Wednesday, 18 October 2017

How Legal and IT Teams Can Work Together to Achieve GDPR Compliance

The article can be found on the okta.com portal, specifically at:
https://www.okta.com/blog/2017/10/tips-for-legal-IT-GDPR-compliance/
The author is Chris Niggel, Director, Security and Compliance, Oct. 17, 2017.
I quote selected parts of the text:
"This article doesn’t constitute legal advice, and is provided for informational purposes only".
"While the GDPR can seem intimidating at first, thoughtful planning can help your organization efficiently maintain compliance."
"... And since the regulation can affect many parts of the enterprise, regular interdepartmental meetings will help ensure that each team is aware of any operational changes that are being made."
"The keys to getting ready for the regulation are communication, transparency, and accountability. Everyone involved in GDPR preparations needs to understand their role and be held accountable for ensuring compliance."
"The regulation strongly encourages encryption and requires that security measures are built into any system that is engineered to collect, process, or store personal data of EU individuals."
"What IT needs to gather for and from the legal and compliance teams."
"The IT department knows the nitty gritty of your enterprise’s data infrastructure in a way that the legal department may not, meaning that IT may need to outline much of that information for the organization’s legal and compliance teams."
"Mapping the personal data and avoiding unnecessary duplication is one of the key ways to help ensure compliance with the GDPR. Doing so makes it easier to comply with erasure and portability requests."
"Regular training about the GDPR requirements can also help IT better understand how personal data of EU individuals is subject to the regulation. IT will also need to work with the compliance and legal teams to understand if any IT processes for handling data needs to be changed to better comply with the regulations."
What compliance and legal teams need to know about IT
"A key role of an organization’s compliance and legal teams is to understand how their enterprise collects, stores, and processes personal data of EU individuals, and how the GDPR impacts the organization."
"While both the controller and processor are generally responsible for security of the data, each has different responsibilities that an organization’s compliance and legal teams will need to apprise them of."
"It may be important for compliance and legal teams to advise IT about whether new security solutions – such as identity and access management or a cloud access security broker – are needed to ensure personal data-handling is compliant with the GDPR."
"Encouraging two completely different departments to work together can be a challenge, but there are several ways to ensure smooth collaboration."
"They can communicate across departments to keep track of what each team is doing to get ready for the GDPR. It’s also important for teams to have a checklist with deadlines, and even more so to hold people accountable if they miss those deadlines."
"Bring teams together and visually map out roles and expected contributions to the end goal of GDPR compliance. Request input from teams on process improvements, to help them feel valuable and invested in the final outcome."
"Finally, leaders of all affected departments should hold regular meetings to know how far along they are towards achieving their GDPR goals."

Tuesday, 17 October 2017

4 AREAS GDPR CHANGES FOR INFOSEC PROFESSIONALS

Posted on Monday, October 16, 2017
The article can be found at:
https://www.softcat.com/news/4-areas-gdpr-changes-for-infosec-professionals/
I quote selected parts of the text:
"GDPR at its core has a large problem to solve. Remember, private and public organisations want to process personal data and many of them want to do this lawfully. International businesses who are processing or indeed storing European data subjects' data are impacted, so the implications are truly global.
The following four areas were concerns that the DPD didn't address, that are now addressed by the GDPR:
- Right to Erasure and other Data Subject Rights (Articles 15-21)
- Security of Processing (Article 32)
- Accountability – Security Breach Notification (Articles 33 & 34)
- Data Transfers (Articles 44-50)
It's critical that both information security and privacy professionals are aware of these changes and new articles, not simply from a regulatory perspective but also from a practical perspective. Putting aside for the moment the discussions, hype and media concern around potential fines and sanctions, Forcepoint has co-produced a practical whitepaper to focus on the four imminent areas of change."

Sunday, 15 October 2017

GDPR for small businesses: What it means for you

Joe Curtis - 27 Jul, 2017 - http://www.itpro.co.uk/
The full text of the article can be found at: http://tinyurl.com/yc7cnpyv
I quote selected parts of the text:
"We look at how the new data protection laws will impact SMBs"
"So what does GDPR mean for SMBs? Let's answer a few key questions addressing specifically how it applies to smaller organisations before you dive into our step-by-step guide to all the elements of the new data protection rules."
"The bit these guides seem to get confused about is Article 30, which in the final draft of the legislation states that there's a difference between the types of records SMBs and larger firms must keep."
"The regulation states that extra record keeping duties will apply to an SMB if "the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data ... or personal data relating to criminal convictions and offences referred to in Article 10."
"While an earlier draft of GDPR limited the appointment of a data protection officer to organisations with more than 250 employees, there's no such bar now."
"The "whichever is higher" is the key phrase for SMBs, who could be financially ruined by a data breach, meaning the risks are just as big - if not bigger - than for a multinational enterprise that could absorb the penalty in its next financial quarter without too much of an impact on its stock price."

