GDPR Compliance Implementation: best practices

In the new digital age we face unprecedented times of wide opportunities. Internet is just about everywhere and can be connected to just about any device generating diverse forms of data circulation, exchange and accumulation. One can easily pay the bills, share documents, make a purchase and handle multiple daily tasks without passing the front door of their homes. This is how modern technology makes our lives more convenient. Yet it comes at a price. The price is our privacy.  As personal data are shared online, the predators feed on security flaws. The companies get infiltrated, while identities, funds, intellectual property stolen.

GDPR Compliance Obligations

The General Data Protection Regulation (“GDPR”) was enacted to close the loopholes in data privacy protection an outdated Data Protection Directive could no longer tighten. The GDPR imposes obligations on companies from 28 countries of the EU and regulates the way they manipulate data on the EU territory. Whether it’s storing, collecting or transferring data, GDPR requires that businesses exercise due diligence and comply with pre-determined data protection principles and conditions for data processing.   

As the GDPR directive proclaims, any information related to a person (name, photo, email address, bank details, location details, medical information, or even computer IP address, and updates on social networking websites) shall be reckoned as personal data and its secure processing must be warranted. 

Effective execution of personal data protection strategies is supported by corresponding GDPR principles enacting certain restrictions and requirements. The principles lay out responsibilities for companies to ensure: 

1. The subject gave an explicit legal consent for collecting and processing personal data for no other purposes but the legitimate ones. 
2. The subject is privy to all processing activities with their personal data.
3. Only necessary data required for specified and explicit purposes is collected. 
4. Data is accurate and updated.
   
5. Data is properly destroyed or deleted when no longer needed.
   
6. Data is protected against unauthorized or unlawful processing, loss, damage or destruction. 

GDPR Compliance Implementation Steps

With quite unlimited guidance that our experience of past projects provided, Agiliway had long as developed certain strategies and daily operations ensuring personal data protection of its customers. The strategies have worked well for some time already. Reviewing and updating Agiliway privacy policy in compliance with data protection legislation enforced by GDPR meant further reinforcing the existing strategies. To stay within the GDPR we took special care to revisit data processing operations in the following areas:

Access control of data processing premises

To prevent unauthorized access to the premises where data is processed Agiliway has implemented specified protective measures: 

• Entrance to the office building is allowed only with a personal smart card granting access to corresponding sections of the office, while keys from project rooms are obtained by employees upon fingerprint authentication. Access to the server room is restricted to authorized employees only. 
• Personalized smart card and the fingerprint record is removed when an employee leaves the company.
  
• The office is locked during night hours and connected to centralized police monitoring system.  Security guards are present on the territory 24/7. Corridors, stairs, entrance, parking lots are equipped with a video surveillance system.
  
• Visitors are not permitted without the prior approval of management or HR and unless accompanied by an employee. Guests have no access to the corporate network.

Access control of data processing systems

To ensure that data processing systems are not tampered with by third parties Agiliway has introduced the following protective measures:

• Access to project data is granted by management (CTO, COO, SysAdmin (network logs only)) and contingent on an employee’s role and position level.
  
• Internal systems (CRM, HR, accounting, project tracking, etc.) and client project folders are protected by the company password policy.  

• Configured router firewall controls incoming traffic.  
  
• Data processing is not outsourced to third party providers.
  

Data access control

Only data that is entitled to accessing can be collected and processed by Agiliway team in accordance with access rights granted by the data subjects. Personal data cannot be read, stored, copied, modified, transferred, deleted or shared with third parties without proper authorization. It’s accomplished by:  

• obtaining customer’s consent on data processing under the GDPR;
  
• signing NDA with every new employee before granting access to data;
  
• updating the access permission once an employee changes position, role or leaves the company;
  
• following Dismissal procedure which includes locking all accesses, returning documents/materials, reassigning active tasks, returning computer and other devices, disabling corporate emails, blocking; personal smart-key and removing fingerprints from the database, etc. 
• re-formatting data carriers no longer in use and destroying all unneeded documents with shredder machines; 
  

• encrypting hard-drives on all laptops to protect information;
  
• access to documents is closed as soon as the project or support/warranty period ends.
  

Separation control of data processing for different purposes

Personal data collected from different customers and for different purposes are processed separately, which is ensured by the following actions: 

• Access permission control is implemented to assign roles with access to the defined set of information.
  
• Data is stored in different areas. Normally, we do not transfer data from client servers, access is provided by the client to only those employees who are assigned to the project. 
  
• Production deployment is performed by the client’s in-house IT department unless the support of our DevOps have been solicited. 

Data transmission control

Under provisions in GDPR the controller or processor may only transmit personal data if appropriate safeguards have been offered. Agiliway warrants data protection during transborder data flows by:

• signing with the data subject a Personal Data Transfer Contractual Clauses to define conditions and obligations under which the data processor undertakes data processing operations;
  
• accessing and/or processing data on clients’ servers or document storage. Otherwise VPN and secure protocols SSL are used to download documents which contain personal data;
  
• transferring only electronic data by using secure connection VPN, SSL;
  
• appointing a data protection officer who monitors that the company remains compliant with GDPR.
  

Data availability control

Agiliway implements specific measures to ensure personal data are protected from accidental destruction or loss. The measures in place include:

• protecting data centers from service outages (uninterruptible power supply, air-conditioned server rooms, smoke detection system);
  
• auto start of new server/database from defined backup;
  
• using AWS, Azure cloud services with servers located in EU for hosting clients’ data and storing backups; 
  
• encrypting data backups. 
  

The moment GDPR came into effect, Agiliway reviewed its business processes to be compliant with personal data processing regulation and introduced necessary changes to stay vigilant against data breaches. By implementing appropriate technical and organizational measures, educating employees, updating contracts and securing environment, we assure our customers no malicious intent goes unnoticed.