Governance, Risk Management, and Compliance blog

The EU GDPR: Three tips that will save you time, money, and worry.

Thursday, 08 June 2017 / by Jakob Holm Hansen

The EU General Data Protection Regulation (GDPR) is about getting those who process personal data into the right habits. When it comes to compliance, though, it is very much about doing what is necessary: no more, no less.

We have identified three areas in which you can save time, money, and worry:

1. Skip the Data Flow Analysis

The EU Data Protection Regulation contains no requirement for a data flow analysis. Yet many organisations are hard at work on this time-consuming exercise, spending time and resources that could go into other, more effective GDPR preparations.

What the GDPR actually requires (Article 30) is that you keep a record of your processing activities: the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients, any transfers to third countries, and, where possible, retention periods and a general description of the security measures applied. That is a far more achievable assignment, and because the record names recipients and transfers, it already gives you most of the overview a data flow diagram would.

2. Scale Down Your Project

Use the overview gained from registering your data processing activities to scale down your GDPR project.

You may be storing personal data that you do not actually need. Some organisations, for example, let users unlock their documents with their date of birth as the access key. If they issued each user a unique, random number instead, they would shed a large chunk of work at a stroke: there would be no date of birth in that system to protect, and the random number reveals nothing about the person and is far harder to guess. (It is still a pseudonymous identifier tied to a user, so it does not fall outside the GDPR, but it is a much smaller liability than a date of birth.)
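To make the point concrete, here is an added example (not code from the original post or from NorthGRC) that puts a number on the date-of-birth scheme and shows the random-key alternative. The `DocumentAccess` class, its method names and the document ids are hypothetical; the only assumption is a portal that hands each user a key to retrieve one document.

```python
from __future__ import annotations

import datetime as dt
import hashlib
import math
import secrets
from typing import Dict, Optional


def dob_keyspace(first_year: int, last_year: int) -> int:
    """Count the distinct dates of birth from 1 Jan first_year to 31 Dec
    last_year inclusive. If a date of birth is the access key, this is the
    entire space an attacker has to enumerate for a given user."""
    first = dt.date(first_year, 1, 1)
    last = dt.date(last_year, 12, 31)
    return (last - first).days + 1


def keyspace_bits(size: int) -> float:
    """Strength in bits of a key drawn uniformly from `size` values. A date
    of birth is not even uniform (ages cluster), so this is an upper bound."""
    return math.log2(size)


class DocumentAccess:
    """Hypothetical document portal that issues opaque access keys.

    Only a SHA-256 digest of each key is stored, so a leaked table reveals
    neither the keys nor anything about the users. A plain fast hash is fine
    here because each key carries 128 bits of entropy from the OS CSPRNG; it
    would not be fine for low-entropy secrets such as passwords or dates of
    birth, which need a slow, salted password hash.
    """

    def __init__(self, nbytes: int = 16) -> None:
        self._nbytes = nbytes
        self._lookup: Dict[str, str] = {}  # digest of key -> document id

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode("ascii")).hexdigest()

    def issue(self, document_id: str) -> str:
        """Mint a fresh random key and bind it to a document. The key is
        returned once, to be handed to the user, and never stored in clear."""
        key = secrets.token_urlsafe(self._nbytes)
        self._lookup[self._digest(key)] = document_id
        return key

    def resolve(self, key: str) -> Optional[str]:
        """Return the document id for a presented key, or None if unknown.
        Looking up the digest rather than the raw key means any timing
        difference in the comparison is over unpredictable digest bytes,
        not over the bytes the caller controls."""
        return self._lookup.get(self._digest(key))

    def key_bits(self) -> int:
        """Nominal strength of an issued key in bits."""
        return self._nbytes * 8


if __name__ == "__main__":
    n = dob_keyspace(1917, 2016)  # constructed range: people aged 0-100 in 2017
    print(f"date-of-birth keys: {n} possibilities, about {keyspace_bits(n):.1f} bits")
    portal = DocumentAccess()
    key = portal.issue("payslip-2017-05")
    print(f"random key: {key} ({portal.key_bits()} bits)")
    print("resolves to", portal.resolve(key))
```

A century of birthdays is roughly 36,500 guesses, about 15 bits, which a script exhausts in seconds against a web form; a 16-byte random key is 128 bits and is also the only thing the portal ever needs to know about the user for this purpose.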

We also see the same personal data being passed between two or more people across several departments, in different processes and in various systems. A note of sick leave, for example, that circulates among colleagues until it finally reaches the right person in HR. If instead you make it a practice that one employee collects all such personal data in a single process in one system, you have significantly scaled down your GDPR project.

3. Re-Use Security Standards

If it ain't broke, don't fix it. That goes for your existing data protection measures too.

We do not mean to play down the importance of the upcoming regulation, but if you already manage your information security under ISO 27001, you will find building a GDPR compliance project quite manageable. The regulation's security requirements (Article 32 asks for appropriate technical and organisational measures and names pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience, timely restoration after an incident, and regular testing of the measures) map closely onto controls you already run. There is no reason to start from scratch.

Many other information security standards can likewise be adjusted, with a fairly small investment, so that you comply with the GDPR. Adjustments are always quicker, easier and cheaper than complete overhauls or the implementation of new systems with new policies and processes.

Topics: compliance, eu general data protection regulation, GDPR
