Due both to an eagerness to do things correctly and a fear of doing things wrong, many companies prepare far more records of their processing activities than necessary. Our expert explains how you can group together your processing activities and save yourself many hours of (wasted) work.
Seneste indlæg
Picture this: it’s the end of May and you’ve managed to fulfil the criteria of the EU Data Protection Regulation - you’ve achieved GDPR compliance. But how do you make sure you stay compliant in the future?
No doubt the GDPR implementation project was big and required a team effort. There might even have been extra resources allocated, as everyone realised the importance of getting this right. But now that the deadline has passed, and the goal has been met, your co-workers need to get back to their day-to-day assignments. So how do you successfully maintain continuous GDPR compliance with half the people, and maybe even half the resources?
- Guidance and good advice for carrying out a DPIA
For some organisations, the DPIA is high on the list of GDPR related assignments that need to be sorted. But for many, the DPIA can actually wait – or at least be simplified so that it doesn’t require so many resources. Our Director explains when and how you should carry out a DPIA.
The EU Data Protection Regulation states that you must train your employees in handling - and securing - personal data. However, it doesn't say anything about how you should train your employees in handling personal data.
"That part is open to interpretation, so you have to get creative," says Lone Forland, our product specialist who also works with information security campaigns.
The EU Data Protection Regulation is a good example of just how important it is to define a challenge before you start trying to solve it.
Essentially, GDPR is about organisations protecting their personal data. However, before you can figure out how your organisation protects its personal data, you need to know why the organisation has this data to begin with. Understanding the reason is basically a pre-requisite for taking any action.
Most organisations know that performing a risk assessment is good practice. However, not all organisation actually do risk assessments, and those who do, often approach them in the wrong way. All too often, risk assessments are treated as a project that can be finished and that will be that, whereas the reality is that risk assessment and risk treatment are an ongoing process.
Risk Assessment And Risk Treatment Are a Process
Risk assessment is a process, not a one-off project. The reasons for this can be boiled down to these three points:
- Registering your data processing activities is enough.
Are you busy preparing for the GDPR, but getting stuck carrying out a dataflow analysis? Then you need to read this: When it comes to complying with the GDPR, a comprehensive and detailed dataflow analysis is not necessary or mandatory!
It is uncertain where the speculation started, but at some point, people started talking about the necessity of performing lengthy dataflow analyses to be compliant with the GPDR.
Likely, this resulted from an embellishment of the regulation requirements, and somehow it seems to have stuck around. The fact is - the Data Protection Regulation does not explicitly mention nor require you to carry out a dataflow analysis! It does however state that you need to “maintain a record” of your relevant “processing activities”. One could argue semantics here, but it is easy to see where exaggerations and embellishments can be easily introduced.
The EU data protection regulation is about getting those who process personal data used to the right processes. However, when it comes to compliance, the GDPR is very much about getting used to doing what is necessary. No more, no less.
We have identified three areas in which you can save time, money, and worrying:
Climbing that mountain of compliance, over and over again.
GDPR has been with us since 2018, and some are still panicking. Becoming compliant and staying compliant are two very different things. In this blogpost, I will highlight the difference between the two and how to tackle the challenges that may arise along the way.
For the better part of a year, we have all been told that the EU GDPR is here, and that we will need to live up to a host of new requirements. The fear mongers have also told us about the huge fines we will be subject to, and just how far away from being compliant we all are.
So, there has been a lot of talk about what the requirements we will be hit with are, but there has not been as much talk about how to actually run an implementation project. And a lot of that talk is based on interpretations of the regulation and - in many cases - an unfounded over-implementation of the regulation.
Data Protection Officers. It’s a topic that seems to be on everyone’s mind now that we actively preparing for the implementation of the GDPR, but who needs them?
Anyone working with information security management is by this stage well aware of the upcoming EU General Data Protection Regulation. Come to think of it, even those not working with information security management have probably heard of it too, considering the amount of coverage it has gotten. It’s no wonder given that the new regulation will be the biggest data protection regulation to date. Even though it is being set by the European Union, it will affect companies worldwide. This is because together, the 28 EU member states not only represent the world’s largest economy but are the top trading partner for 80 countries. Effectively, this means that any country dealing with personal data from citizens of the European Union will need to comply with the GDPR.
Soon after the news about the GDPR broke, another abbreviation started popping up everywhere: DPO. Of course, a Data Protection Officer is not a new role per se, but with the sudden focus on the legality of data protection, it only makes sense that we start focusing more on their role. The International Association of Privacy Professionals originally estimated that the new data protection regulation would require 28,000 DPOs in Europe and the United States. They have now increased that number up to 75,000 new DPO positions, worldwide. 75,000 is a lot of positions to fill, which leads to the question: who needs a Data Protection Officer?
