THE GDPR IS UPON US: ARE YOU READY FOR THE REVOLUTION?
May 25th 2018 will mark the start of a new era for the protection of personal data and the laws that regulate processing by Public and Private Organisations. This is the date, in fact, when the General Data Protection Regulation (better known as the GDPR) (EU 2016/679) will come into effect.
The GDPR introduces new rights, responsibilities, duties and measures, but above all it dictates a new organisational model on companies that considers the handling of personal data within the production process. This model is aimed at ensuring greater protection for the user’s personal data and greater control over the information concerning him/her on the one hand, and on the other at providing guidelines and definite, shared tools to Public and Private Organisations for processing such information safely and transparently, gaining the greatest possible business benefit without damaging the user’s privacy.
To help Public and Private Organisations comply with the GDPR within the timescales provided for in the new Regulation, Net Service offers a structured service in phases that starts with a census of the processed data, an analysis of the company processes involved and an evaluation of the client's needs, and then continues with tangible support while the required modifications are implemented.
Approved by the European Parliament in April 2016, the GDPR will absorb current European and national legislation on Privacy, which is no longer suited to ensuring transparent handling of information in the Internet and Big Data era.
The legislation has a dual goal: on the one hand, harmonising the privacy and information confidentiality laws of all the European countries, and on the other ensuring greater transparency and security when sensitive data belonging to the user is handled by public companies and bodies.
This is a first important milestone for the standardisation of European privacy policies, that all those handling personal data must abide by, updating their own company processes, IT infrastructures and marketing activities before the legislation comes into force.
The General Data Protection Regulation (GDPR) introduces a new framework of obligations and measures, effective in all business scenarios and applicable to both the public and private sector, which must be observed by Organisations with offices within the European Union, and also by non-EU Organisations that offer services and/or conduct monitoring activities within the EU.
The legislation applies to all those subjects and Organisations in the public and private sector that must handle third-party personal data - whether relating to employees, clients, students, users or suppliers - as a part of their activities.
The principle that European Union law applies to the handling of personal data even when the processing does not take place within EU territory is also introduced. This applies when the data is connected to the offer of goods or services to EU citizens, or when it involves monitoring their conduct.
Applicability of the regulations therefore depends on the nature of data processing and no longer on the place where the Data Processor is based or on the size of the company.
With the GDPR, privacy becomes a company process to be managed in every single phase, an inherent element that is the basic requisite of any processing activity. This means that companies will require a new organisational model and new procedures. Personal data will have a value, becoming a development engine and driving force for the new emerging economy.
The content of the information provided and the ways in which consent can be obtained for the handling of personal data therefore change, becoming more understandable and easier to access, and new tools, procedures and professional roles are introduced to increase protection of the processed data, aid transparency and prevent or manage the risks arising from cyber attacks.
Sanctions will also be more severe in the event of violation, and the management and transfer of EU citizens' personal data is regulated for the first time, even when processed outside the European Union.
In summary, therefore, the new European General Data Protection Regulation provides for an increase in users' rights as well as in the measures to be adopted by organisations and the obligations of Data Processors. Below is a summary of the principles:
GDPR: USE NET SERVICE
With twenty years’ experience in the IT sector, Net Service has developed a specific intervention method to help its clients on their path towards the GDPR.
This is a GDPR compliance process split into three modules (Technological Compliance and Data Governance, Legal Support and Advisory Service and Bringing Marketing activities up to standard), which accompanies the companies and bodies involved while managing the necessary changes to methods and infrastructures for adapting to the new European regulations on privacy.
The GDPR compliance service is backed by certified skills in the application, infrastructure and legal fields, applied in a customised approach that is open to collaboration with technology partners and that integrates both Cyber Security and Data Management best practices and international standards, in particular the ISO 27001 and ISO/IEC 29134:2017 frameworks. All this ensures modular, effective and flexible solutions for our clients.
The service comprises data auditing and a tailor-made operational plan, starting with the definition of the analysis parameters and an assessment of the requesting company or body's organisational model, and continuing with the design of the service according to their actual needs. Net Service guarantees the presence of skilled personnel, in particular:
- Process expert
- IT security expert
- Legal expert on GDPR
These professionals will be assisted by support structures such as the Legal and regulatory competence centre, the Cyber Security Centre and the certified ICT provision structure, and by support tools, i.e. tailored software and applications that comply with GDPR.
The aim is to provide the client with a more efficient, flowing and legally-compliant organisation and greater security with regard to the organisation’s information assets and the sensitive data belonging to the users involved in processing.
TECHNOLOGICAL AND DATA GOVERNANCE COMPLIANCE
With staff specialised in the Cyber Security, Disaster Recovery, System Integration and Information System Auditing fields, Net Service offers valuable technological support for all those organisations that still have to bring their own systems and IT procedures into line with the GDPR requirements. Here are the main areas of intervention:
- Integrated organisational and technological assessment
- Data Inventory and Data Discovery and Classification
- Data Governance
- DPIA Analysis (Data Protection Impact Assessment)
- Risk Assessment
- Gap analysis and Remediation or Action Plan (Risk Management)
- Change Management
- Cyber Security
- DPO support tools
LEGAL SUPPORT AND ADVISORY SERVICE
The GDPR requires greater transparency and responsibility, not only in the methods used to handle personal data, but also in the storage of the documentation that defines the processes and uses of said data.
Companies and bodies that handle personal data must provide proof of the purpose of handling, the categories of data handled and the identity of any third parties and third countries with which data is shared or transferred, as well as the legal basis for said transfers, the technical and organisational security measures and the storage periods.
In order to be prepared on May 25th 2018, it is therefore necessary to have a partner with proven experience in both the technological and the legal fields.
Net Service provides its clients with a team of legal experts who are also experienced in the technological field. These are specific professional figures with several years of experience in both resolving management problems from a legal point of view and evaluating ad hoc IT solutions in the technical-legal domain. Here are some of the services planned as part of the GDPR framework:
- Rewriting of information packs that relate to the handling of data
- Updating of Cookies, Privacy and Terms and Conditions pages
BRINGING MARKETING UP TO STANDARD
One of the GDPR’s goals is to offer a single legislative framework for Direct Marketing activities too. It has now been stated by several sources that good privacy and personal data management can be an excellent starting point for increasing turnover.
In order for the motto “Privacy is good for business” to become reality, it is however necessary for companies with a client database to align their best practices on the matter to the GDPR principles.
Net Service can be your ally in the process involved in bringing marketing activities and tools up to standard, for both business and governance purposes. In order to do so, it provides its clients with the tools and skills that allow their Marketing departments to use the personal data acquired in full observance of the GDPR. Within this framework, Net Service can be your consultant for:
- Cookie analysis and mapping
- Anonymization and pseudonymization of Analytics platforms
- Updating of best practices for sending newsletters and DEMs
- Database entry of profiled users (Lead generation)
- Creation of sponsored posts to appear on social media (Social Media Advertising)
- Advertising campaigns on search engines (e.g. Google Adwords)
- Census and review of DPIAs of third-party marketing platforms