Data ProtectionGDPR

Changes in data protection and the importance of risk analysis

🕑 4 minutes read

Risk analysis and data protection

General Data Protection Regulation, GDPR, data protection laws or whatever we call you one way or another, lately everyone has heard that in May the Data Protection Act… Changes!

And yes, it does change. And also in a deep way. Without going into technical or legal details, the most important thing now is:

  • Citizens are going to be much more protected. There are new rights that protect us, including the famous “right to be forgotten” that is so fashionable on social media.
  • It increases the transparency of companies, as they will be obliged to report security incidents (not all, but important ones).
  • It increases surveillance over companies, as proactive compliance with legislation will be required.
  • Technical and legal obligations are growing. On the one hand, a risk analysis will be required, and on the other hand companieswill be required to obtain the express consentof the interested parties when processing their personal data.
  • The company is given the freedom to propose, based on the outcome of the previous risk analysis, what additional security measures it already has to implement. In this sense it should be noted that the Basic, Medium and High levels disappear, and it is the company itself that will base everything on its risk analysis. See ISO 27001 and ISO 31000.

They are simple projects, where the most important thing is to map the different personal data that are managed in the organization ̧ to locate them within each department and know which information systems (hardware, software, etc.) support all of the above. With all this, we will be able to analyze whether a data processing has a significant risk or not. Only for those who pose a high risk, you will have to do what is known as Privacy Impact Assessment, or as almost everyone calls it, a PIA (Privacy Impact Assessment).

We insist, they are simple and limited projects in time and effort, but require prior experience in risk analysis. That might be the only difficulty.

Applicability: applies to all organizations, public and private, as well as self-employed organizations. This is nothing more than the consequence or reflection that we all currently process personal data.

And the latest big news: no audits to be done! Well… The truth is, this isn’t entirely true. It is true that they are no longer required, but the regulation speaks of a periodic verification of the model. That is, without having the need to do a formal audit every two years as currently required by the Law, it does make it clear that the data protection system needs to be reviewed. In addition, with the significant increase in fines, few organizations will risk not having as up-to-date as possible, either through formal audits or documented reviews.

Also, to comply with all of the above, be proactive and show adequate traceability in compliance with Data Protection Regulations, It seems essential to us to have software tools that help us comply with the regulations and that also serve as proof of diligence and proactivity in said compliance.

GlobalSuite® Data Protection

GlobalSuite – Data Protection (GDPR) will undoubtedly be an essential software in this compliance, for experience, for robustness and for the constant adaptation it makes to this and other regulations also mandatory.

In what can you help us in a summarized way:

  • Implementation of PIA and risk analysis
    • Templates of a predefined Methodology.
    • Catalogues of Risks and Predefined Measures.
    • Possible parameterization of the Risk Calculation.
  • Risk identification
    • Identification of risks by treatments.
    • Configurable Data Processing Risk Catalog.
    • Risk Proposal from the catalog.
    • Publication of Risk Surveys.
  • GDPR management
    • Management of Employees, suppliers.
    • Control over assignments and orders for data processing.
    • Incident Management.
    • Media Management.
    • Provision of Service.
  • GDPR Compliance and Audit
    • Gap analysis.
    • Generation of a Compliance Plan.
    • Audit Management.
    • History of reports and current situation.
    • Traceability of all associated information in the system.
  • Risk analysis
    • Selection of data processing to be analyzed.
    • Analysis of the risks of data processing.
  • Historical Analysis and Risk Management
    • Visualization of all the points of a historical analysis.
    • Comparison between the different historical ones.
  • Data processing
    • Definition, classification and assessment of data processing.
    • Orientation to the organizational structure.
    • Configuration of categories and dimensions of the elements.
  • Risk assessment
    • Risk Map (or Heat Map).
    • Different graphical representations to show results.
    • Identification of Impactful or Dependent Risks.
    • Management of action plans derived from risk analysis.
  • Rights management
    • Management of Rights Files.
    • Answering Models.