GDPR 679/2016
LOPD-GDD 3/2018
Prior audit
This analysis is indicated for companies that have no previous adaptation, or whose adaptation to the LOPD-GDD 3/2018 was initially carried out without regular monitoring or continuity. It is the preliminary study needed before the effort required for adaptation can be estimated, covering Company Policies, Security Policies, Contract Clauses, Legends and all those legal texts that are habitually "cut and pasted" from other organizations and therefore applied incorrectly to the real needs of the company.
Advice on Technology Contracts
Technology Contracts
It is well known that companies, and individuals too, currently depend to a very high degree on Information Technology and its service providers. A poorly written or poorly oriented contract undoubtedly causes undesirable damage. At ASTRYA we are used to providing this type of advice for contracts covering:
Custom development, User licenses, Maintenance, Hosting, Outsourcing, Service Level Agreements (SLA), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), On-demand Service Agreements (OSA), Cloud Computing, etc.
Risk Analysis and Impact Assessment
Risk Analysis
Regulation (EU) 2016/679, of April 27, 2016 (GDPR), provides in Article 35 that the data controller must carry out, before processing, an assessment of the impact of the processing operations on data protection whenever a type of processing is likely to entail a high risk to the rights and freedoms of natural persons.
The AEPD has published several guides on how to carry out Impact Assessments. At ASTRYA we follow the Privacy Driver method, which combines the specifications of the Spanish Agency with the experience gained from multiple clients.
ISO 27001 and ENS
ISO 27001 ENS Implementation
An ISMS (Information Security Management System) plan consists of designing, implementing and maintaining the whole set of processes that belong to, or may affect, the Information System, so that information and its relationships with devices can be managed efficiently and its integrity, confidentiality and availability ensured on an ongoing basis.
On the other hand, the National Security Scheme (ENS) is a requirement established by Law 11/2007 of June 22, on electronic access of citizens to Public Services, and regulated by Royal Decree 3/2018, of January 8. The ENS must be implemented by Public Administrations, as well as by external companies that provide services to Public Administrations which involve access to their information.
IT security
Cybersecurity
Royal Decree 43/2021 develops numerous aspects of Royal Decree-Law 12/2018 on the security of networks and information systems. It is the main rule addressing cybersecurity matters, ensuring the alignment of Spanish law with the harmonized European framework in accordance with Directive 2016/1148 (better known as the NIS Directive, an acronym for networks and information systems). This recent regulatory development enriches the regulatory framework specifically developed for the field of cybersecurity for those sectors and operators of critical infrastructures.
DPO
Data Protection Officer
Articles 37, 38 and 39 of the GDPR determine the cases, functions and responsibilities of the Data Protection Officer, but it is especially Article 34 of our LOPD-GDD that determines, without any doubt, who is obliged to appoint this figure. Its main objective and responsibility is to inform, advise, supervise and cooperate with the controllers so that the processing of personal data is carried out within the framework of legality and with special attention to the rights of individuals in the field of Data Protection.
The figure of the DPO is decisive for security and regulatory compliance in public and private organizations. It is a fundamental role in which ASTRYA has extensive experience and satisfied customers.