Succeeding with the never-ending task of data protection

Three organic laws have followed one another in 30 years (LORTAD of 1992, LOPD of 1999 and the transposition of the European GDPR of 2016) on the protection of personal data entrusted to third parties and circulating on networks.

Thomas Osborne
09 August 2022 Tuesday 20:09
There is a massive but insufficient awareness of the problem, in part fueled by the theft of sensitive data and information.

"In practice, users have recently begun to value the transparency with which they are obliged to inform them of attacks and infractions that may affect them, whether as a result of criminal attacks or malpractice in the custody of their data," maintains Antonio Quevedo, CEO of GlobalSuite Solutions.

For the first time, since the GDPR, companies must not only comply with the law but also prove what they have done to comply with it and to ensure that their staff do so. Consequently, there is a requirement for traceability and record-keeping.

Failure to comply can be sanctioned with up to 3% of the offending company's turnover. Despite this, "it is known that certain companies, I cannot say whether few or many, when they consider that their incidents will not be discovered, are tempted not to report them for fear of damaging their reputation."

GlobalSuite belongs to a segment of the technology market known as GRC, an acronym that combines the G for governance, the R for risk and the C for compliance. But, “no matter how many layers of onion are put on the software, I am afraid that there will always be the risk that someone appropriates my data or that someone does not properly guard it,” he says. This reinforces the need to be able to certify that the appropriate measures have been taken.

This company, founded by Quevedo in 2007, has more than 2,000 clients, among which its website highlights names such as Renfe, Bankinter, Telefónica, Repsol, Inditex and Naturgy. It also has smaller clients, which are served through collaborating partners. Depending on their size, sector and internal capacity, customers can operate the software themselves or contract it as a service. "Our mission," he says in a conversation with Dinero, "is the implementation of an orderly process by which we are able to have all the preventive information on risks and that is necessary to ensure continuity even after having suffered an incident."

Like any other business software, GlobalSuite's is based on ingesting a volume of data that feeds a risk analysis: what potential threats exist and what safeguards to establish so that they do not materialize. "The automatisms of the application leave a trace that is valid as accreditation and to serve as evidence of what the company has done to comply with the legislation."

A frequent source of problems is cybercrime, but there are other problems to watch out for, such as the coexistence of outdated software with modern software. “Except in very new companies, historical data abounds; they are kept, and the law stipulates how they must be kept and, where appropriate, deleted based on the declared treatment […] it even defines deadlines for deleting those that are no longer operationally necessary.”

A related matter, covered not by the GDPR but by a 2019 directive (not yet transposed by Spain), is the protection of people who report infringements of Community law. In this regard, GlobalSuite clients are moving forward with the creation of complaint channels, one for employees and another for anonymous third parties.