Saturday, 14 October 2017

Microsoft - Our contractual commitment

Microsoft is reportedly the first global service provider to publicly offer contractual commitments regarding the GDPR regulation. Watch the video in which Julia White explains Microsoft's commitment.
The video is part of a set of information presented under the common title:
Meeting the requirements of the GDPR regulation faster
https://www.microsoft.com/cs-cz/rethink-IT-security/GDPR/default.aspx
The video address is
https://www.youtube.com/watch?v=7cTp6JsO7UU

Experts react to the security risks of GDPR and AI

Rene Millman - 15 Jun, 2017 - http://www.itpro.co.uk
The full text of the article can be found on itpro.com, here: http://tinyurl.com/yagwrbvg
I quote selected ideas from the text of the article:
"Over the last few months, security experts have had to contend with the GDPR, ransomware, and AI as the three most pressing IT issues companies have to face at present."
"Endless surveys and research suggest very few organisations are prepared for the rules. Although, to be fair, it is hard to be ready when the Information Commissioner's Office (ICO) itself hasn’t yet published its final guidance on certain aspects. Adhering to the eight data protection principles still appears to be the best way forward in order to be compliant with GDPR."
"If a company can demonstrate it is fully compliant, its reputation will be enhanced."
"Ilias Chantzos, Symantec's senior director of government affairs for EMEA and Asia, said there is no box that can “solve” GDPR problems."
"The more people take seriously the threat of hacking and cybercrime, the more people will be cautious about suspicious content."
"Another issue was the increasing use of automation within technology as well as its impact on IT security. With the internet now meeting the “classic definition” of a robot as far as it being able to sense, think and act, we are creating a world-sized robot without even realising it."
"Artificial intelligence as a basis for IT security also got a grilling from Giovanni Vigna, CTO of Lastline. Such technologies only really work when they have large data sets, and you can only learn from “things you know”.
"Machine learning could be used to reduce the number of security analysts needed and direct focus on more important issues." 
"Ultimately, artificial intelligence, machine learning, and deep learning cannot be used in a simple way, according to Vigna. Organisations need to start at breach detection events to teach such systems to look for similar patterns elsewhere."

Data Protection and Privacy Commissioners Issue Global Connected Car Guidance

Posted on October 5, 2017 - huntonprivacyblog.com
PRIVACY & INFORMATION SECURITY LAW BLOG
Global Privacy and Cybersecurity Law Updates and Analysis
The full text of the article can be found at: http://tinyurl.com/ycu28rxx
I quote selected parts of the text of the article:
"Last week, at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong, data protection authorities from around the world issued non-binding guidance on the processing of personal data collected by connected cars (the “Guidance”). "

"Building on existing international guidelines and resolutions, the Guidance urges the automobile industry to follow privacy by design principles “at every stage of the creation and development of new devices or services.”
The PDF file with the full version of the adopted resolution:
"Resolution on Data Protection in Automated and Connected Vehicles"
can be found at: http://tinyurl.com/y8lwvkkb
The Guidance sets forth the following recommendations, among others:
List of 12 recommendations
I quote the conclusion of the article:
"While non-binding, the Guidance is being interpreted by many as a set of global standards to guide data protection enforcement efforts, and may signal a wave of enforcement actions to come. The Federal Trade Commission did not participate in issuing the Guidance."

Friday, 13 October 2017

GDPR and cloud

Markets Media, October 13, 2017
A looming data-privacy regulation holds significant implications for financial-services firms that store data in the cloud.
The full text of the article can be found on the bloomberg.com portal, at:
https://www.bloomberg.com/professional/blog/gdpr-and-cloud/
This article was for Markets Media and was licensed by Bloomberg.
I quote selected parts of the text:
"As a data storer, practitioners and experts generally say cloud is more secure than a traditional, on-premises IT environment, so cloud reduces the risk of the data breaches that are in GDPR’s crosshairs."
"Accountability for data protection cascades down through the data supply chain. Web-based companies will have to clearly define responsibilities and liabilities among solution partners.”
"Companies will need to know the attributes of their data and demonstrate consumer consent as baseline GDPR capabilities. They also need to ensure portability and erasure..." 
"Regulators are becoming cloud friendly,” Accenture said in a report highlighting cloud adoption as a key trend for investment banks in 2017."

