Compliance consulting

Ensure data protection compliance

PERSONAL DATA PROTECTION COMPLIANCE (GDPR)

The key challenges associated with ensuring personal data protection compliance are designing an appropriate personal data management process and establishing accountability for such a process.

As part of our range of consultancy services, we work with you to implement the relevant technical and organizational measures and propose good practices of personal data protection to facilitate compliance. You can rely on our expertise and experience in law, information security, compliance and quality business performance for a holistic view of data protection compliance.

STEPS TO ENSURE DATA PROTECTION COMPLIANCE

PLAN

Overview of data filing systems
Identification of risks
Personal data protection

DO

Implementation of personal data protection measures
Processing of personal data

CHECK

Verification of data management compliance
Regular audits of outsourced processors

ACT

Resolving issues of non-compliance
Preventing recurrence of non-action and improving protection

PERSONAL DATA PROTECTION IS A CONTINUOUS AND DYNAMIC PROCESS

Consulting to ensure regulatory compliance of personal data protection, primarily with regard to EU Regulation No. 2016/679 (General Data Protection Regulation, or GDPR), is carried out in several phases.

Overview of personal data

The first step is to get a clear overview of the personal data you manage or process. You need to establish, for example, what data you provide to outsourced processors such as Mikrocop, what data is transferred to third countries, what special category data you store, and how you protect such data.

Gap analysis

The aim of a gap analysis is to verify the data processing described in your protocols and internal regulations, identify the processes that contain personal data and specific types of data, and assess the gap between the current situation and that required by the regulations. The gap analysis output is a list of all processing activities, the anticipated scope of activities, estimates of the time needed to establish data processing records, prepare or amend identification plans, and prepare impact assessments.

Records of personal data processing activities

The next step is to establish records of personal data processing activities. Based on the gap analysis and process list, we review the amendments to the said processes required by the GDPR (unlike the Slovenian Personal Data Protection Act (ZVOP-1)), management of the databases necessary to perform data processing, and the properties of established integrations.

Classification plan

If necessary, we then draw up or amend a classification plan. Every instance of personal data processing must be justified, and data storage periods must be defined in the classification plan. We carefully review all storage periods and define the start and duration of storage periods for all types of processing. If you do not have a classification plan or if it is incomplete, we can advise you on drafting or amending the plan to achieve compliance.

Internal rules

If it is established that modification of the classification plan might also require amendments to the internal rules, we will also prepare or amend such rules. The latter applies if your internal rules have been confirmed by the Archive of the Republic of Slovenia.

Collaboration with external data processors

Working closely with you, we will verify the reliability of your external data processors and assess whether the existing agreements with these sub-processors need to be revised. It is normally necessary to specify the contents and duration of processing, the nature and purpose of processing, the types of personal data processed, the categories of data subjects, and the rights and obligations of the processor.

Ensure data protection compliance

BENEFITS OF REGULATING PERSONAL DATA PROTECTION

Integrity

Our team of consultants combines expertise in law, information security, compliance and quality business performance.

Accountability

We will continue to work with you as your external DPO after ensuring initial compliance which is an ongoing process rather than a one-off adjustment.

Reliability

We use industry-proven and highly effective methodological approaches to help you get where you want to be.

SUCCESS STORIES

In harmonizing the personal data protection, a gap analysis was carried out. We effectively closed any gaps identified in the analysis, thereby ensuring prompt compliance with the GDPR and utilizing the harmonization process to outline the starting points for digitization.

– Boris Šušmak, Luka Koper

FAQ

What is personal data?

Personal data means any information relating to an identified or identifiable individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

What are the core principles of personal data protection?

Lawfulness, fairness and transparency of processing of personal data
Limiting the purpose of processing personal data
Minimum amount of data – adequate, relevant and limited to what is necessary for the purpose of processing
Data accuracy, completeness and currency
Limiting data to be stored in a form that permits identification for only as long as is necessary
Security, integrity and confidentiality of personal data – protection against unauthorized or unlawful processing, accidental loss, destruction or damage to the personal data using appropriate technical and organizational measures
Responsibility of the controller and outsourced processor of personal data to ensure compliance with the regulation

What are the legal grounds for collecting, managing, processing and storing personal data?

Personal Data Protection Act (ZVOP)
Contractual relationship
Consent of the individual
Legitimate interest
Protection of life

What rights does an individual have?

Right to erasure
Right to restriction of processing
Right to object
Right to transfer data
Right to withdraw consent

When can an individual request to exercise the right to be forgotten?

An individual may withdraw the consent on which the processing is based and for which there are no other legal grounds for processing
An individual may object to the legitimate interest of the processing
Personal data have been collected in relation to the provision of information society services directly to a child

Where can personal data be found?

In documents and metadata
In IT systems
In databases
In customer support systems
In process improvement tools
In shared folders
In cloud storage…

What are the responsibilities and liabilities of a personal data controller?

Protecting the rights of individuals
Implementing appropriate measures and policies for the protection of personal data
Ensuring the legality and security of personal data processing
Selecting suitable personal data protection

What are impact assessments and when are they necessary?

Impact assessments are essential for the processing of specific personal data and are advisable for all other processing incidences where the type of processing may pose a significant risk to the rights and freedoms of individuals. Impact assessments cover:

a systematic description of the anticipated processing and the purpose thereof, and, where appropriate, the lawful interests pursued by the processor,
an assessment of the necessity and proportionality of processing operations with respect to the purpose thereof,
an assessment of the risks to the rights and freedoms of data subjects,
measures to address risks (including safeguards) security measures, and mechanisms to ensure the protection of personal data and demonstrate compliance.