from various fields. At Mikrocop, where we act as a contracted personal data processor for a range of clients, we also advise them on ensuring data protection compliance. Judging by experience, the most successful companies are those that understand this and act accordingly. Our advisory team therefore includes a certified personal data protection officer, a lawyer, a quality assurance expert, a security engineer, and an experienced business consultant.
Furthermore, the company needs a clear overview of the personal data it manages or processes, including organized records of personal data processing. It needs to know which data it provides to contracted processors, which data are sent to third countries, which special categories of personal data it stores, how it protects said data, and so on. If the company is able to answer these questions quickly, it can use a gap analysis to quickly identify which activities have to be performed and how much time will be needed.
At this point, we suggest that companies consider the extent of their personal data processing. If they minimize the amount of data collected, as well as the extent of processing, the storage period, and the number of processors, they simplify data protection and make compliance easier to ensure.
Compliance also requires checking whether the company cooperates with reliable contractors, adjusting contracts with contracted processors, establishing records of personal data processing activities, preparing or updating the classification plan and internal policies where necessary, and considering whether data protection impact assessments need to be conducted. These are mandatory for certain kinds of personal data processing and are recommended for all other processing.
How can you achieve a comprehensive overview of data protection, and how can you continually provide adequate data protection?
The legal aspect of ensuring compliance is just one aspect of data protection; at the very least, we must not forget the areas of information support, information security, and the organizational culture of the company.
At Mikrocop, we believe that the issue of adequate information support is the quickest and easiest to solve. The reason for this lies partly in the existing legal framework for the protection of personal data, which set out the key information support challenges for business some time ago. Nevertheless, the company should verify whether and how personal data are protected in transit, that their unauthorized disclosure is not possible, whether and how personal data are protected in databases and in file storage, whether the roles and permissions of IT system users are set up so that only authorized persons can access personal data, how an individual can exercise the right to be forgotten when the conditions for it are met, and how comprehensive the audit trail of users, administrators and other systems is. These and related issues are particularly important when a company decides to adopt new software solutions; in that case, consideration should be given to selecting appropriately certified tools and services. Otherwise, these issues must be kept in mind during changes to the company's information system, as well as during employee turnover.
Changes in organizational culture are expected to be the most demanding; however, they are the only aspect that cannot be outsourced. Organizational culture has the power to negate all the company's previous efforts: if management does not support data protection and compliance in an active and exemplary manner, if employees are not aware of the importance of personal data, if they do not understand or accept the need to ensure confidentiality, and if they do not respect the rights of data subjects, then, despite the legal regulation, it will not be possible to ensure efficient and compliant data protection in the company. For this reason, we also recommend that companies maintain open internal communication about the importance of trust and other values and about the role and value of personal data in the company's business, and that they train employees regularly on compliance, operational quality, and information security.
What are the most common pitfalls we may encounter, and how can we avoid them?
The complexity of ensuring compliant data protection raises a number of risks, and some traps deserve particular attention because they are easy to fall into and yet easy to avoid.
Unfortunately, in practice, controllers of personal data filing systems do not always have a clear legal basis for collecting personal data. As a result, they are unsure how to grant individuals, for example, the right to be forgotten or to have their data anonymized when this conflicts with the controller's own legal interests. Incomplete knowledge of the field thus contributes to confusion about the rights of individuals, especially where data are kept on a legal basis other than consent. Therefore, the first task is to clarify the legal basis and the storage periods and, from these, to determine which rights of data subjects apply in practice and how to provide for them.
One problem we have frequently encountered in advising customers is the variety of forms in which personal data may appear. Much personal data is found in documents, meaning that personal data protection is directly related to the management and archiving of documents, but this connection is often not made. In many cases, companies focus solely on personal data in electronic form, whereas data on paper are simply overlooked or left in a drawer.
The key challenges still lie in designing appropriate personal data management processes and establishing accountability for them. Because of established organizational cultures and the pressure of existing business processes and ongoing operations, companies often find it difficult to form an objective picture from within. In that case, choosing an appropriate advisor may be the right decision.
Sanja Žaubi, Data protection officer at Mikrocop
12. 02. 2019