- After 25 May, businesses may suffer from a mental information security hangover
- What does the future hold now that the preparations are complete, and the rules have come into force?
- A security expert from Neupart offers advice and recommends, among other things, that future information security work be organised and compiled into an annual cycle
Relief? Panic? Confusion?
Feelings may have run high on the date that GDPR took effect, namely 25 May 2018. After the intensive work of getting ready for GDPR, the preparations are now finally complete, and the rules have taken effect.
So, what now? What happens once the external consultants have gone home, and the business is left to itself? Should we just pat ourselves on the back and be happy that the work is finally over, or has the work only begun?
“GDPR is not a project. It is a programme, and it will continue well beyond May 25th," says Lone Forland, product specialist at Neupart. Over recent months and years, enterprises have invested large amounts in strengthening a long series of security processes in their organisations. “All the good security work that has been done must not go to waste. It must be maintained so that GDPR becomes integrated into the company's general information security procedures. That is the task going forward."
Use the annual cycle to ensure compliance and documentation
Neupart's recommendation is an annual cycle: a calendar of the recurring GDPR tasks, which is the most manageable way to keep compliance and its documentation current.
“An annual cycle works a little bit like a good old-fashioned calendar. With a calendar, you make a note of what agreements and tasks you have during the months of the year, so you always have an overview. The same principle applies in a security annual cycle. There are some recurring tasks associated with GDPR, and you place these into an annual cycle, so you can always keep track of your security work. The good thing about an annual cycle is that it indicates in a purely visual manner that the work goes on and on, month after month, year after year," says Lone Forland.
From construction to update
The work that demanded so much attention up to 25 May was a construction phase: policies were set out, gap analyses were undertaken, procedures were described, and so on. The future work with GDPR will primarily consist of keeping those procedures up to date.
“All companies go through a process of change. There is staff turnover, products develop, business models are modified, companies merge, departments are split up etc. All of these changes bear on why and how personal information is handled within the company. And that is why the annual cycle continually needs to be updated, so that compliance, and the documentation of compliance with GDPR, always correspond to the real situation," says Lone Forland.
Put together a good team
To avoid having a DPO or other primary GDPR manager swamped with updating work, she recommends that the company put together a team that can carry out the required tasks at set times of the year.
“The DPO or the person in charge remains responsible for ensuring that the tasks get done. However, that person does not need to solve them all on his own. The tasks can certainly be delegated to a team of colleagues. The team should consist of IT managers and managers from those departments that handle personal information. In addition, it is a good idea to have a colleague from communications join the team because they are good at putting together awareness campaigns, which are also required by GDPR.”
Three typical pitfalls
Lone Forland concludes by warning of some pitfalls in the continual work with GDPR. First of all, one should be careful not to schedule all updating tasks in the same month, as that would bring the organisation to a standstill. The tasks should be spread out over the year, and the schedules of the employees concerned must be taken into account so that they are not unnecessarily stressed.
Secondly, it is important to remember that colleagues became HR managers, customer managers, financial managers etc. because they like their respective disciplines. They did not choose GDPR assignments. That is why it is wise to explain the background to GDPR well in advance and to remind people of the importance of the proper handling of personal information. For the sake of their colleagues, the company and themselves, they must not be the cause of a personal data breach.
“Finally, one should avoid any duplication of work, for example, operating with two different contingency plans for information security work: one for GDPR and one for traditional information security. As of today, GDPR is an integrated part of the company's information security structure, and therefore all tasks, policies and processes are integrated into an overall annual cycle," concludes Lone Forland.
The information security assignment after 25 May 2018