The General Data Protection Regulation (GDPR) came into force on 25th May 2018. The good news is that data privacy principles remain the same. The challenge is that there are many more requirements under this regulation which companies must adhere to. Many of the new requirements focus on data security aspects. D4n6 is best placed to provide various services in this respect by combining its information security and legal expertise under one roof.
ARE YOU LOOKING TO STRENGTHEN YOUR PROCESSING SECURITY OR ASSESSING YOUR COMPLIANCE WITH THE GDPR? FIND OUT HOW WE CAN ASSIST YOU.
Compliance with GDPR involves various elements. We have set up a streamlined system from data analysis to training to cover all your possible needs. If you are looking for a one-stop-shop to ensure your compliance with GDPR we can help.
We customise our compliance programme depending on the size of your organisation. Our services include:
- data gathering and assessment;
- policy drafting and review;
- security process analysis;
- advisory on various privacy aspects and data subject rights;
- language simplification of client-facing documents;
- training sessions and awareness campaigns;
Security of Processing
A guiding principle in GDPR is that data privacy should be ‘by design and default‘. This applies to technical and organisational measures. So each time you handle people’s personal data e.g. of employees or clients, you need to make sure that data protection is factored in.
All processing must adhere to the principles of data protection. For instance, do you know when to encrypt, pseudonymise or anonymise data? Moreover, unless you have a good reason to do so, data that you no longer need, should be deleted.
All data should be kept securely and for this ideally you should have a strong information security policy to cover processing of data, whether it is stored in a physical or digital location.
D4n6 can take you through this whole process and guide you to set up the security requirements which work for you and which ensure that your data is properly protected.
Handling Personal Data Breaches
In the event of a data breach, if personal data is exposed, you have 72 hours within which to notify the supervisory authority. In Malta, this would be the Office of the Information and Data Protection Commissioner (IDPC).
Apart from notifying the authorities, you are also requested to communicate the data breach to the data subjects without delay. This only applies if the data breach can put the data subject at risk. If for instance, the data stolen is encrypted, this requirement would not apply.
In most cases however, to be sure whether a data breach has occurred, one would need to analyse the data first. Suspicion of a breach alone does not trigger the notification process. This is where D4n6 can come into play and assist organisations with assessing the facts of the data breach and whether such occurred in the first place.
Moreover D4n6 can help you protect against any future breaches by advising on the right information security posture required to minimise such risks.
Data Protection Impact Assessments
Conducting an impact assessment is a way to help you understand how your product or service could affect customer data. Once you carry out the exercise you can identify any risks in your processes. In doing so, you can then plan how to counter-act those risks (data privacy by design) before launching your product or service.
GDPR requires that an organisation carries out this kind of analysis whenever there is a high risk that customer’s rights and freedoms can be affected.
We can assist you in carrying out such assessments and also train you to be self-sufficient in carrying out these tasks on an ongoing basis.