GDPR

Our commitment to GDPR for your safety

The right path to GDPR compliance

The new regulation, known as the General Data Protection Regulation (GDPR), comes into effect from 25 May 20

Sensitive data

QUIDGEST has developed the best solution for adapting your business to the requirements of the GDPR. We believe that applications must guarantee four layers of analysis and response: Logs, Authorisation, Encryption and Search.

Main goals

We intend each of these layers to be understood in terms of how it applies to each organisation and to each piece of software. They are described below.

Logs

The Logs layer aims to record all create, read, update and delete (CRUD) operations on data of a sensitive or private nature. We guarantee that this is done through automated database (DB) side events, so that the information is recorded whether the CRUD operation is performed directly in the DB or through the solution. This data can only be read by the administrator, who can export it in order to ensure the historical storage of the operations carried out.

It is possible to register current and previous data, the person who carried out the operation, as well as the date when it was carried out, all in order to allow traceability and identification of problems in case of need.
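The idea of DB-side audit events can be sketched with SQLite triggers. This is an added example, not QUIDGEST's code: the `patient`, `session_ctx` and `audit_log` tables and the actor names are hypothetical, and the append-only triggers on the log are an extra hardening step that the page does not describe. SQLite triggers fire only on INSERT, UPDATE and DELETE, so the read part of CRUD is not covered here.

```python
import sqlite3

# Constructed schema: "patient" stands in for any table holding sensitive data.
# session_ctx is a stand-in for the DBMS session user, which SQLite lacks.
SCHEMA = """
CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT);
CREATE TABLE session_ctx (actor TEXT);
INSERT INTO session_ctx VALUES ('unknown');
CREATE TABLE audit_log (
  id INTEGER PRIMARY KEY AUTOINCREMENT, at TEXT DEFAULT CURRENT_TIMESTAMP,
  actor TEXT, op TEXT, row_id INTEGER, old_value TEXT, new_value TEXT);
CREATE TRIGGER patient_ins AFTER INSERT ON patient BEGIN
  INSERT INTO audit_log(actor, op, row_id, old_value, new_value)
  VALUES ((SELECT actor FROM session_ctx), 'INSERT', NEW.id, NULL, NEW.diagnosis);
END;
CREATE TRIGGER patient_upd AFTER UPDATE OF diagnosis ON patient BEGIN
  INSERT INTO audit_log(actor, op, row_id, old_value, new_value)
  VALUES ((SELECT actor FROM session_ctx), 'UPDATE', NEW.id, OLD.diagnosis, NEW.diagnosis);
END;
CREATE TRIGGER patient_del AFTER DELETE ON patient BEGIN
  INSERT INTO audit_log(actor, op, row_id, old_value, new_value)
  VALUES ((SELECT actor FROM session_ctx), 'DELETE', OLD.id, OLD.diagnosis, NULL);
END;
-- Added hardening (not claimed by the page): the log itself is append-only.
CREATE TRIGGER audit_no_upd BEFORE UPDATE ON audit_log BEGIN
  SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_del BEFORE DELETE ON audit_log BEGIN
  SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def run_demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Write made through the application on behalf of a logged-in user.
    db.execute("UPDATE session_ctx SET actor = 'app:alice'")
    db.execute("INSERT INTO patient VALUES (1, 'J. Doe', 'A')")
    # Writes made directly against the DB, bypassing the application.
    db.execute("UPDATE session_ctx SET actor = 'dba:console'")
    db.execute("UPDATE patient SET diagnosis = 'B' WHERE id = 1")
    db.execute("DELETE FROM patient WHERE id = 1")
    try:  # attempt to erase the trail
        db.execute("DELETE FROM audit_log")
        tamper_blocked = False
    except sqlite3.DatabaseError:
        tamper_blocked = True
    rows = db.execute(
        "SELECT actor, op, old_value, new_value FROM audit_log ORDER BY id").fetchall()
    return rows, tamper_blocked

if __name__ == "__main__":
    print(run_demo())
```

Because the triggers live in the database, the direct `dba:console` writes are logged with their previous and current values exactly like the application write.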

Why is this important for GDPR?

GDPR Chapter IV, Section 1, Article 30.

  1. Each data controller and, where applicable, its representative shall keep a record of all processing activities under its responsibility. This record shall contain all the following information:
    • The name and contact details of the data controller and, where applicable, any joint data controller, the data controller's representative and the data protection officer;
    • The purposes of the processing of the data;
    • A description of the categories of data subjects and the categories of personal data;

Authorisation

At the Authorisation level, the system administrator has a fundamental role, made easier by a dedicated tool that is fully integrated with any system provided by QUIDGEST. This allows for changing privileges, system maintenance and user maintenance at any time and in any location. In addition to those mentioned, the allowed functionalities include: changing the password hashing algorithm to Argon2, setting the minimum number of characters and the complexity of user passwords, and changing access privileges individually for each user and for each module. QUIDGEST may also be requested to integrate with citizen card authentication, making access more convenient and more secure through a digital certificate. All access made through the authentication mechanism can be tracked and identified in the logs.

Why is this important for GDPR?

GDPR Chapter IV, Section 2, Article 32.

  1. The data controller and the processor shall take measures to ensure that any natural person acting under the authority of the data controller or the processor and having access to personal data only processes such data on instructions from the data controller, unless required to do so by Union or Member State law.

Encryption

All communications can be encrypted. We give priority to the use of SSL certificates, both at the front-end level and in communication with the DBs. Authentication cookies are encrypted based on SHA256. At the DB level, transparent encryption technology can also be used to prevent data leakage through backups and unauthorized data access.

Why is this important for GDPR?

GDPR Chapter IV, Section 2, Article 32.

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons, the data controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:
    • The pseudonymisation and encryption of personal data;
    • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  2. In assessing the appropriate level of security, account shall be taken, in particular, of the risks posed by the processing, in particular as a result of accidental or unlawful destruction, loss and alteration, and unauthorised disclosure or access, to personal data transmitted, stored or otherwise processed.

Search

The Search layer is extremely important, and for this reason it warrants an autonomous system of its own. The Data Protection Management (DPM) system allows the organisation to structure its data, have a control platform and report to the regulator. This solution has three possible interfaces: Data Protection Management, Data Holder Portal and Supplier Portal (this system can be purchased as a complement to the solution). QUIDGEST develops its systems with a model-driven development (MDD) methodology using Genio, software developed by us. In this way, it is possible to guarantee increased productivity and compatibility between the various products provided. With this software, we create all the definitions and standards that make up a final system. Genio already allows the classification of sensitive data, and all the technical documentation that Genio itself generates will identify these fields.

Why is this important for GDPR?

GDPR Chapter III, Section 1, Article 12.

  1. The data controller shall take appropriate measures to provide the data subject with the information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 concerning the processing, in a concise, transparent, intelligible and easily accessible form, using clear and simple language, in particular when the information is specifically addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. If the data subject so requests, the information may be provided orally, provided that the identity of the data subject is proven by other means.
  2. The data controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the data controller may not refuse to comply with the data subject's request to exercise his or her rights under Articles 15 to 22, unless the data controller demonstrates that it is not in a position to identify the data subject.
  3. The data controller shall provide the data subject with information on the measures taken, upon request made under Articles 15 to 20, without undue delay and within one month of receipt of the request. This period may be extended by up to two months where necessary, taking into account the complexity of the request and the number of requests. The data controller shall inform the data subject of any such extension and the reasons for the delay within one month of receipt of the request. Where the data subject submits the request by electronic means, the information shall, wherever possible, be provided by electronic means, unless the data subject requests otherwise.

GDPR Chapter III, Section 2, Article 15.

  1. The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her is being processed and, where that is the case, the right to access his or her data.