GDPR Bogeyman

Does Your Current System Suits the New Legislative?

Unclear Interpretation, High Sanctions. Great Combination, isn´t it?

Do you belong to those companies that handle personal data of your employees and customers? How would you not be, you can´t imagine a field, in which is this situation not current. There is not much time left and according to the growing number of queries from our customers and the number of training that take place by us, it looks like, that people are starting to be interested, what kind of changes is waiting for them in the next year. 


New regulations of European Parliament and European Council (EU) No. 201/679 on the protection of personal data, alias General Data Protection Regulation (GDPR) enters into force on 28 May 2018 and as it seems, many people are confused and doesn´t know what to do with their personal data o their employees and customers. One is clear if a mistake or fulfilment of the legislative occurs, a danger of sanction in the high of 20 000 000 €, or in the case of a company, in the high of 4% of its worldwide annual turnover, appears. To say it clear, this is far beyond one´s budget.

To defend us all, that are involved in this, other interpretative opinions were already published by the European organs, but these are still really inadequate and in praxis for us, not usable documents. What should we imagine under the term GDPR?

First, Lets define the Processes

How does it look in praxis? On most websites, a few-page description of GDPR problematic with different references to individual legislative regulations, EU Bulletins with a huge bold highlighted date when GDPR enters into the force, but what they will never say to you and what you do not read anywhere is: Identify your business processes! You would be surprised, how many companies still work with Office tools. Multi-page sheets, that are being sent from Nancy to Peter by email, unlocked and unprotected with duplicate data, without any order and concept.

In today's modern world, when ERP doesn´t cost a fortune, really anyone can afford a smart information system. Security certificate, access only for users who have to be in touch with this kind of information, the level of permission, and especially PROCESSES. Why should you let the operator of the production machine look into the orders or CRM, where are all sensitive data served on a silver platter? Simply, why bother with this?


Security

It is in the regulation itself, that it is possible to fairly required by companies just that, what is for them in the case of security possible. That means, if you have a vegetable shop and your annual turnover is just a few hundred thousand Czech crowns, no one will ask you for an investment which would exceed this value. When security and within your possibilities.

An ideal solution, in this case, is to go to Cloud. The provider that owns Cloud guards its services very well. In the majority of cases, Data are better secured, doesn´t matter how you have the security on our servers solved. The advantage of Cloud services is that servers, storage, services, and applications, are available for users over network or internet.


Employee Education

How we already mentioned before, the process setting is in the first place. The awareness of employees and, in general, of all people who are in touch with personal data about this problematic, is right after, because, although the system will be perfect, precisely and carefully secured, nobody can prevent a thief from coming and taking. It can be a cleaning woman or just a draught.

Yes, Yes, Yes

Just like by the altar in a church, where you promise loyalty, even here you need the agreement of the other party. A sufficiently specific one! “I agree with the processing of the data” is not enough. It is needed to get from you employee an explicit agreement to which sensitive data the agreement is given. What is sensitive data?

In the case of the hot topic of incorporation of the allowance with the processing of personal data in VOP in your web sides, if the agreement is expressed the written way in statement regarding other reality, it must be distinguished from other realities at the first sight, for example, on the separate page of the document or on separate checkbox. And watch out for minor kids when the allowance has to be made by parents (in praxis, there is no way how to make this and GDPR this ambiguity didn´t nail them down).

Anonymization

Anonymized data are those that do not indirectly subject to the identification of the certain person and aren´t connectable to him. Measures associated with should consist in mineralisation of processing of personal data, in their quicker pseidonymization, in transparency with regard to the purpose and processing of personal data and in enabling of citizen´s access to their data.

Pseudonymization means processing of personal data the way when it is impossible to assign data to a specific person without additional information which are preserved separately and protected against repeated allocation to original data.

This doesn´t count on information which is absolutely necessary stored according to the Czech legislature. For example, personnel and wage agenda, information for the conclusion of the contract of employment, the Employment Agreement, Activity Agreement kept in the employee´s personal profile which contains employment contract, salary, proof of education etc.

Summary

Firstly, find an information system which serves you perfectly and satisfies your needs. It doesn´t have to be an ERP system, DMS or CRM system is enough. Choose wisely considering your needs and aims.

If you want an advice, let us know. We have great Odoo system.

Whether you have an ERP system or not:

  • find out with what kind of information you come in touch with your company,

  • where you store information,

  • who is working with them and who has access to them.

Create a map of information flow in your company including people who have access and then:

  • set term and conditions, provisions on you websides and make it creal in your business termns and conditions,

  • create an authorisation structure for you employees,

  • make a briefing about possible FDPR difficulties or send them to us for GDPR training,

  • ensure allowances for the processing of personal data,

  • make an evidence (or better find a system that will make it for you) about who is working with the data and where are they now.

It isn´t just a few things that need to be done for the fulfilment of the new legislation. But this is enough for the basic overview.
If you are more interested in the GPR topic and you would like to discover more about the possibilities of information systems, let us know. We´ll be glad to help.

Kristýna Bártová

Give us your phone number and we will call you back.