
GDPR guide

by Mark Rowe

Ahead of the European Union’s (EU) General Data Protection Regulation (GDPR), too many projects are falling at the first hurdle, with implementation teams unclear on, or unable to secure, the business support or the budgets needed for compliance, says Yves Le Roux, co-chair and public policy workgroup lead at the IT body (ISC)² EMEA Advisory Council. He writes:

Specialist knowledge is going into auditing and determining what is required, but it is being met with a lack of will or acceptance at a business unit level to move forward with projects that have been outlined. Progress that is being made tends to be linked to the roll-out of new initiatives, leaving gaps in addressing existing systems and processes.

If business leaders are not appreciating the requirements placed on them, the effort now must shift to helping them be more clear about their role in the process and the resources (both people and financial) required. This involves us all taking a step back from the expert knowledge we may have about what is required and thinking about how to communicate the scope of the task ahead and why it is so important.

A first measure is to ensure GDPR gains a priority ranking on the corporate and board-level risk register. This is justified by both the impact of failing to comply and the likelihood of a breach in the current threat landscape. The impact goes beyond the now well-cited maximum fine of four percent of worldwide turnover. Individuals have gained new rights to demand action and compensation for damages linked to a breach of their rights, while the definition of what is considered “personal data” includes many new forms of electronic data, IP addresses and the like, that can lead back to them. Data Protection Day will certainly serve to help more understand this.

The second measure is to emphasize the scope of what is required. This is not a simple “audit and adjust” exercise. The GDPR places greater emphasis on the documentation and existence of processes in place for the governance of personal data, and demands companies define how they will deal with user requests related to many new individual rights; the most cited of which is perhaps the right to remove their data from their systems. The (ISC)² EAC GDPR Task Force has published an overview of the basics that can be used as a tool to help everyone understand and communicate the scope of what is required.

The full guidance document tool can be found here: http://blog.isc2.org/files/getting-started-on-the-basics-the-eu-general-data-protection-regulation-gdpr.pdf.


© 2024 Professional Security Magazine. All rights reserved.
