PwC Romania will present the main challenges that the vast majority of companies in Romania face, together with the gaps and needs identified during complex audit processes.
From theoretical best-practice concepts to processes and functionalities. From employees' awareness of their own responsibilities to the implementation of basic rules of information security.
6. PwC 6
Internal processes and legal basis
Internal processes: Internal policies and procedures regarding personal data are usually not formally defined.
Purposes and legal basis: For personal data processing that is not based on prescribed law and legislation, there are no other clearly stated legal grounds.
7. PwC 7
Poor data management, missing Data Retention Policy, lack of awareness
The data minimisation principle is not being followed.
The process and functionality for erasure of personal data is missing.
A lot of unnecessary shared Excel files are stored on network shared drives.
Personal data records are stored in too many locations and formats.
Lack of a proper data classification and data leak prevention solution in place.
8. PwC 8
Poor data management
Contracts: The contracts regarding processing of personal data are not sufficiently detailed and clear.
Restriction: The process and functionality for the restriction of processing of personal data is missing.
GDPR requirements: GDPR requirements for obtaining consent prior to collection or processing are not observed.
9. PwC 9
Poor data management
The process for notification of personal data breaches is not defined.
Organizations do not keep records of personal data processing; they should log the main transactions.
Last but not least: insufficient employee awareness.
10. PwC 10
Data is stored, shared and transferred in an insecure way (FTP, clear-text files (.CSV, .TXT, .XLSX) and insecure applications).
A periodic "data discovery" process is not implemented.
Organizations are not aware of the volume of personal data spread across the organization, nor of bad habits in using and sharing it.
Volume and storage: no Data Retention Policy.
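As an added illustration of the periodic "data discovery" process referred to above (example code, not taken from the PwC presentation): a Python scan that walks a network share, reads clear-text .csv and .txt files and reports, per file, how many e-mail addresses and checksum-valid Romanian CNPs it contains. The CNP checksum rule, the file extensions and the sample share contents are assumptions constructed for this example.

```python
"""Periodic data-discovery scan over a shared drive: walk a directory, read
clear-text files and count personal-data hits per file (example code)."""
import re
import tempfile
from pathlib import Path

# Simple patterns; the CNP checksum below removes most 13-digit false positives.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CNP_RE = re.compile(r"\b\d{13}\b")
CNP_WEIGHTS = [2, 7, 9, 1, 4, 6, 3, 5, 8, 2, 7, 9]


def is_valid_cnp(candidate):
    """Checksum test for a Romanian CNP (assumption: data subjects are Romanian)."""
    if not (candidate.isdigit() and len(candidate) == 13):
        return False
    total = sum(int(d) * w for d, w in zip(candidate[:12], CNP_WEIGHTS))
    control = total % 11
    if control == 10:  # per the CNP rule, a remainder of 10 maps to control digit 1
        control = 1
    return control == int(candidate[12])


def scan_text(text):
    """Count personal-data indicators in one file's contents."""
    emails = EMAIL_RE.findall(text)
    cnps = [c for c in CNP_RE.findall(text) if is_valid_cnp(c)]
    return {"emails": len(emails), "cnps": len(cnps)}


def discover(root, extensions=(".csv", ".txt")):
    """Return {relative path: hit counts} for clear-text files holding personal data."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if any(hits.values()):
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Constructed sample share: one HR export with personal data, one harmless file."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "hr").mkdir()
        (Path(root) / "hr" / "export.csv").write_text(
            "name,cnp,email\nIon Popescu,1800101401237,ion.popescu@example.com\n"
            "Maria Ionescu,1800101401238,maria@example.com\n", encoding="utf-8")
        (Path(root) / "readme.txt").write_text(
            "Nothing personal here, order 1234567890123.\n", encoding="utf-8")
        return discover(root)  # only hr/export.csv is reported
```

Scheduling `discover()` against the real share root and diffing successive reports gives the periodic inventory the slide asks for; the second CNP in the sample fails the checksum and is deliberately not counted.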
11. PwC 11
Security and vendor support issues
There is no regular process for testing the security posture of the organization.
When clients have pre-existing tools (e.g. SIEM, firewall...) which could help, the monitoring and/or calibration process is very often not optimal.
Databases and operating systems are no longer supported by their vendors.
12. PwC 12
Project implementation issues
Human Resources: Lack of human resources is evident. Clients strive to implement some level of GDPR compliance; however, the GDPR project has only just started with the gap assessment, and it will not end as long as the regulation exists.
Complexity of the Project: There is no clear overview of the complexity of the project, nor any real budgeting for implementation.
13. PwC 13
Legal teams and technical teams need to support each other
Successful GDPR is a team effort.
Expertise: Legal teams alone (both internal and external) do not realize the complexity of the IT systems and IT processes involved, therefore they need technical support. The same is valid for technical teams regarding the legal aspects: they need close legal advisors.
Legal basis: For personal data already being processed, processing is often not based on prescribed law and legislation, and very often there are no other clearly stated legal grounds (e.g. contractual obligation, legitimate interest or written consent) for personal data processing.
14. PwC 14
Third party involvement
Clients do not keep track of their external connections (software, hardware vendors), and if they do keep track, they do not monitor these activities.
Third party IT vendors have direct (unlimited, unmonitored) access to the production and testing environments.
In the PRD environment personal data are stored in a clear and unmasked manner.
15. PwC 15
Please remember several solutions 1/2
Avaelgo GDPR Strategy for Compliance and Transformation - All rights reserved