The GDPR is effective now! Now what?
Blog post by Ruud Kerssens, Manager Service Line Advisory & Audit at Secura, 25 May 2018
25th May 2018 00:00: The General Data Protection Regulation (GDPR, or AVG for Belgium and The Netherlands) is effective now! After two years of preparation, we will now get to experience how it works in practice. The regulation provides a framework that describes how to address the ‘Right to respect for private and family life’ (EVRM) with regard to data processing, balanced against another article of the EVRM covering common interests. Organizations have described their policies and processes. Technical controls have now been implemented, employees have been made aware, and clients have been informed. Ready for dealing with the data protection issue? Maybe you even have a Data Protection Officer to help you stay in control of your compliance. However, there are still a lot of practical questions to be answered; now what? This is just the beginning: privacy governance still needs your attention.
Take control of your information security, manage privacy issues and take care of compliance in an efficient and sufficient manner. Prove to your clients that you are in control and that you take care of their privacy! Make it your unique selling point.
Before you continue reading: if you are looking for information about critical aspects of the GDPR, it might be useful to read the previous article in SecurAware for further clarification about the impact of the GDPR. We must not forget that the original intent of the GDPR was to set rules on how to process personal data, rather than just restricting the use of personal data. The GDPR sets an EU-wide standard in addition to the separate laws and regulations per EU country (which are harmonized to a certain extent). Therefore, this is the perfect time to raise the level of control regarding the processing of personal data, and this is certainly a positive effect of the GDPR. However, management should be attentive to their GDPR compliance status, whether the impact is positive or negative.
GDPR compliance: are you in control and accountable?
The implementation of the controls and processes required to comply with the GDPR appears to have a lot of impact. Most effort is invested in projects to actually become compliant. At this point the challenge is to get continuous control over the risks involved. Do you already have a Plan Do Check Act (PDCA) process implemented, and even integrated into an information security management system? Yes: great! Keep monitoring the developments around the clarification of the GDPR, especially the work of the Article 29 Working Party, which publishes guidelines, opinions, etc., and the implementation of the GDPR in local regulation with some specific additions. Please note that for The Netherlands the “Uitvoeringswet AVG” was finalized at the end of April 2018 and addresses some specific Dutch additions, among others the qualification of the BSN as data that require specific security measures.
Concerning the deadline of today (May 25th 2018), we assume you have checked your status and level of control with (gap) assessments, or even had audits executed, to identify the most important and relevant actions necessary to comply. We assume that you have a Data Protection Impact Assessment (DPIA) process implemented and work with privacy by default as well as privacy by design, although we have learned that there is still some way to go to make that practical. To have everything in order, the accountability requirement of the GDPR needs your attention. Besides the first line of defence, internal audit departments can be involved or external experts can be engaged to perform privacy compliance audits.
Secura uses several specific frameworks when conducting privacy audits for our customers. Recently we have added the Privacy Control Framework from the NOREA (see the image), the professional association of accredited IT auditors in the Netherlands. This framework consists of a total of 104 controls, divided over 32 subjects in 9 Lifecycle Management phases, and is the official starting point for assurance audits regarding privacy compliance. Read our previous post about the PCF: ‘Privacy Control Framework: Control objectives and controls for privacy audits and privacy assurance engagements’.
25 May 2018 is just the beginning
Stay up to date with the latest insights to guarantee privacy compliance in your processes. Sign up for the ‘Privacy by Design and Accountability’ track during the Black Hat Sessions on 14 June 2018. During this interactive session, experts in the field of privacy and security will cover all the important aspects that appear to be question marks for organizations eager to stay in control.
Wolter Karssenberg (member of the Knowledge Group Privacy Audits of the NOREA and Senior Privacy Officer for ABN AMRO) will guide you through the process and implementation of Privacy Governance. As Privacy by Design is an important principle of the GDPR, Ruud Kerssens (Manager Service Line Advisory & Audit at Secura) will inform you about the Data Protection Impact Assessment (DPIA), the starting point for defining privacy by design. Fabian van den Broek (Open University and Radboud University) will continue this topic and will discuss the essentials of privacy by design in greater detail as well as describing a more practical approach. In addition, Ruud Kerssens will cover the audit contribution to GDPR accountability and will give a short review of relevant frameworks that can be used for audit and compliance. We will finish this session with an interactive debate.
Please note! There is a maximum number of participants per session. We will create an informal setting for asking questions and exchanging experiences with colleagues. You will return home with new insights and practical advice to put into practice. Register here for the interactive session GDPR – Privacy by Design and Accountability on 14 June 2018. In addition to the Privacy track, all other sessions and keynotes, including the keynote by Michel van Leeuwen (Ministry of Security and Justice in the Netherlands), are worthwhile! More information and registration: www.blackhatsessions.com.