GDPR - WHAT TO DO TO COMPLY WITH THE REGULATION?
GDPR: what to do
The question many will be asking at this point is: what do you need to do to comply with the GDPR, and how far does it affect my company? First, a distinction must be made between public and private entities. Public bodies are fully involved, for obvious reasons: being public, they are required to comply with the new data protection rules. The degree to which private organizations are involved varies with the type of service offered. But be careful: it is wrong to think that organizations in which the processing of sensitive data plays a marginal role are exempt from the regulation. Any organization that processes personal data falls within its scope; the real question is how much work compliance requires, not whether it applies. So what to do?
3CiME Technology considers legal advice essential, at least in a preliminary phase, so as to have a clearer picture of the obligations and a realistic sense of what actually needs to be done and how to proceed. This step is not compulsory, but it is highly recommended.
GDPR: what is required
The measures established are:
- DPIA drafting (Data Protection Impact Assessment): a document that sets out the preliminary assessment of the impact on the protection of personal data for those processing operations that require one under art. 35 of the GDPR (processing likely to result in a high risk to individuals, such as large-scale processing of special categories of data or systematic monitoring).
- Appointment of the DPO (Data Protection Officer): a single person or a multi-disciplinary team, which can also be external to the controller's organization and governed by a service contract. It is important to know that appointing a DPO does not shift accountability: the controller (the "owner" of the processing) always remains responsible.
- Ethical hacking: if we consider the security life cycle as circular, every action (or inaction) has to be followed by a check of its effectiveness. For this reason we propose a periodic check, which we call the Security Plus service, covering external and internal security and the organizational integrity of Active Directory (network status, users, passwords, domain configuration).
- Data encryption: it is not an explicit obligation, but it must be considered as a measure that strengthens accountability, and we include it by default among the things to do. The practical payoff comes with breaches: if the personal data involved were encrypted and the key was not compromised, the controller is exempt from communicating the breach to the affected individuals (art. 34), and the breach is far less likely to pose the kind of risk that requires notification to the supervisory authority at all. Otherwise the breach must be notified to the Garante (the Italian supervisory authority) within 72 hours of becoming aware of it, with what amounts to a self-declaration. Not a nice business card...
- Anti-ransomware: ransomware is not a virus in the classic sense but malware that encrypts your data and holds it to ransom, and it is becoming pervasive. What can be done? Eradication after the fact is rarely possible without a clean backup, so specific protective modules are needed to reduce the risk of unwanted encryption of data in the first place.
- Secure deletion of data: 3CiME Technology offers products and services that solve the problem definitively. You must have in hand a certificate proving, in a way that can be opposed to third parties, that the data has been permanently erased from your media; a simple file deletion or a format does not achieve this, and the erasure method must suit the medium. It is also time to stop polluting the planet with IT waste: we want to go green and donate, in the Anglo-Saxon "charity" model, sanitized computers and servers to schools and non-profit associations that lack the resources to buy them. It is time to reverse course.
- Disaster recovery: DR is not only an obligation, it is plain business sense. It is not just earthquakes: any number of other misfortunes can hit your data. But be careful: DR and data backup are two distinct things! A backup is a copy of the data; DR is the tested plan and infrastructure for getting the business running again from that copy within a defined time.
- Business continuity: it is a substantial cost saving, because machines stop and break, yet organizations must be able to keep working at availability levels of 99.999% (roughly five minutes of downtime a year). Conversely, the absence of business continuity carries a risk of loss of and damage to data, and is therefore a substantive obligation in our opinion.
- What to do instead when you migrate something to the cloud? In accordance with the guidelines of the Italian Garante and the EU Commission, those who use the cloud (Amazon, Microsoft, Lepida, Google, companies that run data centers) are asked to keep a copy of the data "in the hands" of the controller, for various purposes including an exit strategy.
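The anti-ransomware point above talks about "specific modules" without saying what one looks like. The following is an added example, not code from 3CiME Technology or any product it sells: a canary-file monitor that plants decoy documents no legitimate process should touch, records their hashes, and on each check flags a decoy that has gone missing, been renamed or been rewritten with high-entropy content (as encrypted output is). The file names, the entropy threshold and the simulated attack are all constructed for the demonstration.

```python
"""Canary-file check against ransomware: illustrative example, not a product.
Decoy files are planted, their SHA-256 recorded, and re-checked later. A decoy
that disappears (deleted or renamed with a ransom suffix) or whose content
has become high-entropy (typical of ciphertext) raises an alert that can be
used to freeze a file share or halt a backup job early. All inputs here are
constructed; the attack is simulated with random bytes standing in for ciphertext."""
from __future__ import annotations

import hashlib
import math
import os
import tempfile
from dataclasses import dataclass

# Names chosen (assumption) to sort first and last in a listing, where
# ransomware typically starts or ends its sweep of a directory.
CANARY_NAMES = ("00_contracts_2017.docx", "zz_payroll_backup.xlsx")
CANARY_TEXT = b"Canary document, do not edit. " * 64  # low-entropy, predictable
HIGH_ENTROPY = 7.0  # bits/byte; prose sits around 4-5, ciphertext close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for a constant buffer and 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_canaries(root: str) -> dict[str, str]:
    """Write the decoys and return {path: sha256} as the baseline."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(CANARY_TEXT)
        baseline[path] = hashlib.sha256(CANARY_TEXT).hexdigest()
    return baseline


@dataclass
class Alert:
    path: str
    reason: str


def check_canaries(baseline: dict[str, str]) -> list[Alert]:
    """Compare each canary with its baseline; any deviation is an alert."""
    alerts: list[Alert] = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            # Ransomware commonly deletes the original or renames it
            # (report.docx -> report.docx.locked); either way the canary is gone.
            alerts.append(Alert(path, "missing or renamed"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched, as it should be
        entropy = shannon_entropy(data)
        if entropy >= HIGH_ENTROPY:
            alerts.append(Alert(path, f"rewritten with high-entropy content "
                                      f"({entropy:.2f} bits/byte): likely encrypted"))
        else:
            alerts.append(Alert(path, f"modified ({entropy:.2f} bits/byte)"))
    return alerts


def simulate_ransomware(baseline: dict[str, str]) -> None:
    """Constructed attack for the demo: overwrite one canary in place with
    random bytes (standing in for ciphertext), rename the other with a ransom suffix."""
    paths = sorted(baseline)
    with open(paths[0], "wb") as f:
        f.write(os.urandom(len(CANARY_TEXT)))
    os.rename(paths[1], paths[1] + ".locked")


def demo() -> list[Alert]:
    """Plant, verify quiet, attack, verify noisy; returns the alerts raised."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_canaries(root)
        assert check_canaries(baseline) == []  # no alerts before the attack
        simulate_ransomware(baseline)
        return check_canaries(baseline)


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT {alert.path}: {alert.reason}")
```

In production the check would run from a scheduled task or a file-system watcher rather than on demand, the decoy content would be a real-looking document rather than repeated text, and the alert would trigger an action (disable the SMB share, suspend the backup job) rather than a print; the detection logic itself is the part shown here.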
GDPR: what we recommend to do
There are other measures whose adoption is not to be considered mandatory. They can nonetheless help, not least given the complexity of the matter: IT security is such a delicate and hard-to-manage area that certain "precautions" can make a real difference. In particular, here is what we recommend:
- Security management: an outsourced service that manages security at the perimeter, through complete management of the firewall and its features.
- Backup and managed backup: company backup should be simplified and perhaps outsourced. Too often it is never checked, in the hope that everything will be fine; a backup that has never been restored is not a backup. 3CiME already offers this service to many customers.
- Federated authentication: we have seen Active Directory replicated in Azure. That is like handing the keys to our data to an outside party. So what can be done to avoid the danger? A far more consistent approach is to federate the company's authentication systems with the external ones, for example Office 365/Azure, Amazon or Google, so that credentials are verified by the company's own directory rather than copied to the provider.
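The backup point above (and the earlier remark that DR and backup are different things) comes down to one check: can the data actually be brought back intact? The following is an added example, not 3CiME's managed backup service: it records a SHA-256 manifest of the source tree when the backup is taken and later compares a restore against that manifest, reporting files that are missing, extra, or silently corrupted. The sample trees and the damage applied to the copy are constructed for the demonstration.

```python
"""Restore verification: added example, not a vendor tool.
A backup that is never restored is a hope, not a control. This builds a
SHA-256 manifest of the source at backup time and checks a restored tree
against it. Sample data and the simulated backup failures are constructed."""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Relative path -> sha256 for every regular file under root."""
    manifest: dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: str) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest taken at backup time.
    Empty 'missing' and 'corrupt' lists mean the restore really brings the data back;
    'extra' files are reported because they indicate the wrong snapshot was restored."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "corrupt": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(p for p in restored if p not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed source tree, 'back it up', damage the copy the way a
    failing job would, and return what verification finds."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        os.makedirs(os.path.join(src, "hr"))
        sample = {  # constructed sample data
            os.path.join("hr", "employees.csv"): b"id,name\n1,Rossi\n",
            os.path.join("hr", "contracts.txt"): b"contract text\n",
            "ledger.db": b"\x00\x01binary ledger",
        }
        for rel, body in sample.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(body)
        manifest = build_manifest(src)  # taken at backup time, stored apart from the backup

        shutil.copytree(src, dst, dirs_exist_ok=True)  # the "backup"
        with open(os.path.join(dst, "ledger.db"), "wb") as f:
            f.write(b"\x00\x01")  # truncated write: file exists but is useless
        os.remove(os.path.join(dst, "hr", "contracts.txt"))  # never copied
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the manifest separately from the backup media (a backup that carries its own checksums cannot tell you whether the whole set was swapped or lost), sign it if third parties need to trust it, and run the restore into an isolated location on a schedule, not only when a disaster has already happened.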
GDPR: what to do optionally
There are other points worth attention because they can ease the already burdensome process of managing personal data processing. So let's see what to do optionally.
- Cloud: we have seen cloud contracts on the verge of illegality, let alone non-compliance with the GDPR today and with the earlier Italian legislation. The consultant prepares and/or reviews the contracts from the "privacy" and GDPR point of view.
- Security monitoring: connect your network to our NOC so that we can help you monitor threats.
- GDPR compliance management: software that lets you manage all the fundamental requirements of the GDPR, including the record of processing activities, the DPIA, data breach handling, the management of information notices and consents, etc. It can help you avoid "forgetting something".