GDPR increases the privacy of individuals and gives the authorities greater power to take action against companies that collect and hold their personal data. GDPR requires companies to provide adequate documentation of the assessments that led to certain organizational and technological choices.
Companies that have already carried out a DPIA, and those that have not yet done so, can proceed to adapt their applications with the security measures it identifies. The new European regulation leaves the data controller a wide margin of choice over the measures to apply, based on the risk analysis of the processing activities carried out. Since the approach has moved from the concept of minimum measures to the more Anglo-Saxon concept of accountability, there are no GDPR-compliant applications, only GDPR-ready applications, i.e. applications ready to accept the necessary measures such as pseudonymisation or data encryption. Prioritising and planning interventions on the basis of risk is a recommended best practice.
Companies that have not yet done so must hurry to put the processing of personal data handled by IT service providers in the cloud or as SaaS on a contractual footing. It is not enough simply to appoint the provider as data processor, as one often reads in the appointment document. First, analyse the existing contracts, catalogue the types of data handled and ask yourself "what would happen if ...". Then perform a gap analysis against the requirements of the GDPR. With cloud service providers you will probably find high-standard security measures, but also greater rigidity if you ask them to extend their scope. With SaaS suppliers you will have to formalise the processing in the contract, specifying the data processed and the scope, purpose, method and duration of processing. The contract must also state how security incidents and data breaches are to be communicated, introducing SLAs consistent with the GDPR's requirements. Where necessary, it must provide for adapting the applications with the security measures that emerged during the DPIA.
Excel is among the best software applications of all time and has certainly helped many companies in the phase of classifying their processing activities. However, it is unlikely to help complex organisations manage their register of processing activities efficiently. Once the first phase is over, it is time to think about optimising the entire lifecycle of a processing activity. Smaller companies can purchase standard applications, while larger companies will gain clear advantages from adopting bespoke applications that are more flexible and able to adapt to the peculiarities of their organisation. Engineering the register should include digitising the collaborative management processes (creation and modification of a processing activity, approval workflow, etc.) and ensuring they are tracked, to facilitate future audits. The register will progressively evolve and integrate with other typical GDPR processes, such as the DPIA or the management of the right to be forgotten. Those who have already invested in multi-compliance systems should include and integrate the register in a way that is consistent with the system as a whole.
Now that you have determined your privacy policies, you can focus on the individual processes that support GDPR management, verifying the gaps that need to be filled to mitigate risk. Follow these steps:
1. Outline the processes needed to manage privacy in compliance with the GDPR.
2. Select the tools for their implementation, respecting the "natural" areas of the existing platforms and optimising internal development and management costs.
3. Set the functional requirements necessary to implement the GDPR IT processes.
4. Establish the project roadmap for implementing the processes that support the GDPR.
If the processes you have outlined cannot be supported by the applications already in use, consider speeding up their implementation with the Business Process Management tools (BPMS) available in your company.
Most likely you will have involved all the process owners in the company in order to collect the personal data subject to processing. You will have realised that duplication and redundancy of data are two big problems arising from the discontinuity between internal and external communication channels. Make sure you have identified all of them. For example:
- Have you considered ALL PEC (certified e-mail) mailboxes? Who has the access passwords? Why do they have them? What data goes through them, and what data could go through them? How do you prevent the related operational risks?
- Have you considered the storage of electronic documents? What PERSONAL DATA do you keep? How do you delete the data you no longer need?
Make a checklist, as complete as possible, and then critically review your register of processing activities.
The regulation prescribes a privacy by design and by default approach, i.e. deciding which measures to take when designing processes so that privacy is ensured when they are executed. To integrate privacy inseparably into your processes, review the way you manage organisational changes, and technological changes as well. Make a list of all the possible events that bring about change and check, for each, whether or not a DPIA is required. Always keep in mind that even a simple change to the information system can affect the privacy management model and the security measures already in place.