Changes in data protection and the importance of risk analysis
Alejandro Delgado, Business Director and Partner at GlobalSUITE Solutions
General Data Protection Regulation, GDPR, data protection laws or whatever we call you one way or another, lately everyone has heard that in May the Data Protection Act… Changes!
And yes, it does change. And also in a deep way. Without going into technical or legal details, the most important thing now is:
- Citizens are going to be much more protected. There are new rights that protect us, including the famous “right to be forgotten” that is so fashionable on social media.
- It increases the transparency of companies, as they will be obliged to report security incidents (not all, but important ones).
- It increases surveillance over companies, as proactive compliance with legislation will be required.
- Technical and legal obligations are growing. On the one hand, a risk analysis will be required, and on the other hand companieswill be required to obtain the express consentof the interested parties when processing their personal data.
- The company is given the freedom to propose, based on the outcome of the previous risk analysis, what additional security measures it already has to implement. In this sense it should be noted that the Basic, Medium and High levels disappear, and it is the company itself that will base everything on its risk analysis. See ISO 27001 and ISO 31000.
They are simple projects, where the most important thing is to map the different personal data that are managed in the organization ̧ to locate them within each department and know which information systems (hardware, software, etc.) support all of the above. With all this, we will be able to analyze whether a data processing has a significant risk or not. Only for those who pose a high risk, you will have to do what is known as Privacy Impact Assessment, or as almost everyone calls it, a PIA (Privacy Impact Assessment).
We insist, they are simple and limited projects in time and effort, but require prior experience in risk analysis. That might be the only difficulty.
Applicability: applies to all organizations, public and private, as well as self-employed organizations. This is nothing more than the consequence or reflection that we all currently process personal data.
And the latest big news: no audits to be done! Well… The truth is, this isn’t entirely true. It is true that they are no longer required, but the regulation speaks of a periodic verification of the model. That is, without having the need to do a formal audit every two years as currently required by the Law, it does make it clear that the data protection system needs to be reviewed. In addition, with the significant increase in fines, few organizations will risk not having as up-to-date as possible, either through formal audits or documented reviews.
Also, to comply with all of the above, to be proactive and to show proper traceability in compliance with the Data Protection Regulations, we find it essential to have software tools that help us to comply with the regulations and that also serve as a test element of diligence and proactivity in such compliance.
GlobalSUITE® Data Protection
GlobalSUITE – Data Protection (GDPR) will undoubtedly be an essential software in such compliance, by experience, by robustness and by the constant adaptation that makes this and other regulations also mandatory.
In that you can help us in summary GlobalSUITE – Data Protection (GDPR)
- Implementation of PIA and risk analysis
- Templates of a Predefined Methodology
- Risk Catalogues and Predefined Measures
- Possible risk calculation setting
- Risk identification
- Identification of Treatment Risks
- Configurable Data Processing Risk Catalogue
- Risk Proposal from the catalogue
- Publication of Risk Surveys
- GDPR management
- Management of Employees, Suppliers,
- Control over assignments and data processing orders
- Incident Management
- Support Management
- Service Benefits
- GDPR Compliance and Audit
- GAP Analysis,
- Generation of a Compliance Plan.
- Audit Management.
- Historical reports and current situation,
- Traceability of all associated information in the system
- Risk analysis
- Selection of data processing to be analyzed
- Analysis of the risks of data processing
- Historical Analysis and Risk Management
- Viewing all the points of a historical analysis
- Comparison between different historical
- Data processing
- Definition, classification and valuation of data processing
- Orientation to the organizational structure,
- Setting up categories and dimensions of items
- Risk assessment
- Risk Map (or Heat Map)
- Different graphical representations to show results
- Identification of Impacted or Dependent Risks
- Management of action plans derived from risk analysis
- Rights management
- Rights Records Management
- Answering Models
- Managing personal data in schools
- Changes in data protection and the importance of risk analysis
- The figure of the Data Controller and Data Processor in the GDPR
- Protecting personal data in the coronavirus crisis
- What is it and how to develop a Record of Processing Activities, risk analysis and impact assessment?