GDPR

General Data Protection Regulation

Starting on May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the so-called “GDPR”, is in effect. This groundbreaking legal act unifies data protection across the EU and affects all entities that process personal data.


We will provide you with comprehensive support in achieving compliance with GDPR

A company that distributes the financial products of multiple financial institutions received a request from its parent company to achieve full compliance with the General Data Protection Regulation (Regulation (EU) 2016/679). Because the company has cooperated with AEC for a long time, it turned to us for help. In particular, the customer needed to identify the purposes for which it processes and stores personal data, and to verify whether its current state complies with GDPR.

In the first phase, our specialists conducted interviews with company employees to identify the scope of personal data processing, the types of personal data processed and the purposes of the processing. In the next step, the lawfulness of each identified processing purpose was verified, and the first modifications were designed to bring the processing into compliance with GDPR. The outcome of this phase was a summary (record) of personal data processing activities.

In the second phase, the analysis focused on the individual measures designed to protect personal data and their compliance with the requirements of the Regulation. Since the Regulation defines security measures only as a framework, the standard ISO/IEC 27001:2013 was chosen, in agreement with the client, as the reference for specific security measures. The outcome of this stage was a report on the state of compliance with the requirements of GDPR, together with a security plan listing all measures that must be implemented to ensure full compliance.

New Obligations

Stated briefly and simply, the rules for processing personal data have been tightened significantly. The new conditions not only require modification of the organization’s existing data processing procedures, but also make the implementation of many additional measures compulsory.

Although this new European standard focuses on personal data only, it requires a comprehensive approach to information security. The Regulation introduces new obligations for the automated processing of personal data, which leads to greater transparency as well as heightened security.

This can be achieved by adopting appropriate concrete measures, not only in the field of cyber security, but also in physical, administrative, organizational and procedural security. All of these areas must be interconnected comprehensively so that privacy protection functions as a seamless system.

A synthesis of an appropriate organizational structure, clearly defined processes and procedures, good documentation for management and correctly applied technologies is essential for ensuring the satisfactory protection of personal data.


AEC Solution

Drawing on more than twenty-five years of experience in information security and information technology, we offer a wide array of products and services that make it possible to meet the majority of the requirements of the new European legislation. There is no need to implement all the required measures with your own internal resources; our specialists can help you with many of them, and such outsourcing is often cost-effective. The complexity of GDPR requires a comprehensive approach to managing privacy. AEC offers a unique pairing of expertise in systematic information security management and in the deployment of appropriate security technologies.

Analysis of Compliance with GDPR Requirements

The foundation for proper implementation of GDPR requirements is a detailed comparison (gap analysis) between the current state and the data protection requirements defined in the Regulation. This is the only way to ensure that all GDPR requirements are implemented effectively. AEC can prepare a detailed analysis and recommend a suitable procedure and scope of implementation.

Design and Implementation of Processes and Methodologies

GDPR is based on the principles of “privacy by design” and a “risk-based approach.” This requires not only the introduction of new security processes and methodologies within an organization, but often also has an impact on the architecture of information systems and applications. Examples include procedures for reporting security incidents (personal data breaches), fulfilling information obligations towards data subjects, and handling the right to erasure. AEC can design and implement processes and a methodology customized to the organization’s environment.

Processing Management Documents

An essential part of personal data protection is appropriate organizational management documentation (policies, directives, etc.) that demonstrates compliance with GDPR requirements. AEC can prepare governing documents, or modify existing internal policies and processes so that they are consistent with GDPR requirements.

Implementation of Technical Measures

The basic GDPR requirement for the protection of personal data is to guarantee its confidentiality, integrity and availability. This implies the deployment of adequate technical measures both to ensure proper security and to detect a security breach (Data Loss Prevention, Network Behavior Analysis, sandboxing, cryptographic tools, etc.). AEC can design and implement appropriate technical solutions according to the individual needs of each organization.

Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is an essential tool for ensuring a high level of security when carrying out processing that is likely to pose a risk to data subjects, such as profiling, processing sensitive data or monitoring public areas (CCTV). AEC can assess whether the organization is obliged to carry out a DPIA and, if so, propose an appropriate way to integrate the DPIA into existing (e.g. project) methodologies. In addition, AEC can carry out specific DPIA analyses, including any required consultation with the Supervisory Authority.

Data Protection Officer – DPO

One of the new GDPR requirements for obligated entities is the appointment of a Data Protection Officer. This role requires a person with sufficient experience and expertise in personal data protection, and a shortage of suitable DPO candidates on the job market is expected. However, the role can also be outsourced. AEC can provide this service through its experienced and certified consultants, ensuring that all obligations of the DPO are fulfilled.

Implementation of GRC Solutions

GDPR creates many individual duties, particularly for large organizations processing a large volume of personal data. GRC (Governance, Risk and Compliance) solutions can be an essential element enabling effective management of personal data protection and compliance with GDPR requirements, including monitoring the degree of compliance. AEC’s team of experienced consultants can provide optimal design and implementation of an appropriate GRC solution.

References

We cooperate with companies and organizations across the entire market on a long-term basis. Our customers include not only international companies, but also small businesses and sole traders. We offer full cooperation to all of them and provide services tailored to their size and sphere of activity. We will gladly provide specific references upon request.