
GDPR Additional Services

Meet GDPR Obligations

In addition to GDPR services like a gap analysis, risk assessment or privacy compliance program, we can help you fulfill some specific obligations:


Disclaimer: The content on this page was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.

Need a quote for GDPR services? Contact us.


What Do You Need?

DPO

An advisor to assist your Data Protection Officer or, if you don’t have one, assist your organization directly by providing some support, whether legal or security related.

Privacy assessment

Understand your posture through privacy gap assessments.

Prioritized plan

Help to develop a privacy compliance plan.

GDPR

Improve your security posture to meet GDPR requirements through Managed Security Services.

Data Protection Impact Assessments

If you process personal information using new technologies, and that processing is likely to result in a high risk for data subjects (taking into account the nature, scope, context, and purposes of processing), you will have to conduct a data protection impact assessment (DPIA). This includes any systematic and extensive evaluation of personal aspects relating to data subjects, such as automated processing, as well as large-scale processing of special categories of data. Sophisticated marketing software, big data technologies, and artificial intelligence technologies usually trigger the need for the controller to perform a data protection impact assessment.


How can we help?

Independent expertise is often needed to assist the controller in evaluating the risks to the rights and freedoms of data subjects, because the assessment requires the controller to evaluate the measures taken to address those risks, such as security measures and mechanisms. A data protection impact assessment requires both a legal and a technical approach, which we offer in an integrated fashion through legal and security experts who work together on such engagements.


Typically, these engagements are divided into 5 phases:

  1. the declaration of high risks;
  2. the mapping of the data flows in the processing activity covered by the assessment;
  3. the identification of adequate organizational and technical measures;
  4. the analysis of the risks based on the GDPR risk model; and
  5. a final test to ensure that the suggested measures are adequate, especially when the data protection impact assessment is conducted while a new system or software is being built, since risks or challenges that were unaccounted for can surface during the implementation phases.

We can help you with any of these phases, or we can do all of these phases for you, together with the proper documentation.

Record of processing

Article 30 GDPR requires each controller to establish a record of processing (processors have a similar but simpler obligation). The record of processing has to include the legal purpose of processing, the description of the data categories, the categories of recipients, a general description of the technical and organizational security measures, and information relevant to cross-border data transfers. In addition, the templates issued by various data protection authorities contain many other requirements to consider, such as the technologies that are used or a description of the risks that a mitigating measure is meant to address.

This is quite complex for organizations, and it requires a legal understanding of the conditions for processing set forth in the GDPR. Therefore, data mapping is essential to effectively fulfill your other obligations. Our consultants can assist you in completing these tasks without a headache!

Data breach notification procedures

In case of a personal data breach, the controller is required to notify the Supervisory Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. The regulation also contains very specific requirements as to what the notification must contain, and allows, in certain circumstances, some of the information to be provided in phases. In addition, the controller is required to document any personal data breach, comprising the facts relating to the breach, its effects and the remedial action taken. This documentation is critical for entities, as it allows the Supervisory Authority to evaluate compliance.

Recital 87 of the GDPR specifies that “it should be ascertained whether all appropriate technological protection and organizational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the Supervisory Authority and the data subject”.

To fulfill these requirements, you need the following items:

  • Data breach notification policy
  • Data breach notification guidelines
  • Data breach notification standard operating procedures
  • Data breach notification templates
  • Data breach notification registry template
  • Understanding which Supervisory Authority must be notified
  • Training for employees

Hitachi Systems Security can assist with any of these requirements.

Business Continuity Plans and Disaster Recovery Plans

Based on article 32 GDPR, you are required to have appropriate measures in place “to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.

While there are many ways to achieve this, a critical component of this is the implementation of a business continuity plan (“BCP”). A BCP enables critical services or products to be continually delivered to clients; it aims at ensuring that critical operations continue to be available.

A disaster recovery plan (“DRP”) deals specifically with recovering information technology assets after a disastrous interruption. Our experts have been doing these plans long before GDPR ever came into effect, and can assist you in creating a plan that is effective, as well as tested.

Security audits and testing

One of the most fundamental and critical aspects of the GDPR is the requirement of article 32 GDPR on the adoption of adequate security measures. Unfortunately, it does not state exactly what measures are needed; but it does give the parameters that must be taken into consideration when deciding which measures should be implemented.

Privacy by design methodology

Privacy by Design is a concept which can be found at article 25 GDPR and was created in the 1990s by Dr. Ann Cavoukian, former Information and Privacy Commissioner for the Province of Ontario, Canada.

The concept rests on 7 foundational principles:

  1. Be proactive, not reactive
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality: positive sum, not zero-sum
  5. End to end security
  6. Visibility and transparency
  7. Respect for user privacy; keeping it user-centric

Organizational measures

The GDPR is also demanding because it requires accountability from corporations. Under this regulation, you are required to prove that you are compliant, rather than waiting for plaintiffs to raise doubts about your compliance. Being accountable is the basis of GDPR compliance.

To achieve this, you will need to have a number of policies in place to demonstrate your commitment:

  • employee privacy policy
  • destruction and retention policies
  • acceptable use of IT policies
  • cell phone policies, etc.

Compliance with these policies is often validated through internal or external audits. All of this is referred to as “organizational measures” in the regulation.

Organizational measures are part of what we call corporate governance. In many cases, companies will have to adjust their ways of doing things, and we can assist in establishing, reviewing and recommending the right organizational measures.

Training

Humans are typically the weakest element in any compliance or risk management context. You can implement all the technical and organizational measures in the world, but without training, they will be worthless. Training your people and raising awareness is part of the role of the Data Protection Officer (DPO), and it follows from the spirit of the GDPR that the authorities will take this into consideration. Training should be adapted to the role and position of the employee. We can provide training for executives, security professionals, and any type of employee.