Privacy, the point on the GDPR for professional firms

Clients' privacy rights are of primary importance for all professional firms. A summary of the most important adjustments required by the new European privacy law (GDPR) can be useful for drawing up a checklist of outstanding obligations and for choosing software tools that support the measures taken.

The General Data Protection Regulation (GDPR) entered into force in all member states of the European Union on 25 May. Made operational after several years of work by the European Commission, it has a twofold objective:

  1. Give the user/customer the opportunity to fully control their own personal data
  2. Streamline the regulations on personal data that companies had to follow to the letter

As highlighted in the guide produced by iLitigation, a reference management software for accountants, lawyers and labor consultants, the GDPR has established a series of rules to be followed in the protection and processing of personal data. Let's see what the main aspects are.

THE NEW PRIVACY INFORMATION ACCORDING TO THE GDPR

Every professional firm is obliged to present clients with a privacy notice on personal data before proceeding with the actual processing. The GDPR makes very significant changes to the information that must be provided within the document. Furthermore, the General Data Protection Regulation asserts that in this historical era, founded on the internet and on digital tools, this requirement is fundamental for the protection of customers' personal data.

In addition to the typical items included in every privacy notice (data controller, purposes for which the data are collected, etc.), the GDPR has added an important novelty: there is an obligation to indicate the retention periods for the personal data. This is a fundamental innovation in an era where, thanks to Google Drive or iCloud for example, it is possible to store collected data forever, at very low cost.

IDENTIFY THE LEVEL OF RISK IN THE PROCESSING OF DATA

The first step is to identify the most sensitive personal data and weigh the risk that the customer would run if there were an unauthorized disclosure of the data collected about them. In the workplace, practicing a profession on your own or in a firm inevitably implies the processing of sensitive data which, according to the GDPR, deserve enhanced protection.

These data, defined as "particular" by the GDPR, are related, for example, to the client's state of health, to minors or to legal proceedings or convictions.

THE MOST EFFECTIVE PROTECTIVE MEASURES TO AVOID AND MANAGE IT INCIDENTS

Sometimes a cyber incident occurs. This can happen when you lose a USB stick that holds personal data, or when a virus damages the collected data held in the archive of a professional firm.

The GDPR sets itself the goal of putting in place measures that anticipate individual IT incidents and, if they occur, are able to protect the customer's rights. This analysis must take into account the nature of the data to protect, the concrete risks that could materialize and the expected costs of putting the protection measures in place. The most concrete and dangerous risks concern the loss, modification or accidental destruction of data and unauthorized access to it.

PROTECT SENSITIVE CUSTOMER DATA

To protect sensitive customer data, we proceed by following two distinct procedures:

  • Pseudonymization of information
  • Data encryption

Pseudonymization of information makes the data archive collected by the professional firm impenetrable, except in the case in which the information is combined in a completely automatic way. Data encryption, instead, obscures the data by creating a series of undecryptable data. These procedures are applied exclusively to those matters which, according to the GDPR, deserve specific protection.

Image credits: Thought Catalogue
