As of May 25, 2018, organizations have a legal obligation to comply with the GDPR (Regulation (EU) 2016/679). They must be prepared to satisfy the rights of data subjects and to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.
Non-compliance may damage the organization's image and reputation, as well as the trust placed in it. Fines of up to 20 M€ or 4% of total worldwide annual turnover (whichever is higher) may be imposed on an undertaking or group of undertakings.
Any discussion of the General Data Protection Regulation has to start with what the GDPR defines as personal data: any information relating to an identified or identifiable natural person. Examples are a name, an identification number, an online identifier (e.g. an IP address or RFID tag), or one or more factors specific to the physical, genetic, economic or social identity of that person.
Some types of data require additional care and controls when processed. These are the special categories of personal data, the so-called "sensitive data": data revealing racial or ethnic origin, religious beliefs or sexual orientation, as well as health, genetic and biometric data. Data relating to criminal convictions and offences may only be processed under the control of official authority or when authorised by Union or Member State law.
Where consent is the lawful basis for offering online (information society) services directly to a child under the age of 16, the consent must be given or authorised by the holder of parental responsibility over the child (Member States may lower this age, but not below 13).
To whom does the GDPR apply?
The GDPR makes the rights of data subjects explicit (Chapter III): the rights of access, rectification, erasure and portability of personal data. It also specifies the right to object, the right not to be subject to decisions based solely on automated processing, and the right to restriction of processing.
The GDPR applies to all organizations (controllers) and their subcontractors (processors) established in the EU that process the personal data of individuals, regardless of the individuals' nationality or place of residence and irrespective of where the processing itself takes place. It also applies to organizations established outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU.
Who is responsible for compliance with the GDPR?
Information security in an organization is only as strong as its weakest link.
Involving top management in approving a governance model for the implementation of GDPR compliance is essential.
Effective implementation, however, depends on the awareness of everyone in the organization and on appropriate procedures and control mechanisms to mitigate the residual risks that remain.
Processing carried out by subcontracted entities (processors) on the organization's behalf must be governed by a contract that binds the processor to the GDPR's requirements.
Achieving compliance with the GDPR, the Challenge!
Without wishing to enumerate them all, here are some of the requirements that we consider fundamental and, as such, central to our approach.
– Information to data subjects, and responding to their requests
– Exercising the rights of data subjects
– Explicit consent by data subjects
– Processing of the "sensitive data" categories
– Documentation and registration of processing activities (mandatory in particular for public or private organizations with 250 or more employees)
– Data Protection Officer
– Technical and organizational measures and security of processing
– Data protection by design and by default
– Data protection impact assessment
– Notification of personal data breaches to the supervisory authority (within 72 hours)
Data Protection Officer (DPO)
A Data Protection Officer (DPO) is mandatory for all public authorities and bodies (regardless of the type of data they process) and for other organizations whose core activities consist of regular and systematic monitoring of individuals on a large scale, or of processing special categories of personal data on a large scale.
In choosing the DPO, their professional qualities and expert knowledge of data protection law and practice must be taken into account (Article 37(5)), together with their independence and the absence of any conflict of interests with other tasks they perform (Article 38).
The DPO is intended to be an "evangelizer" of the GDPR within the organization, competent and influential in decision making in that area. Xisgroup offers this expertise as a service.
The XIS Group and the GDPR
The XIS Group brings together the experience and expertise to assist organizations in implementing compliance with the GDPR.
It has its own methodology, supported by several international standards and good practices for the assessment of risks and controls, information security and the documentation of IT systems, such as the ISACA COBIT 5 framework (a) and a number of standards from the ISO/IEC 27000 series and ISO/IEC/IEEE 42010 (b).
Within the Group there is deep knowledge of public administration and of the private sector, where its companies have been operating for more than 25 years.
Experience in implementing IT security policies and procedures supported by ISO 27001 (c), in IT audits and in the assessment of IT security risks and controls, as well as in implementing security technologies and systems, allows specific technical recommendations to be identified to meet the needs of each organization.
(a) COBIT 5 is a business framework for the governance and management of enterprise IT. It enables organizations to maximize value and minimize risk related to information. It covers globally accepted principles, best practices and analytical tools that can help any organization address critical business problems related to information and technology.
(b) ISO/IEC/IEEE 42010 (ISO being the International Organization for Standardization) establishes a consistent practice for producing architecture descriptions of systems and software within the life cycle, development and maintenance processes.
(c) ISO 27001 is the standard and international benchmark for information security management.
XIS methodology for the implementation of GDPR compliance
Our methodology for implementing GDPR compliance has four main steps:
1. Fundamentals and assessment (includes certified training).
2. Implementation (includes certified training). Following the implementation, alert procedures are defined for the occurrence of incidents or for the need to communicate with the supervisory authority under the GDPR.
3. Data Protection Officer (DPO) as a service.
4. Continuous evolution: a plan for continuous evolution or improvement, including periodic audits, analysis of indicators, review of procedures and codes of conduct, and ongoing training.