What is GDPR?

EU Regulation 2016/679 on the protection of personal data. It has replaced the previous law no. 122/2013 Coll. on the protection of personal data. The Regulation has come into force on 25 May 2018. It concerns all entities that process their customers' personal data, use this information to monitor and evaluate their behaviour, use the data obtained for marketing purposes or operate an e-shop.

 

What is the difference between the Act No. 122/2013 Coll. on the protection of personal data and GDPR?

• The range of personal data is extended to include data of technical character (e.g. IP address, cookies, e-mail addresses, location data);
• The rules for granting and demonstrating consent to the processing of personal data are more strict;
• The rules on the processing of personal data of persons under 16 are more strict;
• There is an obligation to take appropriate technical and organizational measures (pseudo-authentication, encryption, timely recovery of data availability, policies and guidelines, etc.);
• The obligation to appoint a responsible person (DPO) is introduced;
• There is an obligation to keep records of the processing of personal data;
• An obligation to report security incidents to the Data Protection Office of the Slovak Republic is also introduced to data subjects;
• There is an obligation to analyse the effects of processing operations on the protection of personal data for defined entities;
• The right of erasure and the right to transfer personal data shall be established.

How can LYNX help you?

The first step of the personal data processing controller entity is a thorough analysis of the documents used (forms, contracts, business terms, conditions of personal data protection, etc.) and the setting of internal procedures (e.g. camera system configuration, attendance system administration, client records).

 

1. Analysis and assessment of the existing situation

The scope and understanding of some of the GDPR provisions is quite challenging and comprehensive; the most effective way of assessing risks and identifying the necessary changes is to have an independent risk analysis and impact assessment carried out on the protection of personal data. We recommend performing the scope of risk analysis in the following steps:

• Identification and classification of assets (or complex classification of information with general identification of information assets in the customer's information systems),
• Identification of threats and vulnerabilities,
• Risk assessment,
• Identification and evaluation of security measures implemented so far,
• Comparison of the current safety status with the requirements of ISO / IEC 27002: 2013,
• Design of possible security measures to minimize identified risks,
• Evaluation of the measures used and suggestion of measures for identified vulnerabilities are recommended in accordance with ISO / IEC 27002: 2013.

2. Methodological assistance in solving problems regarding personal data protection

The next step after the analysis is to propose procedural measures to eliminate impacts and prevent risks:

• Participation in mapping of personal data flow
• Revision and legal assessment of documents or contracts,
• Development of new contracts, policies and directives promoting the protection of personal data,
• Identification of information systems and preparation of records on processing activities,
• Ensuring support in the execution of supervision over the protection of personal data and supporting the activity of the responsible person (DPO) or its outsourcing,
• Assistance and support in communication with the Office for Personal Data Protection of the Slovak Republic and legal representation in the Office's controls,
• Legal assessment of issues arising from individual specifics of processing of personal data in a particular company (legal issues requiring interpretation of GDPR, law or decrees),
• Design and elaboration of recovery and continuity plans (DRP, BCM).

3. Support for the implementation of privacy measures

We will carry out consistent and high-quality implementation of technological tools for data protection, support and / or operation of these devices (systems for data leak prevention, encryption, equipment protection, etc.). Services include:

• Proposal of technical measures solution, preparation of their implementation plan and implementation of technologies resulting from the plan,
• Data Loss Prevention systems to prevent personal data leaks,
• EndPoint Security data encryption tools and personal anonymization / pseudonymization tools,
• Data management and access control tools
• Strong authentication tools
• Comprehensive archiving, backup,
• Solutions to ensure high availability of systems and its monitoring,
• Comprehensive solutions for infrastructure security and protection against external and internal threats (IDS / IPS, FW, WAF, DLP, etc.)
• Security incident management solutions,
• Security audits, penetration testing and vulnerability testing.

We also provide other services in the area of GDPR according to customer requirements. In case of interest, please contact us.