How to make your organization compliant with the new GDPR

Personal Data Protection

On 25 May 2018 the new General Data Protection Regulation (GDPR) becomes applicable, which represents a paradigm shift in how personal data must be handled.

Any entity that collects, stores, uses, discloses or otherwise processes personal data must ensure the security of that information.

Personal data comprises any information that can identify a single individual, such as a name, an identification number, location data or physical elements such as photographs.

The biggest change the new regulation introduces is that the burden now falls on the entities themselves to demonstrate that they comply with the legal requirements (the accountability principle).

How to comply with the regulation

1. Consent

Where the processing of personal data relies on consent, that consent must be freely given, specific, informed, explicit and unambiguous.

Each entity must be able to prove that it has obtained the required consent for each category of data it processes.

2. Access by the data subject

Just as data may only be processed with the data subject's consent, the data subject must be able to withdraw that consent at any time.

The data subject must be able to access the personal data held about them.

The data must be portable to another controller, where technically feasible.

3. Implementation of the Regulation

Each entity must be able to prove:

That the personal data it processes is used only for the purposes that were consented to.

That the data is kept up to date, stored securely and accessed only by the people who need it to perform their function.

That the entity has internal policies, codes of conduct and procedures for processing personal data.

That it monitors the data processing in order to ensure that all of the above procedures are actually followed.

4. Notification in case of breach

Each entity that processes personal data must be able to prove that it has a process for detecting personal data breaches and notifying the supervisory authority (in Portugal, the Comissão Nacional de Proteção de Dados, CNPD) within 72 hours of first becoming aware of the breach. Where the breach is likely to result in a high risk to the individuals concerned, the affected data subjects must be notified as well.

5. Data Security

Entities must be able to ensure the confidentiality, integrity and availability of the data they process, through the implementation of an information security management system.

It must be possible to locate the data and to rectify or delete information that is inaccurate.

In certain cases it is also necessary to regularly test the effectiveness of the security measures in place.

6. Data Protection Officer (DPO)

Entities that process personal data on a large scale, or that process sensitive data, must appoint a Data Protection Officer (DPO), who will be responsible for overseeing compliance.

How we operate

In order to ensure that our clients comply with the GDPR (General Data Protection Regulation), our firm operates in four stages:

1. Consultancy and training on the GDPR

  • Advice on real problems in the practical application of the GDPR
  • Staff training on the best practices to adopt

2. Audit of the current personal data processing:

  • Inventory of all processed data;
  • Inventory of the consents and further requirements according to the data type and its purpose;
  • Inventory of the policies governing data subjects' access to their personal data;
  • Inventory of all security systems in use;
  • Verification of existing internal policies;
  • Verification of the existence of a Data Protection Officer (DPO).

3. Operational measures to implement to comply with the GDPR

  • Drafting of a detailed report containing the measures to implement in order to comply with the GDPR;
  • Drafting of privacy policies and codes of conduct.

4. Analysis and adaptation of current technical and technological procedures

  • Listing of the security measures to adopt in order to comply with the GDPR;
  • Execution of penetration testing.

Contact us