GDPR/Privacy protection management
GDPR
Why is it important to align business with the GDPR Regulation?
The General Data Protection Regulation has been in effect since May 25, 2018, and as a regulatory framework of the European Union it has greatly changed the way personal data is collected and processed. The most important part of the regulation concerns the process of data collection and processing, which must be recorded in such a way that it is known who collects and processes the data, for what purpose and on what legal basis.
The General Data Protection Regulation sets out detailed requirements for organizations regarding the collection, storage and management of personal data. The regulation applies to European organizations that process personal data of individuals in the European Union and organizations outside the European Union that are directed at people living in the EU.
Personal data is all data relating to an individual whose identity has been determined or can be determined, called the data subject. Personal data includes information such as name and surname, address, ID or passport number, IP address, etc. There are special categories of data that cannot be processed, such as racial or ethnic origin, sexual orientation, political views, biometric or health data, etc.
The two key roles in the processing of personal data are the controller and the processor. The data controller decides on the purpose and method of data processing, and the processor stores and processes the data on behalf of the data controller.
The General Data Protection Regulation lays down strict rules for data processing based on consent. The aim of these rules is to ensure that the individual understands what they are agreeing to. This means that consent should be voluntary, specific, informed and unambiguous, and given in response to a request written in clear and simple language. Consent should be given by an affirmative act, such as ticking a box online or signing a form.
The role of the personal data protection officer
The Data Protection Officer (DPO), appointed by an organization where required, is responsible for supervising how personal data is processed and for informing and advising employees who process personal data about their obligations. The DPO also cooperates with the data protection authority and is the contact point both for individuals and for that authority. A data protection officer should be appointed if the organization regularly or systematically monitors individuals or processes special categories of data, if data processing is a core business activity, or if a large amount of data is processed.
Personal data is any information that can be used to uniquely identify, contact or locate an individual or, in combination with other sources of information, to uniquely identify them. Examples are: first and last name, OIB (the Croatian personal identification number), location data, credit card numbers, etc.
Why is it important to care about privacy?
Over the past years, we have witnessed a large number of incidents in which personal data was misused, affecting numerous individuals and organizations. Examples include incidents in which identities were stolen and then used for illegal purposes. The main reasons for protecting personal data can be summarized as follows:
• Privacy protection of personal data owners
• Compliance with legal and regulatory requirements
• Implementation of corporate responsibility
• Increasing user credibility
• Reducing the number of security breaches
In order to prevent such incidents, it is recommended that organizations implement information security systems aimed at protecting the privacy and personal data of individuals. For this purpose the ISO/IEC 29100 standard can be used; it provides a privacy framework for ICT systems containing personal data, with the goal of better protecting personal data and improving organizations’ privacy programs through best available practices.
“43% of organizations experience a data security breach during one business year, and the increasing trend is 10% per year.” – Ponemon Institute report
What is ISO 29100 and how can it help in privacy protection management?
ISO/IEC 29100 is intended for use by individuals and organizations involved in the design, development, procurement, testing and maintenance of ICT systems in which they wish to protect all personal data contained in those systems. This privacy framework has been developed to assist organizations in defining their privacy requirements by:
• specifying common privacy terminology
• defining the actors and their roles in the processing of personal data
• describing privacy protection options
• providing references to known IT privacy principles
Although there are several existing security-related standards (ISO 27001, ISO 27002, ISO 27018, etc.), ISO/IEC 29100 focuses specifically on the processing of personal data.
The continuous growth in the complexity of ICT systems makes it difficult to protect privacy and comply with various applicable laws. Therefore, the ISO/IEC 29100 standard provides eleven essential privacy principles that have been developed to take into account applicable legal and regulatory, contractual, commercial and other relevant factors.
In addition, these principles can be used to guide the design, development and implementation of privacy policies and controls, and to conduct audits of an organization’s privacy management program. As can be seen in the figure, providers and recipients of personal data are identified as the participants. Providers of personal data can be users of ICT systems, data owners or subscribers, while providers of application solutions or administrators are the recipients of personal data. Privacy preferences are set by the providers of personal data, and security measures are applied throughout the entire life cycle of the information: collection, storage, use, transfer and deletion.
Source: PECB Whitepaper ISO 29100
How can ZIH help you?
For the needs of your organization, ZIH can carry out the following activities:
• Analysis of the current situation and identification of personal data records
• Education of employees
• Conducting a data protection impact assessment (DPIA) and protection of personal data
• Consulting in the implementation of organizational compliance measures
The first phase includes an analysis of the current state of compliance with the requirements of the Regulation related to the processing of personal data (collection, recording, organization, storage, modification, use, publication, deletion, etc.).
The training of employees who work with personal data includes obligations regarding the GDPR Regulation and the manner in which personal data is handled. ZIH can organize several different trainings, including training and certification of personal data protection officers (DPOs).
The goal of the analysis is the identification of all necessary improvements for the purpose of compliance with the Regulation. The Data Protection Impact Assessment (DPIA) is conducted with the aim of identifying possible privacy problems that may arise during activities involving the processing of personal data.
Consulting in the implementation of organizational measures includes the harmonization of existing internal acts and the preparation of new ones for the purpose of full compliance with the GDPR Regulation. This implies the preparation of internal acts to regulate all obligations arising from the Regulation regarding the protection of personal data, including the protection of their confidentiality, integrity and availability, and the possibility of adequate management of incidents that may endanger personal data.
PROTECTION OF PRIVACY
Depending on the needs of the client and the current state of implemented security measures, ZIH proposes a suitable work approach, guided by international norms and frameworks. Accordingly, we organize workshops with management and, with the expert guidance of our consultants, help clients successfully implement a privacy management system that will ensure effective protection of the personal data they hold.
ZIH achieves this through the following consulting services:
• Preparation of privacy management system implementation projects according to the ISO 29100 standard and creation of a realization plan
• Gap analysis of the current state and identification of processes relevant to privacy
• Creation of the necessary documentation of the privacy management system according to the ISO 29100 standard
• Assistance in the implementation of measures to ensure the privacy of individuals whose personal data the organization holds
• Implementation of internal assessments / participation and consultation in internal assessment procedures
• Elimination of detected inconsistencies in the privacy management system
Performing these tasks raises the level of security of the systems in which personal data is stored and raises the awareness of all employees, so that this data, as well as the privacy of the persons to whom it belongs, is protected as fully as possible.
Education in the mentioned areas:
• Application of the Personal Data Protection Regulation (GDPR)
• Education and certification of personal data protection officers
• Certified GDPR Foundation (PECB)
• Certified GDPR Data Protection Officer (PECB)
• Certified ISO 29100 Foundation (PECB)
• Certified ISO 27701 Foundation (PECB)
• Certified ISO 27701 Lead Implementer (PECB)
• Certified ISO 27701 Lead Auditor (PECB)
ZIH has more than 20 years of rich experience in implementing security and privacy management systems, implementing security measures in accordance with the requirements of the General Data Protection Regulation (GDPR), and providing training in the aforementioned areas.