Sincerus on the GDPR: 'Delaying is no longer an option'
The GDPR is just around the corner. We are currently in the transition period, but from 25 May 2018 the new privacy regulation will apply. According to Sincerus, it is important, especially now that cloud computing has taken flight, that organisations take the right measures in time. Processing data in the cloud, replacing servers, and storing or outsourcing business processes usually involve personal data. Precisely because cloud suppliers store or process this data, it is important to make good agreements about aspects such as information security, and also to verify that those agreements are kept.
But what should an organisation be alert to in order to prevent fines and reputational damage? We asked Hans Meijer, Security Consultant at our partner Sincerus. Since 2004, Sincerus has focused on information security (IT security), offering high-quality services to efficiently identify, reduce and prevent (technical) IT security risks.
How big is the impact of the GDPR?
“If companies have already implemented the Personal Data Protection Act (Wbp), the impact of the GDPR is not too bad. The purpose of the law is to better protect the privacy of citizens. They gain more control over what happens to their data. New examples are the right to be forgotten and data portability. Organisations will have to get started with this. Precisely because data is now managed by various partners and suppliers, insight into the entire chain that deals with data is crucial. Organisations that process personal data must record which data is processed, for what purpose, what its origin is and with whom it is shared. And the Dutch Data Protection Authority will enforce all this more strictly.”
Is the fear of high fines justified?
“Although I don’t expect that there’ll be any fines on 25 May 2018, an organisation must be able to demonstrate that it is taking measures to comply with the GDPR. This applies, for example, to the processor agreement. Good information security plays a key role in this. Within the Data Protection Act, ‘adequate’ information security was still sufficient. Because an organisation itself is responsible for the data, even if it’s with a supplier, agreements must be clear, transparent and verifiable. So you have to check for yourself whether a cloud supplier meets the obligations. In addition, certifications such as ISO27001, ISO27002 and NEN7510 or BIR/BIG provide a foundation. Although there are different models, there’s still no widely supported standard for a processor agreement. In my opinion, standardisation is essential for the implementation of the GDPR. With this, aspects such as information security and liability can be arranged in a balanced way. Moreover, investments for large and small organisations will remain manageable.”
What is the role of the data protection officer?
“Organisations that process a lot of personal data are obliged under the GDPR to appoint a Data Protection Officer (DPO). The DPO is responsible for the obligation to report incidents and has an independent position within the organisation. That independence is very important. At the same time, a DPO can only function optimally if privacy is an integral part of the entire organisation, and so part of every process. All employees must be aware of this and take this issue seriously. Although the DPO is independent, cooperation with the Security Officer is indispensable. Effective information protection is a precondition for privacy. Together they can and must safeguard privacy and information security and be active in all processes. In that respect, it’s a good thing that the new legislation forces organisations to properly review their business processes with regard to data and to take the right measures. Postponement is no longer an option.”
For a specialised party such as Sincerus it’s important to cooperate with parties that, like them, attach great importance to information security. “We know that with its ISO27001 and NEN7510 certification, Fundaments meets our security requirements and is assessed on this annually. Moreover, we are assured that with Fundaments all data remains in the Netherlands. That’s why Fundaments is a good partner for us at Sincerus.”
Data in the Fundaments Cloud is guaranteed to remain in the Netherlands, and the integrity of company and customer data remains guaranteed. That’s why we use a processor agreement with our partners, and why our data centres are ISO27001 and NEN7510 certified. Would you like to know more about this? Please feel free to contact us on 088 4227 227 or email us at email@example.com.