
GDPR professional services

The GDPR describes organizational and technical measures that companies must meet to ensure the adequate protection of personal data stored and processed on information systems. On the other hand, as is often the case with regulatory and legislative frameworks, the Regulation does not clearly specify how specific requirements should be met.


The lack of clear guidelines on the measures to be implemented towards GDPR compliance is a serious challenge for companies, and this issue is even more prominent in the segment of technical measures.

Although the GDPR primarily deals with privacy and the protection of personal data, part of the Regulation relies heavily on aspects of information security, that is, on protecting personal data from unauthorized activities and misuse. An example of one of the basic GDPR requirements that addresses privacy from the perspective of information security is Article 32, cited below, although other parts of the Regulation address the same or similar topics.

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

    • the pseudonymisation and encryption of personal data;
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

  2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.


It is precisely in this area that INFIGO IS, with its knowledge and many years of experience in the field of information systems security, from both an organizational and a technical perspective, helps clients align their information systems with GDPR requirements.

An added value of our services is our extensive experience in aligning information systems with different regulatory frameworks and standards, i.e. in defining procedures that enable information systems to comply both with the company's business goals and with the available budgets.

INFIGO IS offers its clients the following services in the area of GDPR consulting:

Planning and development of information system documentation necessary to achieve GDPR compliance
In addition to establishing appropriate processes in the organization and implementing appropriate technical measures, GDPR compliance also requires the development of appropriate information systems documentation. The purpose of this documentation is to define the frameworks and rules governing how personal data is collected and processed, as well as the mechanisms for its protection. By establishing the appropriate documentation, organizations lay the foundation for achieving GDPR compliance and demonstrate their commitment to privacy and personal data protection. When creating this documentation, INFIGO IS ensures that it is adequate, complete, practically applicable and compatible with existing organizational frameworks.
 
Privacy Impact Assessment
For all systems and applications that store and/or process personal data and that pose an increased risk to privacy, the GDPR requires a Privacy Impact Assessment to be carried out. The purpose of this analysis is to allow organizations to identify and evaluate, in a timely manner, all the risks that may be detrimental to the privacy of personal data and to take risk mitigation measures in accordance with the conducted analysis.
 
Planning, designing and implementing security controls to raise the information security and to achieve GDPR compliance

As a company with years of experience in protecting information systems against unauthorized activities and misuse, INFIGO IS offers its clients expert assistance in planning, designing and implementing controls aimed at protecting personal data from internal and external threats, thereby achieving GDPR compliance. INFIGO IS has particularly extensive experience and expertise in the following domains:

  • Implementation of data leakage prevention systems (Digital Guardian DLP)
  • Implementation of security information and event management systems (Splunk SIEM)
  • Implementation of vulnerability management systems (Qualys Vulnerability Management)
  • Implementation of a system for detecting, classifying and protecting personal data in databases, clouds, file systems, etc. (IBM Guardium)
 
Performing penetration tests to detect security failures and shortcomings where personal data is stored
Planning and conducting targeted penetration tests helps companies to proactively, and under controlled conditions, identify security shortcomings and failures that attackers could use to gain unauthorized access to the system and steal personal data. By detecting and removing information system vulnerabilities in a timely manner, companies reduce the risk of penalties resulting from the theft of personal data stored on their information systems.
 
Analysis of procedures for collecting and processing personal data with the aim of detecting GDPR non-compliance
The way in which a company collects and processes personal data, and how it shares it with third parties, is one of the most critical parts of the GDPR. Detailed analysis of these activities and evaluation of their compliance with GDPR requirements enables organizations to proactively identify potential issues and implement the necessary improvements. In addition, special attention is paid to the method of collecting customer consent and to the use of personal data within the company's different business processes. Identified nonconformities are documented and improvements are planned to achieve additional compliance.