July 3, 2019 | Author: Span PDP

Why Span Personal Data Protector is the right solution for helping you find your way out of the GDPR labyrinth

Most organizations made good use of the first few years of GDPR: they’ve asked all the right questions, established compliance teams, kept records of personal data processing activities, adopted specific organizational and technical security measures, and drafted required documentation.

By developing a specialized and proprietary cloud-based solution, Span has taken a unique position on the Croatian market as the only company offering a comprehensive, end-to-end GDPR service to customers.

Span GDPR Team experts reveal why Span Personal Data Protector is the right solution for helping you find your way out of the GDPR labyrinth in the new print edition of Mreža (07/2019).

We made the entire article available to anyone who wants to learn firsthand about Span Personal Data Protector.

Safely exit the GDPR labyrinth

Denis Tomić and Tea Čonč are part of Span’s GDPR Team – tasked with continued development of services and Span Personal Data Protector.

The importance of protecting personal data has been acknowledged by both sides of the “GDPR coin”. Citizens became aware that personal data is their property, and organizations became aware of which and whose personal data they are processing, how they process it, and to whom such data is being transferred.

Important questions about storage, which had not been raised before, also popped up. With whom do we share personal data? Where is this data physically stored at each stage of its life cycle, and is it suitably protected wherever it is being kept and accessed?

Empowering the data protection officer

Data protection officers are responsible for consulting and overseeing organizations that process personal data. Our hands-on experience has shown that most DPOs successfully braved emerging conceptual tasks such as clarifying the dilemma “where do we stand and what does GDPR mean to us”, and are well-versed in handling everyday challenges such as providing prompt answers and advice to colleagues who are not sure if they should do this or that.

Management support is of the utmost importance, followed closely by understanding and cooperation of colleagues, especially owners of personal data and all those who work directly with clients. The myth that DPOs “own GDPR” and all personal data collected by the organization is slowly fading away, which we consider a significant step in the right direction.

Reread the regulation and use common sense

In addition to all we’ve already mentioned, it should come as no surprise that the DPO’s function is gradually becoming more professionalized within larger organizations, serving as a natural upgrade to legal and/or IT backgrounds.

Information and data sources are paramount for this emerging professional community. Should any uncertainties arise and the “reread the regulation and use common sense” method fails, you should visit the supervisory authority’s website; Span’s GDPR experts recommend having a look at the websites of the United Kingdom supervisory authority – the Information Commissioner’s Office (ICO), the French Commission nationale de l’informatique et des libertés (CNIL), the Isle of Man Information Commissioner and the current Article 29 Working Party. Croatian clients should also check out the information provided by the Croatian Personal Data Protection Agency (DPA).

We have created SpanPDP Web with the goal of showcasing Span’s GDPR-related portfolio, but also sharing our first-hand experiences, giving “general practices” tips and advice, as well as providing answers to specific questions and topics as means of contributing to the public debate on GDPR.

Understanding GDPR and its practical application is a path that the professional community and the public are only just starting to tread – from initial discussions on consent and video surveillance, sharing data with third parties and the explicit rights of data subjects, to the relationship between the controller and the processor, and further on to legitimate interest assessments (LIA) and data protection impact assessments (DPIA). GDPR is starting to lose its mystique.

SpanPDP helps organizations with compliance

Span Group is a market leader engaged in the design, development and maintenance of information systems based on advanced technological solutions. We created the gdpr2018.eu portal at the start of 2017 with the goal of raising awareness among organizations and the general public of the impact that GDPR would have on the way we do business.

As part of this campaign, we also held a series of informative and educational workshops and consultation sessions aimed at organizations from both the private and public sectors. These were followed by more than 20 commercial GDPR-related projects involving process, legal and technical compliance, including the implementation of relevant security solutions.

Our services are tailored to the specific needs of each client, with full awareness of the responsibility of managing and ensuring business continuity. By developing a specialized and proprietary cloud-based solution – Span Personal Data Protector – Span has taken a unique position on the Croatian market as the only company offering a comprehensive, end-to-end GDPR service to customers.

SpanPDP is a solution for managing business processes that use personal data and a tool that helps DPOs supervise and educate colleagues. Customers require no additional IT support since SpanPDP can be accessed via a web interface from the Span Azure Cloud.

Let’s cut the long story short

Span has been helping organizations bring their business operations in line with GDPR for a few years now. We’ve applied the know-how and experience acquired in working with our customers to the design of SpanPDP and the accompanying GDPR services, in line with market demands.

Our experts monitor global and local trends and actively contribute to the public debate on GDPR. You can learn how to find your way out of the GDPR labyrinth by visiting our new website.

Frequently asked questions

I need a “solution for GDPR”. What can you offer me?

There is no magical one-stop “solution for GDPR”. GDPR compliance has to involve all legal, organizational and technical aspects, preceded by an analysis that will form the backbone for creating an action plan – a series of steps required for ensuring better compliance.

This action plan may also entail deploying specific software solutions – either for recording processing activities, managing consent, or providing security. Organizations can achieve continuous compliance by having a clear perception and understanding of their own business processes and knowing how personal data fits into current (and all future) processes, and by adopting special procedures for ensuring compliance with GDPR requirements.

What are records of personal data processing activities and how are they created?

Records of processing activities are a list of business processes (or subprocesses) that use personal data, classified according to the categories and requirements prescribed by GDPR. These records cannot be successfully created or kept without first examining and analyzing business processes.

The first step is to identify such processes, then to find the relevant process owners responsible for providing the legal basis and determining the purpose of a particular processing activity. This is followed by breaking down the purpose of processing, creating a list of personal data and of the data subjects whose personal data is being processed, considering transfers to third parties and/or third countries, the duration of processing and retention of data, and so on.

What is valid consent, and how do you decide when it is needed?

Consent is just one of several possible legal grounds for processing personal data. If said processing is not covered by legal regulation, contractual obligation or public interest, and is not important enough for an organization to declare (and defend) its legitimate interest, it will most likely require obtaining consent.

When you’ve settled on using consent as the basis for processing, make sure you have appropriate mechanisms in place to terminate processing should the data subject withdraw his/her consent.

How can we strengthen the security of our information systems?

As always, start with an analysis, which can be carried out by internal or external experts who have complete insight into your IT systems. This analysis will reveal the weak points where your systems are most vulnerable and the highest risks, and offer recommendations for strengthening security and mitigating risk – by deploying specific solutions for document classification, database protection, data leakage prevention, monitoring, etc.