What is General Data Protection Regulation (GDPR)?
Regulation (EU) 2016/679, the European Union’s (‘EU’) new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.
GDPR was adopted to replace Directive 95/46/EC with a legally binding regulation that constitutes the EU data protection law, and it is effective from May 25, 2018. It must be applied in its entirety across the EU, in contrast to the previous legislation, which was a directive. GDPR also has extraterritorial applicability: it applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.
GDPR provides data subjects with a wide range of rights that can be enforced against enterprises that process personal data. These rights will limit the ability of enterprises to lawfully process the personal data of data subjects in many of the ways that were regularly employed in the past. These new rights can significantly impact an enterprise’s business model. The shift to a protection model that is focused on individual privacy represents a major transformation in the requirements for protecting the personal data of individuals throughout Europe.
Failure to comply with the new data protection rules can result in sanctions from EU Data Protection Authorities ranging from a warning or a reprimand to a temporary or definitive ban on processing, and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.
Given the significant financial penalties for noncompliance and the evidently more proactive compliance efforts planned by the EU data protection supervisor, the GDPR compels action not only from all enterprises doing business across Europe, but also from all enterprises with offices in Europe, workers in Europe (even if they are not located there permanently), and clients, customers, patients or any other type of consumer in Europe.
Miadria’s approach to clients’ GDPR compliance
The road to GDPR compliance is threefold, covering the legal, process and technical (ICT) perspectives.
For example, one of the main duties GDPR imposes on organisations acting as data controllers is to use only data processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the GDPR, to have these commitments specified in a contract, and to have the measures reviewed and audited by third parties against international standards such as ISO, SSAE 16/ISAE 3402 and others.
Miadria are experts in implementing modern ICT solutions based on cloud technologies (with competencies and years of experience working with Google, Microsoft, Amazon etc.), improving or remodelling business processes, and managing change in organisations’ digital tools and processes, and we have joined forces with legal experts specialised in data privacy.
Therefore Miadria is uniquely positioned to cover all three aspects of the GDPR challenge – our team consists of:
- Lawyers specialized in privacy
- Business process consultants
- Technology and security consultants experienced and certified in working with leading cloud technologies, which greatly ease compliance with GDPR requirements and reduce implementation costs compared with attempting the same on old on-premise or hosted systems
- Change management consultants to successfully implement and manage change of processes and tools in the organization
- Outsourced Data Protection Officer (DPO as a Service) – DPO appointment is mandatory for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences.
Scope of services related to GDPR compliance
1. Assessment services – Data Protection Impact Assessment (DPIA)
Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA), a process for building and demonstrating compliance.
A DPIA is an important tool for accountability, as it helps controllers not only to comply with the requirements of the GDPR (a DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals!), but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation. The DPIA should be conducted before the processing.
To conduct a DPIA for GDPR, Miadria uses the framework of ISACA (Information Systems Audit and Control Association) built on ISACA’s 14 Privacy Principles: a uniform set of practical principles drawing on existing principles from around the world, with new principles added for GDPR, which give guidance on planning, implementing and maintaining a comprehensive privacy management program.
Working closely with the client’s team to understand their specific requirements and to ensure that our delivery supports their objectives, Miadria will address all of the requirements that need to be assessed in a GDPR DPIA to determine the risk levels and the progress towards compliance.
Upon completion and analysis, Miadria presents the full DPIA report at a review meeting, with analysis and recommendations for your organisation from the legal, process and technical perspectives.
2. Implementing compliance program based on DPIA results
Legal perspective: Modify or create internal policies and procedures for gathering, processing and storing personal data. Establish compliant consent for data processing. Create policies for 3rd-party processing of personal data. Align 3rd-party personal data processing agreements. Provide consulting and documents on the transfer of personal data to third countries.
Process perspective: Change non-compliant and/or inefficient processes that touch personal data. Provide change management for employees. Educate, train and test the employees who have access to personal data. Give short general lectures for all employees and contractual partners.
Technical perspective: Map and configure the right cloud technology solutions to the policies and processes for handling personal data, including identifying, locating, cataloguing, pseudonymising, encrypting, deleting, rectifying and transferring personal data, as well as handling access to and objections to its processing. Transfer responsibility and risk to the cloud provider as a GDPR-compliant data processor. Use security tools for data breach prevention and reporting. In general, build a secure environment.
3. Providing Data Protection Officer as a Service
Outsourcing of the DPO function (expert knowledge of data protection law and practices, with no conflict of interest).
Informing and advising on obligations under GDPR. Cooperating with the supervisory authority.
Acting as the contact point for the supervisory authority on issues relating to personal data processing.
4. Compliance audit services
Internal policies and processes compliance checks.
Simulation of inspection (by the supervisory authority).
Remediation based on the findings.
5. Representation in front of authorities
Communication with legal authorities.
Defence of the rights and interests of the client in relation to personal data in official proceedings (including representation by an attorney-at-law in formal proceedings upon request).