How to Meet GDPR Requirements

Effective protection of personal data in ABRA Gen will not only meet GDPR requirements – it offers advanced tools to precisely determine who has access to the selected data and how he / she handles them.

ABRA fully supports GDPR

Does your Information System Protect Personal Data in Accordance with GDPR?

If it does, it can:

  • handle the GDPR issues across the entire company – it will not add more work to you, but it will make it easier
  • distinguish and protect personal data, even by pseudonymization
  • control who accesses the data and how he / she handles them
  • generate the necessary extracts, archive the requests of the persons and, if necessary, enable complete deletion of the data
  • monitor and archive all data handling, including their display, and find out what happened with the data anytime
  • take into account the granted consents and handling of information on the basis of contracts or law
  • protect personal data across different processes, whether it’s wages, finance, marketing or CRM

ABRA Gen information system protects personal data according to GDPR. So ABRA Software provides an effective tool which will help you handle personal data in accordance with GDPR.

Advanced protection of personal and sensitive data in the ABRA Gen system:

New generic system for protecting personal and sensitive data beyond GDPR needs

Tools allowing protection of any item of any object class in ABRA Gen, including user-defined ones

Tools for making excerpts, exports, or deletions of the data, and an overview of the requests for these tasks, including the solutions

Encrypted communication between the client and the application server (https)

New Definition of Data Protection agenda, protected by adjustable access rights and related Permission to Data Processing for Personal Data agenda

Different levels of user privileges granting access only to authorized users and only for the period for which the consent was granted or for which there was a legal reason

Logging of data processing – including their viewing / displaying

In the basic version, system items in the company and person directories are protected.

Effective protection of personal data in the ABRA Gen system will not only meet GDPR requirements – it offers advanced tools to precisely determine who has access to the selected data and how he / she handles them.

We reply to your questions.

This is not the case, a properly functioning information system is just one of many points that need to be addressed before the European regulation comes into force. It is necessary to get the necessary consents, adjust the contracts and internal guidelines, train the employees, and set up the information system in use properly with regard to the specific processes in the company. All the steps you need to manage GDPR successfully are summed up for you on our site.

No, like any information system, ABRA Gen needs to be set up and used correctly – if, for example, there is a personal number in an item that is not intended for processing of personal numbers (e.g. in the IČ item) or the consent is not processed, data protection will not be guaranteed. In the beginning, it is necessary to analyze the processes in which personal data are processed and, in due course, to adjust everything that needs to be adjusted. Then the system offers a high level of security.

It will not be possible to process personal data without a legal reason. Consent is one of them. Other reasons may include, for example, contract or legal requirements (for example, archiving of contracts, statutory guarantees, etc.). In the ABRA Gen system, it will be possible to record the legal basis on which the data can be handled, whether, for what purpose and for how long consent has been given, or by what legal period it is possible or necessary to delete the data. For specific settings and data handling, it is advisable to first analyze all types of data and consult the optimal course of action with a legal counsel.

Defined patterns will be created that users will be able to use to work with personal information or use for custom settings. However, it will be necessary to set the data to be protected from the outset, to determine the level of entitlement for different persons (e.g. some data will be seen by the salary accountants, other data by the owner of the company) and to consider in advance any necessary modifications of the system according to their specific needs. For this purpose, it is best to first analyze all business processes that deal with personal data. In the basic version of ABRA Gen, the specified protection group items will be available for free; more advanced security can be addressed within an extended version of the system or customized.

Data protection will run organically through the whole ABRA Gen system; it can be set on all defined fields with personal data and will work the same way in the cloud or through the API.

Are you starting with GDPR? Do not forget anything important and create an action plan.

Even the best software does not prepare your company for GDPR by itself. Every businessman has to analyze and, if necessary, change corporate processes that work with personal information.

What needs to be done?

Note: Check the steps you need to take, choose the date by when they need to be done, and save the event to your calendar.

