If we really want to protect personal data, we have to take comprehensive care of it
Ensuring compliance of personal data protection with the GDPR is a pressing issue for all who deal with personal data on a daily basis as data controllers or data processors.
Personal data protection is not an end state; it is a continuous and dynamic process. If the motive for regulating data protection is not the desire to ensure that personal data is accessed only by authorized persons with the necessary permissions but rather the fear of high penalties, there is a high probability that our attempt at guaranteeing compliance will not entirely succeed.
What is personal data protection and why is it needed?
Data are the cornerstone of digital transformation and the driver of digital business. The more specific the information data reveal about a person, the more personal those data are, and the higher their value. If we manage personal data filing systems, we should treat them as important assets and protect them as such.
At the same time, we should understand that we do not own personal data. Their owners are company customers, employees, suppliers, business partners, event participants, subscribers to news updates, and those who have expressed interest in the company's offer. All of them have entrusted the company with their data for a specific purpose, and the company must ensure that they are used only for that purpose. As sometimes the temptation is simply too great, including for third parties, the data must be properly protected.
Legal basis for the collection, management, processing and storage of personal data
- Personal Data Protection Act
- Contractual relationship
- Consent of the individual
- Legitimate interest
- Protection of life
How to protect personal data?
Data protection begins with recognition of the simple fact that it is not the sole responsibility of a lawyer or the IT department, but something that concerns all the employees in the company and requires the engagement of various stakeholders.
- At Mikrocop, when we act as a contracted personal data processor for a range of clients, we also advise them on ensuring data protection compliance. Judging by experience, the most successful companies are those who understand this and act accordingly. Our advisory team therefore includes a certified data protection officer (DPO), a lawyer, a quality assurance expert, a security engineer, and an experienced business consultant.
Furthermore, the company needs a clear overview of the personal data it manages or processes, including organized records of personal data processing. It needs to know which data it provides to contracted processors, which data it sends to third countries, which special categories of personal data it stores, how it protects those data, and so on. If the company can answer these questions quickly, it can use a gap analysis to identify which activities still have to be performed and how much time they will take.
In harmonizing personal data protection, a gap analysis was carried out. We effectively closed the gaps identified in the analysis, thereby ensuring prompt compliance with the GDPR and utilizing the harmonization process to outline the starting points for digitization.
– Boris Šušmak, Luka Koper
At this point we also need to define the scope of personal data processing. By minimizing the amount of data collected, as well as the extent of processing, retention periods and the number of data processors, we can significantly simplify data protection and guarantee compliance more easily.
In order to ensure personal data protection compliance, we must also:
- Verify whether we are working with reliable contracted data processors,
- Review and amend contracts with contracted data processors,
- Establish records of personal data processing activities,
- Prepare and amend the classification schedule and internal rules, if needed, and
- Establish whether data protection impact assessments are needed (required where processing is likely to result in a high risk to individuals, for example large-scale processing of special categories of personal data, and recommended for other processing).
Responsibilities of the personal data controller
- Protecting the rights of individuals
- Implementing appropriate measures and policies
- Ensuring the legality and security of personal data processing
- Selecting suitable personal data processors
How to take a comprehensive approach to personal data protection?
The legal aspect of ensuring compliance is just one aspect of data protection; at the very least, we also must not forget the areas of information support, information security, and the company's organizational culture.
At Mikrocop, we believe that adequate information support is the quickest and easiest of these to solve, partly because the legal framework for personal data protection set out the key requirements for information systems supporting business operations some time ago.
As expected, changing the organizational culture is the hardest part of the story, and the only one that cannot be outsourced.
Organizational culture has the power to negate all of the company's previous efforts. If management does not actively and visibly support data protection and compliance, if employees are not aware of the importance of personal data, if they do not understand or accept the need to ensure confidentiality, and if they do not respect the rights of data subjects, then the company will not be able to ensure efficient and compliant data protection, whatever the legal regulation says.
For this reason, we also recommend that companies maintain open internal communication about the importance of trust and other values, as well as about the role and value of personal data in our business operations. Another very important thing is continuous training of employees on compliance, quality, and information security.
What are the most common pitfalls, and how can we avoid them?
The complexity of ensuring compliant data processing opens up a series of risks and pitfalls, some of which can easily be avoided. These include dilemmas about the legal grounds for processing and about the form in which personal data appear, and, above all, the practical implementation of responsible handling of personal data.
In practice, however, we do not always have a clear legal basis for collecting, managing, processing and storing personal data. We then wonder how we can honor a data subject's right to erasure or anonymization of data if this conflicts with a legal obligation to retain the data or with our legitimate interest. Incomplete knowledge of the area creates confusion about individual rights, in particular when data are kept to comply with a legal obligation rather than on the basis of consent. The first step is to clarify the legal grounds and retention periods, and on that basis determine which data subject rights apply in our case and how they can be exercised.
Today personal data can be found in physical (paper) and electronic documents, systems and databases, shared folders, semi-private cloud storage and other media, not to mention ring binders, filing cabinets and drawers. Often the main problem is the sheer variety of places and forms in which personal data occur.
As a lot of personal data is contained in documents, personal data protection is directly linked to document management and storage, which, unfortunately, is not self-evident to everyone. We tend to focus on personal data in electronic form and forget about paper documents, or simply put them away in a drawer.
The key challenges lie in setting up suitable procedures for handling personal data and establishing accountability for them. This is often difficult because it is hard to view the situation objectively from within the company, bound as it is by its organizational culture, existing business processes and ongoing operations. In such a case, engaging a qualified consultant may prove to be the right decision.
Where can personal data be found?
- In documents and metadata
- In IT systems
- In databases
- In customer support systems
- In process tools
- In shared folders
- In cloud storage
- In filing cabinets and drawers
- In short: almost anywhere
Want to know more? Contact us!