data protection process information
PROCESS OF IMPLEMENTATION OF PERSONAL DATA PROTECTION
www.yourlegalconsultants.com
Data protection and security
Process information
IMPLEMENTATION PROCEDURE: KEY ISSUES (Free information)
1. CONCEPT OF PERSONAL DATA PROTECTION
2. ANALYSIS AND DETECTION OF PERSONAL DATA PROCESSING
3. IDENTIFICATION OF THE RESPONSIBILITIES OF THE DIFFERENT DEPARTMENTS
4. CLASSIFICATION OF FILES
5. CREATION OF AN INTERNAL COMPANY POLICY
6. IDENTIFICATION OF THE PROCESSING OF PERSONAL DATA BY THIRD PARTIES
7. IDENTIFICATION OF THE NEED TO TRANSFER DATA BETWEEN COMPANIES
8. SECURITY DOCUMENT, NOTIFICATION, FILE REGISTERS AND CERTIFICATION OF CORRECT IMPLEMENTATION
DOCUMENTS FOR THE IMPLEMENTATION OF DATA PROTECTION (Payment required)
9. PROCEDURE DOCUMENTS
10. COMPLEMENTARY AND IT GOVERNMENT DOCUMENTS
11. SECURITY AND AUDIT DOCUMENTS
PERSONAL DATA PROTECTION
Free information
1. CONCEPT OF PERSONAL DATA PROTECTION
Concept
The protection of personal data is governed by Organic Law 15/1999, of 13 December, on the protection of personal data, and its regulations. Personal data is all numeric, alphabetical, graphic, photographic, acoustic or any other type of information concerning identified or identifiable natural persons.
It is classified into three levels:
Basic
Medium
High
Special mention must be made of personal data relating to health: information on the present, past and future physical or mental health of an individual. In particular, information referring to a person's percentage of disability or genetic information is considered health data.
2. ANALYSIS AND DETECTION OF PERSONAL DATA PROCESSING
The processing of personal data may be conducted internally or outsourced:
A. Internal processing
Examples:
1. Marketing – Mailing of sales information, etc.
2. Human Resources – Receipt of CVs, the carrying out of psychological assessments, etc.
3. Quality – Processes associated with personal data
4. Legal – Contracts, debts, audits, etc.
B. Processing of data by third companies
1. Accounting firms
2. Lawyers
It is important to bear in mind that the security manager should give clear instructions to subcontracted companies with regard to security measures.
3. IDENTIFICATION OF THE RESPONSIBILITIES OF THE DIFFERENT DEPARTMENTS
It is important that each department is aware of its responsibility with regard to the protection of personal data:
A. Each type of data to be processed requires the adaptation of instructions to each department in the company
Examples:
1. Marketing – Was the data subject’s consent obtained for sending sales information?
2. Human Resources – Is the information that is received for job applications used only for this purpose?
3. Quality – Can the information associated with processes be simplified so that it can be classified as basic level data?
4. Legal – In what cases is it necessary to obtain the data subject's consent?
B. What are the advantages of appointing a personal data coordinator in each department?
1. Supervise interaction with other departments
2. Approval of processes to avoid complaints
It is important to centralise information in accordance with the instructions of the systems manager.
4. CLASSIFICATION OF FILES
Personal data is protected through the use of security measures appropriate to the nature of the data (basic, medium, high).
If the three types of data are stored in the same file, high level data security measures apply.
It is advisable to classify files on the basis of the nature of the data contained therein in order to provide the appropriate security measures.
The systems or security manager plays a vital role in this classification.
Nevertheless, it is important that the different databases or files that might be organised separately are unidentifiable.
It is important to know when the systems can be designed according to these criteria or, alternatively, the files can be classified according to their applicability (for example: contacts in internal information systems, psychological assessments, etc.).
5. CREATION OF AN INTERNAL COMPANY POLICY
A very effective way of ensuring that company policy with regard to personal data is known and observed by all employees is to include several clauses in the policy, for example clauses to prevent possible data leakage.
Company policy is an internal document that sets out codes of conduct and aims to prevent conduct that could lead to the dismissal of employees. It is a very effective tool for the Human Resources Department when it comes to defining possible offences.
For the IT Department, it is a tool that prevents misuse of internal and external communication systems.
For the Legal Department, internal company policy is useful for the prevention of intellectual property offences. When defining company policy, it is important to enlist the cooperation of the company’s senior management and, when applicable, company associates.
6. IDENTIFICATION OF THE PROCESSING OF DATA BY THIRD PARTIES
It is necessary to draw a distinction between the communication and disclosure of data.
The communication of data does not entail the processing of personal data by third parties, but it does involve the use of the data to perform specific functions (the development of a Web project, etc.). The disclosure of data, however, involves the processing of personal data for the development of services (the carrying out of promotional campaigns by third parties, the payment of wages by third parties, etc.).
When services that are outsourced to third parties require the communication of data, the data should be returned or destroyed once the project has been completed, and this obligation should be set out in writing.
When services that are outsourced require the processing of data, the security manager should take account of a number of instructions that ensure the security of the data, and which should be conveyed to the persons concerned.
It is important to sign the appropriate documents for each situation.
7. IDENTIFICATION OF THE NEED TO TRANSFER DATA BETWEEN COMPANIES
There are two different situations, but with the same objective:
A. There is a group of companies that will probably share data.
B. There is a transfer of data to another company with which the company has a business collaboration relationship.
In both cases, the data is transferred, but the scope of the transfer requires that this be organised in different ways and the security manager has various alternatives available.
It is important to define the situations before signing the documents governing the transfer of data between companies.
8. SECURITY DOCUMENT, NOTIFICATION, REGISTERS AND CERTIFICATION
The security document sets out the appropriate security measures and indicates the security level (basic, medium, high) of files that have already been registered in the Data Protection Agency or Competent Supervisory Authority register.
Any changes to a file registered in the Register must be communicated to the Data Protection Agency register.
It is advisable to design information systems in accordance with criteria that guarantee the nature of the personal data processed, ensuring the quality, safekeeping and availability of the data.
The information systems manager or information services manager should make every effort to ensure implementation of the proposed security measures and inform the security manager accordingly.
Nevertheless, it is vital to adequately segregate information systems on the basis of the nature of the personal data to be processed.
It is important to certify information systems if substantial changes are made that affect the security thereof. In this way, we can be sure that information systems are properly supervised and that the security document is current and up-to-date.
DOCUMENTS FOR THE MANAGEMENT OF PERSONAL DATA
Payment required
9. PROCEDURE DOCUMENTS
List of issues to be taken into account in the implementation of data protection
Recommendations for the implementation of data protection
10. COMPLEMENTARY AND IT GOVERNMENT DOCUMENTS
Internal company policy
Document for the processing of personal data by third parties
11. SECURITY AND AUDIT DOCUMENTS
Customer databases and Employee data management databases
Security document
Document for the transfer of data between companies
Certificate of compliance
Data protection: Certificate of compliance
Thank you for your interest
For personal queries, please contact: [email protected]
www.yourlegalconsultants.com