OPTRIUM

Antoine BERTHIER
President

25th May 2018: GDPR coming soon!

The GDPR has been headline news for the last few months, and for good reason: it applies from 25th May 2018, which in budget-planning terms is tomorrow...

It covers "personal" data, i.e. any data that identifies a person directly, indirectly, or by cross-referencing with other information.
It requires companies to notify the CNIL (the French data protection authority, Commission Nationale de l'Informatique et des Libertés) of any personal data breach within 72 hours of becoming aware of it. Non-compliance exposes the company to fines of up to 4% of its total annual worldwide turnover.
It also requires many organisations to designate a Data Protection Officer (DPO), who oversees compliance by informing, advising and monitoring data protection across the company's structure.
The right to erasure (art. 17) lets an individual request the deletion or removal of their personal data, and so obliges companies to actually manage the data they have collected.
It makes companies responsible for how the "personal" data they collect is stored and used, so that it is neither leaked nor passed on; in effect it gives them the role of a "trusted third party". Vendor solutions for identifying and protecting such data, available for several years now, are no longer merely "nice to have" but have become "must have"!

Necessary action should be taken quickly in order to:

  • Secure the perimeters: align actual access with what the company's access rights policy expects.
  • Identify, within those same perimeters, what constitutes "personal data".

Optrium's approach and experience on these two points have attracted great interest from our partners and clients; we expand on them below.

Happy compliance!

THE GDPR LAW IN PRACTICE

Optrium helps clients with the GDPR on a daily basis. What are the most common questions? What practical support does Optrium provide? Mélanie ... and Vinoth ... share their views.


Mélanie Rostaing
Sales Representative, Optrium

Vinoth SIVA
Consultant, Optrium

You are regularly in contact with customers. What are their needs in terms of the GDPR?

The main request from our clients is visibility, i.e. understanding precisely what they have in their information system.

We therefore propose conducting an audit that will enable us to determine where their personal data are located* and to specify the exact nature of their sensitive data.

Very often companies are unaware of how secure and traceable their data is; it is quite usual for our customers not to know how much of this type of data is stored in their information system.

As mentioned, the GDPR requires you to report a loss of personal data to the CNIL; this implies having clear visibility of these elements so that any loss can be reported within 72 hours.

The audit therefore responds to a twofold objective: it justifies to company management the actions to be put in place in order to comply with the law, and it also proves that the company has taken the first steps by committing resources in accordance with legal requirements.

For example, our customers may ask us to help them to classify their data. This is especially the case when they want to isolate certain data to secure them specifically.

Others go further and wish to review their security strategy in full to protect their sensitive and confidential data. This moves from a need to identify towards a need for control and protection, by auditing access rights.

Once the audit is done, our customers ask us to help them implement corrective solutions in order to control the data and to put some sort of monitoring in place, i.e. continuous traceability on their systems.

Putting in place continuous traceability on the data makes it possible to know who is doing what and who has access to what, and to optimise rights and behaviours. These actions lead to recurring reports and alerts, which address the need to declare any loss to the CNIL.

Others may ask us to intervene regarding data encryption. This option is really important because non-recoverable data is not covered by the GDPR. Indeed, if data are encrypted, the company is not required to report any incidents of data loss within the 72 hours.

On a final note, all these points lead to a desire for better efficiency. In this context our customers discover the need to reorganise their storage systems according to the classification that needs to be carried out, in order to comply with the law.

Optrium is involved throughout the process, from audit to solution integration, with continuous support to help customers get compliant.

(*name, email address, IP address, NI number, etc.: anything that can be traced back, directly or indirectly, to a person).
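As an added example (it is not code from the interview, from Optrium, or from any product mentioned on this page), the Python script below shows the kind of pattern-based discovery that the audit described above starts from: it scans text for three of the identifier types listed in the footnote (email addresses, IPv4 addresses and, taking "NI number" to mean the French social security number, the NIR) and reports only masked values with line numbers, so that the audit log does not itself become a second copy of the personal data. The sample export, the mask policy and the function names are constructed for this illustration; the NIR control-key rule (key = 97 - N mod 97, with Corsican department codes 2A/2B replaced by 19/18) is the official one.

```python
"""Pattern-based discovery of personal data in text (constructed example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Patterns for three of the identifier types listed in the footnote.
# The NIR pattern is deliberately loose (15 digits in the NIR layout, spaces
# optional, 2A/2B allowed for Corsica); the control-key check below is what
# separates real numbers from random digit runs.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "nir": re.compile(
        r"\b[12][ ]?\d{2}[ ]?\d{2}[ ]?(?:\d{2}|2[AB])[ ]?\d{3}[ ]?\d{3}[ ]?\d{2}\b"
    ),
}


def nir_key_ok(nir: str) -> bool:
    """Check the two-digit control key of a French NIR.

    Official rule: key = 97 - (first 13 digits mod 97). For Corsica the
    department code 2A is replaced by 19 and 2B by 18 before dividing.
    """
    compact = nir.replace(" ", "").upper()
    if len(compact) != 15:
        return False
    body, key = compact[:13], compact[13:]
    dept = body[5:7]
    if dept == "2A":
        body = body[:5] + "19" + body[7:]
    elif dept == "2B":
        body = body[:5] + "18" + body[7:]
    if not (body.isdigit() and key.isdigit()):
        return False
    return int(key) == 97 - int(body) % 97


def ipv4_ok(addr: str) -> bool:
    """Reject dotted quads with an octet above 255 (version strings, etc.)."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def mask(value: str) -> str:
    """Keep two characters at each end so the report never reproduces a value."""
    return value[:2] + "*" * max(len(value) - 4, 0) + value[-2:]


@dataclass
class Finding:
    line: int
    kind: str
    masked: str


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per validated match, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "ipv4" and not ipv4_ok(value):
                    continue
                if kind == "nir" and not nir_key_ok(value):
                    continue
                findings.append(Finding(lineno, kind, mask(value)))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per identifier type: the 'how much is there' figure."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample export; none of these values belong to a real person.
SAMPLE = """\
# constructed sample export
customer=j.martin@example.com, last_login_ip=10.20.30.40
nir=1 85 05 78 006 084 91 (valid control key)
nir=1 85 05 78 006 084 36 (wrong control key, must be ignored)
build=999.1.2.3 (looks like an IP but 999 is not a valid octet)
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE)
    for f in results:
        print(f"line {f.line}: {f.kind} {f.masked}")
    print(summarise(results))
```

Run against a real export, this reports the line, the type and a masked value for each hit and a per-type count; the two validation steps (octet range, NIR control key) are what keep the count honest, since a bare regex would flag version strings and any 15-digit sequence as personal data.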


You regularly help Optrium's clients with issues related to the GDPR. What do you find during these interventions?

The problem differs depending on the size of the company. In large companies everything is often fragmented and no one has global visibility. Small businesses suffer from a lack of methodology. The information system's features are poorly managed in terms of security (in the GDPR sense) or compliance.

The GDPR (RGPD in French) brings new responsibilities, adding constraints at the legislative and financial level, but it can also be seen as an opportunity for companies. Optrium offers its clients the chance to use the transition to the GDPR to solve pre-existing problems. We bring a methodology and a new way of doing things by putting a new aspect of the information system to work: data governance, which guarantees the value of information and gives it better protection.

To comply with the GDPR you have to work on processes. The technical audit responds to the need for visibility, revealing not only the flaws but also, among other things, where the so-called sensitive data are located. From there Optrium can start the necessary remediation and security processes.

The functional tools provided by companies do not offer any traceability, whereas the solutions proposed by specialist vendors are based on newer and more efficient technologies that do more, and do it better. The audit carried out by Optrium is this type of solution.

The audit is always followed by a written and oral report, allowing the client to decide on an action plan, both to comply with the GDPR and to remedy any faults detected. Optrium can also carry out any necessary remediation through professional services, or provide training on the appropriate solution once the company has acquired it.

In some cases the answer to the audit will come down purely to methodology, and the company will have to change its behaviour. But the solution can also be technological, and once acquired it becomes part of the resource-control process.

If the necessary day-to-day interventions cannot be done by the IT department, for lack of training or resources, Optrium can offer an outsourcing contract to administer, and maintain in operational condition, the management of security and GDPR compliance.

© 2017 - Optrium 171 avenue George Clémenceau - 92000 Nanterre (France)

www.optrium.fr - T. : +33 1 55 17 35 00 - Mail : info@optrium.fr