GDPR Compliance Project

Data search, identification and classification and employee GDPR training

  • Do you have business information on your computers and servers?
  • Do you know where they are and whether they are only there where you think they are?
  • Have you grouped  the data according to their importance?
  • Can everyone access confidential data or just authorised personnel?
  • Do you restrict external access to confidential data? Is the data protected from unauthorised access? Is it encripted or protected by a different data protection technique? Is the data encripted upon creation?
  • Are the employees aware of the importance of data protection?
  • Are the employees trained in processing data in compliance with the GDPR?

Assigning permission to employees

  • Are the user access permissions clearly defined?
  • Is it clearly defined what each employee’s responsibilities in compliance with the GDPR requirements are? Who is accountable for managing the exercise of natural persons’ individual rights guaraneed by the GDPR?
  • Do you know who is accountable in the event of data loss?
  • Are any of your employees in charge of monitoring data access activities?
  • Are the persons responsible for monitoring and auditing confidential data (DPO and CISO) well resourced to be able to easily control, report back in a timely manner and prevent the incidents from happening?

Monitoring employee efficiency and loyalty and the efficiency of data flows

  • Do you know how efficient your employees are? When did they start working, what did they do during working hours, who did they communicate with and how? Do they need assistance when performing tasks?
  • Do you know each employee’s work performance at the the end of the month?
  • If your employee is  demanding higher salary, do you have mechanisms to ascertain whether this is realistic or not? Do you have mechanism to reward your employees?
  • Do the employees make comments about the company matters on social networks or blogs during working hours? Do they post negative comments in public?
  • Do you control data flows both within and outside your company? Does network congestion occur? Can you efficiently identify and resolve network congesion?
  • Is work from remote locations an option for your employees? Is it safe? Do you supervise employee’s working activities, communication channels, access to confidential data, and respond in a timely manner to prevent any incidents?

Monitoring communication channels

  • How do your employees exchange information among themselves? And with business associates outside the company?
  • Are your employees allowed to use social networks and messinger in your business environment? Do they comply with this regulation?
  • Is it possile to respond in a timely manner if an employee accidentally starts sending an email to a wrong address?
  • Do you track the flow of your data (emails, social networks, external devices, etc.)?
  • Have you ever considered in which other ways, apart from a tête-à-tête private conversations, can confidential data be shared and disclosed? For example, via IP telephony system or a conference call app. By posting information on social networks. Writing a blog or chatting over a cup of coffee with colleagues from another companySending an email with or without documents in attachment. Printing out a document. Storing your data in the cloud. Either business or private, secure or non-secure. Downloading or uploading data from storage units. Copying the data on a USB or an external disc. Or simply, while in a hurry to finish work for the day, you forget that you have left important data on your computer’s local hard drive.
  • Do you monitor all these communication channels?

Business communication archiving, using gathered evidence for legal purposes

  • Does your system have a suitable digital archive of events that makes reconsrtuction possible?
  • Is such an archive admissible as evidence in the court?

Preventing internal and external incident and analitical investigation of the event sequence

  • Do you own a tool that enables you to block actions by using AND/OR functions? Can you clearly define who can do which actions, without worrying whether these demands are put into practice?
  • Can you check which employee and when searched the data of natural persons by certain parameters (ID, address, telephone number, email, bank account, medical history, etc.)?
  • Do you use sophisticated tools that enable you to reveal fraud attempts committed by changing the extention file or using synonyms when sending documents?
  • Can you prevent copying of confidential data? Can you establish who tried to do it?
  • Does your system warn you in case of unauthorised access?
  • Are you equipped with tools that warn you against any illegal activity without undue delay?
  • Can you prevent an employee from copying data on an external device, eg.a USB? Or from uploading the data into the system?
  • In the event of loss, alteration or unauthorised access to the data, do you know how it occured?

