GDPR Guidance

“The Regulatory & Compliance Framework of the General Data Protection Regulation (GDPR)
aims at homogenizing all national legislation of European member states
and enforces implementation for all member states.”

GDPR Regulation & Compliance Framework

With reference to the Data Protection Directive of 1995, the European Commission decided to implement the new regulatory framework of GDPR in order to protect the privacy and personal data of individuals by homogenizing the national legislation of all European member states.

The GDPR regulation and compliance framework represents a radical reform of all data protection legislation in Europe, giving control to the owner of the data (the individual) over the organizations that collect, analyze and use their personal data.

The following are some of the major points of the GDPR framework:

  • GDPR is applicable and obligatory for companies located outside Europe if their services and business activities are conducted within the EU.
  • The definition of what constitutes “personal data” is extended to data associated with the physical location of an individual (address), IP addresses of personal devices, RFID characteristics of a personal device, medical records and related health data, along with all personal characteristics of an individual (biometric data).
  • Protection and compliance responsibility, as well as legal liability, extend to both Controllers and Processors of personal data.

Maximum penalties for non-compliance with or violation of GDPR may rise up to 20,000,000 euro or 4% of annual GDP.


Duties & Responsibilities of Controllers & Processors

Controllers and processors of personal data are obliged to comply with the following duties and responsibilities:

  1. During the collection and processing of personal data:
    • Abide by the GDPR principles of lawfulness, fairness and transparency
    • Limit the purpose of collecting / processing personal data
    • Collect only the minimum amount of data needed for processing (data minimization)
    • Store only accurate, up-to-date data
    • Maintain a retention policy and a safe destruction policy
    • Maintain the integrity and confidentiality of personal data
  2. Controllers and processors are obliged to report any breach, along with all actions taken to resolve it, to the national authority within 72 hours of the incident.
    • Disclosure requirements are replaced by the requirement to keep detailed processing records.
    • Explicit consent is mandatory before any processing of personal data by a third party takes place.
    • Procedures for obtaining consent to process any personal data are to be stricter and more thorough.


Rights of the Individual

Individuals whose personal data are processed (after giving explicit consent) for any purpose retain the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Claims by individuals exercising these rights should be met by organizations within one month. Failure by controllers and processors to honour these rights is considered a “major violation” under GDPR terms and may carry a penalty.


SYNTAX Compliance Services

As the urgent need for compliance arises for all organizations, SYNTAX offers compliance services addressing the following issues:

  • Most organizations lack knowledge of the amount and nature of the personal data they process and store, of which data are still of any value, and of what legal basis they need to maintain, and they have no retention policy in place.
  • Most organizations are not aware of where these personal data are stored or who has access to them.
  • When there is a need to search for a specific piece of information, it proves to be a time-consuming effort and the results are not always satisfactory.

Taking into consideration an organization's rising need to comply with GDPR, along with the need to maintain its business functions, SYNTAX offers a four-pillar methodology:

1) Discovery Phase: This phase includes all actions necessary to discover all personal data within the organization, associate ownership, and categorize the data according to their value of use and sensitivity level.

2) Protecting Phase: Implementation of measures against unauthorized access, maintaining the confidentiality and integrity of data.

3) Access Control Phase: Implementation of access management controls and preventive policies against breaches and leaks, along with controls against misuse of personal data.

4) Investigation & Forensics Phase: Implementation phase where audit controls are applied to ensure accountability, with a forensics service offered if needed.

These phases are offered via a combination of a technology solutions portfolio and consulting services, based upon Strategic Planning and Assurance, along with an Interim (Chief) Data Protection Officer service.


SYNTAX Methodology Advantages

The SYNTAX methodology offers significant advantages to an organization, both in complying with GDPR and in getting the best value from relevant business information:

  1. Offers the possibility of maximizing ROI (Return on Information), as opposed to what is known as Return on Investment
  2. Maximizes the expected value of data in organizational resources via:
    • Minimizing paperwork and documentation
    • Minimizing the data retained to the level sufficient to support business needs, in order to achieve maximum operational functionality and the respective goals
    • Building a retention policy in full compliance with the GDPR framework
    • Building a classification and labeling plan for personal and business data
  3. Minimizes the risks of non-compliance.

SYNTAX ISGRC experts are able to offer a preliminary estimation of your compliance level against the new GDPR framework.

Please contact us at isgrc@syntaxitgroup.com or call us to schedule a meeting or a small workshop for your organization.

About SYNTAX IT Group