GDPR Compliance and Software Consulting

Be GDPR compliant

Get to know all the GDPR requirements that every European company should adopt

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. It includes hundreds of pages’ worth of new requirements for organizations around the world.

  • All European companies must be GDPR compliant.
  • In Spain, you must comply with both the Spanish data protection law (LOPD) and the GDPR.
  • Update your data protection policies and best practices with us.

Is my company obliged to comply with the GDPR?

The LOPD is the Spanish data protection law, while the GDPR is the European regulation. Both must be applied in Spain until an updated LOPD that incorporates the new GDPR requirements is published.

GDPR compliance has been mandatory since May 25th, 2018. It applies to the total or partial processing of personal data by controllers or processors established in the EU, and also to those not established in the EU if their processing is aimed at EU citizens.

Spanish companies that process personal data are obliged to comply with this new regulation and must correctly adapt to the new features and obligations it establishes.

Although a Data Protection Law already existed in Spain, the GDPR introduces some new obligations and, therefore, both regulations must now be applied.

Our experience with clients who handle highly protected data allows us to offer the best and most complete solution to easily adapt to current legislation.

What are the penalties for GDPR non-compliance?

As one of its key new features, the GDPR strengthens the penalty regime, establishing fines of up to 4% of the company’s global turnover or 20 million euros, whichever is higher.

Fines can reach 20 million euros or 4% of the company’s global turnover, whichever is higher.

Do you need further assistance?

Tell us about your company and any regulatory questions you may have. We'll study your case to assess whether your company is compliant.

What do you get with our GDPR consulting services and software?

Company’s Security Document creation, review or update.

The first step is to review the company’s current data protection policy, if there is one. After the study, only the essential updating tasks will be carried out, so that the investment required from your company is kept to a minimum.

Establishing the legal clauses to be included in the documents through which the company requests data.

These clauses adapt those documents to the obligation to obtain the consent of the affected parties (customers and staff of the entity). We will analyse, from a legal point of view, the operations that may constitute a transfer of data, as well as the inclusion of confidentiality and purpose clauses in agreements with external parties that have access to company data, limiting the use and processing of such data to the purposes and uses authorised by the company.

Implementation of Security Measures

Our technical services will advise the system administrator on best practices for implementing measures to improve security and comply with the law.

Data Controller’s training

On request, we train the company’s Data Controllers and other employees involved in implementing the measures set out in the Security Document, to ensure compliance with all data protection requirements within the company.

Appointment, if applicable, of the Data Protection Officer (DPO)

The GDPR allows the DPO to be internal or external to the company; the service can be contracted from natural or legal persons outside the organization. At Edorteam we are qualified to act as DPO, a role that is mandatory for authorities and public organizations, or depending on the type or volume of data a company handles.

Conducting DPIA (Data Privacy Impact Assessments)

Also known as data protection impact assessments, their function is to assess the origin, nature, particularities and risk to which personal data are exposed.

After GDPR policies implementation, manage everything online

LOPD Online is a cloud app from where you will manage all the documentation regarding your company’s data protection policy.

Key features

  • Manage the Security Document
  • Generate confidentiality agreements and other contracts
  • Quickly report security issues
  • Always keep the record of incoming and outgoing data media up to date

GDPR software advantages for your business

  • 100% online service, with documentation always up to date and available
  • Direct communication with your Edorteam GDPR expert consultant
  • Regular audits and training by our specialists
  • The safety of being GDPR compliant

Keys about GDPR regulation and its compliance

Below you will find a selection of the most important GDPR articles and what we propose in order to fulfil your obligations.

Article 7

Consent obtained prior to the date of application of the European Regulation (25/05/2018) will only remain valid if it has been obtained in compliance with the criteria set out in the Regulation itself (free, informed, specific and unambiguous).

"

Edorteam's solution

Change of consents and revision of contracts on behalf of third parties and data processors to adapt them to the new regulations.

Article 28

Contract with data processors that have adhered to data protection compliant certifications, mechanisms or codes of conduct.

"

Edorteam's solution

Creation of codes of conduct specialised in data protection regulations.

Article 31.1.d

Regular verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure data protection security.

"

Edorteam's solution

Carrying out audits to verify security measures compliance.

Articles 30 and 32

Management and administration of users, control of equipment and maintenance of an activity log.

Set up of data recovery systems and regular backups of equipment.

"

Edorteam's solution

Set up the IT equipment with ET Seguridad and ET Backup software, if other solutions with the same features are not already in place.

Article 32.2

Assessment of the risks presented by data processing, in particular as a result of accidental or unlawful destruction, loss or alteration of data, or unauthorized disclosure of or access to such data.

"

Edorteam's solution

Study and implementation of risk assessments of processing operations, through evaluations tailored to each case and taking the different specifications into account.

Article 34

Obligation on companies to report any leakage of personal data within 72 hours.

