Data protection by design, or Privacy by Design, is the basis for optimal protection of personal data.
As DPO or privacy specialists, we provide a GDPR Dossier, offered to you online because “data live”: there is always a shift in personnel responsibilities, or a new application is brought into use, and privacy regulations require such changes to be followed up properly at all times.
What is a GDPR File?
If you wish your organization to become GDPR-proof, we at iReto recommend the GDPR File.
DPO Associates works according to this scheme:
1. Raising awareness
Both key personnel and staff are correctly informed about the processing of personal data and learn to assess the impact that implementing the GDPR will have on the organization.
2. The register of processing activities
After a thorough study of the processing activities and internal processes, we identify which personal data is processed, where it came from and with whom it has been shared.
3. The DPO
The DPO checks whether the organization acts in accordance with the requirements of the AVG (the Dutch name for the GDPR) and assists where necessary.
4. Rights of data subjects
We verify that the organization provides for all data subjects’ rights: which rights they can invoke, how personal data can be deleted and how that data is communicated electronically.
5. Communication
Creating a privacy policy and privacy statement tailored to the organization, configuring outgoing mail settings, monitoring customer lists and handling the processing of personal data for marketing purposes.
6. Access rights
Who has access to which application, and to what extent can a particular person see data within the organization? Keeping login codes and passwords, and drafting the procedure for destroying them.
7. Determining the legal basis
For each processing operation, the legal basis is determined and documented. These bases are published through various channels so that customers or patients can inform themselves.
8. Consent
Evaluation of how consent is sought, obtained and recorded. Consent statements must be freely given, specific, informed and unambiguous.
9. Personal data of children
Developing systems to ascertain the age of data subjects and to determine whether consent must be sought from parents or a guardian for processing the personal data of minors.
10. Data breaches
Establishing adequate procedures to detect, report and investigate personal data breaches. Failure to comply with the reporting requirement can result in a fine on top of the fine for the data leak itself.
11. Privacy by Design
Data protection by design and concepts such as the data protection impact assessment are enacted and implemented in the operation of the organization.
12. International
Determining which supervisory authority the organization falls under if it operates internationally.
13. Existing contracts
Reviewing existing contracts, primarily with processors and subcontractors, and making changes where necessary.
How to get GDPR right?
Step 1: Analysis of the organization
At the initial meeting, we review what personal data the organization processes, how and for how long it is stored, and who has access to it.
This involves mapping all processes associated with data processing. The mapping follows the ISO 27001 standard, which also yields an overview of the hardware and software in use.
To optimize the security of personal data, the following points are systematically checked:
- The fire safety of the offices
- Can water damage occur?
- Are there climate protection measures?
- What about the power supply?
- Is there detection against security breaches?
- Do employees recognize malware?
- Are there backups and how are they secured?
- Is the network adequately secured?
- What data resides on mobile devices?
- Was incident and continuity management considered?
Step 2: Developing a privacy plan
We prepare the privacy plan, or privacy management, together with the person in charge of the organization.
Here we verify whether passwords are used and who has access to them, and appoint a person within the organization who is responsible for managing all passwords.
This person ensures that passwords are kept and changed at set times according to a new procedure, and that login codes are removed when staff leave, to prevent misuse.
While drafting the Privacy Plan, iReto examines whether any processing operations qualify for a DPIA, a Data Protection Impact Assessment.
According to IT Tips, the issues under scrutiny include:
- Use of a firewall, and whether it is hardware- or software-based
- Configured settings on devices supplied by manufacturers
- Settings of firmware
- Setting passwords on laptops, computers, tablets and smartphones
- The use of 2FA or MFA
- The Cloud environment: who has access to it?
- Scanning for viruses and using USB sticks
- Use of (public) networks
- Preventing the installation of unapproved software
- Sandboxing: running in a protected environment
- Keeping all devices, operating systems and software up to date
Step 3: Roll out within the organization
Creating a processing register that specifies the purpose of each processing operation, the categories of data subjects, the nature of the personal data, and whether multiple processors, sub-processors or joint processors are involved.
Separate registers are also kept for installed surveillance cameras and for identified data breaches.
A flow chart makes it possible to see at a glance where the personal data to be processed enters the organization, who processes it, and how it is processed further once it leaves the responsible party.
Processors and controllers are registered and then contacted to draft and sign a customized processor agreement.
Because the data subject, patient or client must be correctly informed, the existing website is scrutinized for the following items:
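As an added illustration, not part of iReto's or DPO Associates' own process, here is a small Python check over a processing register that flags the gaps described above: a missing legal basis, consent used without a record, children's data without a parental consent step, an undefined retention period, a processor without a signed agreement, and DPIA candidates. The field names, the DPIA trigger flags and the sample entries are assumptions made for this example.

```python
from dataclasses import dataclass, field
# Lawful bases of GDPR Art. 6(1); the sample data and DPIA trigger flags are constructed.
LEGAL_BASES = {"consent", "contract", "legal obligation", "vital interests",
               "public task", "legitimate interests"}

@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    data_subjects: list             # categories of data subjects, e.g. ["patients"]
    data_categories: list           # nature of the personal data, e.g. ["health"]
    legal_basis: str
    retention_days: int             # how long the data is stored
    processors: list = field(default_factory=list)
    processor_agreements: list = field(default_factory=list)  # processors with a signed agreement
    consent_recorded: bool = False  # is the consent statement kept on file?
    minors: bool = False            # data subjects may be children
    parental_consent: bool = False  # is guardian consent obtained for minors?
    dpia_triggers: list = field(default_factory=list)  # assumed flags, e.g. "large scale"

def check_activity(a: ProcessingActivity) -> list:
    """Return findings for one register entry; an empty list means no issue."""
    f = []
    if a.legal_basis not in LEGAL_BASES:
        f.append("legal basis missing or not one of Art. 6(1)")
    if a.legal_basis == "consent" and not a.consent_recorded:
        f.append("consent is the basis but no consent record is kept")
    if a.minors and not a.parental_consent:
        f.append("children's data processed without a parental consent step")
    if a.retention_days <= 0:
        f.append("retention period not defined")
    for p in a.processors:
        if p not in a.processor_agreements:
            f.append(f"no processor agreement signed with {p}")
    if len(a.dpia_triggers) >= 2:  # assumed rule of thumb: two triggers => DPIA candidate
        f.append("candidate for a DPIA: " + ", ".join(a.dpia_triggers))
    return f

def check_register(activities) -> dict:
    # Map each activity name to its findings, keeping only entries with issues.
    return {a.name: fs for a in activities if (fs := check_activity(a))}

# Constructed sample register: one clean entry, one with several gaps.
SAMPLE_REGISTER = [
    ProcessingActivity("payroll", "salary payments", ["employees"], ["identity", "bank"],
                       "legal obligation", 7 * 365, ["PayrollCo"], ["PayrollCo"]),
    ProcessingActivity("patient newsletter", "marketing", ["patients"], ["email", "health"],
                       "consent", 0, ["MailVendor"], [], minors=True,
                       dpia_triggers=["special categories", "large scale"]),
]
```

Calling `check_register(SAMPLE_REGISTER)` returns findings only for the newsletter entry; the payroll entry passes every check.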
- Privacy Statement
- Cookie Policy
- Secure connection (SSL/TLS)
- Use of reCAPTCHA
- General Terms and Conditions
- Website Disclaimer
In addition, employment contracts are reviewed and, where necessary, amended to comply with privacy law, because blue- and white-collar workers must also be aware of the privacy policy of the company, organization or practice that employs them.
Step 4: Monitoring & follow-up
Once the GDPR Dossier is created, systematic follow-up begins. The file only stays optimal with a review and adjustment every 3 years. Data live, so an organization changes continuously, and legislation can be adjusted through the coherence mechanism between European member states.