The General Data Protection Regulation is an EU regulation concerning the data protection and privacy of EU citizens’ personal information. To this end, guidelines have been defined for entities that collect or process personal information.
Personal information is any detail about an individual (not a corporation) that enables his/her identification, for example, name, I.D. number, location information, genetic information, financial information, cookie IDs, and IP address. The purpose of the regulation is to protect citizens in all matters related to the processing and disclosure of their personal information. The goal underlying the guidelines is to return control to the citizen regarding the disclosure and use of his/her personal information.
For whom is the regulation intended?
The GDPR imposes strict guidelines on any entity that processes, stores, and uses information of European citizens, even if it does not operate from within the EU territory.
Therefore, any entity engaged in marketing products or providing services that involve the personal information of EU citizens is subject to the GDPR, whether it owns the database (controller) or only processes the data (processor) on behalf of the owner of the information. Consequently, whenever a controller engages a third party to process the information, it must have that third party sign a Data Processing Agreement (DPA).
What are the advantages of the certification?
- It enables compliance with the requirements of the European market.
- It facilitates CCPA preparations for the U.S. market.
- It prepares the organization well for the requirements of the Israeli Privacy Protection Law.
What are the test highlights?
Whether you are the database owner (controller) or just processing the information for others (processor), you must examine the organization from the legal and information security aspects. The solution will include the following topics:
- Preparing the legal paperwork that befits the organization.
- Formulating inter-organizational controls.
- Examining how to work with suppliers and verifying Data Processing Agreements (DPAs).
- Drafting appropriate procedures.
- Inspecting the company’s computer infrastructure and information systems where personal information is processed to ensure they are protected and secured as required.
GDPR assessments are not trivial. They are complex assessments at both the legal and technical levels. Madsec cooperates with a senior law firm, and together we offer our clients a complete and accurate legal solution and professional advice in the field of information security of the relevant systems.