Guidelines for Achieving GDPR Compliance

Exciting times we live in! The digital age has opened up a world of possibilities like never before. The internet is nearly ubiquitous and can be connected to virtually any device, resulting in diverse data circulation, exchange, and accumulation.

One can easily pay expenses, share documents, make a purchase, and perform a variety of other daily duties without leaving their residence. This is how modern technology improves our quality of life. Our privacy comes at a price.

As personal information is exchanged online, predators exploit security vulnerabilities. Companies are compromised, and identities, funds, and intellectual property are taken.

Compliance Obligations with GDPR

The General Data Protection Regulation (“GDPR”) was enacted to close data privacy protection vulnerabilities that the obsolete Data Protection Directive was unable to close. The GDPR imposes obligations on businesses from 28 EU member states and regulates how they manipulate data on the EU territory. GDPR requires businesses to exercise due diligence and comply with predetermined data protection principles and processing conditions when storing, accumulating, or transferring data.

According to the GDPR directive, any information pertaining to an individual (name, photo, email address, bank details, location details, medical information, or even computer IP address and updates on social networking websites) shall be considered personal data, and its secure processing must be ensured.

The effective execution of personal data protection strategies is supported by GDPR principles that impose certain restrictions and requirements. The principles stipulate companies’ responsibilities to ensure:

• The subject gave unambiguous legal assent for collecting and processing personal data for legitimate purposes only
• The subject is aware of all personal data processing activities
• Only the information required for specified and explicit purposes is gathered
• The data is accurate and current
• When data is no longer required, it is destroyed or deleted properly
• Data is safeguarded against unauthorized or illegal processing, loss, corruption, or erasure.

Compliance with GDPR Implementation Steps

Most of companies have developed certain strategies within their day-to-day operations to ensure the privacy of their customer’s personal information for a considerable amount of time, based on the extensive guidance that our past project experience provided.

The strategies have been effective for some time now. Reviewing and revising privacy policy in accordance with GDPR’s data protection regulations necessitated a further strengthening of the existing strategies. To ensure compliance with the GDPR, for example, companies like Agiliway revisited data processing operations in the following areas.

Control of Access to Data Processing Facilities

Companies have  implemented the following security measures to prevent unauthorized access to the location where data is processed:

• Entrance to the office building is only permitted with a personal smart key that grants access to corresponding sectors of the office, while biometric authentication is required to obtain the keys to project rooms. The server compartment is only accessible to authorized personnel.
• When an employee departs an organization, their personalized smart card and biometrics record are deleted.
• The office is secured at night and connected to a centralized police surveillance system.  Guards are present on the premises around the clock. The entrance, stairwells, lobbies, and parking areas are outfitted with a video surveillance system.
• Visitors are not permitted unless authorized by management or HR in advance and accompanied by an employee. Guests do not have access to the enterprise network.

Control of Data Processing System Access

To prevent unauthorized access to data processing systems, they also implemented the following security measures:

• Access to project data is granted by management (CTO, COO, SysAdmin (network traces only)) based on an employee’s position and responsibility
• The company password policy protects internal systems (CRM, HR, accounting, project management, etc.) and client project folders
• A firewall configured on a router controls inbound traffic
• The processing of data is not outsourced to a third party.

Data Access Control

The team can only collect and process data authorized to be accessed per the access rights granted by the data subjects. Personal information cannot be accessed, stored, copied, modified, transferred, deleted, or shared with unauthorized parties. It is carried out by:

• Obtaining the consent of the customer for data processing under the GDPR.
• Before granting access to data, every new employee must execute a nondisclosure agreement.
• Modifying the access permission whenever an employee’s position, function, or departure from the company changes.
• Locking all accesses, returning documents/materials, reassigning active duties, returning computers and other devices, disabling corporate emails, barring personal smart-key, and removing fingerprints from the database, etc.
• Reformatting obsolete data carriers and eliminating all unnecessary documents with shredder devices.
• Encrypting all laptop hard drives to safeguard information.
• When the project or support/warranty period concludes, access to documents is restricted.

Control Separation of Data Processing for Distinct Purposes

The following actions ensure that personal data collected from various clients and for different purposes are processed separately:

• Access permission control is implemented to grant positions access to the specified information set.
• Data is stored in various locations. Typically, we do not transmit data from client servers, as only project-related employees are granted access by the client.
• Unless our DevOps are requested, the client’s internal IT department is responsible for production deployment.

Data Transmission Management

Under GDPR provisions, the controller or processor may only transmit personal data if adequate protections are provided. It ensures data security during international data flows by:

• Signing a Personal Data Transfer Contractual Clauses with the data subject to define the conditions and obligations under which the data processor performs data processing operations.
• Accessing and/or processing data on the client’s server or document storage. Otherwise, Secure VPN and protocols Download documents containing personal data via SSL.
• Transmitting only electronic data via VPN, and SSL.
• Appointing a data protection officer who monitors the company’s compliance with GDPR.

Data Availability Supervision

It takes specific precautions to secure personal information from accidental destruction or loss. The implemented measures include:

• Prevent service interruptions in data centers (uninterruptible power supply, air-conditioned server rooms, smoke detection system).
• Automatic server/database startup from a specified backup.
• Utilizing AWS, and Azure cloud services with EU-based servers to host client data and store backups.
• Encrypting data archives.

As soon as GDPR went into effect, companies reviewed its business processes to ensure they were compliant with the regulation governing the processing of personal data and implemented the necessary changes to remain vigilant against data breaches.

By instituting appropriate technical and organizational measures, educating employees, updating contracts, and securing the environment, we guarantee that no malicious intent will go undetected by our customers.