The following five key points will help you address the changes in the best possible way and avoid being caught unprepared (or rather, avoid penalties of millions of euros!)
1. Awareness
It is useful to carry out a business “screening” to identify possible vulnerabilities and weaknesses in systems, both internal and external. The aim of this survey is to gain full awareness of the risks to which the company is exposed, in order to facilitate the data protection process and comply with the regulation.
2. Data mapping
“You cannot protect what you don’t know about”. Knowledge of data is the basis of GDPR, and the protection of sensitive data is the main goal of the legislation. You therefore need to identify and classify sensitive data in order to create a good mapping. (Sensitive data means all information that can make a person identifiable.)
3. Monitoring
Any individual has the right to ask enterprises to trace, correct, remove or transfer their personal data. Monitoring is essential in this respect, because the strictest penalties concern violations of individuals’ rights, such as failing to reply to, or delaying, a request for information from a citizen, who can even claim financial compensation. Companies therefore need appropriate tools to demonstrate the timeliness with which requests are processed.
4. Security
The level of protection required by GDPR is higher than under the current Italian law. Companies must adopt specific measures to guarantee data security, focusing in particular on the risks posed by data processing with regard to the alteration, loss, destruction or unauthorised disclosure of personal data. Protection measures include:
– pseudonymisation and encryption of sensitive data
– the ability to rapidly restore access to data in the event of an incident
– procedures to verify the effectiveness of technical security measures
In addition, the principle of “Data Protection by Design” has been introduced, which requires verifying, already at the design stage, on one side that the information tools can ensure the correct level of protection and, on the other, that such systems are entirely free of vulnerabilities.
5. Notification
Personal data breaches must be reported promptly to the supervisory authority, no later than 72 hours after the incident, describing the breach, the type of data involved, the likely consequences, and the measures adopted to remedy it and mitigate its negative effects.
So, are you ready to comply with GDPR?