The new General Data Protection Regulation of the EU (GDPR) will be applicable as of May 25, 2018 in all EU countries, replacing or complementing the personal data protection regulations that already existed in each country. This regulation aims to protect the processing and storage of personal data of EU citizens by granting or expanding a series of rights that improve their decision-making and control over them, regulating new obligations that companies must comply with in this area, and toughening the sanctions for their eventual non-compliance.
This post is not intended to be a guide to implement the regulation, but an informative document about the current capabilities of RPS, and those that are planned in the short term, to facilitate companies to comply with and adapt to the new regulation.
With the GDPR, companies must adapt to the new regulation by reviewing their information systems in the field of security and the privileges of access to personal data, but for GDPR it is especially relevant also, the duty of companies to adapt their procedures and internal regulations for obtaining, documenting, managing, storing and protecting the data.
SECURITY AND PRIVILEGES
Regarding security and access privileges, RPS currently provides enough tools and utilities to facilitate the company’s compliance of the regulation. Although the method to be followed is not specified in detail in the regulation, RPS proposes the following functionalities:
- Access to the data through a secure username and password. The system administrator must ensure that all users are defined by requiring password policies and requiring password expiration.
- Through the security of RPS, users and roles could be defined, assigning different access permissions to personal data, either through menu accesses or screen personalization, in such a way that they only have access to personal data by legitimate users for processing and not by any other user.
- Documents of the Document Manager that contain personal data could, through the security of RPS, have access rights granted only to users legitimated for processing and not any user.
- In RPS, data and documents are accessed exclusively through the application server, that is, users do not have direct access to the database (ODBC, Excel, etc.) nor to the file folders. Those users of RPS who have client / server access, 2 layers, could be at risk of vulnerability and should review it. In most cases, it would be enough to eliminate the direct shortcuts to the database or file folders.
- In RPS, the “Entity tracking” function could be enabled over those entities and personal properties. In this way, the system would record an audit of users who create or modify personal data.
From the point of view of the internal procedures of the companies, they must identify the personal data they store, what are the objectives of storing this data and what processes apply to them. They must also define the internal procedures that will be applied to request consent for the processing of personal data to a citizen and the procedure to be applied when a citizen exercises his rights of cancellation, rectification, elimination, etc.
In this area of internal procedures, RPS proposes with its BPM module, a tool to document the processes and sub processes of the company, it is a tool in the declarative scope of how these procedures should be deployed, as well as improvement actions.
Additionally to BPM module, and with the aim of further facilitating compliance with the regulation with RPS in the operational aspect, we announce the development of a series of utilities in the administrator layer to facilitate the company’s identification of personal data and procedures which should be applied to them:
- Definition of what entities and properties are personal data. In the standard these are: the employees, contacts of customers / suppliers, commercial agents and the customers / suppliers themselves that are not companies but physical persons. Additionally, it must be taken into account that RPS also has a customization tool that allows adding properties and personalized entities in each installation and therefore this identification of personal data must be able to be configured in each installation and always under the responsibility of the administrator user.
- Definition of what properties are identifying persons, ie the name and ID, perhaps the address and other information. This function must also be open to possible customizations made by administrators. This identification is necessary in the case of anonymization of personal data.
- For each of the entities of a personal nature, the following procedures are documented in different “memo” fields:
- Purpose / Purpose for which the company records this data and what type of operations are carried out.
- Informative text or template through which the person is informed of their cancellation and elimination rights.
- Description of the procedure for obtaining data, registering, notifying the person and the consent of the person.
- Identification of risks, as well as actions to minimize the probability of occurrence and actions to mitigate the impact.
These help tools for the RPS administrator can be installed independently in each installation, in RPS 2017 or 2015, and will be available before July 6, 2018 for customers with an active maintenance contract.
It should be remembered that this regulation is new, and although it was published in May 2016, its application began on May 25, 2018. There is no experience in its applicability and practicality. Taking this into account, and to the extent that it will be deployed, improvements in RPS will be incorporated to facilitate compliance if necessary.