Welcome to DPO Associates: “Protect, Detect, Respond”

Data protection by design, or Privacy by Design, is the basis for optimal protection of Personal Data.

As DPO and privacy specialists, we provide a GDPR Dossier, one that is offered to you online because “DATA LIVE”: there is always a shift in personnel responsibilities, or a new application is brought into use, and privacy regulations require that such changes be tracked properly at all times.

What is a GDPR File?

If you wish your organization to become GDPR-proof, we at iReto recommend the GDPR File.

DPO Associates works according to this scheme:

  • 1 Raising awareness

Both key personnel and staff are correctly informed about the processing of personal data, and they learn to assess the impact that GDPR implementation will have on the organization.

  • 2 The register of processing activities

A thorough study of the processing activities and internal processes identifies the personal data being processed, where it came from and with whom it has been shared.

  • 3 The DPO

The DPO checks whether the organization acts in accordance with the requirements described in the AVG (GDPR) legislation and assists where necessary.

  • 4 Rights of data subjects

This verifies that the organization provides for all data subjects’ rights: which rights they can invoke, how personal data can be deleted and how that data is communicated electronically.

  • 5 Communication

Creating a privacy policy and privacy statement tailored to the organization, configuring outgoing mail settings, monitoring customer lists and handling the processing of personal data for marketing purposes.

  • 6 Request for access

Who has access to which application, and to what extent can a particular person see data within the organization? Retention of login codes or passwords, and drafting of the procedure for destroying them.

  • 7 Determining legal basis

For each processing operation, the legal bases are determined and documented. These bases are published through various channels so that customers or patients can inform themselves.

  • 8 Consent

Evaluation of how consent is sought, obtained and recorded. Consent must be freely given, specific, informed and unambiguous.

  • 9 Personal Data of Children

Development of systems to ascertain the age of data subjects and to determine whether consent must be sought from parents or a guardian before processing the personal data of minors.

  • 10 Data breaches

Establishing adequate procedures to detect, report and investigate personal data breaches. Failure to comply with the reporting requirement can result in a fine on top of the fine for the data breach itself.

  • 11 Privacy by Design

Data protection by design and concepts such as the data protection impact assessment are embedded in the operation of the organization.

  • 12 International

Determine which supervisory authority the organization falls under if it operates internationally.

  • 13 Existing contracts

Reviewing existing contracts, primarily with processors and subcontractors, and making changes where necessary.

How to get GDPR right?

Step 1: Analysis of the organization

At the initial meeting, we will review what personal data the organization processes, how and for how long it is stored, and who has access to this personal data.

This involves mapping all processes associated with data processing, following the protocol set out in the ISO 27001 standard, which gives an overview of the hardware and software used.

To optimize personal data security, the following points are systematically checked:

  • Is the fire safety of the offices adequate?
  • Can water damage occur?
  • Are there climate protection measures?
  • What about the power supply?
  • Is there detection against security breaches?
  • Do employees recognize malware?
  • Are there backups, and how are they secured?
  • Is the network okay?
  • What data resides on mobile devices?
  • Was incident and continuity management considered?

Stronger together! Our team in action at the office.

Step 2: Developing a privacy plan

We prepare the privacy plan or privacy management with the person in charge of an organization.

Here we verify whether passwords are used and who has access to them, and we appoint a person within the organization who is responsible for managing all passwords.

This person in charge shall ensure that passwords are kept and changed according to a new procedure at set times, and that login codes are removed when staff leave, to prevent misuse.

During the drafting of the Privacy Plan, iReto examines whether there are any processing operations that qualify for conducting a DPIA, a Data Protection Impact Assessment.

According to IT Tips, issues under scrutiny include:

  • Use of a firewall, and whether it is implemented in hardware or software
  • Configured settings on devices supplied by manufacturers
  • Settings of firmware
  • Setting passwords on laptops, computers, tablets and smartphones
  • The use of 2FA or MFA
  • The Cloud environment: who has access to it?
  • Scanning for viruses and using USB sticks
  • Use of (public) networks
  • Preventing the installation of unapproved software
  • Sandboxing: running in a protected environment
  • Up-to-date policies of all devices, operating systems and software

Step 3: Roll out within the organization

Creating a processing register that specifies the purpose of processing, the categories of data subjects, the nature of the personal data, and whether there are multiple processors, sub-processors or joint processors.

Registers are also kept when surveillance cameras are installed and when a data breach is identified.

Through a flow chart, it is possible to determine where the personal data to be processed enters the organization, who processes it, and how it is further processed after leaving the responsible processor.

Processors and controllers are registered and then contacted to draft and sign a customized processor agreement.

Because the data subject, patient or client must be correctly informed, the existing website is scrutinized for the following issues:

  • Privacy Statement
  • Cookie Policy
  • Secure connection: SSL
  • Use of reCAPTCHA
  • General Terms and Conditions
  • Website Disclaimer

In addition, employment contracts are reviewed and, if necessary, amended to comply with privacy laws, because blue- and white-collar workers must also be aware of the privacy policy of the company, organization or practice where they are employed.

Step 4: Monitoring & follow-up

Once the GDPR Dossier is created, systematic follow-up begins. The file can only become optimal with a 3-year review and adjustment cycle. Data live, so there are continuous changes in an organization, and legislation can be adjusted through the coherence mechanism between European member states.

© DPO Associates. All rights reserved.