Thursday, 12 October 2017

GDPR - personal data protection - conference programme

GDPR - personal data protection - the new EC regulation - conference programme
The conference was organised by SEMINARIA and took place on 20 September 2017.
I include this report mainly because the conference programme gave an overview of well-chosen current topics that professionals addressed at the conference.
The invitation with the programme can be viewed at https://www.seminaria.cz/, specifically
at
http://tinyurl.com/y7l4gogn
Preparation will take companies and organisations at least a year. The national conference acquainted participants with the content of the regulation and offered them a roadmap of which measures to start implementing and in which areas.
A brief evaluation of the conference can be found at:
http://tinyurl.com/y6v27b2k
I quote from the text of the evaluation:
- Eva Škorničková, a member of the Czech Government Office working group on GDPR legislation, conveyed important information arising from the new regulation to the conference participants.
- Jan Tomíšek from the law firm ROWAN LEGAL addressed the newly emerging role of the personal data protection officer, the so-called Data Protection Officer (DPO).
- Vojtěch Chloupek from the law firm Bird & Bird stated that, especially in online business, companies must for now wait for guidance from the WP29 working party.
- Igor Prosecký closed the conference with practical tips on how to prepare for the GDPR, how to carry out the initial analysis, which data it concerns and who is in contact with the data in question. In conclusion he stressed: "Underestimating the initial analysis will have a negative effect on all processes related to the GDPR."



Wednesday, 11 October 2017

Why GDPR will revolutionise marketing

"Not all doom and gloom: Why GDPR will revolutionise marketing"
October 10, 201
The article can be found on the portal: http://www.netimperative.com
at: http://tinyurl.com/y98thu2g
Author: Julian Saunders, founder of data management and GDPR compliance solution PORT.im, discusses how GDPR is great news for marketers
I quote from the text:

- "For talented marketers GDPR will create an environment in which they will flourish."
- "Organisations will have to prioritise the security of the data they hold, clearly communicate privacy terms and inform customers if there are any breaches. People will be empowered to make clear decisions on the messages they receive and what happens with their data. This will provide knowledge and control to customers. Companies that have a cavalier attitude to data privacy and security will find themselves having to self-certify their GDPR compliance and agree to accept onerous financial liabilities when they want to provide services to other enterprises."
- "Finally, the scales will fully tilt to innovative marketers, as businesses who continue to send simplistic, high volume and non-personalised content to their entire marketing database will soon find their customer base shrinking."
I quote the conclusion of the article:
"This quick run through of the probable implications of GDPR is likely to be just the start. Higher standards, improved marketing effectiveness, the necessity of innovation, and the imperative of implementing data management solutions will undoubtedly have many more unforeseen positive consequences. The responsibility is now on good marketers to go beyond the negative noise surrounding GDPR fines and ‘onerous’ regulations, and focus on how their approach to marketing should change to take advantage of this opportunity. Intelligent marketing professionals will revamp their strategy far in advance of May 2018 and begin up-skilling themselves on innovative marketing techniques."

Monday, 9 October 2017

Preparing for GDPR compliance: Where you need to be now and how to get there

Preparing for GDPR compliance:
"Where you need to be now and how to get there"