Reports and graphic representation of gathered data

  • Do you own a tool that informs the security department about incidents in real time?
  • How do you report about security matters on a daily/ weekly/ monthly basis?
  • Do you need a tool that graphically represents all the interactions your employees have with others during working hours and all the apps that were used?

A flexible modular solution

With more companies offering work from different locations, and not just the office, employers face some new demands and challenges. We present you with a software solution that enables you to monitor the work of your employees who do not work on company premises, but in a different city, country or different continent. SecureTower allows you to not only monitor data flows but also timely prevent either deliberate or accidental alienation of your data. It notifies you promptly about any incidents and provides further investigation of the events that presented danger to your company. All this allows your employees to feel safer in their working environment, as they now know there is a technology that can rectify potential mistakes and warn them of danger, both internal and external.

This software was developed primarily for data leak protection, but it also efficiently monitors staff performance, and in this way stimulates the staff to achieve better results because evaluation of their work performance is objective. Monitoring data flows within network infrastructure makes it possible to identify network bottlenecks and, by fixing them, enhance work efficiency.

In addition to the staff in digital security departments who receive notifications in real time and the employees in charge of compliance of business with legislative norms, different graphic reports that are sent on a daily basis enable higher managment staff to realistically see the situation in the company and react in a timely manner in the event of anomalies.

It should be stressed that SecureTower is a software solution based on a client-server platform which guarantees that the gathered data about staff performance does not leave the company’s information and communication system.

Finally, this is an option that enables you to distribute you budget rationally: SecureTower is a flexible modular solution that can be partially implemented, depending on the real business requirements. The users just need to clearly define their requirements based on the functionality of the software and and will soon realise what a powerful tool they have got.

Managing Personal Data Governance and Accountability
  • Do we take responsibility at all levels of the organization, for complying with the GDPR and understand the associated business/personal impacts and risks?
  • Do we monitor compliance with our own data protection policies and regularly review/update them for effectiveness?
  • Do we have effective processes in place to ensure our staff are aware of and know how to comply with data protection policies and procedures?
  • Do we maintain records and documentation related to all of our data protection and processing activities?
Data Protection by Design and by Default
  • Do we integrate data privacy and protection into all business processes, from beginning to end?
  • Do we take proactive measures to ensure that personal data is protected by default in any IT system, from its creation to its destruction?
  • Do we only collect and process personal data that is sufficiently adequate and relevant to fulfill our specified business purposes?
  • Do we minimize the amount of personal data we hold and periodically delete any data we don’t need?
  • Do we have effective processes in place to ensure the accuracy of any personal data we create or obtain?
Data Protection Impact Assessments (DPIA)
  • Do we understand when we must conduct DPIAs and have processes in place to perform them?
Lawful Bases for Processing Data
  • Do we have identified, documented, and communicated our lawful bases for processing personal data?
  • Do we have effective processes in place where consent is our lawful basis, to ask for, obtain, and record initial consent for a specific processing purpose, and to manage ongoing consent?
  • Do we can show where legitimate interest is our lawful basis, that the processing is necessary to achieve it and that it is balanced against individual interests, rights, and freedoms?
  • Do we have legal or official authority when we process criminal offense data?
  • Do we have identified and documented at least one of ten required conditions for processing per the GDPR Article 9 when we process special category data?
Data Protection Officers (DPO)
  • Do we have appointed a sole DPO voluntarily and/or because we understand that the type of data processing we conduct requires us to do so?
  • Do we have defined the reporting structure and tasks of the DPO according to the GDPR requirements?
  • Do we have published the contact details of our DPO and provided them to the appropriate supervisory authority?
Processor Contracts
  • We have written contracts in place with any processors we use that include the specific details and terms required by the GDPR?
Considerations for Children
  • Do we have designed all of our GDPR compliance processes so that a child (and the child’s parent or guardian) can easily understand their rights and any risks to their personal data, if we provide services directly to children?
  • Do we have processes in place to mitigate any risks to children gaining access to our services, if we do not provide services directly to children?

