The path to compliance with GDPR
Agic Technology solution

The path to compliance through GDPR
What to do?

First of all it is necessary to understand if  to understand if your company has gaps in relation to the GDPR and then identify the actions to be taken to implement the regulatory provisions.

The analysis must be carried out considering both the organizational and regulatory aspects as well as the security measures.

Starting a structured and contextual path, aimed at promoting the transition to GDPR and maintaining the features required by the law over time.

• Identify&Assess
  Carry out a personalized analysis of the reference context, aimed at identifying gaps in the GDPR and drawing up an action plan
• Protection
  Implement the action plan identified in the "Identify & Assess" phase in order to implement organizational and technical measures to implement the provisions of the GDPR
  
• Maintain
  The implemented measures are subjected to periodic checks to prevent any critical situations or incorrect behavior in data processing. The training in privacy and security supports over time the effectiveness of the interventions adopted

Insight & Agic Technology
12 tips on GDPR

1. Identify personal data you deal with
Be aware of which personal data you are dealing with. Identify their source, the reasons why you are dealing with them and if it is actually essential to keep them.

2. Keep only personal data useful for processing purposes
Check whether the retention period of personal data you are processing matches the purposes for which it was collected or with other applicable legal obligations. Identify personal data whose storage is no longer necessary and adopt measures that protect you from carrying out “not due” treatments.

3. Adopt an “organizational model” to manage the obligations envisaged by the GDPR
Define an organization structure of your company that identifies roles and responsibilities, both internal and external, to manage the regulatory obligations of the GDPR.

4. Update the policies and procedures for the protection of personal data
Map roles, responsibilities and operating procedures for managing data security within organizational policies and procedures. Ensure that these documents are accessible to recipients and that they have been adequately trained on the contents of the aforementioned documents.

5. “Privacy by design” as a fundamental principle
The protection of personal data is a crucial aspect that each and every company must face from the design phase of a service and therefore has an inevitable impact on both its own processes and on the information systems.
Adopt appropriate organizational and technical measures to ensure that, by default, only the personal data necessary for each specific processing purpose are actually processed.

6. Prepare to handle “data breach” cases
The GDPR introduces the obligation to notify the supervisor authority about personal data breaches you become aware of within 72 hours, if considered that from this violation any risks might income. There is also the obligation to notify the parties involved if the violation might cause a high risk for their rights and fundamental freedoms.
Develop technical and organizational measures suitable for detecting and reporting any violations of personal data.

7. Prepare to manage the rights of the parties involved

There are many rights recognized by the GDPR. In particular:

1. the right of access entailing the right to receive a copy of the processed data;
2. the right to be forgotten, that is the right to delete data, which provides that the parties involved can request the cancellation of their data even after the withdrawal of their consent;
3. the right to limit the processing that applies even if the parties involved requests data correction or opposes their processing;
4. the right to the data portability that applies in presence of the consent of the parties involved or for the fulfillment of contractual obligations and limited to the data provided by the parties involved.

Develop technical and organizational measures for managing the rights of parties involved.

You are responsible for demonstrating the reason for the storage, processing and integrity of personal data.

8. Greater responsibility: are you ready?
Principle aimed at empowering the data controllers, to make them adopt approaches and policies that take into account the risk that a personal data process may represent for the rights and freedoms of those ones concerned.
This is a big news for data protection as it is entrusted to the data controllers to decide autonomously the methods, guarantees and limits of the processing of personal data.

9. Designation of the Data Protection Officer (DPO)
A new figure introduced by the GDPR. It is a professional with the tasks of informing and providing advice to the data controller, monitoring compliance with current legislation, as well as the policies of the data controller, providing - if requested - an opinion on the impact assessment on data protection, cooperating with the supervisory authority and acting as a contact point for the supervisor authority for matters related to processing.
Check if your company has the obligation to designate a DPO and if so, formalize your appointment.

10. Perform whenever a “Privacy Impact Analysis” is required
Each data controller must carry out an impact assessment on data protection in the cases envisaged by the law. This implies the need to preliminarily assess the impact, from the privacy point of view of each data processing operation that will be carried out.

11. Prepare and update the Register of treatment activities
In the cases envisaged by the GDPR, companies must keep a record of the processing activities carried out.
Ensures the preparation of the document and its update.

12. Be transparent to the parties involved
Reading the GDPR at the article 5, letter (a) in the first paragraph, the GDPR requires that personal data need to be treated in a transparent manner towards the data subject. Transparency is therefore a fundamental and constitutive element of the responsibility of the data controller.