GDPR, Information security
On 25 May 2018, European data protection legislation came into effect, setting a new global benchmark for personal data, security and compliance. This was followed by the harmonisation of Hungarian laws, including the Act CXII of 2011.
The General Data Protection Regulation - GDPR - is all about protecting and enabling the protection of individuals' data. The Regulation does not set out specific measures, only expectations (with the prospect of sanctions), so it is necessary to examine data management individually and determine the necessary responses from the organisation.
According to the Hungarian Data Protection Authority (NAIH), companies should review their data protection systems every time there is a change in the way they handle personal data, but at least every 3 years.
The most common approach to information security is to develop a secure operation of IT solutions, which includes information security strategy, policies, data asset inventories, business continuity plans (BCPs), and disaster recovery frameworks and plans.
Who is affected by GDPR?
Contrary to popular belief, the GDPR regulation is not only aimed at large and multinational companies.
The Data Protection Regulation affects all businesses that process personal data of employees or customers. Personal data is defined as any data that can be used to identify someone. This means that almost all organisations are affected, and the penalties can be as high as 2-4% of annual turnover.
How can we help you with GDPR compliance?
Assessment, implementation and training
- Data protection mapping, data table, legal basis determination
- Tracing the flow and storage of personal data, data protection impact assessment
- Action plan to improve inadequate practices
- Developing a data protection policy
- Design of the relevant data subject information forms
- Data protection incident management, drafting a complaints procedure
- Additions to subcontracts, partner contracts
- Modification of related procedures, training and workshops on demand
- Alignment with other organisational regulations
Data protection audits and system monitoring, DPO services
- Regular internal audits to review the operation of the system
- Regular information on NAIH resolutions and proposed actions concerning the system
- Regular consultations on data protection
- Data protection training for new entrants and staff
- In the event of a complaint or incident, we help you identify the actions to be taken on the organisation's side
- Making recommendations for continuous improvement, improvement measures, legal support if needed
When is it necessary to employ a Data Protection Officer?
The GDPR requires the appointment and use of a Data Protection Officer (DPO) in certain cases. Our company undertakes to provide a DPO, and can also operate, maintain and supervise GDPR systems and data protection processes.
A DPO is mandatory in the following cases:
- processing is carried out by public authorities or other bodies with public-service mission, except courts acting in their judicial role;
- the main activities of the controller or processor involve processing operations which, by their nature, scope and purposes, require regular and systematic large-scale monitoring of data subjects;
- the main activities of the controller or processor involve the processing of large amounts of data relating to special categories of personal data within the meaning of Article 9 and to decisions on criminal liability and criminal offences referred to in Article 10.
Tasks of the Data Protection Officer:
- provides information and technical advice to the controller or processor and their employees on their obligations under data protection law;
- monitors compliance with all data protection legislation, including audits, awareness-raising activities and training of staff involved in data processing operations;
- advises on the data protection impact assessment and monitors the conduct of the impact assessment;
- acts as a contact point for data subjects who contact it in relation to the processing of their personal data and the exercise of their rights;
- cooperates with data protection authorities and acts as a contact point for the authorities on matters relating to data processing.
Information security and audit
In the field of information security, we work broadly along the following steps, which of course depend on the systems and processes operating at the Client:
- IT security situation assessment
We review existing IT security policies as well as unregulated, practice-based IT security processes. The situation assessment is based on interviews and a review of the available documentation.
- Defining and developing IT security policy and strategy
We define the organisation's information security objectives in the light of current legislation, the place and role of the information security area in the organisation, and the strategic methods for achieving these objectives.
- Preparation of an information security policy
We document the policies that comply with the requirements of Act L of 2013 and related regulations and other relevant legislation.
- Preparation of an IT Business Continuity Plan (BCP)
We define the organisation's business continuity processes.
- IT Disaster Recovery Framework and Plan (DRP)
We define the IT tasks the organisation must perform in the event of a disaster, assess the disaster recovery plans already developed for the services the organisation provides, and attach them to the framework DRP.