Article author: Doug Drinkwater, an experienced technology and security journalist. The article can be found on the csoonline.com portal at:
http://tinyurl.com/y8tll2jb
I quote selected parts of the text. For brevity I present the ideas themselves without giving the wider context in which they arose. Look for the authors of the texts in the sources mentioned.
- "Failure to comply with the EU General Data Protection Regulation (GDPR) leaves firms vulnerable to penalties, but many U.S. companies doing business in Europe are in danger of missing the deadline. Here’s how to catch up.
- "Behind the noise, hype, and misunderstanding is a substantial piece of legislation that will change how organizations operating in Europe approach data protection.
"It also harmonizes data protection across 28 EU member states, replacing the need for national legislation. The headlines are ... as well as mandatory security notifications, new rules around user consent, a clearer definition around what could be personal data (such as IP addresses, for example), and greater rights for people to access — or request deletion of — the information companies hold on them.
- "As such, GDPR transcends IT and spreads into areas like sales and marketing, but this complex legislation carries numerous misconceptions. The ambiguity over data processors and controllers — not aided by the controversial Google Spain court case of 2015 — has also caused headaches, especially around data stored in the cloud.
- "A lot of businesses are now holding back full implementation for compliance because it's hard to determine what compliance looks like, and are putting faith that a clear plan of action will be enough to deter the regulator.”
- "The big shock everyone has with GDPR is that they weren't operating in compliance with current data protection legislation. 
- "Data subjects are given rights to make it easier to access their own data, a right to data portability, a clearer "right to be forgotten", plus a right to be informed if your personal data have been subject to a serious breach.”
- "Rules on accountability and transparency are strengthened, and they will have to embrace concepts such as ‘data protection by design and default.’ 
GDPR readiness: Where businesses are today
- "The regulation, after all, stipulates companies must provide a “reasonable” level of protection
- "Like many, we've taken a risk-based approach for the implementation of controls; we're identifying where our data is, how it's protected, and ensuring our supply chain has agreed to new terms.”
- "We established a cross-departmental team to understand the scope of the new legislation, assess the processes and controls we have in place, and identify any gaps we had, before then addressing them. We then implemented a mechanism to automate the identification and searching of data stores across our systems and tied it to data classification technology that tags data based on its confidentiality. This is linked to data loss prevention controls that only allow certain data types to travel between networks.”
- "Vocalink jointly developed the firm’s strategy for GDPR among the legal, operations, and security teams, analyzing their environment against the EU regulations and drawing up a roadmap to quickly address any gaps.
- "The Drum, revealed how GDPR had enabled it to look at digital marketing in a new way — putting the customer at the center. 
- "The CIO of telco O2 spoke of how GDPR was an “opportunity to get our customers’ trust.” 
- "GDPR can bring some positives to business, such as improved data management and customer loyalty. “Better information management is one clear benefit, but the principle of privacy by design can deliver products and services that, cannily marketed, could be very commercially successful,” says Baines.
- "Most organizations are falling behind, only now appointing DPOs and steering committees, and fighting for boardroom buy-in. Others are progressing slowly with information audits and generally developing company-wide awareness. 
- "There’s the risk of additional penalties if you don’t meet any of these within the timeline given. Such penalties can cause a huge administrative burden and even cost the organization more than the fine,” 
- "Mandatory notification in 72 hours is clearly achievable. This isn't about a full diagnostic and report into what happened. This is the cursory notification to the regulator that something is afoot. Share what you know; your plan for further investigation and triage along with an anticipated timeline.”
- "How do companies accelerate their GDPR initiatives?
- "Organizations work closely with the DPO and their teams. If they don’t have a DPO, CISOs and CIOs should be lobbying their board hard to introduce one on the basis that “data protection isn't and shouldn't be, the sole responsibility of an information security lead.”
- "Organizations get some “validated and authentic” advice, and entrust a person or group of people to manage all aspects of GDPR, from delivering company-wide training to ensuring the supply chain is up-to-date (contract updates are recommended). At the heart of it, he says, is good data management. 
- “Work out what personal data you have. Where is it? How did you get it? Get rid of it if you don’t need it; a DPO could be considered good practice.
- "Organizations must understand the type of data, its location, and how it is being used. This should then be compared versus regulation requirements. “You have to maintain this level of compliance throughout your organization. Embedding privacy-compliant thinking into projects and programs, using tools like a privacy impact assessment, to understand the risk of each activity.”

