
Protection of personal data has become a security imperative, governed by the Law on Personal Data Protection (“Official Gazette of RS”, No. 87/2018) and by the new legal framework of the European Union, the General Data Protection Regulation (GDPR), which has applied since May 25, 2018 and is binding on the member states of the European Union, but also on companies outside the EU that do business with member states.

What accelerated the adoption of such a regulation is the fact that over 80% of security incidents involving data loss occur due to negligence, ignorance, and a lack of security culture among employees. Such damage can be prevented by adequate and continuous education, as well as by other procedural and preventive measures, a step that most companies and organizations often overlook or skip.

What do the Personal Data Protection Act and the GDPR regulation bring?

The Law on Personal Data Protection and the Regulation of the European Union on Personal Data Protection (GDPR) represent a new balance that has gained regulatory meaning, and it is necessary to point out that this regulation creates a need to revise the business models and strategies of European and non-European companies offering their services and goods in the EU. The regulatory changes brought by the GDPR relate to changes in traditional security approaches and legal institutes, but also to the introduction of new business rules and improved security strategies.

One of the most controversial facts related to the GDPR is that every entity that operates or has a registered residence in the territory of the European Union is subject to this legislation. In practice, this means that anyone in contact with user information (from an email address to credit card information) must comply with the provisions of the GDPR. What is new in this regulation is that the user regains the right to his own information, through the possibility of requesting the deletion of his data from all digital services of the company or institution to which the data were entrusted for safekeeping.

Pursuant to the legal regulations, a legal entity is obliged to obtain the written consent of a natural person for processing and handling his personal data, which includes personal name, unique personal identification number of citizens, passport or ID card number, email address, bank account, address and other characteristics of psychological, religious, economic, cultural or social identity.

In case of compromise or complete loss of clients' personal data, where the direct responsibility of the company is established, the sanctions for omissions are extremely high and range up to 4% of annual turnover. The company's continued operation may therefore be in question, because the budget of a small or medium enterprise can rarely survive such an incident.

The Personal Data Protection Act and the GDPR regulation primarily refer to:

  • Storage and warehousing of user data and personal information.
  • Use of personal devices (mobile phones, external memories, USB sticks, social network profiles, etc.) on the business network.
  • Business correspondence (e-mail communication to verified and unverified contacts).
  • Introduction of security procedures and protocols that will regulate the way of handling and processing user data within the company.
  • Constant education of employees on the topic of cyber risk, cyber security, data storage and current regulations.
  • Improvement and internal promotion of security culture as the best preventive measures.

Our services include:

  • Audits and assessments of regulatory and legal compliance.
  • Advisory and consulting services for the implementation of the ZZPL / GDPR regulation.
  • Gap analysis and mapping of personal data.
  • DPIA (Data Protection Impact Assessment).
  • Data Protection Officer (DPO).
  • Implementation of organizational and technical measures and procedures for data protection.
  • Security Incident and Violation Management.
  • Rapid response, damage reporting and remediation services.
  • Training, education, and testing of employees in the field of ZZPL / GDPR.
  • Providing software for monitoring compliance with the GDPR regulation.
  • Industrial-business codes and best practices.
  • Assessment of the impact of processing on the protection of personal data.

A Data Protection Impact Assessment (DPIA) is primarily a process of assistance and support in identifying the personal data processed by the controller, where the controller is unsure to what extent that data exposes him to risk and what consequences it may produce for the persons whose data is processed, but also for his own business, which must be harmonized with legal regulations. Once it has been determined which personal data the controller is processing or plans to process, it is desirable, and in certain situations mandatory, to assess the impact of the data processing on the protection of personal data.

An assessment of the impact on the protection of personal data must be performed in the case of:

  • systematic and comprehensive assessment of the status and characteristics of natural persons, performed by means of automated processing of personal data, including profiling, on the basis of which decisions are made that are important for the legal position of an individual or in an analogous way significantly affect him.
  • processing of special types of personal data or personal data related to criminal convictions and criminal offenses on a large scale.
  • large-scale systematic monitoring of publicly accessible areas.
  • processing of personal data of children and minors for the purpose of profiling, automated decision-making or for marketing purposes.
  • the use of modern technologies or technological solutions for the processing of personal data or with the possibility of processing personal data used to analyze or predict the economic situation, health, preferences or interests, reliability or behavior, location, or movement of individuals.
  • processing of personal data in a manner that includes monitoring the location or behavior of the individual in the case of systematic processing of communication data generated using telephone, internet, or other means of communication.
  • processing of biometric data for the purpose of unique identification of employees by the employer and in other cases processing of personal data of employees by the employer using applications or systems for monitoring their work, movement, communication, and the like.
  • processing personal data by cross-referencing, linking or matching data from multiple sources.
  • processing special types of personal data for the purpose of profiling or automated decision making.

This certainly does not mean that controllers who do not recognize themselves in any of the above cases need not make an assessment; on the contrary. Best practice indicates that the impact assessment of processing operations should be performed continuously for every record or project that involves data processing, because this provides a review at each change in the method of data processing, which significantly minimizes risk and prevents inconsistencies.

Assessing the impact of processing operations on the protection of personal data is a multidimensional view of the data processing process, the reasons for processing, the risks that may arise for the persons whose data is processed, and the measures taken or to be taken to reduce those risks. One of the goals of conducting an assessment is to allow the controller to balance his interest in processing the data against the privacy interests of the person whose data is processed. When mapping data, the controller can easily determine that there is a legitimate interest in a particular processing, but only by considering the risks that such processing entails can he see whether the controller's interest is balanced against the interest of the data subject. The higher the risk for the person, the more “serious” the legitimate interest of the controller needs to be. Otherwise, the controller cannot invoke legitimate interest as the legal basis for data processing.

It is especially important to emphasize that there is no data processing that carries no risk at all, which is often the first excuse of companies embarking on a harmonization project. Whatever risk assessment methodology is used, the risk can never be quantified as zero, i.e. it cannot be determined that the risk does not exist. After determining the risk, adequate technical and organizational measures must be defined to reduce that risk to a minimum. Which specific measures will apply depends on a number of factors, including financial ones, but what matters in determining them is that they are suitable for reducing the risk of processing to an acceptable level.

The need for regular verification and review of data processing impact assessments also arises from the rapid progress and development of technology, because of which certain technical data protection measures may quickly become obsolete and ineffective against innovative technologies. Controllers should also pay attention to the technical and organizational measures applied by the processors they have engaged to process the data. Both our local law and the GDPR stipulate the obligation of processors to assist controllers in assessing the impact of data processing.

Only with a data map and an assessment of the impact of data processing can data processing be properly regulated, rules of conduct for persons who handle personal data be determined, and adequate information for data subjects be prepared.

What is important to emphasize is that the assessment of the impact on personal data protection must be conducted before any processing that may cause an elevated risk to the rights and freedoms of individuals, that is, before processing begins, which is unfortunately not common in organizations with a low security culture.

Our expert team will support you not only in the development, but also in the adoption of business codes and practices for personal data management, as well as in the periodic testing of the system’s resilience to potential threats and dangers.

Prepare your organization for the changes brought about by the Personal Data Protection Act and the GDPR regulation, thus avoiding negative consequences for your own security, company image and business success.

For consultations and cooperation, feel free to contact us.
