Wednesday, November 22, 2017

Countdown to GDPR

Soon the new European data protection regulation will come into force. Are we ready to face it?
The entry into force of GDPR in Europe is imminent. The effective date is May 25, 2018 and by that day companies must be ready to comply with the new regulations. The consequences of non-compliance can range between 4% of the company's income or 20 million euros in fines.

However, many organizations have not yet implemented the appropriate and necessary processes and technologies to comply with this new regulation on the privacy of personal information. The cases of ransomware or leakware have increased in these last two years, with serious consequences for the economy and the prestige of its victims. Are we prepared to reduce the impact of these types of attacks on our companies, and to comply with GDPR?

GDPR is the most stringent data protection regulation in the world. It has been designed so that the individual has the greatest possible control over their personal data: how they are processed, used and stored. This has a special impact not only on multinational organizations with access to personal information of European citizens, but also on companies. 90% of corporate documents contain some type of personal information, whether customers, employees or third parties.

For this reason, the document management software used in a company is key to comply with the rules of protection of personal data and privacy. The software that we use to store our documents must guarantee the protection of the personal data of the individuals and help us in the management of the rights of the individuals and our obligations as data holders.

The functionalities available in the document management software should include the requests of the users, such as the "right to be forgotten", as well as the ability to qualify the information according to the levels of privacy and confidentiality. They must also give us the tools to make sure that we can report any incidents to the competent authority within 72 hours of the event.

It is important to consider performing a situation analysis to determine if our company and our document management software are prepared to comply with the GDPR standard. This analysis should include the following steps:

  • Analyze thoroughly the current situation of personal data management. It is important to define the incoming and outgoing data of the company: what information is stored, how it is processed, who accesses it, etc. This includes exchanges with suppliers, partners and government agencies, which should also comply with GDPR.
  • Define what data is unnecessary. You can't accumulate data regardless. Each stored data must have its reason for being now and should not be stored for future potential use. This will reduce the responsibility and the workload on that data.
  • Identify those interactions with clients that require their permission, or in which they should be notified. You must work on terms that meet the requirements of the standard and at the same time are not complicated to understand. These documents must be easily available to the client.
  • Identify other actors involved. The fulfillment of the norm is extinguished if one piece in our chain of access to the information is not fulfilling it. The rules of personal data deletion applies to the entire chain. As part of compliance, we must notify third parties who access our data, for the corresponding elimination on their side.
  • Define the "right to access" correctly. This is an aspect that includes several facets. Our clients should not only know that they have the right to obtain a copy of their data, but should establish the mechanism by which they can do so. This is a joint task for the technology area and the legal area. The document manager will be key in this aspect.
  • Develop a violation notification process. GDPR requires that we notify the appropriate data protection agency when there is a possibility that user data may have been accessed in an unauthorized manner. The regulation specifies a window of 72 hours. The processes and mechanisms to make this notification, and the texts and messages that will be sent must be defined. A specific workflow for the management of these incidents is a technological tool that can be used.
  • Hire additional specialists if necessary. Or assign the task to someone from the company. But the transition must have a leader. The standard contemplates the figure of the "Data Protection Officer" (DPO).
There is little margin in terms of time to adapt to the regulations, but with the right tools, a quick transition can be achieved. The situation analysis must be approached by manageable stages to reach a good port, in such a way that the transition is as traumatic as possible.

No comments:

Post a Comment