GDPR, ALGOSYSTEMS and PRIORITY. It’s time to meet your GDPR Challenge!
The new GDPR Regulation enables the Data Protection Authority to impose extremely large fines on organizations that violate the regulation, which is why businesses need to comply.
The new European Regulation [European Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), which entered into full force on May 25th 2018] is a complex legal text of 88 pages, 99 articles and 173 recitals, which affects to a greater or lesser extent all enterprises and public organizations in Europe and the wider region. The regulation is guided by the logic "that every person has the right to the protection of personal data concerning him/her", which in free translation means that personal data do not ultimately belong to the companies that collect them; the companies borrow them from the natural persons with whom they transact, in order to perform a specific transaction or contractual obligation.
The GDPR therefore clearly (if not obviously) affects most activities of practically all businesses in three main dimensions: a) legal, b) organizational and processes and c) technological.
- A) It affects the legal dimension because the processing of all of an organization's personal data (whether of customers, customers’ customers, employees, subcontractors, or suppliers) must be checked and transformed under the new regulation. For example, contracts with an organization's subcontractors need to be changed insofar as they come into contact with corporate personal data or, as a more difficult example, all of the organization's personal data processing should first be checked for lawfulness. It is useful to add here that, for the GDPR, "processing" includes: collecting, digitizing, organizing, structuring, storing, adapting or altering, retrieving, searching, using, disclosing by transmission, dissemination or any other form of distribution, associating or combining, restricting, deleting or destroying.
- B) It affects the organizational and processes dimension, because all processes that involve personal data must be properly controlled and transformed, for example by following the "proportionality principle", which foresees that any processing of personal data should not exceed what is required to achieve its intended purpose. In other words, if it is, in principle, legally correct for the organization, in the context of a process, to collect personal data, for example of its clients, these data should be the least possible, undergo the least possible processing (in the broad sense explained above), be accessible by the least possible number of employees, have the least possible distribution to third parties, be kept for the shortest possible time, etc.
- C) It affects the technological dimension, especially in information and communication technologies, because these are the technologies involved in the mass processing of personal data when it happens. This is because, through these technologies, personal data are circulated inside or outside the organization and most data breaches occur, but also because these technologies can significantly help an organization to meet the new requirements of the regulation. These include requirements such as the consent of natural persons, a well-organized and complete data security and data safety approach including business continuity, prompt notification of the authority in data breach cases, analytical accountability, necessary provability, etc. Also, the new rights given to natural persons, such as the right to be forgotten and the right to portability, require a review of the organizations' current technological approaches.
An interesting point regarding Information Technology is that, beyond the changes that an organization's current ICT infrastructure needs to undergo (at network level, database level, the necessary continuous monitoring & assessment, access control, device control, web sites, etc.), IT also empowers the organizational and process dimension of a company's compliance. It does so thanks to technologies such as data discovery, workflow control, document management, privacy protection, risk assessment and management, etc.
Algosystems is able to offer, along with its strategic partner, PRIORITY QUALITY CONSULTANTS SA, an integrated approach to customer GDPR needs. Algosystems can, with expertise and flexibility, cover the "Technology dimension" of privacy protection, ICT security and data safety, security monitoring and disaster recovery, as it has been offering these services to its customers for years. At the same time, PRIORITY, as one of the most successful business consultants in the Greek market, can accurately, efficiently and reliably cover the "Legal" and the "Organizational-Processes Dimension" of the Regulation, as it has successfully done in many GDPR projects to date.
The two companies offer exactly what their customers need to approach the GDPR successfully: completeness, reliability, a reasonable approach within what is feasible, minimal disruption to current business activity, and ultimately knowledge and a high added value service centered on achieving the goal for which they have been called - their customer's compliance with the GDPR regulation!