We have just over two weeks until the new regulations on the protection of personal data enter into force. Adopted by the European Parliament in April 2016, the General Data Protection Regulation, known as the General Data Protection Regulation (GDPR), will come into force on May 25, 2018.
Lawyers actively support their clients in adjusting formal requirements to the new regulations. However, the preparation of appropriate templates of information clauses, questions for consents to the processing of personal data and contracts for entrusting or sharing data is not everything. It is important to adapt the technical infrastructure to the new realities along with formal and legal activities. And here a question often arises that lawyers are not able to answer: "what requirements must the IT infrastructure meet to be considered compliant with the provisions of the GDPR"? This problem stems from the fact that, unlike the "old" Act on Personal Data Protection, the new regulations do not indicate specific technical requirements. In the entire Regulation, there are only general conditions relating to the safety of infrastructure. So how do you adapt to them? We will try to help you find the answer to this question.

So what are these general requirements? Article 32 of the GDPR, which specifies that the personal data administrator implements appropriate technical measures to ensure a level of security corresponding to the risk, is the most relevant to this topic. It asks, inter alia, attention to solutions such as:

• Personal data encryption
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• The ability to quickly restore the availability and access to personal data in the event of a physical or technical incident
• Regularly testing, measuring and evaluating the effectiveness of technical measures to ensure the security of processing

Continue ...

In the period from September to November, UpGreat takes part in three IT conventions (Wielkopolskie, Mazowieckie and Śląskie) - cyclical events organized for employees of offices and public institutions. During these meetings, issues related to the adaptation of local government institutions to the requirements of legal regulations concerning, inter alia, computerization, personal data protection or the National Interoperability Framework. The meetings are also attended by UpGreat experts in the field of ICT security, personal data protection, audits and security policies. Our consultants advise IT specialists from public institutions on how to adapt their systems to the requirements of the KRI regulation related to, inter alia, with the implementation of the Information Security Management System. We discuss issues related to the implementation of information security policies as well as risk estimation and analysis. We also answer questions regarding the amended Personal Data Protection Act and the obligations of the Information Security Administrator.
We pay special attention to security audits and penetration tests, which are an indispensable element of security management in any organization.