It's a clear way of showing that your company knows what it is doing. Use it to increase your clients' trust in your company. Add it to your homepage and slides, and tell your clients about it:
The General Data Protection Regulation (GDPR 2016/679) is a regulation created by the European Commission which aims to unify data protection within the EU and to govern the export of personal data beyond the EU's boundaries.
One of the main goals of the GDPR is to give EU citizens / residents (data subjects) more control over their personal data and, in doing so, to strengthen their rights and freedoms. It harmonizes data regulation across the EU (and also applies to non-EU companies doing business in the EU), which simplifies things, but at the cost of stricter data protection rules and severe penalties for breaking them.
The regulation concerns any organization that processes the personal data of an EU citizen, regardless of whether the company doing the controlling / processing is EU-based or not. Put another way: any company that has a customer database of some sort which contains the personal data of an EU citizen.
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.
A controller is the entity that determines the purposes, conditions and means of the processing of personal data.
Example 1: Company-A with a customer user database on their hard drive.
Example 2: Company-A which provides e-mail & work schedules to their workers.
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
A processor is an entity which processes personal data on behalf of the controller.
Example 1: Cloud Company-B which rents virtual machines to Company-A.
Example 2: Cloud Company-B which provides e-mail & working schedules services to Company-A.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Overview of GDPR actions
The new regulation will mean big changes for many companies. Your company might need to be a lot more careful when working with customers' personal data than before. If your company has its fingers all over the place, the GDPR effort might be quite painful at first.
Make sure that your company's cybersecurity is in order and that your customers' personal data is safe & secure. Verify that all your solutions use encryption and that the devices are running with the latest security patches. Double and triple check that only the designated people have physical access to your systems containing personal data, and log all access (when, what, why, who, where).
Create a complete map of your company's personal data usage (creation, update and deletion). Remember to include who is responsible for / owns the different data sets and where & how each is stored. Remember how broad the definition of personal data is: you might have to re-arrange your databases etc. to comply with the new regulation. Make sure your personal data is secure throughout its whole life-cycle: initialization, update, deletion. Also remember to check that all of your backup systems comply with the tight rules.
Document everything related to the GDPR area. Your personal data inventory & map will come in handy here. Create up-to-date DPIA and IRP documents. Remember to clearly document all work which touches your customers' personal data (why, who, where, how, etc.). In case of a breach / other problems, these documents & logs (when up-to-date and accurate) might prove more valuable than you think... (Article 35, Article 30)
Make sure that you give clear information about how your company is using your customers' personal data, and keep your promises. You do not need to renew your current customers' consent, but any additional consent that you need must be asked for and clearly marked as given. Do not overstep your customers' consent. Heavy fines await if you get caught doing things with your customers' personal data without having permission to do so. Consent for children (data subjects below 16 years) must be given by the child's parent or custodian (Article 7, Article 8).
Make sure that all of your employees understand and follow the GDPR. Minimize access to the personal data and keep accurate logs of who accesses it and why. Remember that a single person (who might be breaking the GDPR rules badly...) can create huge problems even if you have the world's best cybersecurity in place...
Make sure that you can prove that your cybersecurity is in order and that you are on top of things. Train your employees for a cybersecurity breach: what actions should be taken, what documents should be filed, etc. In the case of a personal data breach you will have 72 hours to inform the supervisory authority about the incident. You may also need to inform all affected users. Be prepared for this. Have the right procedures and documents in place and proceed accordingly to minimize the damage.
Be prepared for user requests related to their personal data: right to rectification, right to erasure (right to be forgotten), data portability (data migration). See GDPR KEY CHANGES for more details.
Depending on your business model it may or may not be mandatory for your company to have a designated Data Protection Officer (DPO, Article 37). To simplify and clarify things we recommend that all companies have a designated DPO (a company-internal one-stop-shop for the personal data & privacy area). NOTE: before assuming the DPO role, be sure to read the WARNING text regarding the possible legal risks.
All privacy switches present in the solutions that your company is selling should be set to high by default.
The good news: the above sums it up quite nicely. Any company which has managed to correctly implement the three "rules" mentioned above should (to a large extent) have captured the essence of the GDPR.
The bad news: the devil is in the details. The complexity of any given solution tends to grow rapidly when you open up the simplified version of the concept. The real scope of the bullets mentioned above is a lot bigger than just the 88-page GDPR document itself...