Are you ready for the GDPR? GDPR Assessment

These pages contain a system of 26 questions, answered in sequence, concerning the current situation in which the organisation or company finds itself. After the last question is answered, the set of answers is evaluated and a Report is produced, which is displayed and offered for download. The result also includes an offer of software solutions to the problems, naturally from Microsoft's workshop. I included this GDPR benchmark in the weblog mainly because the system of questions asked can be inspiring for putting together one's own analysis of the situation.
The introduction can be found at: https://www.gdprbenchmark.com and the set of questions at: https://www.gdprbenchmark.com/questions
I quote from the introduction to the self-test:
"GDPR Assessment is a quick, online self-evaluation tool available at no cost to help your organization review its overall level of readiness to comply with the GDPR."
"Preparing for a new era in privacy regulation"
"Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations. We are committed to GDPR compliance across our cloud services when enforcement begins May 25, 2018, and provide GDPR related assurances in our contractual commitments."
Alongside the introduction, the start page also gives an overview of sub-topics relating to the GDPR, divided into 4 parts:
- Personal privacy - Controls and notifications - Transparent policies - IT and training.
As an example I give the topics from the "IT and training" group:
Organizations will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts
What GDPR means for your data:
- Stricter control on where personal data is stored and how it is used
- Better data governance tools for better transparency, record keeping, and reporting
- Improved data policies to provide control to data subjects and ensure lawful processing
Assessment
The following questions are meant to assist organizations by identifying technologies and steps that can be implemented to simplify their GDPR compliance efforts.
The system of questions is divided into groups by activity:
Segmentation - Discover - Manage - Protect - Report
Before the "confession", 4 definitions of terms are given:
Personal Data - Controller - Processor - Processing
Example question (no. 8):
Classify personal data. The GDPR has many requirements to enable the rights of data subjects. This makes it necessary to classify personal data.
How confident are you in the tools your organization currently has to classify personal data? (select an option)
- Very confident
- Mostly confident
- Somewhat confident
- Not very confident
- Don't know/Not Sure
The evaluation is aggregated per activity group: discover ...
Two groups of software solution options follow:
"A critical first step to addressing GDPR requirements is to identify all personal data managed by the controller, so that they can adequately protect it and respond to data subject requests, such as erasure, rectification, and data portability. Microsoft business products and services offer a number of ways to identify personal information:" (list of software follows).
"Controllers must have in place a mature data classification process and effective supporting technology that will enable them to comply with data subject requests, and meet other GDPR requirements. Microsoft business products and services offer a number of ways to classify personal information:" (list of software follows).

Sunday, 8 October 2017

GDPR and Azure, a new era for data privacy

7 Oct 2017 3:50 PM
GDPR Questions? Azure has answers
Roberto Stefanetti
The text can be found on the community.dynamics.com portal at:
http://tinyurl.com/ybyfdohu
The page is very brief; it essentially serves as a signpost to detailed text documents.
The first link is to a white paper describing the relationship between Microsoft's Azure product and the GDPR.
"White paper about Microsoft Azure and GDPR Compliance on Technet" https://gallery.technet.microsoft.com/How-Azure-Can-Help-788a4979
Microsoft cloud services such as Azure (as well as other cloud services and on-premises solutions that are out of scope for this paper) help organizations identify and catalog personal data in systems, build more secure environments, and simplify management of GDPR compliance. This white paper is written for decision makers, privacy officers, security and compliance personnel, and other stakeholders who would like to learn more about useful actions to prepare for GDPR compliance by using Microsoft Azure. It is divided into the following sections:
- Section 1 discusses the GDPR in general, its importance, and what approach Microsoft suggests for addressing GDPR requirements.
- Section 2 discusses how you can use Azure today to prepare for GDPR compliance.
- Section 3 discusses related topics such as Azure Cloud Germany.
- Section 4 provides additional recommendations that may be useful for your organization’s journey toward GDPR compliance.
I quote from the text on the page:
"Microsoft is here to help
- Please have a look at our white paper showing "How Microsoft Azure Can Help Organizations Become Compliant with the EU General Data Protection Regulation to gain an understanding of how your organization can use currently available features in Azure to optimize your preparation for GDPR compliance. "
- May 25, 2018: a new era begins for data privacy
On this date in a little less than a year, the new European Union (EU) data protection law will be implemented, replacing the old Data Protection Directive, which has been in effect since 1995. 
"Preparing for a new era in privacy regulation
"We are committed to GDPR compliance across our cloud services when enforcement begins May 25, 2018, and provide GDPR related assurances in our contractual commitments.
Learn more about how Microsoft products help you comply with the GDPR, and let us help you get started. You can also find resources like webinars, videos, white papers, and FAQs about the regulation."
"This is what we do
"Azure has developed a tradition of compliance which gives our customers the tools they need to comply with complex regulations. Our attention to, and preparation for the impact of GDPR continues to show how we equally prioritize the best cloud technology with the best compliance offerings.
Additional information about how Microsoft helps you to fulfill specific GDPR requirements are available at the GDPR section of our Microsoft Trust Center."

The Essential GDPR IT Checklist

6 October 2017
The article can be found on the spiceworks.com portal at:
https://community.spiceworks.com/partners/hp/the-essential-gdpr-it-checklist
I quote selected parts of the text:
"The GDPR does two things. It protects the data rights of EU citizens, and it protects their privacy i.e. their personal data. Anyone who does business within the single market will have to comply with it. That includes non-EU businesses who deal with EU customers.
A robust defence requires a multi-faceted approach encompassing networks, devices and people. Security by design means products are created with a view of how they’ll securely integrate to our customer’s networks.
"And the way we collect, store and use data needs to change. This requires a comprehensive data map covering what data is stored, where, and who has access. 
With that in mind, here are the 10 essential actions you need to take before the May 2018 deadline.
1. Stage One: Audit Your Situation
The first stage is to assess your situation. By getting a realistic view of your current status, you’ll know how much you need to change in order to comply. 
- Audit your data
Make sure you know where all your data lives, who has access and on what devices
- Audit your service partners
Make sure every service partner – cloud storage, SaaS etc. – that has access to your data is also compliant with GDPR, or under an officially sanctioned data jurisdiction
- Audit all authorised and unauthorised devices with access to personal data
Make sure you know every single device that has access to personal data – officially sanctioned or not
2. Stage Two: Access Control
The second stage is controlling access to company data, to keep track of who has access, and to prevent a single breach granting access to everything.
- Ensure administrative privilege control
Make sure administrative actions can only be taken by a select few, to minimise the risk of others gaining control of the network
- Ensure tiered access to personal data
Control access to data on a need-to-know basis. This should be based on the user, device and the network the request is coming from
- Ensure remote access and erasure rights for company data
Make sure you can retrieve and erase data from all devices with access to personal data, especially in instances of loss or theft
3. Stage Three: Multi-Layered Security
The final stage is to implement robust security to detect and respond to breaches. Remember that there are no quick fixes in cyber security. HP recommends a multi-layer defence policy, which gives a cohesive and well-rounded approach to a frequently changing cyber security landscape.
- Invest in new, more secure devices, if necessary
Multi-factor biometric authentication, Bluetooth lock, privacy screens and a self-healing BIOS all help to protect data at device level.
- Implement a regular scan and security software update policy
Traditional network defences – antivirus, antimalware and firewall – may not be foolproof but they’re still important. Regular updates are essential
- Implement real-time detect and response software
Secure your endpoints with practical real-time breach responses. Include a Security Information and Event Management (SIEM) tool
- Conduct employee training in cyber security
Aside from building security, these actions help to achieve compliance with the following key provisions of the GDPR:
- Report data breaches within 72 hours; and prove due diligence in preventing them
- The right to be forgotten: erase all of an EU citizen’s personal data upon their request
- Data portability: provide all personal data of an EU citizen in a format accessible to them
- International transfers: ensure data is only transferred to other GDPR compliant organisations, or those within jurisdictions deemed ‘adequate’
To find out more about the new GDPR changes, and the role of IT in making their organisation compliant, download our eGuide ‘The Essential Guide to GDPR Compliance.’ It includes a set of controls.
The eGuide mentioned can be found at:
http://www8.hp.com/h20195/v2/GetPDF.aspx/4AA7-0883EEE.pdf