Managing Personal Data Inventories
  • Do we have conducted a comprehensive information audit to identify, classify, and record the location of all personal data our organization holds, across all enterprise repositories on premises and in the cloud?
  • Has all personal data held by our organization been identified and classified by protection status (e.g., encrypted, masked, exposed)?
  • Do we have effective processes in place to identify, classify, and document any personal data that enters the enterprise?
  • Do we scan our data repositories on a regular basis to discover any personal data that is exposed or unprotected?
  • Do we are able to identify and assess potential risks to data security, privacy, or compliance based on the results of initial and recurring information audits?

Managing the Protection of Personal Data
  • Do we have defined data access and data protection policies that are appropriate for the nature/scope of our data processing activities?
  • Do we have effective processes in place to ensure the confidentiality, integrity, and availability of the systems and services we use to process personal data?
  • Do we encrypt personal data where it is appropriate to do so, whether upon creation, before transmittal, or after storage of the data?
  • Do we pseudonymize personal data where it is appropriate to do so, whether upon creation, before transmittal, or after storage of the data?
  • Do we proactively delete personal data when it is no longer needed?
  • Do we actively monitor personal data access activity and immediately alert data owners of any suspicious or unusual activity?
  • Do we have effective processes in place to restore access and availability to personal data in a timely manner in the event of a physical or technical incident?
  • Do we have effective processes in place to test the strength of our security measures and perform any required improvements (internal audits)?
  • Do we have effective processes in place to protect personal data as it is being shared or transferred (in-flight)?
  • Do we take sufficient measures to protect personal data that is transferred outside the European Union to be processed by others on our behalf?

Managing the Exercise of Individual Rights
Right to be Informed
  • Do we have effective processes in place to provide privacy information to individuals at the time we collect their personal data. This information includes: our lawful basis and purpose for processing the data, how long we will retain the data, and with whom we will share the data?
  • Do we have effective processes in place, if we obtain personal data from a third-party source,  to provide privacy information to individuals upon initial communication or within one month of obtaining the data.
Right of Access
  • Do we have effective processes in place to fulfill individual requests to access their personal data without undue delay and within one month of the request?
Right to Rectification
  • Do we have effective processes in place to fulfill individual requests to correct or complete any personal information we hold within one month of the request?
Right to Erasure (Right to be Forgotten)
  • Do we have effective processes in place to fulfill individual requests to have their personal data permanently erased or deleted within one month of the request?
Right to Restrict Processing
  • Do we have effective processes in place to fulfill individual requests to restrict the processing of their personal data within one month of the request?
Right to Data Portability
  • Do we have effective processes in place to fulfill individual requests to receive their personal data or have their data transmitted to another controller. We can provide this data securely in a structured, commonly used, and machine-readable format within one month of the request?
Right to Object
  • Do we have effective processes in place to respond to an individual’s objection to the processing of their personal data within one month of the request?
Rights Related to Automated Decision-making and Profiling
  • Do we have effective processes in place to document, justify, and restrict automated decision-making and profiling, as well as to provide individuals with related privacy information?

Managing Breaches of Personal Data
  • Do we have effective processes in place to identify a breach of personal data as soon as possible?
  • Do we have effective processes in place to assess the impact and scope of a personal data breach. This includes determining: what data was accessed, altered, destroyed, or exposed; how and when the accidental or unlawful activity occurred; the likely risks to individuals; and the measures required to mitigate adverse effects?
  • Do we have effective processes in place to resolve or mitigate the effects of personal data breach?
  • Do we have effective processes in place to notify affected individuals of a high-risk breach of personal data without undue delay?
  • Do we have effective processes in place to report a high-risk breach of personal data to the right supervisory authorities within 72 hours?
  • Do we have effective processes in place to document all breaches of personal data, regardless of risk level or need for notification?