Even though GDPR is right around the corner, it makes a lot of sense - practically and financially - to maintain your traditional information security measures, because compliance with the Data Protection Regulation both can and should build upon your existing security measures.
Most organisations know that performing a risk assessment is good practice. However, not all organisation actually do risk assessments, and those who do, often approach them in the wrong way. All too often, risk assessments are treated as a project that can be finished and that will be that, whereas the reality is that risk assessment and risk treatment are an ongoing process.
Risk Assessment And Risk Treatment Are a Process
Risk assessment is a process, not a one-off project. The reasons for this can be boiled down to these three points:
- Registering your data processing activities is enough.
Are you busy preparing for the GDPR, but getting stuck carrying out a dataflow analysis? Then you need to read this: When it comes to complying with the GDPR, a comprehensive and detailed dataflow analysis is not necessary or mandatory!
It is uncertain where the speculation started, but at some point, people started talking about the necessity of performing lengthy dataflow analyses to be compliant with the GPDR.
Likely, this resulted from an embellishment of the regulation requirements, and somehow it seems to have stuck around. The fact is - the Data Protection Regulation does not explicitly mention nor require you to carry out a dataflow analysis! It does however state that you need to “maintain a record” of your relevant “processing activities”. One could argue semantics here, but it is easy to see where exaggerations and embellishments can be easily introduced.
In less than a year, the EU Data Protection Regulation comes into force. That’s ample time – if you manage it wisely, that is. Here are three useful tips that will help you prioritise your tasks and effectively make sure your organisation is prepared come 25th of May, 2018.
The EU data protection regulation is about getting those who process personal data used to the right processes. However, when it comes to compliance, the GDPR is very much about getting used to doing what is necessary. No more, no less.
At Neupart we have identified three areas in which you can save time, money, and worrying:
Climbing that mountain of compliance, over and over again.
The GDPR has been with us for a year, and everyone is (still) panicking. Becoming compliant and staying compliant are two very different things. In this blogpost, I will highlight the difference between the two and how to tackle the challenges that may arise along the way.
For the better part of a year, we have all been told that the EU GDPR is here, and that we will need to live up to a host of new requirements. The fear mongers have also told us about the huge fines we will be subject to, and just how far away from being compliant we all are.
So, there has been a lot of talk about what the requirements we will be hit with are, but there has not been as much talk about how to actually run an implementation project. And a lot of that talk is based on interpretations of the regulation and - in many cases - an unfounded over-implementation of the regulation.
Data Protection Officers. It’s a topic that seems to be on everyone’s mind now that we actively start to prepare for the implementation of the GDPR, but who really needs them?
Anyone working with information security management is by this stage well aware of the upcoming EU General Data Protection Regulation. Come to think of it, even those not working with information security management have probably heard of it too, considering the amount of coverage it has gotten. It’s no wonder, really, given that the new regulation will be the biggest data protection regulation to date. Even though it is being set by the European Union, it will affect companies worldwide. This is because together, the 28 EU member states not only represent the world’s largest economy, but are the top trading partner for 80 countries. Effectively, this means that any country dealing with personal data from citizens of the European Union will need to comply with the GDPR.
Soon after the news about the GDPR broke, another abbreviation started popping up everywhere: DPO. Of course, a Data Protection Officer is not a new role per se, but with sudden focus on the legality of data protection, it only makes sense that we start focusing more on the their role. In fact, the International Association of Privacy Professionals originally estimated that the new data protection regulation would require 28,000 DPOs in Europe and the United States. They have now increased that number up to 75,000 new DPO positions, worldwide. 75,000 is a lot of positions to fill, which leads to the question: who needs a Data Protection Officer?
Haven’t we had enough? It feels like there’s been an endless stream of GDPR offers lately. Courses and certificates, as well as attorneys and consultancies which offer an array of services. Services which are then presented as absolute necessities in order not to be hit by enormous fines as soon as May 2018 hits us.
Of course proper protection of our personal data is vital, and it’s important for companies to comply with the law, so perhaps this barrage of offers is justifiable. But then again, just how difficult can it be to comply with the EU’s new general data protection regulation?
The new EU GDPR is one of the most substantial security initiatives in many years. This is on the one hand due to the scope of the regulatory work in the EU has been comprehensive and a long time coming. On the other hand, this is also due to the consequences of the EU GDPR having important implications for both the private and public sectors in Europe.
It is now considered good practice to perform risk assessments - or at very least to acknowledge that they should be done.
Unfortunately, far too often we see that businesses only conduct risk assessments in order to satisfy some sort of compliance requirement or other types of requirements (audit, contract, statute etc.). If you are lucky, you might have the resources to conduct them once per year.
Typically, you will conduct your risk assessment, speak with your organisation and then finally you submit a fancy report. And then your "project" is done. However, it would be wrong to consider the risk assessment as a project. Risk assessments should be a process. It is a process that involves feedback and continual adjustments.
Granted, the wording of the new Data Protection Regulation we have just received
is complex. The new act entails many requirements as to how companies must process and protect personal data, and not least which processes must function within the companies. The Neupart team is experienced in finding practical solutions in simplifying compliance with information security requirements. We would like to present Neupart’s approach employed in the development of this application.
The EU regulation requirements are incorporated into the SecureAware ISMS application. Using our latest addition you can conduct your first gap analysis of the EU directive.
In the below SecureAware window, the regulations are shown on the left-hand side, while on the right-hand side you will see a series of links to your information security manual.
If your information security manual is in SecureAware ISMS, a large part of your
manual is already mapped to the new personal data requirements.
The reason why you can do the gap analysis so easily is that we have placed the EU regulations into the requirements library in SecureAware along with the other requirements already within.
The EU Data Protection Regulation is located in the SecureAware ISMS requirement library.
However, there is even more good news. Once you know where the "holes" are in relation to the new regulations, we have made it possible to connect an efficient task management to your gap analysis. The task management allows you automatically to monitor and easily to report on your compliance status.
Efficient task management: Tasks are connected to the particular requirements. A task
can be anything from a simple "execute" task to a recurring process.
You can also use the task management to control ongoing, recurring tasks. Tasks related to your ongoing compliance with the new regulations.
Large companies supervise by means of periodically conducting an internal audit; this is also an area that is supported by the task management function within the application.
It is easy to verify, inspect and conduct an internal audit.
There is a history of who-what-when on the red-yellow-green progress.
This way, the processes that will run in each company that handles personal data can be facilitated.
PS! We have an added benefit for those companies having their IT manuals in SecureAware: We have mapped a large part of your manual onto the new personal data requirements in advance.
At the present moment, the most recent revision of the regulation is placed in SecureAware ISMS. Now the final text is complete, SecureAware will soon be updated with that.
Take part in our webinar and receive a number of shortcuts to how your company can more easily follow the new rules for personal data protection.