GDPR is more like a continuous process than a one-time effort *
Your alertness, security and personal data awareness are the main goal. The documents and logs are there to help your organization in its personal data work and to verify your appropriate & correct usage of it (Note: cheating here may end up in game-changing administrative fines).
A well-implemented GDPR cycle = Fewer problems
* like all security-related problems
Protect your company's back against administrative fines by becoming GDPR compliant. It is no longer enough to say that your company is safe & secure, or that you are complying with the laws & regulations and that you have your customers' consent: you must soon be able to prove it.
Let Zen-mode Solutions help you (A) verify your cybersecurity and (B) create the required GDPR documentation that proves that your company is safe & secure and that it fulfils and is following the GDPR.
It can generally be said that the GDPR is a good thing for all EU citizens, but at the same time it also creates big challenges for many companies...
When the regulation is well implemented and understood, it helps to (A) clarify your business model, (B) remove possible security problems and (C) it might even create new business opportunities for your company. It also clarifies what you can and cannot do with personal data.
When poorly implemented and understood, your company risks receiving "game-changing" fines in case of (A) a personal data breach, (B) overstepping your powers or (C) running into other GDPR-listed problems which you should have been prepared for...
Earlier, if a company experienced a breach of its customers' personal data, the company might have received a warning letter from the authorities. As of 25.5.2018 the penalty for the most serious GDPR infringements can be up to €20 Million or 4% of the company's annual global turnover (whichever is greater) (Article 83). Can you afford a slip-up?
Commission Zen-mode Solutions to perform a thorough GDPR Cybersecurity readiness check for your Company / Innovations.
Let us help you create your Data Protection Impact Assessment (Article 35, a.k.a. PIA: Privacy Impact Assessment) and IRP (Incident Response Plan) documents, and test and secure your IT / IoT / main solutions. We will investigate, pinpoint and help you remove possible security problems before you run into trouble...
We can help out in different parts of your GDPR effort, or you can outsource the whole problem to us (includes cyclic cybersecurity checkups, the required document & log updates, and acting as your customers' GDPR contact point).
Helping you in your GDPR & Cybersecurity effort
1. Cybersecurity Forensics & Risk Analysis
Mapping your company's cybersecurity status & GDPR readiness
Investigating & analyzing which parts of your company & products are affected
2. Cybersecurity Solution / Code Audit
Assuring the safety of your solutions & code
Making sure the platforms, frameworks, libraries and code you use are safe & secure
3. Products Network Cybersecurity Check & GDPR compliance check
Assuring your solutions' network safety
Regression testing your solutions' different platforms + IP-packet analysis
4. Report + End Report
Documents containing our Cybersecurity & GDPR findings & recommendations.
The end report contains our verification of the selected GDPR & cybersecurity areas.
- Can you prove that your company is complying with the new Data Protection Regulation?
- Is your DPIA (Data Protection Impact Assessment, Article 35) or PIA (Privacy Impact Assessment) in order and up to date? Be prepared to send it over to your authorities when things have gone wrong...
- Is your company processing large amounts of personal data? Is the personal data safely stored, both physically and electronically?
- Do you have your customers' consent? Can their data be erased or migrated in / out of your systems? Can you prove it?
- Can you prove that your whole chain respects the GDPR (from start to finish)? How about your third-party business partners: what do they have access to?
- Who has access to your company's personal data? Do you have any logs of data processing activities? Is all network access to your data encrypted? Has this been verified?
- Does your company have video / CCTV coverage of a public place? Who can access this data / video feed, from where and using what? Can you show us your access logs for this?
- Are your solutions inside people's houses? Are you sure they are not leaking anything? Who can access this data / video feed and how?
- Who is your DPA (Data Protection Authority)? Do you need a DPO (Data Protection Officer)?
- If you notice that you have been breached, what are your next steps? What if the breach happened a long time ago? Please show us your IRP (Incident Response Plan).
The assessment shall contain at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
The personal data should be:
The record of processing activities shall contain at least:
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Personal data shall be:
WARNING: Legal risks of being a DPO: before assuming the DPO role, check your rights & liabilities: check (1) your company's policies, (2) your employer's insurance policies and (3) your local country's laws. IAPP: In some countries, DPOs – or their equivalent under local law – may be held personally liable for failing to comply with local privacy law.
That contract or other legal act shall stipulate, in particular, that the processor:
- processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- takes all measures required pursuant to Article 32;
- respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
- taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
- assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Below are some (pre-GDPR) administrative fine examples related to privacy: