The European privacy protection regulation GDPR
GDPR is the acronym of GENERAL DATA PROTECTION REGULATION, the privacy protection regulation of the European countries. As in Israel, Europe also has privacy regulation. The European regulation entered into force on May 25, 2018. Its goal, as in Israel, is to protect the personal information of all citizens of the European Union by imposing obligations and instructions on companies and organizations that collect personal information about EU citizens, store it in databases and process it. The GDPR returns control over the personal information exposed on the digital network to every European citizen.
It is important to know that the regulation also applies to data controllers and data processors whose company is located outside the borders of continental Europe, if the business holds information about EU residents or monitors the behavior of European customers through an application or website.
The GDPR regulations apply to data controllers and/or data processors whose seat is not within the borders of the European Union if they perform one of the following:
- Processing information of data subjects who are in the Union by offering paid or free products or services.
- Monitoring the behavior of data subjects who are in the European Union.
GDPR regulations on the collection of private information
The regulation defines private information as information concerning a private person (not an organization or corporation) who can be identified directly or indirectly through an identifier such as a name, location, social security number, or physiological, economic, socio-cultural and other characteristics.
Regarding the data subject (the person about whom the information was collected), the public interest or the contractual agreement must be preserved, in accordance with the following rights:
- The right to basic information – the privacy notice must provide the relevant information in simple and clear language.
- Right of access – the data subject has the right to receive all the details of the information held about him, free of charge and whenever he requests it.
- Right of rectification – the data subject may request changes to the information in order to correct errors.
- The right to erasure (“the right to be forgotten”) – the data subject has the right to demand the deletion of the information about him at any time.
- The right to restrict processing – the data subject's right to ask that the processing operations carried out on his information be stopped.
- Right to receive notice of deletion, correction or restriction.
- The right to object to processing – the data subject's right not to consent to the processing operations carried out on his information.
- The right to data portability – the data subject has the right to receive all the information he provided to the controller and transfer it to another party.
- Right to object to processing for direct marketing purposes.
- Right to object to processing for scientific, historical or statistical purposes.
- The right not to be evaluated (“graded”) on the basis of automated processing – the data subject's right to have decisions based on the information about him made by a human being.
- The right to be notified of an information breach – data subjects must be notified within 72 hours of the date of the hacking or damage to the information, if there is a risk to their rights and freedoms.
- The right to withdraw consent at any time – the data subject's right to withdraw, at any time, his consent to the provision of information.
- The right to file a complaint with the supervisory authority.
- Right to compensation – the data subject's right to receive financial compensation for a violation of his rights or freedoms.
- The right to an explanation of data processing – data subjects have the right to receive a clear, unambiguous and accurate description of the processing of their personal data.
Implementing the GDPR privacy protection regulations begins at the planning stage
The GDPR privacy protection regulation states that organizations must protect privacy from the design phase of the product or service (Privacy by Design) and throughout its life.
The organization that controls the information is obliged to plan and implement process and technological controls for the protection of personal information. The organization that processes the information is required to ensure that the information is kept properly, both by itself and by the other processors that provide it with services.
GDPR details the tools and processes required to protect personal information in accordance with information security principles, including protection of the confidentiality, integrity and availability of information, and ensuring the ability to recover in the event of a disaster:
- Data controllers are required to report any breach to the authorities within 72 hours of its detection.
- Databases whose breach would pose a high risk to privacy are required to carry out an information security risk assessment survey.
- Organizations that handle a large amount of sensitive information are required to appoint a DPO (“Data Protection Officer”) with extensive powers.
GDPR defines personal information as information concerning a “natural” person (that is, a private individual and not an organization or corporation) who can be identified directly or indirectly by reference to an identifier such as a name, ID number, location data or online identifier, or through physical, physiological, genetic, mental, economic or socio-cultural identifiers of that person.
Documentation: 39 of the 99 sections of GDPR explicitly require evidence to be kept that proves the organization meets the regulatory requirements. GDPR regulations apply to the sale of products and services to data subjects located in the Union.
Violation of GDPR regulations
The European privacy regulation provides for severe sanctions in the form of fines of millions of euros. In addition, any body that does not meet the European standards knows that it will not be able to work with European bodies. The GDPR rules apply to any data controller or data-processing business located within the borders of Europe.
In the event of a violation of the GDPR regulations, the regulator imposes a heavier financial penalty than ever before: 4% of turnover or 20 million euros (whichever is higher).
Who is GDPR for?
GDPR is intended to protect every citizen whose personal information is held in some database, and is aimed at all owners and managers of databases of any kind. The GDPR regulations apply to government entities, businesses, public companies and private companies, even if they are not located on the European continent, as long as they process data related to the European Union.
The GDPR compliance process and information security
After checking and reaching a conclusion regarding the relevant security level of your organization, company or body, all GDPR regulations relevant to that security level must be applied. The process of complying with the regulations:
1. Mapping the organization’s information sources.
2. Understanding the organization’s technological processes.
3. Preparing a gap survey of what exists in the organization versus what the regulations require.
4. Monitoring and assistance in correcting the gaps.
5. Appointment of a DPO (data protection officer) by the organization's senior management.
6. Senior management responsibility.
7. Preparation of documents (details below).
#1 – Mapping the organization’s information sources
Mapping the data relevant to the regulations in the company’s information systems and databases. You are required to register a definition document that covers everything related to your database: a general description of the operations performed on the information in the database; the purpose of using the personal information in it; a one-line description of the personal information it contains; whether the information is transferred, in full or in part, to entities or parties abroad; whether a third party uses the data in your database, and for what purpose; the risks to which the personal information is exposed and how the organization deals with them; and the full details of the database’s information security officer, manager and owner (holder). This document must be updated once a year, or whenever a change is made in the organization or a security incident occurs.
#2 – Understanding the organization’s technological processes
Are there self-developed information systems? What other information systems does the organization have, locally and in the cloud? In which cloud environments is development carried out (AWS, Azure, GCP)? Get to know the organization’s product: how its architecture is built, what encryption is used (if any), how the information flows, where PHI and PII are stored, and so on.
#3 – Preparing a survey of gaps, risks and information security
Gaps are divided into three categories (DEV, PROCEDURE, TECHNICAL): development, procedures and technical. We prepare a gap survey for the client by comparing the existing situation in the organization with what is required.
#4 – Monitoring and assistance in correcting gaps
Administrative gaps – preparation of the set of procedures required by GDPR, such as a DSAR procedure, a PERSONAL DATA SECURITY PROCEDURE and the like.
Technical and development gaps – instructing the customer on what to do according to the regulations, such as collecting logs, using encryption, installing anti-virus and the like.
#5 – Appointment of a DPO (Information Security Officer)
Another action you are required to perform under the GDPR, if your organization owns or holds five databases, is to appoint a person responsible for information security in your organization. It is important to note that this applies only to public bodies, banks, companies dealing with credit rating and credit assessment, and insurance companies.
Appointment of Data Protection Officer:
As part of the project, a DPO (data protection officer) will be appointed in the organization, to allow the client to exercise the “right to be forgotten”, to manage secure databases and to document the legal basis that permits the use of the information, for example a client’s active consent to receive advertising messages.
#6 – Senior management responsibility
Management implements an information security policy and allocates the resources required to run the company in accordance with regulatory requirements, while holding periodic management review meetings. Management will also appoint a data protection officer. It is the officer’s responsibility to ensure that management policy is followed in an orderly manner.
Increasing employee awareness of information security issues and integrating information security requirements into employee onboarding processes. Records control: rules will be defined for managing the company’s information security records.
The work will be carried out and supervised by a senior professional team specializing in standards and regulation.
The project team has extensive experience and international certifications in information security and the implementation of regulation in organizations!