Data protection & DPO
General Data Protection Regulation (GDPR)
Since May 25, 2018, the GDPR or General Data Protection Regulation (in Dutch: AVG) has been in force. The main purpose of the new privacy legislation is to give citizens/stakeholders more control over how their personal data is processed by organizations.
The legislation imposes many rules that your organization must follow as soon as personal data is collected. Personal data means all information by which someone can be identified: name, address, telephone number, age, e-mail address, photograph, bank account number, medical report, etc.
In addition, certain personal data, more specifically ‘sensitive data’, may only be processed in certain circumstances. If sensitive data is processed, it must be given additional protection. This concerns, for example, data relating to race, ethnic origin, political opinions, religious beliefs or trade union membership. Data on health, sexual behavior, sexual orientation or criminal convictions also belong to this category.
In other words, the impact of the legislation on your organization is mainly determined by the extent to which personal data is processed (collection, structuring, storage, modification, consultation, transmission, dissemination or erasure of personal data).
Some organizations need or wish to employ a Data Protection Officer (DPO). The DPO oversees the application of and compliance with GDPR legislation. The DPO should be independent and is often outsourced for this reason.
What if I am not GDPR compliant?
Organizations that fail to comply with the GDPR can be fined up to 4% of global turnover, with a maximum of 20 million euros. In addition to the financial consequences, your organization’s reputation will also take a serious hit.
It is the Data Protection Authority (DPA), as an independent body, that ensures that the basic principles of personal data protection are correctly observed.
An organisation-wide solution
Data privacy is not an exclusively legal matter. It must be tackled organization-wide, with the necessary attention not only to the security of your business-critical data (and therefore also personal data), but also to the procedures surrounding the processing of these data and to the awareness, knowledge and expertise of your employees.
Here is a simple example: your HR department collects personal data and you store this data on a local server or in a ‘Cloud’ environment. The legislation requires, among other things, that you communicate transparently why you keep certain data and that you may not process more information than necessary. When processing these data, you should take the necessary security measures to prevent data leaks. Should an incident nevertheless occur, you must have the right procedures in place to inform those involved and the authorities in a timely manner. Employees must be sufficiently aware that personal data cannot simply be processed at will, and must know the procedures for acting adequately in the event of a data breach.
Important steps in data security
The simplicity of the example above makes it clear why an organization-wide approach is necessary and what important steps must be taken:
1. Inform key people
Inform key people within your organization about the rules around processing personal data.
2. Establish a register of processing activities
GDPR requires your company to establish a register of processing activities. Inventory your personal data and record the processing activities of this data:
- What data is held (name, address, age,…)?
- Where do these data come from?
- What are these data used for?
- Where are these data kept and for how long?
- With whom are these data shared?
3. Evaluate the measures
Based on the inventory, you can then assess whether sufficient security measures are being taken to prevent data breaches.
An important aspect here is the IT security measures that need to be evaluated. In other words, are the data adequately secured?
Also check whether you are required to carry out a Data Protection Impact Assessment (DPIA). This is the case if a data processing operation is likely to pose a high privacy risk to the data subjects whose data is being processed within your organization.
Other questions to ask include:
- Are we processing only the necessary data?
- Do we have a legal ground for processing the data?
- Are data kept no longer than necessary for the purpose for which they are processed?
- Are data subjects adequately informed about this?
Then also identify the necessary actions that still need to be taken to address certain security risks.
4. Put the necessary procedures in place
GDPR requires your organization to have procedures in place that address the rights that data subjects can invoke. This includes handling requests for access to personal data, electronic communication of data, deletion of data and so on, as well as procedures to identify, investigate and report data breaches.
How can we help?
An organization-wide approach also requires a multidisciplinary approach. Our teams therefore always consist of experts in IT security and Data Privacy.
- GDPR Audit: this is essentially a ‘baseline measurement’ in which the current situation is mapped and the extent to which you are (not) compliant with GDPR legislation is evaluated. Based on the audit, concrete recommendations are formulated to close the ‘compliance gaps’.
- Data Protection Officer (DPO): fully outsourced or in support of the internal DPO.
- Data Protection Impact Assessment (DPIA): we advise you whether or not a DPIA is recommended and support you in its implementation.
- GDPR implementation: we support you in drawing up a roadmap with actions and projects to be compliant with GDPR. We can also support you in implementing the control measures (organizational, IT-technical, legal).