The General Data Protection Regulation (GDPR) became enforceable throughout the European Union on 25 May, and there are still doubts about its scope. Many companies still do not see clearly the changes this legislation brings to their day-to-day operations, so we have prepared a checklist of 10 security measures to take right now!
Planning the GDPR application
There should be a strategic plan of action for implementing the GDPR, and before acting it is necessary to analyse the company's entire infrastructure as well as all of its sources of information. All areas of the company should be involved in this project, and the plan should include the identification, evaluation and categorisation of the personal data the company has stored, as well as its origin.
Appropriate professional counseling
Advice from professionals who know the new legislation is essential if the GDPR is to be implemented correctly. A legal adviser can identify which steps have already been implemented and which are still needed to comply with the GDPR. A needs assessment is also very useful if you have to bring in a partner to make the necessary changes.
Appoint (or not) a DPO
The company needs to check whether it is mandatory to appoint a Data Protection Officer. Where one is required, this professional is responsible for the obligations set out in the GDPR. The new regulation requires a DPO to be designated in any of the following cases:
- The processing of data is carried out by a public entity (except courts that act in their judicial capacity);
- The core activities of the company consist of regular and systematic monitoring of data subjects on a large scale;
- The core activities of the company consist of large-scale processing of the categories of data provided for in articles 9 and 10 (for example, data relating to criminal activity, complaints or offences).
Apply privacy by design
Processes must be created or adapted so that data is protected. The methodology should be privacy by design, which makes it easier to monitor and report events involving personal data.
Making information more secure
The company must implement processes that allow it to detect, report and resolve personal data breaches, always keeping security in mind. RAAS guarantees the isolation of your data for complete protection of the information.
Changing service channels
Customer service procedures must be prepared to receive every type of request under the new law, whether online or offline. It is essential to ensure that citizens' data security is not compromised.
Ensure stakeholders comply with the new law
All suppliers involved in data processing must also comply with the requirements of the new GDPR. For example, when purchasing a database you should ensure that the subcontractor also complies with the new law; otherwise you may have problems.
Involve the entire organization in the process of adaptation
The company must create an internal communication programme that involves all areas in this change. The GDPR compliance officer should inform employees about data privacy and raise their awareness of the risks that non-compliance poses to the company.
Encryption and/or data masking
The company must ensure that highly sensitive data is encrypted, so that there is no risk of loss and of the company falling victim to the hefty fines set out in the new regulation. Data masking creates a version of the data that is structurally identical to the original but does not contain the real values. The technique produces a database with fictitious but realistic information that can be used for testing and training. Data masking solutions offer a variety of sophisticated scrambling techniques to protect sensitive data, irreversibly replacing it with data that is not real while maintaining the referential integrity of the database.
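As an added illustration of the masking properties described above (not code from the original article or from any masking product), the following Python script masks a constructed customers table and the orders table that references it: names and e-mails are replaced with fictitious values, and the customer key is replaced through a keyed hash whose one-off key is thrown away, so the mapping is irreversible while orders still join to their customers.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from any real system): a customers table and an
# orders table that references it through customer_id, the link to preserve.
CUSTOMERS = [
    {"customer_id": 101, "name": "Ana Silva", "email": "ana.silva@example.com"},
    {"customer_id": 102, "name": "Rui Costa", "email": "rui.costa@example.com"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 101, "amount": 59.90},
    {"order_id": 2, "customer_id": 102, "amount": 12.50},
    {"order_id": 3, "customer_id": 101, "amount": 7.00},
]
FIRST_NAMES = ["Alex", "Maria", "Jo", "Sam", "Chris", "Lea"]
LAST_NAMES = ["Ferreira", "Martins", "Gomes", "Lopes", "Ribeiro", "Alves"]

def _digest(key: bytes, value) -> bytes:
    # Keyed hash: within one run the same real id always gives the same output,
    # so every table is re-keyed consistently. The key is dropped after the run,
    # so the real id can neither be recovered nor recomputed (irreversible).
    return hmac.new(key, str(value).encode(), hashlib.sha256).digest()

def surrogate_id(key: bytes, customer_id) -> int:
    # Six-digit surrogate id derived from the digest.
    return int.from_bytes(_digest(key, customer_id)[:4], "big") % 900_000 + 100_000

def mask_customer(key: bytes, row: dict) -> dict:
    d = _digest(key, row["customer_id"])
    new_id = surrogate_id(key, row["customer_id"])
    first = FIRST_NAMES[d[4] % len(FIRST_NAMES)]  # fictitious but realistic values
    last = LAST_NAMES[d[5] % len(LAST_NAMES)]
    email = f"{first.lower()}.{last.lower()}.{new_id}@example.invalid"
    return {"customer_id": new_id, "name": f"{first} {last}", "email": email}

def mask_database(customers, orders):
    key = secrets.token_bytes(32)  # one-off key, held in memory only
    masked_customers = [mask_customer(key, c) for c in customers]
    # Re-point the foreign key with the same function so joins still resolve.
    masked_orders = [{**o, "customer_id": surrogate_id(key, o["customer_id"])} for o in orders]
    return masked_customers, masked_orders

def referential_integrity_ok(customers, orders) -> bool:
    # Every order must still point at an existing customer after masking.
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)
```

Non-key columns that are not personal data (order ids, amounts) are left untouched, which is what keeps the masked copy usable for testing and training.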