Why buy a point-tool for GDPR? In fact, there is no reason why not to manage the data next to the data-driven portfolio information of processes and business applications that typically reside in EA. The unification between information security, information management and enterprise architecture leads to our unified approach to handle the GDPR regulation in line of EA. Our advisory services and fast-track implementations help you to be in control of your corporate information security to lower risk and confirm compliance.
We offer a unique solution to GDPR that guides you to get the right data being managed fast-track. It helps you to focus on the right data-gathering, simply by using an “outside-in” perspective to the most important business questions, assessment data, and portfolio data. By relying or avoiding too many point tools like small ISMS solution or GDPR offerings, we can provide the flexibility to connect your data to a data-driven digital platform that helps you manage your audit results, controls and risk assessments by connecting to the relevant responsible people in the organization. Try to minimize the risk of the annual auditor assessment, make it pass faster, and be in pro-active in planning.
GDPR? What is it? How do we tackle it?
How to tackle the GDPR from a CIO perspective?
There is today a lot of articles about GDPR and the importance of ensuring future compliance to the new rule set in order to be ‘better’ at handling and protecting sensitive personal data. What is new is not as such the procedure to do so; the new is the regulatory framework that makes the consequences of failing compliance to something that in case of non-compliance will be a board issue… What to do as a CIO, if you want to prepare in advance and simultaneously want to get a sustainable governance around the framework. This post will give you key 5 things to consider.
A little bit of background
By 2015 the European Parliament, the Council and the EU Commission finally completed and the parties agreed on a new regulatory framework for the protection of personal data, the so-called GDPR. The GDPR is a huge document of over 100 PDF pages of legal text. However, for IT and security folks who must implement relevant sections of the text, the key parts are in just a few of the Regulation’s articles.
In the GDPR, companies must document much better compliance to the presence and usage of personal data across the IT landscape. This means that every organisation needs to have a much better overview to classification and awareness to where personal data is stored and processed.
Personal data in this context means any information that is “an identified natural person or a natural person who can be identified, directly or indirectly”. That is names, security numbers, phone numbers, addresses, etc. The GDPR is not restricted only to the obvious identifiers such as emails and addresses, but anything that relates to a person including logs and geo data! The overall intention is clear, as a company you need to act professionally and know what and where you have personal data, and this data you have protect! Data that has been anonymized is not covered by the GPDR.
What is the new with Personal Data Protection?
What is new is not as such the procedure to do so; the new is the regulatory framework that makes the consequences of failing compliance to something that in case of non-compliance will be a board issue… However, incentive or not, the GDPR operates with a new tiered fine structure. The general conditions for imposing administrative fines can go up to 2% of a company’s global revenue for not having their records in order, and by not notifying the regulatory authority and data subject about a breach, or by not conducting impact assessments. Even more serious infringements merit up to a 4% fine. This includes violation of basic principles related to data security as violations of the core Privacy by Design concepts of the law. These fines will be valid from May 2018, so companies do have an incentive to provide mitigative actions to comply with the GDPR deadline.
Data protection and impact assessments
The GDPR includes also an article for data protection impact assessments (PIA, DPIAs). The Impact Assessments must be provided before new services or products are launched. So, it is acceptable to work with agile approaches and fail-fast approaches, but before the validated product goes live, there must be an impact assessment to secure personal data. This will force many project managers and IT departments to proactively consider what security measures that will be put in place to secure path for compliance assessments.
How to prepare for the GDPR?
May 2018 is soon, so for many companies the GDPR may come as something of a shock. An immediate action is to appoint a data protection officer who would will be accountable for advising on and monitoring GDPR compliance, as well as representing the company when contacting the supervising authority. Very often, this will have a call to the CIO or his/her delegate. However, this is a mandatory step to have an accountable person, but far from enough. The organisation must work with the responsibilities of the new GDPR, and this is where the EA and governance frameworks may be the hidden fuel.
Here is a list of focus areas to consider aligning best practice of governance frameworks:
- Business Model Canvas – With the focus of dash-boarding and integrated reporting to the business, it is important to lay out a Business Model . This business model will serve to understand what functions and overall processing that takes place ‘where’ in the business. With the Business Model, it is possible to pin-point what types of classified data that is expected in each business area. The outcome of such assessment is a recommendation for what types of personal data each business area should have access to. The GDPR will require a gap analysis to be part of the ongoing processes to minimize the access to classified personal data. Without the Business Model (process model or capability model), it will be difficult to provide a meaningful reporting of the gap analysis. It should be easy to demonstrate compliance and perspectives of where there is a high risk of personal data is accessed in much larger areas of the organisation. This is where information modelling, capability modelling and our business solutions can be helpful.
- Business Applications Management – With the updated perspective of the Business Model, it is recommended to provide a Business Application Catalogue. Such a Catalogue should have strong relationships to the Business Model, hence, this is not an ITSM services catalogue. The Business Application Catalogue should be governed – so the federated solution needs to be agreed, which involves organisational change. If such an APM catalogue or Business Application Catalogue is not available and managed, this is highly recommended to get in place alongside the Business Model. This will serve as the foundation for the Data Classification and Data Retentions. This might be a simple cloud offering from us, or be a more integrated portfolio solution from us.
- Data Classification– With knowledge to what business capabilities and what business applications, it is a simpler and more straight-forward task to assess where your personal data is stored. This includes structured electronic data as well as unstructured formats of documents, presentations, and spreadsheets. This is critical for both protecting the data and also to follow the impact of change of personal data. To solve this puzzle, we would advise you to get the overall Business Model and Business Applications Catalogue in place first, then extend to master the presence of personal data with categorization. The categorized personal data is classified and mapped to the landscape of business applications and infrastructure information, and also against the intended usage – to pin-point irresponsible presence of personal data through-out the organisation.
- Governance– With data comes also the operational processes to maintain this GDPR information daily. This will lead to establishing the processes to secure ‘data security by design’ and ‘data security by default’, alongside the roles and responsibilities of keeping the Business Applications Catalogue up to date and to understand ‘who has access to what’. We advise that companies first get the foundation in place, then the Data Classification, then to tailor and adapt this to the existing processes of the organisation. Some relevant frameworks would be IT4IT, TOGAF and COBIT to ensure there is a focus on controls, follow-up and management accountability.
- Data Retention Policies– With its requirements for limiting data retention, there is no firm metrics to follow. This means you’ll need basic information on what data is collected, why it is collected, for how long it is supposed to be collected, and how the processes are for ‘releasing’ information again – tailored to metrics that are justifiable. This must be an integral part of the processes for managing data. Personal data residing in business applications should be periodically reviewed to see whether it needs to be kept or removed. It is important that the Data Retention is supported and supporting the Governance. Reports and alerts to non-compliance should be an integrated part of the Governance. This is where toolsets like MooD can be very helpful to operationalise the reporting and democratize the data updates.
So how to get started?
What is new is not as such the procedure to do so; the new is the regulatory framework that makes the consequences of failing compliance to something that in case of non-compliance will be a board issue…
To implement a framework is something that requires adaption and experience to lead the change. Very often, the need for a senior advisor coming-in externally to help the change agenda is crucial. However, if this the change-agent is very process-oriented, there is a risk of poor tool-implementation, and if he is very tool-centric, he will favour data and there is a risk of poor process-implementation. The right senior advisor is a hybrid executive with deep knowledge into tooling, processes and people management. Very often, just a minor catalyst from senior executives can get icebergs to flip. Please don’t hesitate to call for advice.