"

Edorteam's solution

Preventive encryption of folders and documents with ET Encrypt or similar software. Encrypting personal information removes the obligation to notify the affected parties that a security breach has occurred; the notification to the supervisory authority is still required.

Register access to your computer equipment with ET Seguridad

Protects stored data with access logging and prevents unauthorized use of computer equipment.

Encrypt files and USB drives with ET Encrypt

ET Encrypt is a powerful and safe encryption tool; your data stays protected even when you send files by e-mail.

What new features does the GDPR introduce with respect to the LOPD?

Specific consent

Consent must be free, informed, specific and unambiguous. The requirement of consent is reinforced by an unequivocal manifestation or a positive action, and cannot be inferred from silence or inaction. This establishes the obligation to have systems in place to record consent so that it can be verified in the event of an audit.

Specially protected data

Consent shall be explicit for the processing of sensitive data.

Specially protected or sensitive data:

  • Ideology
  • Religion and beliefs
  • Union membership
  • Data relating to beliefs, racial origin, health and/or sexual life.
  • Relating to the commission of criminal or administrative offenses

GDPR adds:

  • Genetic data (DNA analysis)
  • Biometric data (fingerprint or eye iris)

Privacy notices

The legal basis for the data processing, the length of time the data will be retained, and the fact that data subjects can address their complaints to the data protection authorities must all be explained. All this information should be included on the company’s web pages or in the communication channels available.

Data subject rights

  • Rights to portability, erasure (the “right to be forgotten”) and transparency.

Active responsibility

Companies need to take steps to reasonably ensure that they are in a position to comply with the principles, rights and safeguards of the new regulation. It is understood that acting only when an infringement has already occurred is insufficient as a strategy, so a set of measures is envisaged:

  • Data protection from the point of view of risk analysis in data processing
  • Data protection by default (from the start)
  • Security measures
  • Maintenance of a treatment record
  • Conducting Data Protection Impact Assessments (DPIA)
  • Appointment of a Data Protection Officer (DPO)
  • Codes of conduct and certification schemes promotion

Conducting Personal Data Impact Assessments (DPIA)

Data protection impact assessments are required only when the use of advanced technologies, or the volume or type of data processed (specially protected data), may entail a risk to the rights and freedoms of the persons concerned.

The Regulation considers that a DPIA has to be carried out to assess the origin, nature, particularities and risk to which the personal data are exposed. The controller shall seek advice from the Data Protection Officer in carrying out the DPIA.

The Spanish Data Protection Agency is responsible for publishing lists of the types of processing operations that require impact assessments.

Appointment of a Data Protection Officer (DPO)

Among the DPO’s functions, we monitor the correct application of risk-reduction measures and advise your company’s data processors.

The GDPR allows the DPO to be internal or external to the company; the service can be contracted from natural or legal persons outside the organization.

Appointing a DPO is mandatory for:

  • Public authorities and institutions.
  • Controllers or processors whose main activities include processing operations requiring regular and systematic monitoring of data subjects on a large scale.
  • Controllers or processors whose main activities include the large-scale processing of sensitive data.

Data Security Breach Notifications

Obligation on companies to inform the national data protection authority, and also the affected parties themselves, within 72 hours if any personal data is leaked.

Encrypting personal information removes the obligation to notify the affected parties that a security breach exposing their personal data has occurred; the notification to the supervisory authority still applies.

Strengthening the sanctions regime

The Regulation strengthens the sanctioning regime: fines can reach up to 4% of the company’s global turnover or 20 million euros, whichever is higher.

One Stop Shop

The “One-Stop-Shop” aims to reduce bureaucratic hurdles by making it possible for all procedures affecting Data Protection to be addressed to a one-stop-shop that resolves cases at European level.

The procedure will be managed by the national authority (acting as an intermediary), which must inform the interested party of the final outcome of the complaint.

Data controller and data processor

The processor must be extremely careful and regularise its contracts in accordance with the requirements and the necessary documentation.

Right to compensation and liability, extended to damages that may have been caused by processors, establishing joint and several liability between the controller and the processor.

Security measures
  • Pseudonymisation and encryption of personal data.
  • Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • Ability to restore availability and access to personal data quickly in the event of a physical or technical incident.
  • Process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of the processing.
  • Assessment of the risks presented by data processing, in particular as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data.
  • Contract with data processors that have adhered to data protection compliant certifications, mechanisms or codes of conduct.
  • Notify the authorities in the event of a breach of security of personal data.

Security measures to comply with the GDPR

What do the security measures of the European regulation mean in practical terms?

  • Mandatory file encryption.
  • Management and administration of users, controlling access to the equipment containing the data.
  • Carrying out audits to verify compliance with the security measures.
  • Review of contracts with third-party data processors and adaptation to the new regulation, where required.
  • Activity log setup.
  • Appointment of a Data Protection Officer in the specified cases.
  • Carrying out a risk assessment that pays particular attention to CV and payroll files, as these contain sensitive data.
  • Establishing response and contingency mechanisms to deal with security breaches.