GDPR/Privacy protection management
Why is it important to align your business with the GDPR?
The General Data Protection Regulation has been in effect since May 25, 2018, and as a regulatory framework of the European Union it has greatly changed the way personal data is collected and processed. The most important part of the regulation concerns the collection and processing of data, which must be recorded in such a way that it is known who collects and processes the data, for what purpose and on what legal basis.
The General Data Protection Regulation sets out detailed requirements for organizations regarding the collection, storage and management of personal data. The regulation applies to European organizations that process the personal data of individuals in the European Union, and to organizations outside the European Union whose activities are directed at people living in the EU.
Personal data is any data relating to an individual whose identity has been determined or can be determined, called the data subject. Personal data includes information such as name and surname, address, ID card or passport number, IP address, etc. There are special categories of data that cannot be processed, such as racial or ethnic origin, sexual orientation, political views, biometric or health data, etc.
The two key roles in the processing of personal data are the controller and the processor. The data controller decides on the purpose and method of data processing, and the processor stores and processes the data on behalf of the data controller.
The General Data Protection Regulation lays down strict rules for data processing based on consent. The aim of these rules is to ensure that individuals understand what they are agreeing to. This means that consent should be voluntary, specific, informed and unambiguous, and given on the basis of a request written in clear and simple language. Consent should be given by an affirmative act, such as checking a box online or signing a form.
The role of the personal data protection officer
The Data Protection Officer (DPO), appointed by an organization where required, is responsible for supervising how personal data is processed and for informing and advising employees who process personal data about their obligations. The officer also cooperates with the data protection authority and is the contact point for both individuals and the authority. A data protection officer should be appointed where the organization regularly or systematically monitors individuals or processes special categories of data, where data processing is a core business activity, and where large amounts of data are processed.
Personal data is any information that can be used to uniquely identify, contact or locate an individual or, in combination with other sources of information, to uniquely identify them. Examples are: first and last name, OIB (the Croatian personal identification number), location data, credit card numbers, etc.
Why is it important to care about privacy?
Over the past years we have witnessed a large number of incidents in which personal data was misused, affecting numerous individuals and organizations. Examples include incidents of identity theft and the subsequent use of stolen identities for illegal purposes. The main reasons for protecting personal data can be summarized as follows:
• Privacy protection of personal data owners
• Compliance with legal and regulatory requirements
• Implementation of corporate responsibility
• Increasing credibility with users
• Reducing the number of security breaches.
To prevent such incidents, it is recommended that organizations implement information security systems aimed at protecting the privacy and personal data of individuals. The ISO/IEC 29100 standard can be used for this purpose: it provides a privacy framework for ICT systems that contain personal data, with the goal of better protecting personal data and improving organizations' privacy programs through best available practices.
“43% of organizations experience a data security breach during one business year, and the increasing trend is 10% per year.” – Ponemon Institute report
What is ISO 29100 and how can it help in privacy protection management?
ISO/IEC 29100 is intended for use by individuals and organizations involved in the design, development, procurement, testing and maintenance of ICT systems, in which they wish to protect all the personal data those systems contain. This privacy framework was developed to help organizations define their privacy requirements by:
• specifying common privacy terminology,
• defining the actors and their roles in the processing of personal data,
• describing privacy protection options, and
• providing references to known IT privacy principles.
Although several existing standards relate to security (ISO 27001, ISO 27002, ISO 27018, etc.), ISO/IEC 29100 focuses specifically on the processing of personal data.
The continuous growth in the complexity of ICT systems makes it difficult to protect privacy and to comply with the various applicable laws. For this reason, the ISO/IEC 29100 standard provides eleven essential privacy principles, developed to take into account applicable legal and regulatory, contractual, commercial and other relevant factors.
In addition, these principles can be used to guide the design, development and implementation of privacy policies and controls, and to audit an organization's privacy management program. As can be seen in the figure, providers and recipients of personal data are identified as the participants. Providers of personal data can be users of ICT systems, data owners or subscribers, while providers of application solutions and administrators are known as recipients of personal data. Privacy preferences are set by the providers of personal data, and security measures are applied throughout the entire information life cycle: collection, storage, use, transfer and deletion.
Source: PECB Whitepaper ISO 29100
How can ZIH help you?
ZIH has more than 20 years of experience in implementing security and privacy management systems, implementing security measures in accordance with the requirements of the General Data Protection Regulation (GDPR), and providing training in these areas.