Protection of the data and information managed and processed by a business system is gradually becoming a security imperative. In the Republic of Serbia it is supported by the Law on Personal Data Protection and by new legislation adopted by the European Union, the GDPR (General Data Protection Regulation). The GDPR comes into force on May 25, 2018 and is mandatory not only for Member States of the European Union, but also for companies outside the EU that do business with Member States.
What accelerated the issuing of such a regulation was the fact that more than 80% of security incidents in which data are lost occur because of negligence, ignorance and a lack of security culture among employees. Such damage can be prevented by adequate and continuous education, as well as by other procedural and preventive measures, which is precisely the step most companies and organizations skip.
The European Union regulation on personal data protection establishes a new balance that must be given legislative meaning, so it should be pointed out that the new legislation creates a need to revise the business models and strategies of many European and non-European companies that offer their goods and services in the EU. The legislative changes the GDPR brings to personal data protection concern changes to traditional security approaches and legal institutes, but also new business rules and improved security strategies.
One of the more controversial aspects of the GDPR is that every entity doing business in, or having a registered address on, the territory of the European Union is subject to this legislation. In practice, this means that anyone who handles user information (from an e-mail address to credit card data) is obliged to comply with the GDPR provisions. What is new in this regulation is that users regain the right to their own information, including the ability to request that their data be erased from all digital services of a company or institution to which they have given it.
In compliance with the applicable legislation, a legal entity is required to obtain written consent from a natural person in order to process and handle his/her personal data, which include: name, personal identification number, passport or identity card number, e-mail address, bank account, address, or any other characteristic of physical, spiritual, economic, cultural or social identity.
If a client's personal data are compromised and the company's direct responsibility is established, the sanctions for such errors are extremely high, up to 4% of annual turnover. Business operations may be jeopardized as a result, because the budget of a small or medium-sized company can rarely survive such an incident.
The GDPR regulation primarily refers to:
- Keeping and storage of user data and personal information;
- Use of personal devices (mobile phones, external memories, USB sticks, social network profiles, and the like) on the business network;
- Business correspondence (e-mail communication with verified and unverified contacts);
- Introduction of security procedures and protocols which will regulate the manner of handling and processing user data within a company;
- Permanent education of employees on various topics such as cyber risks, cyber security, data keeping and applicable legislation;
- Improvement and internal promotion of security culture as the best prevention measure.
Our services include:
- Revisions and assessments of compliance and legal harmonization;
- Advisory and consulting services for implementation of GDPR;
- Services of quick response, damage report and remedy of consequences;
- Data Protection Officer (DPO);
- Provision of software which monitors compliance with GDPR;
- Implementation of privacy impact assessment (PIA);
- Implementation of data protection measures and procedures;
- Special Access Request (SAR);
- Management of incident and security policy violations;
- In-house and external training;
- Industrial and business codes and best practices.
Our professional team will support you not only in developing, but also in adopting business codes and practices for personal data management, and in periodically testing the resilience of your system to potential threats.