The EU Data Protection Regulation is a good example of just how important it is to define a challenge before you start trying to solve it.
Essentially, GDPR is about organisations protecting the personal data they hold. However, before you can figure out how your organisation protects its personal data, you need to know why the organisation has this data to begin with. Understanding the reason is a prerequisite for taking any action.
Right now, GDPR compliance is a task that tends to land on the IT Manager’s desk, with understandable frustration: it’s not reasonable to expect an IT manager to know why an organisation collects, processes, and even shares all of its data. An IT Manager can only be expected to know how to systematically support the processing of certain data, and whether it is soundly secured.
Management Needs to Have the Answers
So how do you define the responsibility and the work that GDPR compliance entails? The security experts at Neupart can help you figure that out.
“GDPR is the management’s responsibility. Simple as that. The management needs to know why the organisation processes personal data; which personal data it is; and which legal basis you have to process it,” explains Jakob Joensen, Head of Information Security Advisory at Neupart.
Know Your Processing Activities
Even though GDPR compliance is not solely the IT department’s responsibility, an IT manager might still be asked to implement GDPR compliance in an organisation.
“We live in the real world, so if your boss asks you to implement GDPR in your organisation, you are going to say yes. However, once you’ve agreed to it, you should follow up by asking for the relevant information as a condition for carrying out the assignment.”
This information should be used for what GDPR jargon calls the register of processing activities. This register explains how, and in which processes, an organisation handles its personal data. In part, it should also describe how the organisation applies classic IT security measures such as user management, encryption, and logging. Combined with an understanding of consent, contracts, and the legal basis for data processing, this exercise identifies what needs to be examined in order to define your information security requirements.
Carry Out a Gap Analysis
When carrying out a gap analysis, you need to do it in collaboration with management from every department in the organisation, e.g. HR, sales, marketing, etc. They will know which processes involve personal data, and how sensitive it is.
The result of a gap analysis is the difference between what an organisation does today and what it should be doing according to the GDPR, explains Jakob Joensen.
“If the IT Manager cannot get the necessary information, then that’s a gap. If the information he receives conflicts with the demands in the GDPR, then that’s a gap. If there are data processing activities involving personal data that are not adequately protected, then that’s a gap.”
Five Crucial Questions
In an attempt to help IT Managers help themselves, and the rest of the organisation, Neupart has created a set of questions that can help when mapping the organisation’s data. Here are the five most important questions:
- What kind of personal data do we process?
- How should this data be classified, i.e. how sensitive is it?
- Which regulation is this personal data subject to?
- What is our authority to store and process this data?
- Which data processing activities does our IT system carry out in relation to personal data?
For the complete set of questions, contact us here.