Categories: Risk Management, Cyber Security, IT Management, IT Governance

Compliance with the General Data Protection Regulation (GDPR) begins on the 25th May 2018, giving us almost six months to finalise GDPR preparations. Doing nothing is not an option.

Doing something

The exact number of days left can be found HERE. The site provides an overview of what the GDPR means for people, roles, responsibilities and IT systems, plus a free white paper on Office 365 GDPR compliance aids.

Alongside the GDPR is the need for strong data and cyber security. COBIT® 5 will help you prepare. ISACA has a useful guide in the public domain that provides all the mappings HERE.

Please refer to, and use, the relevant aspects of both links even if you do nothing else. For more context, read on.

True readiness covers understanding, preparing for and testing out the basic concepts, the legal requirements and the contents of the GDPR preparedness plan.  

Basic Concepts

Things that demonstrate basic understanding are:

  • Realising that UK-based businesses must comply regardless of Brexit, as the GDPR comes into force prior to the UK leaving the EU.
  • Realising that, even if the firm is not based in the UK, all businesses processing EU nationals’ data will have to comply.
  • Realising that each EU nation will enact its own version of the GDPR, so be aware of, and prepare for complying with, national variations.

There are two useful sites people can refer to: this one for the UK and this one for parts of the EU.

Although only two of several sources, they are a good place to start understanding the demands and complexities of 28 nations domestically enacting one regulation.

Legal requirements

The law firm Norton Rose Fulbright has a checklist that translates the legal aspects into business language, offering a different perspective to ISACA’s guidance. Download the PDF HERE. Understanding both will aid organisations’ ability to apply the GDPR successfully.

In summary, the key aspects are:

  1. Territorial scope: non-EU firms processing EU citizens’ data (data subjects) must comply with the GDPR and must appoint one or more EU representatives to act on their behalf.
  2. Supervisory authority: one will exist in each EU country to oversee compliance. The UK has the Information Commissioner’s Office https://ico.org.uk/ (ICO), and its guidance on the GDPR is publicly available HERE.
  3. Data governance and accountability: this will require board understanding and support to ensure that:
    1. privacy impact analyses and privacy by design, including explicit consent from everyone whose data is being held, are carried out;
    2. mandatory roles and responsibilities are fulfilled, including reporting where significant risk might be and demonstrating compliance;
    3. corporate capability is built through training and enhanced processes that support GDPR and supervisory authority requirements.
  4. Export of personal data: firms must map data flows within and external to the group, checking these are appropriate for GDPR purposes.
  5. Joint controllers: if more than one organisation decides how the personal data will be handled, all will be considered joint controllers of the data.
  6. Processors: the GDPR sets out stringent obligations which, if breached, may lead to financial penalties.
  7. Lawful grounds to process and consent: the firm must show explicit consent to process data and ability to act when consent is withdrawn.
  8. Fair processing information/notices: demonstrating to data subjects why, and how long for, their personal data is needed.
  9. Data subject rights: the firm’s ability to provide the personal data held and/or erase it when requested.
  10. Big Data, research and wholly autonomous decision making: ensure that the GDPR is not breached when using secondary data.
  11. Personal data breach: understanding the scope of, and being able to comply with the new timeframes for, notifying breaches.

Project plan

Assuming a December publication, there are almost six months to complete preparations. To ensure the programme remains on track, use COBIT® 5 to assess both the process and the output. See HERE.

If your organisation has not begun preparations, here is an outline GDPR programme plan to help you get started. DOWNLOAD HERE.

Figure: GDPR Countdown Chart

Final words

GDPR breaches are expensive. Keep compliant.
