From ethical hacking to the GDPR

Experts of 4iG identified the weaknesses of Ryowa Hungary’s IT system. Seeing their professionalism, the Japanese automotive supplier gave a more complex project to the IT company. 4iG prepared the company of the Mitsubishi Group for the appropriate application of the uniform European data-protection regulation. The two companies have been cooperating ever since, and the continuous services of 4iG ensure Ryowa Hungary’s GDPR compliance.

The story started with the excellent performance of 4iG’s ethical hackers, who were able to proceed to the next level as a reward. The experts of the IT company looked for weaknesses, i.e. they performed cybersecurity testing of Ryowa Hungary’s IT system in multiple rounds. This company belongs to the Japanese Mitsubishi Group and has been manufacturing a wide range of electronics, from generators to fuel pumps and reversing cameras, for almost 100 years. The company has been present in Hungary for nearly 20 years, meaning that all Suzuki cars manufactured in Esztergom contain a Ryowa product as well.

As is usually the case, the first successful project brought the next one. That is how 4iG’s experts were given the chance to develop and then manage the complex process of making Ryowa’s operations comply with the European Union’s General Data Protection Regulation, the often-mentioned GDPR, which took effect in May 2018. “After multiple consultations in person, we mapped the IT security needs and gave a quotation. The Japanese partner accepted that and ordered our data asset assessment, GAP analysis, consultation, implementation, documentation and the data protection officer services,” said Ms. Dóra Julianna LAKITS, 4iG’s primary account manager for Ryowa. The parties could easily understand each other because one of 4iG’s employees, Mr. Gyula DABRÓNAKI, has native language skills in Japanese. This proved useful for the team of Mr. Balázs BUCSAI and Mr. János KLINCSOK, engineers, and Mr. Krisztián GILA, services manager, in understanding the IT tasks and explaining the solutions they had developed.

IT inventory

Ryowa Hungary operates two servers; its offices have thirteen workstations, with another two in the plant area. “Although our IT fleet is not large, we must fully comply with the Mitsubishi Group’s strict security requirements,” pointed out Zuzana Yoshio, the manager assistant of the company. GDPR compliance started with a data security, data protection and data asset assessment, which 4iG’s experts closed with a complete data asset inventory. “It was essential for our GDPR compliance,” added Zuzana. The manager assistant still appreciates that 4iG’s experts explained the entire process credibly and clearly, in person, to all Ryowa employees from warehouse workers to IT specialists, and also motivated the employees to implement the tasks effectively.

“It is general that companies keep vast amounts of data until the end of time. In contrast, the GDPR policy requires that data storage be specific and limited in time. Staff-related data, for example, should be kept for another five years after the relevant employee has reached retirement age,” said Mr. Balázs BUCSAI, 4iG’s project manager. The Ryowa project therefore started with the experts setting a goal for each type of data stored; these goals were then adjusted to the legal and business requirements. After that came the data clean-up: archiving, deleting and encrypting. “The law does not allow the keeping of certificates of good conduct; some companies still find it hard to get rid of them,” mentioned 4iG’s project manager.

A cost-effective solution

The inventory revealed that Ryowa had saved a vast amount of data in duplicate or triplicate. Cleaning up these duplicates and triplicates saved the company a considerable amount of money, because it did not have to buy extra IT solutions. This approach was in line with “4iG’s declaration that the point of GDPR compliance is not that it proposes the implementation of expensive systems,” said Zuzana Yoshio.

If the purpose of data processing is not defined by the law or a contract, then the interests should be considered. In that case, the company must credibly demonstrate to the data protection authority that processing the relevant data is necessary and that it does not violate individuals’ rights. “This is a half legal, half IT service, and Ryowa managed to cut data storage costs thanks to the data asset inventory and the data clean-up,” said Balázs BUCSAI.

4iG’s experts provided training on GDPR compliance, and Ryowa’s employees asked questions, which means that they found the topic interesting. Their interest did not fade in live situations either, and they came up with ideas and proposals after the implementation of the GDPR policy. The two companies were able to develop a fine cooperation, and nowadays 4iG’s continuous services ensure Ryowa Hungary’s GDPR compliance, including the exercise of data protection officer functions. The experts of the IT company automatically adapt internal policies and documents to changes in the law. Currently, they are adapting them to changes in the requirements concerning the retention of security camera recordings.