In addition to GDPR services like a gap analysis, risk assessment or privacy compliance program, we can help you fulfill some specific obligations:
An advisor to assist your Data Protection Officer or, if you don’t have one, to assist your organization directly by providing legal or security-related support.
Understand your posture through privacy gap assessments.
Help to develop a privacy compliance plan.
Improve your security posture to meet GDPR requirements through Managed Security Services.
If you process personal information using new technologies and, taking into account the nature, scope, context, and purposes of the processing, this is likely to result in a high risk for data subjects, you will have to conduct a data protection impact assessment (DPIA). Cases that trigger this include a systematic and extensive evaluation of personal aspects relating to data subjects, such as automated processing, as well as large-scale processing of special categories of data. Sophisticated marketing software, big data technologies, and artificial intelligence technologies usually trigger the need for the controller to perform a data protection impact assessment.
How can we help?
Independent expertise is often needed to assist the controller in evaluating the risks to the rights and freedoms of the data subject, because this assessment requires the controller to evaluate the measures taken to address those risks, such as the security measures and mechanisms. The data protection impact assessment requires both a legal and a technical approach, which we can offer in an integrated fashion through our legal and security experts, who work together on such engagements.
Typically, these engagements are divided into 5 phases:
We can help you with any of these phases, or we can do all of these phases for you, together with the proper documentation.
Article 30 GDPR requires each controller to establish a record of processing (processors have a similar but simpler obligation). The record of processing has to include the legal purpose of processing, the description of the data categories, the categories of recipients, a general description of the technical and organizational security measures, and information relevant to cross-border data transfers. In addition, the model issued by various data protection authorities contains many other requirements to consider, such as the technologies that are used or a description of the risks that a mitigating measure is meant to address.
This is quite complex for organizations, and it requires a legal understanding of the conditions for processing set forth in the GDPR. At the same time, data mapping is essential to effectively fulfilling your other obligations. Our consultants can assist you in completing these tasks without a headache!
In case of a personal data breach, the controller is required to notify the Supervisory Authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it. The regulation also contains very specific requirements as to what the notification must contain, and the possibility, in certain circumstances, of providing some information in phases. In addition, the controller is required to document any personal data breach, comprising the facts relating to the breach, its effects and the remedial action taken. This documentation is critical for entities, as it allows the Supervisory Authority to evaluate compliance.
Recital 87 of the GDPR specifies that “it should be ascertained whether all appropriate technological protection and organizational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the Supervisory Authority and the data subject”.
To fulfill these requirements, you need the following items:
Hitachi Systems Security can assist with any of these requirements.
Based on article 32 GDPR, you are required to have appropriate measures in place “to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
While there are many ways to achieve this, a critical component of this is the implementation of a business continuity plan (“BCP”). A BCP enables critical services or products to be continually delivered to clients; it aims at ensuring that critical operations continue to be available.
A disaster recovery plan (“DRP”) deals specifically with recovering information technology assets after a disastrous interruption. Our experts have been producing these plans since long before the GDPR came into effect, and can assist you in creating a plan that is effective as well as tested.
One of the most fundamental and critical aspects of the GDPR is the requirement of article 32 GDPR on the adoption of adequate security measures. Unfortunately, it does not state exactly what measures are needed, but it does give the parameters that must be taken into consideration when deciding which measures should be implemented.
Under the regulation, you are required to identify all your processors and establish a data processing agreement with each of them, or amend the existing one. If you’re a processor, you need to flow down all of these requirements to your sub-processors. You also need to identify all the contracts under which data will leave Europe. This includes your cloud processors located in the United States, for instance. You also need to identify when this data will be transferred onward. For each of these cross-border data transfers, you will need to rely on one of the mechanisms set forth in the GDPR, and document that mechanism. Meanwhile, you have to update many of your policies, and you are receiving flow-downs from your clients that you have to negotiate. Have you done everything from a legal standpoint?
Following all these steps can be challenging for organizations that don’t have privacy lawyers in-house, or whose lawyers are already busy managing day-to-day contractual transactions.
Our legal experts can evaluate your privacy posture from a contractual perspective through a legal audit, and they can also help you complete any remaining tasks. We can also train your lawyers to develop sensitivity around data privacy and ensure that contracts are negotiated and drafted according to best practices, all while protecting your organization.
Privacy by Design is a concept which can be found at article 25 GDPR and was created in the 1990s by Dr. Ann Cavoukian, former Information and Privacy Commissioner for the Province of Ontario, Canada.
The concept is built on 7 foundational principles:
The GDPR is also demanding because it requires accountability from corporations. Under this regulation, you are required to prove that you are compliant, rather than waiting for plaintiffs to raise doubts as to your compliance. Being accountable is the basis of GDPR compliance.
To achieve this, you will need to have a number of policies in place to demonstrate your commitment:
Compliance with these policies is often validated through internal or external audits. All of this is referred to as “organizational measures” in the regulation.
Organizational measures are part of what we call corporate governance. In many cases, companies will have to adjust their ways of doing things, and we can assist in establishing, reviewing and recommending the right organizational measures.
Humans are typically the weakest element in any compliance or risk management context. You can implement all the technical and organizational measures in the world, but without training, they will be worthless. Training your people and raising awareness is part of the role of the Data Protection Officer (DPO), and it follows from the spirit of the GDPR that the authorities will take this into consideration. Training should be adapted to the role and position of the employee. We can provide training for executives, security professionals, and any type of employee.