Are you processing personal data within an IT system? Adjust it to GDPR - part 1
The General Data Protection Regulation, more widely known as GDPR, comes into force on the 25th of May this year. It is a great change from the point of view of businesspeople. How should companies that process the personal data of their clients in IT systems prepare for it? What should you require of your IT partner within that scope? [Interview with Maria Zagożdżon, CEO of Programa™.]
GDPR is currently the main topic among the Polish business community. Some people talk of revolution in personal data protection and others claim that the new law introduces very few changes. Meanwhile, the media intimidate us with penalties. What is the IT industry’s perspective on that?
I have been watching the debate on GDPR for a while now. The media talk about the changes in the law mainly through the prism of multi-million penalties, because this is something that stirs the imagination. I think that the objective of the legislator was rather to make both parties to this relationship - the business and the client - feel secure within it and to base this relationship on honesty. Also, to make sure that business, the IT business included, approaches the matter of privacy protection reliably.
What does “reliably” mean in this context?
I would like to refer the issue of reliability to the field that is close to me, focusing on collaboration with providers of IT solutions. It is very important for them to have knowledge of the changes that GDPR introduces and to implement the appropriate procedures inside their organisation. Only then will they be able to adjust the systems of their clients to the new regulations.
I can put forward a bold thesis that, to some extent, the degree to which an IT provider is prepared for GDPR determines the safety of business of their clients.
How can I check whether the IT partner I collaborate with approaches the issue of GDPR seriously?
GDPR is not a list of specific guidelines that have to be met one by one in order to adjust to the new requirements. However, it defines the framework for the businesspeople to move within.
In the context of software development companies, I would distinguish two main fields requiring verification. On the one hand, I would check whether and how the IT provider prepared itself “internally” for GDPR, and on the other, I would analyse in detail its competences in adjusting systems to the new regulations and how it can help me with it.
What should one ask about, then?
How the provider cares for the personal data from my system and to whom it entrusts them. What security measures and procedures it applies in the case of, e.g., a data leak. How it uses the equipment, both stationary and mobile, intended for working on my system.
It is better to be safe than sorry when a fire breaks out.
Should the provider have this information written down in an official document?
Up until now, companies were obligated to have a Security Policy. At present, this document is not mandatory, but describing how the data is secured in the form of an adopted policy is a very good practice.
As a rule, a Security Policy includes information on the ways personal data is processed, as well as the technical and organisational means ensuring protection of the personal data processed. In Programa, the standard practice is a written document that all the employees become familiar with and confirm that by signing it. Our clients require that from us.
Is a Security Policy a sufficient document to ensure that an IT partner cares properly for personal data protection?
Not exactly. Personal data protection is a continuous process. It does not amount to a one-off performance of specific activities, or an attitude such as “I wrote down a Security Policy in 2012 and that is enough”. The legislator is also aiming at making businesspeople approach the issue of personal data protection comprehensively.
At our company it looks like this: in every project, we designate a person responsible for the protection of personal data, and we also introduce appropriate data security measures and implement procedures related to data protection. What is absolutely fundamental is regular team training within the scope of personal data protection. Importantly, we take data protection into account already at the IT system design phase.
What about the system itself - how should we adjust it to GDPR?
That depends - mainly on the scope of data processing within the system. Systems differ, and every solution requires an individual approach.
It is best to choose one of two ways: either write down on one’s own exactly what kind of data processing activities take place within the system and analyse the legislator’s guidelines within that scope, or commission an experienced IT provider to carry out an audit and implement the changes required.
While caring for the compliance of systems with the new regulations is an obligation of the entrepreneur, it would be great if the initiative to make changes came from your IT provider, familiar with the very basics of your system.
We knew that many of our clients lose sleep over GDPR, so early on we designated a team of engineers dedicated to analysing the compliance of our clients’ systems with the new regulations. Thanks to that, we have created a concept for the development of systems which - according to our own knowledge and that of our lawyers - meets the expectations of the legislator and supports our clients in the safe conduct of business. Many of these suggestions are already at the implementation stage.
It seems that the success in adjustment of an IT system to GDPR depends heavily on the IT partner.
If you process personal data in an IT system, then it is true that the provider of IT solutions bears a great responsibility for the protection of the personal data on which the security of your business depends.
Thus, it is in your best interest to verify the degree to which your IT partner is ready for GDPR, as well as how well your IT system is adjusted to the new regulations.
[You will find the further part of this interview, where we discuss case studies related to securing sensitive data and pseudonymisation, in the following articles belonging to the #GDPR series.]
The interview with Maria Zagożdżon, CEO of Programa, was carried out by Patrycja Matuszak-Jastak.
Are you ready for GDPR? If you need help in adjusting your IT system to the new regulations, write a short email to firstname.lastname@example.org or call +48 577 196 681 - get to know us and let us know you!