The General Data Protection Regulation (GDPR) is a set of rules and requirements aimed at protecting the personal data available to businesses and other organizations. The GDPR will harmonize the privacy rules in all 28 EU countries from May 25.

This regulation relates to all small and medium enterprises as well as large companies that process personal data such as accounting, lawyers, banks, health authorities, etc. as it is extremely frequent for a company to have and process some form of personal data, whether it is the data of its employees or the data of its customers.

The new rules strengthen the role and powers of data protection authorities, recognise additional rights to the persons to whom the data refer (mainly logos, to each individual), reinforce any fines and penalties and define additional requirements for personal data protection organisations. These requirements include, inter alia, the implementation of certain policies and procedures, the development of an effective internal data protection management system and the appointment of responsible data protection.

In general, the GDPR protects the personal information of people residing in the EU, but it also has legal references in the countries of the European Economic Area (EEA). Only information on natural persons falls within the scope of application, while corporate data is outside the scope.

The GDPR will affect every organization and company in Europe, which manages in any way any personal data in any form. Furthermore, it will affect any company trading in the territory of the European Union. The rules are very complex and the requirements for non-compliance very strict(they can reach up to 20 million euros).

The GDPR also significantly increases the possibility of higher fines and penalties on non-compliant companies. It contains a list of different violations with maximum limits. Businesses should understand their exposure to risks while the management of their data protection will be at the centre.

Data protection will be the main risk for businesses, taking into account in particular the potential defamation risks they face as a consequence of data breaches or mismanagement of personal data.

Regulation 2016/679 lays down a series of restrictions and new obligations on undertakings relating to:

• the processing of personal data throughout their lifecycle, from their collection to their destruction,
• the possibility of transporting them to other countries,
• the protection of the rights of natural persons, in particular in relation to their access to their personal data;
• the security (confidentiality, integrity, availability) of personal data and
• the disclosure actions that the company must take in case of infringement.

In case of violation of the provisions of the regulation, significantly increased deadlines are foreseen, reaching up to 20 million Euros or 4% of the global annual work cycle of the company.

The most important and complex new change is the right of the data subject to be “forgotten”, according to which he can ask a company to delete his personal data. Companies should put in place procedures to locate the data and comply with these requests, although it may not be simple to delete a single data file that may have been copied into multiple databases, collected or shared in a third part.

Another important challenge of compliance with the GDPR is the new requirement to notify the authorities of the existence of a violation of the data within 72 hours of their appearance. This has implications for risk management.

Companies should put in place appropriate procedures and systems to identify the data affected and improve internal cooperation before informing the regulator. Successive violations will lead to greater sanctions and stricter regulatory monitoring.

They must clearly understand the personal data they process, that is, what information is stored and with whom it is shared. If the company finds that the activity of data processing will create a “high risk” to the requirements of the GDPR and the “rights and freedoms” of individuals, it should conduct and document a detailed assessment of the impact on privacy, having in mind what is or is of the data subject, and not the company, which generally determines who falls within the scope of the GDPR.

Authorities are more likely to “punish” companies that are not well prepared and do not face violations according to best practices.

Cyber insurance can help you with compliance. Insurance, for example, often includes consultancy and incident planning services, as well as anti-infringement services.

If a company suffers a breach, it will need the help of experts, such as lawyers, IT specialists and crisis management consultants. The insurance provides immediate access to these experts and helps to prove to the authorities that the company has taken immediate and appropriate measures to reduce the impact of data breach, but also to comply with regulatory requirements and deadlines.

Approaching the requirements of the GDPR with due diligence will increase cybersecurity, improve the process by increasing awareness and often increase the budget in order to implement additional security measures.

Ransomware attacks, where criminals enter the business network, encrypt all data and then demand money in exchange for the decryption key, use special attention. And it’s not just the immediate cost of ransoms that one has to worry about. There are the costs of investigating and terminating the infringement, the cost of legal and public relations, the damage to the value of the business and the price of the share, as consumers and customers lose confidence. According to the Center for Strategic and International Studies, the estimated annual cyber crime losses climb to $400 billion.

Today, the business can be protected from adverse economic losses in the event of personal data leakage. Contact us in order to offer you the study of personal data security free of charge.

TO WHOM IT IS ADDRESSED

The two-day seminar on the GDPR Technical Standard of A-Cert is addressed to Processors or Controllers, Processors, Internal and External Auditors, Internal and External IT Auditors, Business Consultants, the Manager and the Executives of the Company’s IT Operations, as well as the Management and the Involved Executives in the Personal Data Protection and IT Systems Planning and generally to each Executive who wishes to be informed about modern practices in all Data Control issues for GDPR Compliance.