Saturday, 7 October 2017

REMAINING COMPETITIVE MEANS COMPLYING WITH GDPR

OCT 7, 2017 - Shahzad Ahmad, Vice President, Genesys
It can be found on the globalbankingandfinance.com portal at:
http://tinyurl.com/yaqbqd9g
The short article contains a noteworthy paragraph; I quote:
"GDPR will also bring many opportunities to your business. If implemented correctly, GDPR can lead to a paradigm shift in the way that companies organise themselves and approach aspects of the business. By re-focusing on gaining customer consent over volume metrics like the number of email addresses in their database, brands will be challenged to communicate with their customers in new ways, building deeper, longer-term connections with a more engaged customer base. These connections will lead to higher satisfaction and more referrals, benefiting the brand through revenue generation."
The best GDPR solution for small companies will be moving to the cloud
An article with this title was published on 17 May 2017 on the www.podnikatel.cz portal at: http://tinyurl.com/yb6nbt4r
I quote selected parts of the text:
- "Applying the GDPR will be neither easy nor cheap. A comprehensive solution that could simply be bought, as for example for EET, does not exist. But the cloud will certainly help companies."
- "... even the smallest ones will first have to carry out an analysis of the current state in order to find out what needs to change, and then order the appropriate training, services or IT products."
- "The disadvantage is that the subject of personal data protection is very broad and it is practically impossible to solve the GDPR with a one-off investment."
- "Implementing the rules will require changes not only in IT but above all in internal processes. It will be necessary to adopt new concepts, make process changes and introduce measures that follow in particular the principles of data protection by design and by default. But how can even a small company manage this in terms of process and finances?"
- "As regards the technological solution and security, the easiest and relatively cheap option for small companies will be moving to the cloud. Cloud service providers guard their security carefully. In practice, in the vast majority of cases data will be safer in the cloud than at the company, however the business has security handled on its own servers. A further advantage of cloud services is that the servers, storage, services and applications these services offer are available to users remotely over a network or the internet."
The cloud is one GDPR solution, not the only one
The contractual terms of the cloud service will be the foundation
- "Under the GDPR, the duty to protect personal data applies to both the controller and the processor, and they are jointly responsible for its protection."
- "It will therefore be necessary to address this properly in the contracts between the controller and the processor."
- "Providers of cloud infrastructure have already prepared: last year the members of CISPE, a coalition of more than 20 cloud infrastructure providers operating in Europe, published a Code of Conduct for data protection."

Topvision seminar: Personal data protection under the GDPR

"Prepare for the revolution in the law in time"
The seminar will take place on: 2 November 2017, 09:00 - 17:00, Prague
Details about the seminar can be found on the Topvision portal, www.topvision.cz, at: http://tinyurl.com/yayhq33j
The course runs under the motto: Respond to the changes and avoid financial penalties
I quote from the offer: "This seminar responds to the great revolution in the field of personal data that will be brought about by the fundamental change introduced by the new Regulation (EU) 2016/679 of the European Parliament and of the Council, which enters into force on 1 April 2018. Learn about all the changes that await us and so avoid the enormous fines that will hit you in case of a breach."
What you will gain by attending the seminar:
- you will get an overview of all the changes the law will bring
- you will get to know the new elements concerning the protection of personal data and the free movement of such data
- you will understand the newly created obligations so that you avoid penalties for failing to meet them
- thanks to the lecturer's many years of experience in law you will receive plenty of practical advice and recommendations
The seminar is intended for:
- HR managers and personnel officers
- sales department staff
- public administration employees
Seminar programme - topics:
- the regulatory framework of the new personal data protection rules
- protecting the rights of data subjects in practice
- obligations of controllers and processors of personal data
- standardisation of controllers' and processors' tools
- international data transfers
- the institution of the data protection officer
- practical experience with preparing the GDPR implementation and suitable recommendations
- questions and discussion
The seminar's lecturer is Magda Janotová, a lawyer specialising in labour and commercial law, a mediator and an arbitrator of the Arbitration Court attached to the Czech Chamber of Commerce and the Agricultural Chamber of the Czech Republic. Information about her education and experience can be found on the seminar page.

GDPR and CCTV systems

4 October 2017 - The article's content was prepared by HRnews in cooperation with TaylorWessing
The article can be found on the www.hrnews.cz portal at:
http://tinyurl.com/ycygtgne
I quote selected parts of the text:
- "The current Personal Data Protection Act imposes a duty to inform persons moving about in a monitored area that they are being monitored. Opinions have appeared, however, that under the General Data Protection Regulation (GDPR) these persons should give written consent."
- "Further uncertainties arise over how to balance the employer's interest in guarding the building and property against employees' right to privacy."
The article sets the current speculation straight and explains the obligations that follow from the introduction of the GDPR's data protection principles from May 2018.
- "In practice, the duty to inform individuals about the processing of personal data is also confused with consent to the processing of personal data. It is therefore necessary to distinguish between consent and information. The individual must always receive the information."
- "For the use of CCTV systems to monitor persons and record them, the rule is that it must be necessary to fulfil a specific purpose and must be proportionate to the circumstances and to the protection of those persons' privacy."
I quote the article's conclusion:
- "Pomaizlová's final comment concerns clarifying the role of the controller. „If the controller processes personal data on the basis of the individual's consent, it must indeed be able to demonstrate that the individual gave consent, but that does not mean the consent must always be in writing,” she adds. Article 4 of the GDPR defines consent as „any freely given, specific, informed and unambiguous indication of the individual's wishes by which he or she, by a statement or by another clear affirmative action, signifies agreement to the processing of his or her personal data. For consent to be truly freely given, the individual must be able to withdraw it at any time, and moreover the performance of a contract cannot be made conditional on giving consent. This does not, however, rule out the controller offering the individual, beyond the performance of contractual obligations, for example when delivering goods ordered from an online shop, a discount on goods in exchange for consent to the processing of his or her personal data for marketing purposes.”"

