General Data Protection Regulation (GDPR) is the Regulation of the EU Parliament and the Council on
the protection of individuals with regard to the processing of personal data and on the free movement
of such data. The Regulation is in line with Czech legislation and comes into effect on May 25, 2018.
The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy
laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way
organizations across the region approach data privacy.
The rights of individuals (data subjects) to protect their personal data are significantly strengthened by
the Regulation. You will need to be able to respond to and meet the following requirements:
- Information about the processing of personal data, its reason and its scope
- Access to collected personal data
- Correction/rectification of personal data
- Mandatory notification when personal data are repaired or deleted, or
- Transferring data to another data
- Information provided when personal data have not been obtained from the data
- Right to be erased (“the right to be
- Objection against processing, against automated processing, profiling, etc.
- Data processing restrictions
- Revocation of consent to the processing of personal data
- GDPR sets heavy fines – 2 % (4 %) of annual worldwide turnover or 10,000,000 EUR (20,000,000
EUR) for non-compliance with the Regulation (brackets indicate subsequent penalties for
non-compliance with corrective measures). Other penalties for data leakage are determined by the
What can happen if you don’t comply with GDPR regulations?
- Legal action by individuals whose personal data you do not protect well or whose data privacy
rights you do not respect.
- Loss of existing ISO certifications due to non-compliance with the law.
- Inspection by the local authority to check that the requirements of the Regulation are met.
- Penalties imposed by the local authority.
Time is flying – an example of a GDPR implementation schedule
The key date is May 25, 2018. From that date on, any company must be able to demonstrate its ability to
comply with the rules required by the Regulation. Therefore, it is necessary to start as soon as possible.
How to become GDPR ready?
Ness recommends taking the following steps
The GDPR Governor supports GDPR processes with a view to providing information to individuals and
reducing the workload of meeting these obligations.
It is a single tool for GDPR requirements:
- Single view of the stored customer data
- Reporting personal data of your customers
- Managing their consents
- Anonymizing their personal data
- Personal data access audit
GDPR Governor holds the configuration of which data are stored in which system and how data sets are identified within that system (e.g. by birth number). Data are categorised, and the configuration is aware of interconnections with data in other systems. It holds the binding between consents and data sets in multiple systems. It also holds the data retention policy and the configuration of how the extracted data are visualised to the user.
Your existing systems are required to implement a GDPR data connector: a unified API for all legacy systems, used to gather personal data from each existing system.
Extract –> Categorize –> Analyse
Based on the entered search criteria (e.g. birth number, ID card), GDPR Governor identifies all systems which could contain customer data matching the criteria. GDPR Governor queries those systems, then categorizes and analyses the results to find other systems containing interconnected data. GDPR Governor keeps querying those systems until all the data are extracted.
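As an added illustration, not code from Ness or the GDPR Governor product: a minimal Python model of this extract, categorise and analyse loop. The systems, identifier types, categories and records below are constructed, and a dictionary lookup stands in for the unified data connector API.

```python
from collections import deque

# Constructed stand-ins for legacy systems behind the data connector: each system is
# indexed by the identifier type its configuration says it is keyed on (assumption).
SYSTEMS = {
    "crm":       {"birth_number": {"850101/1234": {"name": "J. Novak", "customer_id": "C-77"}}},
    "billing":   {"customer_id":  {"C-77": {"iban": "CZ00 0000 0000 0000 0000 0000", "contract_id": "K-9"}}},
    "contracts": {"contract_id":  {"K-9": {"signed": "2016-03-01", "birth_number": "850101/1234"}}},
    "marketing": {"customer_id":  {"C-99": {"segment": "gold"}}},  # a different customer
}
# Configuration: which fields are identifiers that interconnect systems, and how the
# remaining fields are categorised for the structured view (constructed sample values).
IDENTIFIER_TYPES = {"birth_number", "customer_id", "contract_id"}
CATEGORIES = {"name": "identity", "iban": "financial", "signed": "contract", "segment": "marketing"}

def query(system, id_type, value, audit):
    """Simulated data connector call; every access is audited, even when nothing is found."""
    audit.append((system, id_type, value))
    return SYSTEMS[system].get(id_type, {}).get(value)

def extract(id_type, value):
    """Extract -> categorise -> analyse: follow identifiers across systems until no new data appear."""
    audit, found = [], {}
    seen = {(id_type, value)}
    queue = deque(seen)
    while queue:
        t, v = queue.popleft()
        for system, index in SYSTEMS.items():
            if t not in index:        # this system is not keyed by that identifier type
                continue
            record = query(system, t, v, audit)
            if record is None:
                continue
            found[system] = record
            for field, val in record.items():     # analyse: new identifiers open further systems
                if field in IDENTIFIER_TYPES and (field, val) not in seen:
                    seen.add((field, val))
                    queue.append((field, val))
    return found, audit

def categorise(found):
    """Group the extracted fields by category, as a structured view or machine-readable export would."""
    view = {}
    for system, record in found.items():
        for field, val in record.items():
            cat = "identifier" if field in IDENTIFIER_TYPES else CATEGORIES.get(field, "other")
            view.setdefault(cat, []).append((system, field, val))
    return view
```

Calling `extract("birth_number", "850101/1234")` returns the records from crm, billing and contracts, while the unrelated marketing record is never returned; the audit trail still records that marketing was queried.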
View and search audit logs with a powerful Elasticsearch-based tool. Suspicious access to sensitive data is detected automatically.
Access to GDPR Governor itself is audited.
GDPR Governor gathers data from various systems into a single configurable, structured UI. Export in a machine-readable format (XML/JSON) is supported.
Stores and manages all customer GDPR consents, including their complete history. Automated notification when a consent is about to expire. Triggers automated anonymization of data as soon as a consent expires or is invalidated.
Anonymises extracted data, anonymises whole entities in systems together with their consents, and anonymises automatically when a consent expires or is invalidated. Automated anonymization is driven by business rules (e.g. customers may anonymise only certain data; data are anonymised automatically when no valid consent is connected to them; etc.).
- 30% implementation cost & time reduction
- Predefined templates for easier GDPR related data analysis
- Proven, centralized, audited solution
- Unified view of customers’ sensitive data as additional business value