How to Meet GDPR Requirements
Effective protection of personal data in ABRA Gen not only meets GDPR requirements: it also offers advanced tools to determine precisely who has access to the selected data and how they handle it.
Does your Information System Protect Personal Data in Accordance with GDPR?
If it does, it can:
- handle the GDPR issues across the entire company – it will not add more work to you, but it will make it easier
- distinguish and protect personal data, even by pseudonymization
- control who accesses the data and how they handle it
- generate the necessary extracts, archive the requests of the persons and, if necessary, enable complete deletion of the data
- monitor and archive all data handling, including their display, and find out what happened with the data anytime
- take into account the granted consents and handling of information on the basis of contracts or law
- protect personal data across different processes, whether it’s wages, finance, marketing or CRM
ABRA Gen information system protects personal data according to GDPR. So ABRA Software provides an effective tool which will help you handle personal data in accordance with GDPR.
Advanced protection of personal and sensitive data in the ABRA Gen system:
New generic system for protecting personal and sensitive data beyond GDPR needs
Tools allowing protection of any item of any object class in ABRA Gen, including user-defined ones
Tools for making excerpts, exports, or deletions of the data, plus an overview of the requests for these tasks, including their resolutions
Encrypted communication between the client and the application server (https)
New Definition of Data Protection agenda, protected by adjustable access rights and related Permission to Data Processing for Personal Data agenda
Different level of user privileges granting access only to authorized users and only for the period for which the consent was granted or for which there was a legal reason
Logging of data processing – including their viewing / displaying
In the basic version, system items in the company and person directories are protected.
Are you starting with GDPR? Do not forget anything important and create an action plan.
Even the best software does not prepare your company for GDPR by itself. Every businessman has to analyze and, if necessary, change corporate processes that work with personal information.
What needs to be done?
Note: Check the steps you need to take, choose the date by when they need to be done, and save the event to your calendar.
- Perform process analysis using FREE form.
- Start obtaining GDPR consents (ABRA Gen can save consents from the current version)
- Consult with a legal adviser (adjusting contracts with customers, suppliers, employees, adapting internal guidelines, etc.)
- Change business processes based on the analysis and consultation.
- Collect all personal data carriers and schedule their destruction, archiving, or overwriting.
- Revise technology and information systems – schedule the implementation of changes (replacement of used SW, linking of individual systems and their correct setting).
- Make the necessary changes to data security, including IT systems alterations, or select a GDPR-compliant system.
- Train employees, including training for the proper use of information systems. Set up data security against leakage and ensure all necessary records.
- Other steps according to business conditions (e.g., assigning the DPO position).
You can also use our PDF form, where you can write important terms and notes.
Any changes to business processes should be consulted with a legal counselor.
GDPR in Detail
What is GDPR
The General Data Protection Regulation (GDPR) is a regulation of the European Parliament and of the Council of the EU governing the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It was adopted in April this year, is binding for all member states and will enter into force on 25 May 2018.
This regulation aims to protect the rights of citizens against unauthorized handling of their sensitive and personal data. These rules respect citizens’ right to data protection regardless of their nationality or residence.
Who Is Affected by GDPR
The protection provided by this Regulation applies to the processing of personal data of natural persons. The protection of natural persons applies to both automated and manual processing of personal data, if such data is stored or is to be entered into record. Data protection principles apply to all information relating to an identified or identifiable natural person.
The Regulation applies to companies, institutions and individuals across all sectors who handle personal data of employees, customers, clients or suppliers.
GDPR also addresses the protection of citizens’ digital rights and includes entities that track or analyze user behavior on the web.
In the event of a serious breach, companies can face penalties and heavy fines (up to €20 million or up to 4% of global annual turnover).
Major Changes Introduced by GDPR
- Citizens have the right to erasure, which extends to the right to be forgotten, i.e. in such cases, the controller must erase all personal data unless there is legal basis for further processing.
- Citizens must be able to access their collected data, ideally directly online.
- Citizens have the right to object to the processing of personal data. On the basis of such an objection, the controller will not be able to process the data further unless it has demonstrable grounds for doing so.
- Personal data now also includes technical parameters such as email, IP address or cookies on the user’s device. A category of genetic and biometric data has also been added.
Obligations Imposed by GDPR on Institutions and Companies
The new GDPR extends and clarifies existing legal standards on the protection and security of personal data. While the basic principles remain unchanged, the following new obligations are imposed on businesses:
- to process personal data only for legitimate purposes and only for as long as necessary
- to secure personal data from unauthorized persons
- to ensure that the subject is notified in case a data leak is detected
- to ensure the data subjects can exercise their right to:
  - a data extract
  - data erasure (the right to be forgotten)
  - data portability
- to keep records of the processing of personal data, to cooperate with the supervisory authority and to make these records available to the latter on request
- to carry out a data protection impact assessment (DPIA)
- in selected cases, to introduce pseudonymization – to process personal data in such a way that it cannot be attributed to a specific person without the use of other information which is stored separately
- to report personal data breaches to the Data Protection Authority and data subjects
- in certain cases, to appoint a Data Protection Officer (DPO)
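The pseudonymization obligation above (personal data that cannot be attributed to a person without other information that is stored separately) and the right to erasure both come down to one design: keep the link between a record and its direct identifiers in a separate store, and make that store the only way back. The following is an added example, not ABRA Gen code or anything from the original page; the vault class, field names and the sample records are constructed for illustration. Tokens are keyed hashes (HMAC) rather than plain hashes, so a party holding only the working data cannot rebuild a token from a guessed e-mail address; non-identifying attributes such as the salary stay usable for processing.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records; no real persons.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "salary": 4200},
    {"name": "Bob Sample", "email": "bob@example.org", "salary": 3900},
]

# Fields that directly identify the data subject (assumed set for this example).
DIRECT_IDENTIFIERS = ("name", "email")


@dataclass
class IdentityVault:
    """The 'other information stored separately': token -> identifier mapping.

    Only this object (its key and mapping) can turn a token back into a person,
    so it must live apart from the working data set, under stricter access rights.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: dict = field(default_factory=dict)

    def tokenize(self, field_name: str, value: str) -> str:
        # Keyed hash: deterministic within one vault (same person -> same token),
        # but not reproducible by anyone who lacks the key.
        mac = hmac.new(self.key, f"{field_name}:{value}".encode(), hashlib.sha256).hexdigest()
        token = f"{field_name}_{mac[:16]}"
        self.mapping[token] = value
        return token

    def resolve(self, token: str):
        return self.mapping.get(token)

    def erase(self, token: str) -> bool:
        # Right to erasure: removing the link leaves the working record anonymous.
        return self.mapping.pop(token, None) is not None


def pseudonymize(record: dict, vault: IdentityVault) -> dict:
    """Replace direct identifiers with vault tokens; other attributes stay as they are."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            out[name] = vault.tokenize(name, out[name])
    return out


def reidentify(record: dict, vault: IdentityVault) -> dict:
    """Restore identifiers; fails if the link was erased or a different vault is used."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            original = vault.resolve(out[name])
            if original is None:
                raise KeyError(f"no identity stored for {out[name]} (erased or wrong vault)")
            out[name] = original
    return out


if __name__ == "__main__":
    vault = IdentityVault()
    working = [pseudonymize(r, vault) for r in SAMPLE_RECORDS]
    print("working data set:", working)
    print("with vault:", reidentify(working[0], vault))
    vault.erase(working[0]["email"])
    try:
        reidentify(working[0], vault)
    except KeyError as exc:
        print("after erasure:", exc)
```

In a real deployment the vault would be a separate database or service with its own access control and audit log, and the key would come from a key store rather than being generated in process; the working data set, which is what wages, marketing or CRM processing touches, never holds the key.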
Basic GDPR terms
What is personal information?
Any information about an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or network identifier, or to one or more factors specific to the physical, physiological, genetic, psychological, economic or social identity of that individual.
DPO
The GDPR creates an entirely new position, the Data Protection Officer, whose establishment will be mandatory for some entities. The main task of the DPO will be to monitor the compliance of the processing of personal data with the obligations arising from the regulation. The DPO carries out internal audits, staff training, and overall management of the internal data protection agenda.
DPIA
A Data Protection Impact Assessment is an expert judgment that must be made by the controller if it is likely that a certain kind of processing, especially one using new technologies, will be high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purpose of the processing.
Data subject
The physical person to whom the personal data relate.
Privacy Manager
Any company, office, or institution that collects, processes and stores personal or sensitive data during its activity.
Personal Data Processor
Any natural or legal person or other entity processing personal data. The processor is anyone who has access to personal data.