The key challenges in ensuring the compliance of personal data protection lie in designing appropriate personal data management processes and establishing accountability for such processes. With proven experience in the fields of law, information security, regulatory compliance, and business process quality, we help you approach data protection from a comprehensive perspective. We prepare and implement the necessary technical and organizational measures and propose good practices to ensure personal data protection (GDPR) compliance.
We support you on your path to paperless business – we apply proven methodologies and have experienced specialists of various profiles in our consulting teams. Contact us!
Sanja Žaubi, Data protection officer at Mikrocop
Overview of personal data
As a rule, bringing personal data protection into compliance with legislation, primarily the European Union General Data Protection Regulation (GDPR), is a multi-step process. First, you need a clear overview of the personal data you manage or process, including organized records of personal data processing. You need to know which data you disclose to contracted processors such as Mikrocop, which data are transferred to third countries, which special categories of personal data you store, how you protect those data, and so on.
To that end, we begin by compiling a gap analysis in which we verify the data processing described in your protocols and internal regulations, identify the processes that involve personal data and the specific types of data concerned, and assess the gap between the current situation and what the regulation requires. The gap analysis results in a list of all processes, an anticipated scope of activities, and estimates of the time required for:
- establishing data processing records,
- preparing or adapting classification plans,
- preparing impact assessments.
Records of personal data processing
We proceed with establishing records of personal data processing activities. Based on the gap analysis and the process list, we review:
- the changes to those processes that the GDPR requires beyond the national Personal Data Protection Act,
- the management of the databases needed to carry out the processing,
- the characteristics of the existing system integrations.
Classification plan and internal rules
If necessary, we then prepare or amend a classification plan. Every purpose of personal data processing must be justified, and a justified purpose also determines how long the data may be kept, so appropriate storage periods must be set out in your classification plan. We therefore review all storage periods and define the start and duration of the storage period for every process. If you do not have a classification plan, or your plan is incomplete, we can advise you on preparing or completing one in order to achieve compliance.
In addition, if we find that amending the classification plan also requires amending your internal rules, we prepare or supplement those rules. This applies in particular where your internal rules have been confirmed by the competent administrative authorities.
Impact assessments
Data protection impact assessments are mandatory for certain kinds of processing, such as large-scale processing of special categories of personal data, and are advisable for any other processing that is likely to pose a high risk to the rights and freedoms of individuals. At Mikrocop, we advise clients on preparing impact assessments that cover, as a minimum:
- a systematic description of the envisaged processing operations and their purposes, including, where applicable, the legitimate interests pursued by the controller,
- an assessment of the necessity and proportionality of the processing operations in relation to their purposes,
- an assessment of the risks to the rights and freedoms of data subjects,
- the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance.
Cooperating with contract data processors
Working with you, we verify whether the contract data processors you cooperate with are reliable and evaluate whether your existing contracts with them need to be updated. This is usually the case. In any event, the contract must specify at least:
- the subject matter and duration of the processing,
- the nature and purpose of the processing,
- the types of personal data processed,
- the categories of data subjects,
- the obligations and rights of the controller, and the obligations of the processor.
IT system compliance
In parallel, we also address the challenge of ensuring that your IT systems are compliant. Although the GDPR compliance of a particular piece of software may look like a quick and easy matter, we recommend that you not underestimate it. Together, we will answer the following questions:
- Are personal data protected in transit (for example, by encryption) so that unauthorized parties cannot read them? If so, how?
- Are personal data adequately protected in databases and in file storage?
- Do your employees share personal data via email or cloud services?
- Are the roles and permissions of IT system users set up so that only authorized persons can access personal data?
- How does an individual exercise their right to erasure (the "right to be forgotten") when the conditions for it are met?
- For audit purposes, how complete are the records of the actions of users, administrators, and other systems?
These and related questions are particularly important when deciding on new software solutions. We recommend that you consider choosing appropriately certified tools and services; in any case, you should revisit these questions whenever your IT systems change and whenever employees or contractors leave or join.
Personal data protection is a continuous process, not an end state
If we really want to protect personal data, we have to take comprehensive care of it
Ensuring compliance with the GDPR is currently one of the more pressing topics for everyone who deals with personal data in one way or another. As a rule, the motive for putting data protection in order is not the wish to ensure that personal data are accessed only by authorized persons with the necessary permissions, but the fear of high penalties. Personal data protection is not something that can be achieved and then forgotten; it is a constant, living process.
Attention, shared folder users and email enthusiasts – here comes the GDPR
Companies often run into difficulties because, under the pressure of day-to-day operations, they never establish a comprehensive overview of all the personal data they process.