In recent years, the European Union has begun the largest process of modernising the regulatory framework in the areas of Privacy and Data Protection.
With the General Data Protection Regulation (GDPR), in force since 2016 and directly applicable since May 2018, the protection of natural persons with regard to the processing of personal data and the free movement of such data has been regulated.
A new e-Privacy Regulation is also under discussion, updating existing legislation to address the new challenges arising from constant digital developments and the exponential growth of new technologies in trade – the Digital Single Market.
The new regulation is of some complexity, representing a challenge for all companies and organisations, public and private, which will have to implement control tools and specific procedures for the management and protection of customer and employee data.
But bringing an organisation into conformity with the GDPR can be much more than applying the new Privacy and Data Protection rules.
With the right mindset and a tailor-made process, it is possible to move towards a consolidated view of risk management and a higher quality of internal processes; this is the vision we advocate for all organisations.
To support you in this goal, we have gathered a set of experts and partners with experience and know-how in the area of Privacy and Data Protection, to make this complex process simpler by supporting your organisation along the whole procedural line with a turnkey package, summarised here in four design phases.
Diagnosis & Gap Analysis
The audit for impact and gap analysis should rest on two essential lines of work. The first is a phase of survey, analysis and evaluation; it should be followed by a second phase of implementation and reinforcement of that implementation.
In the first phase of analysis, it is essential to know the organisation, its information flows and its existing tools, in order to identify the information repositories covered and the security controls applied to them.
After collection and analysis, any gaps in compliance with privacy requirements are identified in four distinct steps:
- Organizational context – at this stage the external and internal context of the organization is analyzed in relation to the protection of personal data.
- Mapping information – at this stage all of the organisation’s business processes are mapped, together with their computer applications and business-support data repositories, in order to identify where personal data is collected, processed and safeguarded.
- Privacy Impact Assessment – at this stage, business processes and their support systems are analyzed to validate compliance with privacy principles.
- Gap Analysis and Warnings – at this stage the organisation’s exposure areas with the greatest risk of non-compliance are identified, and risk mitigation actions are proposed.
The Gap Analysis report should include a detailed timeline for the implementation phase, depending on the identified findings and gaps, namely:
- Measures and recommendations, timed and planned, for the elimination and mitigation of risk, classified by criticality and urgency and aligned with the organisation’s information security policy, as well as with its business models, organisational culture and budgetary availability.
- Recommendation of governance policies for the organisation, in particular codes of conduct, training plans, a monitoring structure and support for the Data Protection Officer, including the function profile, definition of support tools and training.
- Suggested implementation of the necessary contractual and documentary processes, depending on the recommended risk elimination and mitigation measures and on the legal and regulatory requirements identified in the audit process.
Support and monitoring in the implementation of actions aimed at compliance with the GDPR includes:
- Definition and writing of internal privacy policies.
- Formalisation of governance matters (policy and procedure manuals, codes of conduct, statutes, etc.).
- Definition of consent mechanisms.
- Review of contracts with subcontractors.
- Monitoring systems and controls.
- Definition of responsibilities and DPO functions.
Monitoring and auditing compliance with the GDPR is essential to ensure a continuous mechanism for managing and improving processes:
- Exercise of the external DPO function.
- Regular audits on compliance with the provisions of the GDPR (compliance audit).
- Assess impact of new types of data processing.
- Regular testing to identify intrusion and data-access vulnerabilities, which allows the effectiveness of prevention mechanisms to be measured.
Get to know our value proposition in the Area of Risk and Compliance