The GDPR (General Data Protection Regulation) came about because citizens' personal data needed stronger and more consistent protection. We hand more and more personal data to the companies we deal with, and with cyber attacks a constant threat it is critical that the data we share stays secure. The GDPR aims to protect citizens' personal information, yet a year and a half after it came into force there are still many doubts about its real impact on organizations. So we have prepared this article explaining how the GDPR affects the security of your business.
Care in the processing of personal data
Under the regulation, personal data is any information relating to an identified or identifiable natural person; a person is identifiable if they can be singled out, directly or indirectly, "in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (Article 4(1)). All data with these characteristics must be protected by appropriate technical and organisational measures (Article 32) so that it is not lost, leaked or accessed without authorisation. Datapeers helps companies that want this level of protection through data masking. Data masking shields sensitive data from unauthorised access: a masking tool produces a copy that has the same structure as the original data but does not reveal the real values. The format is preserved while the content becomes fictitious. For example, in a database column holding the bank card numbers of an online store's customers, the digits can be replaced with generated ones so that each number is fictitious but still has the same length, layout and a valid check digit, and so remains usable for the intended processing. Masked data can then be used in test environments and audits without distorting the result of the analysis, while the confidentiality of the real information is preserved. Two caveats matter in practice: merely shuffling the original digits is easy to reverse, so the replacement should be generated (ideally with a secret key, so that the same real value always maps to the same fake value and relationships between tables survive); and if the masking is reversible the result is pseudonymised data, which the GDPR still treats as personal data (Article 4(5) and Recital 26), whereas only irreversibly anonymised data falls outside its scope.
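The following is an added example of the masking described above, written for this article rather than taken from Datapeers' product or any real code base. It masks a column of card numbers in a constructed orders table: non-digit characters stay in place, an optional issuer prefix is kept, the remaining digits are derived from a keyed HMAC so the mapping is deterministic but not reversible without the key, and the last digit is recomputed with the Luhn algorithm so the masked value still passes checksum validation. The key, the sample rows and the function names are all assumptions made for the example.

```python
import hashlib
import hmac


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit that makes `payload` + digit valid."""
    total = 0
    # Walk from the right: the digit just left of the check digit is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the digits of `number` (spaces/dashes ignored) pass the Luhn check."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return len(digits) >= 2 and luhn_check_digit(digits[:-1]) == digits[-1]


def _fake_digits(key: bytes, digits: str, n: int) -> list:
    """n pseudorandom digits derived from HMAC-SHA256(key, digits).

    Bytes >= 250 are discarded so `b % 10` is uniform; a counter extends the
    stream for long numbers such as IBANs.
    """
    out = []
    counter = 0
    while len(out) < n:
        block = hmac.new(key, f"{counter}:{digits}".encode(), hashlib.sha256).digest()
        out.extend(str(b % 10) for b in block if b < 250)
        counter += 1
    return out[:n]


def mask_account_number(number: str, key: bytes, keep_prefix: int = 0) -> str:
    """Replace the digits of `number` with fictitious ones, keeping its shape.

    - Non-digit characters (spaces, dashes) stay where they are.
    - The first `keep_prefix` digits are kept, e.g. a bank/issuer prefix that
      test code branches on.
    - The other digits come from a keyed HMAC over the digit string, so the
      same real value always masks to the same fake value (joins across tables
      still line up) and the mapping cannot be reversed without the key.
    - The last digit is recomputed as a Luhn check digit so the masked value
      still passes checksum validation in test code.
    """
    digits = [ch for ch in number if ch.isdigit()]
    if len(digits) < keep_prefix + 2:
        raise ValueError("number too short to mask")
    body = digits[:keep_prefix] + _fake_digits(key, "".join(digits), len(digits) - keep_prefix - 1)
    body.append(luhn_check_digit("".join(body)))
    fake = iter(body)
    return "".join(next(fake) if ch.isdigit() else ch for ch in number)


def mask_rows(rows, column, key, keep_prefix=0):
    """Return copies of `rows` (dicts) with `column` masked; originals are untouched."""
    return [dict(r, **{column: mask_account_number(r[column], key, keep_prefix)}) for r in rows]


# Constructed sample data (not real customers): an orders table from a web shop.
# Orders 1 and 2 share a card so the referential-integrity property is visible.
SAMPLE_ORDERS = [
    {"order_id": 1, "card_number": "4539 1488 0343 6467", "amount": 19.90},
    {"order_id": 2, "card_number": "4539 1488 0343 6467", "amount": 42.00},
    {"order_id": 3, "card_number": "4111 1111 1111 1111", "amount": 7.50},
]
# Hypothetical masking key for the example; in practice it lives in a secrets
# manager on the masking host and never reaches the test database.
DEMO_KEY = b"demo-masking-key-do-not-reuse"

if __name__ == "__main__":
    for row in mask_rows(SAMPLE_ORDERS, "card_number", DEMO_KEY, keep_prefix=6):
        print(row["order_id"], row["card_number"], luhn_valid(row["card_number"]))
```

Running the script prints three masked card numbers that keep the "4539 14" / "4111 11" prefixes and the original spacing, all reporting `True` for the Luhn check, with orders 1 and 2 showing the same masked value. The HMAC is computed over the digits alone, so "4539-1488-…" and "4539 1488 …" mask to the same digits in their own layout; rotating the key produces an entirely different fake set, which is the intended way to cut ties to an old masked environment.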
Data Processing Consent
The regulation raises the bar for current data collection and processing practices in Portugal by imposing stricter rules on how companies obtain consent for collecting and processing personal data. Consent is only one of the lawful bases listed in Article 6: processing may instead rest on a contract with the data subject, on a legal obligation the company must comply with, or on protecting the data subject's vital interests, among others, and the company must be able to show which basis applies. Under the new regulation a contact taken from a business card, for example, can no longer simply be added to a database without the holder's unambiguous consent or another lawful basis. In practical terms, pre-ticked boxes, silence, inactivity and consent buried in terms and conditions are no longer acceptable, since none of them demonstrates the freely given, specific, informed and unambiguous consent the regulation requires.
Appointment of a DPO
According to the GDPR, the Data Protection Officer (DPO) can be a member of staff or an external contractor, provided certain conditions are met. The DPO needs expertise in data protection law and practice. The DPO is not required to be a lawyer, but must have thorough knowledge of data protection and experience in the field. The DPO must be able to advise the company's management and employees on their obligations under the Regulation and under other data protection provisions in force in the EU and in the Member States. It is important that this professional can teach, communicate their ideas and make themselves understood by every employee of the company. The DPO needs a detailed understanding of the company, in particular the procedures of each department, and is also required to monitor the compliance of the company's processes with the GDPR, including through audits. The regulation allows the DPO to take on other tasks as long as they do not create a conflict of interest, but it is advisable for this professional to devote most (or even all) of their time to data protection and compliance.
Changes to Company Security Policy
The data privacy policy must be updated to reflect the new requirements of the legislation. Personal data should be classified by sensitivity, and each processing operation should be documented with the category of data involved and its purpose. The company's legal department should be involved in this process, and the resulting policy should cover all current processing of personal data, including the purpose of each operation.