  • Perform process analysis using FREE form.
  • Start obtaining GDPR consents (ABRA Gen can save consents from the current version)
  • Consult with a legal adviser (adjusting contracts with customers, suppliers, employees, adapting internal guidelines, etc.)
  • Changing business processes based on analysis and consultation.
  • Collect all personal data carriers and schedule their destruction, archiving, or overwriting.
  • Revise technology and information systems – Schedule the implementation of changes (replacement of used SW, linking of individual systems and their correct setting).
  • Make the necessary changes to data security, including IT systems alterations, or select a GDPR-compliant system.
  • Employee training, including training for the proper use of information systems. Set up data security against leakage and ensure all necessary records.
  • Other steps according to business conditions (e.g., assigning the DPO position).

You can also use our PDF form, where you can write important terms and notes.

Download the interactive form Analysis of Personal Data Processing for GDPR Purposes (EN)

Any changes to business processes should be consulted with a legal counselor.

GDPR in Detail

What is GDPR

The General Data Protection Regulation (GDPR) is a regulation of the European Parliament and of the Council of the EU governing the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It was adopted in April this year, is binding for all member states and will enter into force on 25 May 2018.

This regulation aims to protect the rights of citizens against unauthorized handling of their sensitive and personal data. These rules respect citizens’ right to data protection regardless of their nationality or residence.

Who Is Affected by GDPR

The protection provided by this Regulation applies to the processing of personal data of natural persons. The protection of natural persons applies to both automated and manual processing of personal data, if such data is stored or is to be entered into record. Data protection principles apply to all information relating to an identified or identifiable natural person.

The Regulation applies to companies, institutions and individuals across all sectors who handle personal data of employees, customers, clients or suppliers.

GDPR also addresses the protection of citizens’ digital rights and includes entities that track or analyze user behavior on the web.

In the event of a serious breach, companies can face penalties and heavy fines (up to €20 million or up to 4% of global annual turnover).

Major Changes Introduced by GDPR

  • Citizens have the right to erasure, which extends to the right to be forgotten, i.e. in such cases, the controller must erase all personal data unless there is legal basis for further processing.
  • Citizens must be able to access their collected data, ideally directly online.
  • Citizens have the right to object to the processing of personal data. On the basis of such an objection, the controller will not be able to process the data further unless it has demonstrable grounds for doing so.
  • Personal data now also includes technical parameters such as email, IP address or cookies on the user’s device. A category of genetic and biometric data has also been added.

Obligations Imposed by GDPR on Institutions and Companies

The new GDPR extends and clarifies existing legal standards on the protection and security of personal data. While the basic principles remain unchanged, the following new obligations are imposed on businesses:

  • to process personal data only for legitimate purposes and only for as long as necessary
  • to secure personal data from unauthorized persons
  • to ensure that the subject is notified in case a data leak is detected
  • to ensure the data subjects have the right to:
    • a data extract
    • data erasure (the right to be forgotten)
    • data portability
  • to keep records of the processing of personal data, to cooperate with the supervisory authority and to make these records available to the latter on request
  • to carry out a data protection impact assessment (DPIA)
  • in selected cases, to introduce pseudonymization – to process personal data in such a way that it cannot be attributed to a specific person without the use of other information which is stored separately
  • to report personal data breaches to the Data Protection Authority and data subjects
  • in certain cases, to appoint a Data Protection Officer (DPO)

Basic GDPR terms

What is personal information?

Any information about an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is a natural person that can be identified directly or indirectly, in particular by reference to a particular identifier such as name, identification number, location data, network identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic or social identity of this individual.

DPO

The GDPR regulation creates an entirely new position, the Data Protection Officer, whose establishment will be mandatory for some subjects. The main task of the DPO will be to monitor the compliance of the processing of personal data with the obligations arising from the regulation. The DPO carries out internal audits, staff training, and overall internal data protection agenda management.

DPIA

A Data Protection Impact Assessment is an expert judgment that must be made by an administrator if it is likely that a certain kind of processing, especially when using new technologies, taking into account the nature, scope, context and purpose of the processing, will be high risk to the rights and freedoms of individuals.

Data subject

The physical person to whom the personal data relate.

Privacy Manager

Any company, office, or institution that collects, processes and stores personal or sensitive data during its activity.

Personal Data Processor

Any natural or legal person or other entity processing personal data. The processor is anyone who has access to personal data.

Do you have more questions about GDPR?
