Data Protection Portfolio
Today, information security is one of the most important defensive issues affecting the business processes of organizations.
The culture of data protection is slow to catch up with the accelerating development of technology and the challenges that come with it. Even such basic questions as who the data controller or the data processor is within an organization, what counts as personal data, or where the data came from are sometimes difficult to answer. The situation is further complicated when we start looking into whether there is a legal basis for the processing, whether there is a justified purpose for it, whether the data subjects have been adequately informed, or whether the data was transferred abroad in accordance with international law.
By now, the protection of information has become such a complex specialty that it requires special expertise for preventing and fixing issues or complying with the laws in force.
Organizations handling personal data must comply with the applicable Hungarian legislation, namely Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: the “Information Act”). In addition, the European Union has adopted a new data protection regulation, “Regulation (EU) 2016/679 of the European Parliament and of the Council” (hereinafter: GDPR). EU regulations are directly applicable in Hungary as well. Although the regulation only applies from 25 May 2018, organizations handling personal data need to start preparing for the new, unified requirements right now.
Under the GDPR, as a further incentive to comply with the regulation, the independent supervisory authority is entitled to launch investigations and to warn the data controller or the data processor if its processing activities infringe the provisions of the regulation.
Furthermore, the supervisory authority has the right to order the data controller or data processor to bring its processing operations into compliance with the regulation, in a specified manner and within a specified period. Where processing has not been carried out in accordance with the regulation, the supervisory authority may also order the data controller or data processor to communicate a personal data breach to the data subjects affected. By virtue of its powers, the supervisory authority may impose a temporary or even permanent limitation on processing. Under the current Information Act, in case of non-compliance, organizations handling personal data may be required to pay an administrative fine imposed by the data protection authority ranging between HUF 100,000 and HUF 20,000,000.
Under the provisions of the GDPR, the supervisory authority is entitled to impose an administrative fine of up to EUR 20,000,000 or up to 4% of the affected organization’s total worldwide annual turnover of the preceding financial year, whichever is higher.
Data protection solutions
KÜRT’s Data Protection Competence Center provides solutions for minimizing data protection risks and ensuring safe and efficient organizational operation.
1. Data protection counseling
KÜRT Ltd.’s data protection specialists are available to resolve any issue related to data protection.
They help organizations prepare for statutory audits by the competent authority (NAIH, the Hungarian National Authority for Data Protection and Freedom of Information) and for other audits related to data protection.
The solution package also covers issues related to domestic and cross-border data processing (GDPR), policies, and the preparation of declarations and documentation.
We pay special attention to:
- the rules on the deletion of personal data,
- the handling of public credentials, and
- the execution of data protection impact assessments (DPIA).
Where a type of processing, taking into account its nature, scope, context, and purposes, is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must, before the processing starts, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
2. Data protection situation analysis
The impact assessment, carried out according to the methodology proposed by the EU’s Article 29 Data Protection Working Party, helps our clients map the following aspects of the data they process:
- the current data protection conditions within the organization,
- the expected or proposed data protection requirements, as well as the administrative and technical protection measures.
Carrying out an impact assessment is a legal requirement in the cases defined by the GDPR. It helps to prevent or detect abuses of personal data. Based on the situation analysis, we propose a more effective data protection strategy for the organization.
An impact assessment can reduce financial losses resulting from abuses, help avoid fines for non-compliance with statutory requirements, and safeguard the company’s good reputation.
A data protection situation assessment also makes the organization’s processing more transparent.
3. Using the SeCube GRC software for supporting compliance with European Union legislation (GDPR)
The SeCube GRC software is a modular information security management system. Using the software, compliance with the EU regulation (GDPR) can be supported, and clients are given a tool for maintaining their obligations and records, in the following manner:
- In the Inventory module, the client can create a record of processing activities and categories of personal data, linking them to IT systems and business processes.
- The client can conduct a detailed GDPR conformity situation analysis against more than 200 control requirements, and an action plan can be devised for the discrepancies found.
- The client can perform data protection impact assessments (DPIA) and data security risk analyses, as well as generate reports.
4. Data protection – design and implementation of IT developments
It is the responsibility of organizations to ensure the protection of electronically stored information. However, the current economic situation requires that, in addition to security requirements, the return on investment, the efficiency gains from applying resources, and cost savings also be taken into consideration when designing systems and planning developments.
Drawing on its knowledge and experience in information security and in managing IT developments, KÜRT Ltd is able to help implement adequate data protection measures as early as the design phase. The quality assurance plans developed by our experts are designed to meet legal and organizational expectations and to contribute to the success of the project.
When designing and developing services and applications, the right to the protection of personal data must be kept in mind at all times, and data controllers and data processors must meet their current privacy obligations. For new IT systems, it is recommended that the requirements of data protection by design and by default (Article 25 GDPR) are considered as early as the design and procurement phases, as required by law.
5. Data protection training
Raising the awareness of everyone who comes into contact with personal data, such as employees, data controllers, and customers, is the most effective way to improve data protection at any organization. We recommend holding data protection training courses regularly and verifying the knowledge acquired, in order to keep the data protection culture up to date.
6. Assignment of a Data Protection Officer
Certain organizations are required by law to appoint a Data Protection Officer. These include:
- data controllers and data processors who handle or process national official, labor, or criminal records;
- financial organizations;
- electronic communications and utility providers; and
- organizations employing more than 250 employees per organizational unit.
We offer a cost-effective solution for filling the Data Protection Officer position under an agency contract.