GDPR certification: What is it, and do you need it?

The article can be found on the "itpro.co.uk" portal at:
http://tinyurl.com/y8d946fo
I quote selected ideas from the article:
How the ICO will measure GDPR compliance, and whether a certificate means anything
- "Companies are promoting all sorts of GDPR training courses that come complete with exams and certificates. Almost all of them, though, are meaningless."
- "Organisations simply need to comply with the GDPR (or at least try to). ...You don't need to prove compliance ... you simply have to be compliant."
How can you demonstrate GDPR compliance?
"There are a few different forms of proof organisations can offer the ICO. These must all demonstrate:
a) Internal policies and procedures that comply with the GDPR's requirements
b) The implementation of the policies and processes into the organisation's activities
c) Effective internal compliance measures
d) External controls
- "All of these would not only need to be documented (for example, policies), but there would need to be a record kept of how they were being carried out in practice to demonstrate compliance."
- "Data controllers ... must be able to show they have established a data protection compliance programme and privacy governance structure, as well as ongoing privacy controls."
- "Controllers, ... they must train employees on privacy and data protection matters and test their privacy measures, using the results to improve their policies."
- "The GDPR is holistic: you have to comply with all aspects of the GDPR."
Are any GDPR certification schemes worth the money?
- "Certainly not if you enter them for the purpose of gaining a certificate demonstrating compliance."
- "Organisations who undertake their courses may still be found non-compliant by the ICO."
- "Existing schemes, if using the GDPR legislation as their basis, may have some value - the more any organisation does to comply the better. Obtaining any form of external certification implies that [an] external organisation is going to check where the target organisation is not doing enough, thus enabling the target organisation to become more compliant."

Friday, 6 October 2017

IP Expo: GDPR - "All of us will carry a quantum of illegality"

by Tony Morbin - October 05, 2017
The article can be found on the scmagazineuk.com portal at: http://tinyurl.com/yc8eb4bj
I quote selected ideas from the article:
- "GDPR is built on the assumption that people are better prepared than they are, so we will fail to comply, therefore take a risk-based approach and focus on the things that matter."
- "GDPR has been built on a series of false assumptions which means we will fail, regardless of the amount of time or resources we deploy thanks to these false assumptions."
- "The biggest risk if starting a GDPR program now, is that if you require the services of third parties – all the good ones are now gone, thus there is a delivery risk to the programme. Plus, legislative compliance risk is wholly different from regulator risk, which is part of your spectrum of risk."
I quote from the concluding paragraph:

- "Finally, organisations need to understand the wider context – legal, regulatory, and false assumptions. This will enable them to make purposeful choices and properly define their risks using root cause analysis."

How the EU GDPR Will Affect SAP

Feature Article | October 5, 2017 by Andreas Schmitz
The article can be found on SAP's news portal at:
https://news.sap.com/eu-general-data-protection-regulation-sap/
I quote selected ideas from the text:
"What Measures is SAP Taking
Let’s take a look at how SAP is dealing with the GDPR.
a) - What Exactly Will Change?
For companies, the GDPR introduces an obligation to establish a “structure conducive to data protection.” 
This includes the following requirements, among others:
- Data protection impact assessments when using new technologies
- Data portability, which ensures that data can easily be transported from one network to another
- The obligation to delete private data when requested by the respective user
- The use of technologies that were developed based on the principles of privacy by design and privacy by default, which means that technical data-protection requirements were met during the design of a given product and are easy for users to modify
- Observance of the lex loci solutionis principle, which means that the GDPR applies to all companies operating within the EU, regardless of where they are headquartered
- The obligation to maintain proof that all of the necessary data protection measures are being taken at a given company. The GDPR provides for much higher penalties (up to four percent of a company’s revenues) if this requirement is not met.
The author then turns to the following questions:
b) - What Can Companies Expect?
c) - What Measures is SAP Taking?
d) - What Internal Actions Does SAP Still Need to Take?
I quote the article's conclusion:
"“Anyone who creates a new process now puts it straight into the central record,” Wiedemann adds. By the end of the year, SAP wants to have all of its processes listed – that’s more than a thousand in total."