June 21, 2017 at 10:30
Is your organization overwhelmed with completing GDPR project activities? Nixu meets many organizations where all focus is on the project and how to reach the project goals. But what happens after 25 May 2018? How will the business benefits of GDPR be secured over time?
Maintenance should be considered and planned for early in the project. Compliance with GDPR takes ongoing work, and if the project does not plan for this, the risk is that the organization will not remain sufficiently compliant in the long term.
Start by answering these 9 questions:
- What are the long-term business benefits of implementing a data protection program or project?
- How will you measure them, and who will realize the business benefits and maintain them?
- How will activities and investments related to data protection be planned and decided when the project is closed?
- How can you ensure that the data protection area gets ongoing attention from the top management of your organization?
- What kind of monitoring, assessments and reviews will be performed in a systematic manner?
- How will awareness and communication be managed?
- How will the data protection area integrate or interact with other areas that also protect information, such as information classification, risk management, business continuity management, etc.? How will data protection be managed over time inside processes such as procurement, enterprise architecture management, project steering, system development and system maintenance?
- What is the yearly cost for being sufficiently compliant?
- How can you ensure continuous improvements for the data protection area?
Do you have an ISMS?
Maybe your organization already has an information security management system (ISMS) that is properly maintained and where there are already working processes for many of the areas mentioned above? My experience, as an ISMS specialist, is that the data protection area could live happily ever after inside the same structure as the information security area (ISO27001) or the business continuity area (ISO22301) if the management systems are properly maintained.
I think it would be fair to assume that the data protection area needs the same governance and systematic approach as information security and business continuity, or any other management system that might be in place. In most cases, the systematic approach consists of simple processes that are documented, decided and communicated by the top management of the organization. Just like other areas, data protection also needs a yearly (maintenance) plan with goals and activities, and enough people to perform the activities. The plan could, for example, state how many data protection risk assessments need to be performed during a year, how many data protection impact assessments, and so on.
Fast-track to control data protection risk
A well-maintained ISMS (or even a certified one?!) could be a fast track to taking control over the “long-term data protection risks” as well as the “long-term compliance risks” of the organization.
Below is a high-level view of some common ISMS processes. To understand the idea of using the ISMS for long-term GDPR compliance by ensuring a systematic approach, you can use the information security processes as templates:
- Replace “information security” with “data protection” in some of the processes
- Add some privacy-specific processes (such as Manage Privacy Consent), so that these processes are also maintained and improved within the management system
- Take it from there and develop processes that suit your business, keeping in mind that many decisions within the ISMS are legal risk decisions that require legal policy and risk-level decision making
To summarize:
GDPR is in many cases an information security and cybersecurity regulation, with explicit references to classic information security principles such as confidentiality, integrity and availability.
- If you have a management system such as ISMS, use it! (If not, use another systematic approach).
- Start planning for life after 25 May 2018 now. That is when the maintenance phase starts; preparations should be done much earlier.
- Help your organization to become transparent and verifiable when it comes to managing the privacy area!