PURPOSE

An integrated approach to GDPR Auditing as described enables participants to:

• They design and implement an Audit of the GDPR System with completeness, in order to have a complete picture of the Compliance of their Business.
• Identify areas of deficiencies.
• With the tools provided to facilitate the design of the Corrective Actions.
• They monitor, using the same Tools to settle non-conformities.
• It further improves processes and systems.
• Reduce the associated risk of fines.
• Ensure more effectively the image and reputation of the Company

SEMINAR DESCRIPTION

Compliance with the GDPR Technical Standard of A-Cert for the Regulation 2016/679 for the Protection of Personal Data

This seminar focuses on Compliance Auditing methodologies and practices with the A-Cert GDPR Technical Standard for the General Data Protection Regulation (GDPR). Provides knowledge and special tools to the Executives of Enterprises and Organizations, for the Organization, Planning and Implementation of Compliance Checks on issues related to the Operation of the Personal Data Protection System in the most effective way. In addition, case studies from the GDPR Compliance Projects implemented by AQS are analyzed.

The aim of the seminar is for the Executives to develop the Audit experience and knowledge, in order to recognize and assess the Risks arising from the collection and processing of Personal Data within the Company, to examine the adequacy of the Audit Mechanisms and Procedures and to propose, where necessary, the appropriate Improvements.

To facilitate these Audits, our Company has designed Tools that allow the integrity of recording and monitoring corrective actions, which are given to the participants.

The Scientific Coordinator of the seminar is Dimitris Chouliaras, Accreditation and Development Manager of New Schemes of A-Cert, with 20 years of experience and international activity in the Certification of Management Systems and Accreditation of Certification Bodies.

The following e-books will be given to the participants of the seminar free of charge:

• The GDPR Technical Standard of A-Cert for the Regulation 2016/679 on the Protection of Personal Data.
• The EU Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679
• Security and Data Privacy Audit Questionnaires
• Use Compliance Manager in the Service Trust Portal – Preview – Office 365
• 170919-LF-Risk-Assessment-ENG-online-final-for-GDPR
• FILLADIO GDPR
• GDPR –  Public Administration

SEMINAR MODULES TO CHECK COMPLIANCE WITH THE GDPR TECHNICAL STANDARD OF A–CERT FOR REGULATION 2016/679 FOR THE PROTECTION OF PERSONAL DATA

1. European General Data Protection Regulation (GDPR)

• Rights of individuals (oblivion, consent, etc.)
• Notification of Security Breaches
• Cross-border Transfer of Data
• Fines for non-compliance
• Principles of Data Quality
• Data Protection Officer Name

2. Introduction to GDPR Compliance Audit

• Causes of Business Control and Data Protection and Informatics
• Categories of Data Protection Control and Informatics
• Data Protection and Informatics Control System Objectives
• Data Protection and Information Technology Control Measures
• Data Protection and IT Control Benefits

3. GDPR Compliance Audit of Procedures, Systems and Infrastructures

• Process Completeness Audit in relation to GDPR requirements
• Control of the input and output of all Processes in order to evaluate how the resulting Personal Data is managed
• Hardware Systems Security Audit
• Security Control of Software Systems

4. Data Protection and Informatics Control Framework

• Data Protection and Informatics Control Standards
• Types of Data Protection and Informatics Controls
• Data Protection and Informatics Audit Methodology
• Internal Audit Procedure

5. GDPR Compliance Check for Data Subjects

Audit and Compliance Measures relating to the following articles:

• Article 5- 10 (Principles governing the Processing of Personal Data, Lawfulness of Processing, etc.
• Article 12 – Transparent Information, Communication and Arrangements for the Exercise of the Rights of the Data Subject
• Articles 13 and 15-22 (Information, Correction, Deletion, etc.)
• Article 34 – Communication of a Personal Data Breach to the Data Subject
• Article 88 – Processing in the context of employment

6. GDPR Compliance Control for Controllers or Controllers

Audit and Compliance Measures relating to the following articles:

• Article 24 – Responsibility of the Controller
• Article 25 – Data protection by design and by default
• Article 26-31 Joint Controllers, Processing Files, etc.
• Article 32- 34 Security of Processing and Notification of Data Breach
• Article 35 – Data Protection Impact Assessment
• Article 37- 39 Data Protection Officer
• Article 44 – 50 Transfer of Personal Data

7. GDPR Compliance Check for Processors or Processors

Audit and Compliance Measures relating to the following articles:

• Article 27 – Representatives of Controllers or Processors not established in the Union
• Article 28 – Processor
• Article 29 – Processing under the supervision of the Controller or the Processor
• Article 30 – Records of Processing Activities
• Article 31 – Cooperation with the Supervisory Authority
• Article 32- 34 Security of Processing and Notification of Data Breach
• Article 37- 39 Data Protection Officer
• Article 44 – 50 Transfer of Personal Data

SEMINAR COST

The cost of participation is 550 euros per person, while in companies with participation for many persons the prices are adjusted appropriately.

CERTIFICATION

Participants are given a certificate of DPO (Data Protection Officer) proficiency, after a score of at least 80/100.