The GDPR describes organizational and technical measures that companies must meet to ensure the adequate protection of personal information stored and processed on information systems. On the other hand, as is often the case with regulatory and legislative frameworks, the Regulation does not clearly specify how specific requirements should be met.
The lack of clear guidelines on the measures to be implemented towards GDPR compliance is a serious challenge for companies, and this issue is even more prominent in the segment of technical measures.
Although GDPR primarily deals with privacy and the protection of personal data, part of the regulation relies heavily on aspects of information security, that is, on protecting personal data from unauthorized activities and misuse. An example of one of the basic requirements of GDPR that deals with privacy from the perspective of information security is Article 32 cited below, although other parts of the regulation also address the same or similar topics.
It is precisely this area where INFIGO IS, with its knowledge and many years of experience in the field of information systems security, both from an organizational and technical perspective, helps clients to align their information systems with GDPR requirements.
Added value to our services comes from our rich experience in aligning information systems with different regulatory frameworks and standards, i.e. defining procedures that enable the compliance of information systems with the company's business goals as well as with the available budgets.
INFIGO IS offers to its clients the following services in the area of GDPR consulting:
Planning and development of information system documentation necessary to achieve GDPR compliance

In addition to establishing appropriate processes in the organization and implementing appropriate technical measures, GDPR compliance also requires the development of appropriate information systems documentation. The purpose of this documentation is to define frameworks and rules related to the way personal data is collected and processed, as well as the mechanisms for its protection. By establishing the appropriate documentation, organizations set the foundation for achieving GDPR compliance and confirm their initiatives and focus on privacy and personal data protection. When creating this documentation, INFIGO IS ensures that it is adequate, complete, practically applicable and compatible with existing organizational frameworks.
Privacy Impact Assessment

For all systems and applications that store and/or process personal data and pose an increased risk to privacy, GDPR requires the implementation of a Privacy Impact Assessment. The purpose of this analysis is to allow organizations to identify and evaluate in a timely manner all the risks that may be detrimental to the privacy of personal data and to take risk mitigation measures in accordance with the conducted analysis.
Planning, designing and implementing security controls to raise information security and to achieve GDPR compliance

As a company with years of experience in the field of information systems protection against unauthorized activities and misuse, INFIGO IS offers its clients expert assistance in planning, designing and implementing controls aimed at protecting personal data from internal and external threats, thus achieving GDPR compliance. INFIGO IS has particularly ample experience and expertise in the following domains:
Performing penetration tests to detect security failures and shortcomings where personal data is stored

Planning and conducting targeted penetration tests helps companies to proactively identify, under controlled conditions, the security shortcomings and failures that attackers could use for unauthorized access to the system and personal data theft. By detecting and removing information system vulnerabilities in a timely manner, companies reduce the risk of penalties caused by theft of the personal data that they store on their information systems.
Analysis of procedures for collecting and processing personal data with the aim of detecting GDPR non-compliance

The way in which a company collects and processes personal data and how it shares it with third parties is one of the most critical parts of GDPR. Detailed analysis of these activities and evaluation of their compliance with GDPR requirements enables organizations to proactively identify potential issues and implement the necessary improvements. In addition, special attention is paid to the method of collecting customer consent and to the use of personal data within the company's different business processes. Identified nonconformities are documented and improvements are planned to achieve additional compliance.