Do you know your organisation’s main GDPR compliance and IT security risks? Test yourself by asking the following key questions:
- Do you know where your company keeps databases that contain personal data and who can access relevant systems?
- What can those who can access the systems do there? Are system changes logged and can they be retrospectively identified?
- Does your company have a data backup plan in place and do the IT staff follow it?
- Does your company have a disaster recovery plan for resolving information security incidents and is the plan regularly updated?
If the four questions about the effectiveness of your cyber security and data protection aroused your attention, you have taken the first notable step towards mitigating your organisation’s data management risks. Data protection is not a one-off activity that is separate from your day-to-day operations. The above questions need to be asked regularly. Responses should depend not only on the number of identified public data leakages but also on the frequency of ‘routine’ incidents, such as users’ temporary lack of access, sharing of user IDs and passwords, information exchange with persons outside the European Economic Area (EEA), unauthorised persons’ unrestricted access to the office and workstations, etc.
Although laws and regulations are abstract and complex, they have to be translated into specific activities that can be executed, taking into account the nature of the organisation (its business needs, systems, data, policies, etc). Hence, the GDPR affects not the legal but also the technical and organisational aspects of data protection. The GDPR requires a comprehensive and integrated approach, designed based on your business needs, and adequate understanding and coverage of all the above aspects. As usual, problems can be more easily avoided by applying preventive measures rather than focusing on correcting retrospectively identified mistakes.
A core feature of the GDPR is a risk-based approach. This means that the higher the risk of data leakage in data processing, the stricter the data protection regulations for the organisation. Compliance with the GDPR requirements assumes that an organisation establishes internal rules which specify data processing and protection in the context of that organisation. From a wider perspective, this means that the assessment of data protection risks is a fundamental and continuous activity in the daily operation of all organisations. When a problem arises and /or becomes public, the organisation must be able to prove (to the Data Protection Inspectorate or, in the worst case, to the court of law) that all reasonable and appropriate retrospective and prospective internal measures were applied to protect data and prevent breaches.
Effective data protection and privacy assurance programs and systems, which take into account the company’s business interests, regulatory requirements and optimal technological options, help managers and employees build a data privacy and protection culture. Goals-based planning and implementation can significantly improve an organisation’s data processing and process management quality.
Compliance with the GDPR requirements is a time-consuming and consistent process, which should be underpinned by an ethical culture and, where resources are limited, the involvement of recognised and certified external experts.
We can help you take the first step by providing support and guidance in mapping the existing situation and conducting a data security audit – a GDPR compliance audit. We have the expertise and extensive experience to provide answers to any questions and advise you in finding the best solution for identifying and mitigating your company’s risks. In a GDPR compliance audit, our certified IT auditors assess, among other things, your organisations’ IT security hygiene and draw attention to possible threats. Where risks are identified, we suggest measures that are appropriate for your organisation’s business and policies. Based on that, you can take specific steps to improve your processes. The service is primarily designed for internal use but, based on our GDPR compliance audit or review, we can also issue conclusions or confirmations to third parties.
Please contact us and we will help you find a solution that best fits your needs.