Since the beginning of the year, we have observed an increase in requests regarding GDPR implementation, coming from both existing clients and potential new ones. These requests concern applying GDPR both online and offline, which is an essential distinction.
Initially, it was unclear whether this sudden interest was due to a wave of fines and inspections or if mature businesses were starting to emerge from “survival mode” and paying attention to compliance and digital security gaps. From the discussions we’ve had, it turned out to be a mix of both: some institutions have tightened regulations and started to enforce them more strictly, and at the same time, growing companies are beginning to take compliance more seriously.
What is the solution?
- Global Approach: Security intersects with three major factors: people (qualified, authorized, and responsible personnel) + procedures (clear, efficient, applicable, and safe) + technology. GDPR implementation should be based on these three areas.
- Internal Assessment: If you are handling GDPR within your company, you need to assess the effort required for a rigorous implementation that minimizes risk. Some companies choose to conduct a summary assessment and implement only minimal procedures and measures, so as to demonstrate good intentions in the event of an inspection. For example, you might opt for external audits by an ISO 27001-certified expert.
- Outsourcing: If you do not wish to manage GDPR internally, you can collaborate with an external Data Protection Officer (DPO). The DPO will:
  - Audit internal processes and technology and make the necessary changes.
  - Analyze physical and cybersecurity risks.
  - Review data processing policies and third-party contracts, and develop new procedures if needed.
  An external DPO also offers:
  - Liaison with regulatory authorities if necessary.
  - Administration of the data processing records.
  - Other relevant services.
- Final Responsibility: According to the law, the primary responsibility lies with the data controller (the client or beneficiary). However, the controller can hold the DPO accountable for breaches according to the Labor Code, negligence, etc. Therefore, a professional and well-prepared DPO will consider all these aspects when providing a commercial offer (not just work hours, but also responsibility, risks, post-implementation availability, and ad-hoc consultancy).
- Online: For websites, GDPR involves measures such as a hardened server, restricted file access, anti-spam filtering, antivirus scanning, IP evaluation, website security (from HTTPS through to two-factor authentication), monitoring for attacks, backups, etc.
The digital space is extremely dynamic and integrated, making it difficult to be completely isolated from cyber threats. However, a goal should be to have a minimal checklist across the three areas of interest (users + procedures + technology) to create a “blueprint” of the ecosystem and manage risks for each component.
If you want to learn more, you can contact us by phone or email for a discussion with a Xprimia consultant. In the meantime, keep your data closer than your selfies.