GDPR

A process to be ruled according to new perspectives

GDPR (General Data Protection Regulation) is the regulation that governs, in a uniform way across borders, how the personal data of European citizens are collected and processed. It becomes law on May 25th, 2018 and starts changing the way in which businesses and consumers interact, by introducing two essential notions: informed consent, under which every individual must know the purposes for which their personal data are used, and accountability, under which every company must be able to demonstrate that it applies the requirements of the regulation correctly. Adjusting to GDPR goes beyond a simple legal obligation to comply. It is a real process to be managed, an evolution that involves company culture and infrastructure, and it can turn out to be an extraordinary opportunity to give new value to the data held by the organization. But it is quite evident that, before starting to systematize databases and redefine the roles of those responsible for data processing, it is necessary to create the conditions for satisfying the regulation’s requirements. Teroema drew up ten commandments, a short handbook that tracks the essential steps of this management transformation which, depending on the point of view, offers top management different incentives, missions and challenges.

  1. Each company must hold the explicit consent for data processing from all of its contacts, given in a clear and unequivocal way, with the obligation to reduce or permanently delete the information that is not necessary for the purposes described in the consent notice.
  2. Data may be collected only for precise legal purposes, and must be protected at every moment from distribution, loss, manipulation and disclosure. IT tools, from monitoring software to data protection and auditing processes, are essential.
  3. Companies will need a DPO (Data Protection Officer), an external or internal advisor with specific professional qualifications in the legal and IT fields, who reports directly to the company’s highest management level and has the task of monitoring compliance with the regulation, acting as the point of contact with the supervisory authority in case of investigations and audits.
  4. Data may be transferred to third parties, also outside the EU, as long as specific safeguards are respected.
  5. According to the accountability principle, it is fundamental to be able to demonstrate compliance with GDPR, by implementing a constant check of the company’s protection levels and by starting cyclical risk and impact assessment procedures.
  6. If the organization has more than 250 employees, it is necessary to store, in writing or in electronic format, all the documentation related to data processing activity. The register containing this information must be available to the supervisory authorities during inspections.
  7. At any moment, each European citizen can ask the companies that hold their data for clarifications on how the data are used and stored, as well as for a free copy in electronic format and even for immediate deletion.
  8. In case of a data breach, the company must be able to inform every data subject involved within 72 hours of discovering the violation. The supervisory authority must be notified only if the violation represents a risk to the rights and freedoms of natural persons.
  9. It is good practice for all installed and used software to be GDPR compliant: systems with known vulnerabilities that no longer receive security patches expose data to possible intrusions.
  10. Complying with GDPR is not a choice, it is the law: non-compliance exposes the company to fines of up to twenty million euros and 4% of annual global turnover.

GDPR SEEN FROM THE PERSPECTIVE OF

CEO

The General Data Protection Regulation can be read as a new “process” to be managed, and each CEO must act without wasting time. Greater transparency on how data are processed and managed needs to be considered; it is important to focus attention on the processes and to ensure that the information systems are suitable for correct data processing, by appointing dedicated figures, starting from the DPO, to safeguard these obligations and by establishing clear directives and business tasks.

GDPR SEEN FROM THE PERSPECTIVE OF

CMO

Under the requirements imposed by GDPR, the Marketing office is involved in all the management processes of auditing activities. The old consent formulas will no longer be enough: companies will need a documented consent that is valid, explicit and revocable, and that puts data safeguarding and protection at the center of their activities, integrating them into both products and services. The CMO will work in close contact with the DPO, receiving information on the obligations that derive from the data being processed and using his or her ability to organize and adapt processes to the new directives.

GDPR SEEN FROM THE PERSPECTIVE OF

CTO

For a CTO, GDPR means adapting the company’s infrastructure to respond correctly to the legal provisions. In reality, the very idea of infrastructure needs to be rethought: software and processes are infrastructure too, as is the structure that can give value to data and protect them, but also expose them to risk. For this reason, the GDPR adaptation process can be the right opportunity for companies to finally consider a Cloud strategy. Thinking of the integrity of processes and the integration of correct hardware, software and service procedures means having applications and operating systems that are updated and supported, and having an application lifecycle management plan both for the moment in which they will no longer be supported and, obviously, for those still in use but already unsupported.