Once your business has gained an overview of what kind of personal data you have, why you have this data, whether you process it, which systems (physical and digital) the data is held in, how user access to this data is managed, and what policies, procedures and processes you already have in place, it is time for the next phase: evaluating the different areas.
An assessment of the risk of each individual system must be made. The Ministry of Justice has written that old systems need not undergo an impact assessment, but that only new systems do. One can rightly ask how this should be done, since a risk analysis is based on an impact assessment.
Therefore, the following sections are worth reading anyway, as the same methodology is used to define risks.
GlobalSequr’s assessment at this time is that for each system you should write a section about what your company considers to be the risks to the system, what mitigating measures have been taken and what points the contingency plan contains.
Impact Assessment (DPIA)
DPIA stands for Data Protection Impact Assessment and means that you must carry out an impact assessment on new systems (systems that do not yet exist) that have the following characteristics:
By using DPIA as a tool, you get the following benefits:
Example of a DPIA in a company
The company is a well-known e-shop that sells clothes. Connected to the internet shop is a customer database which contains personal data. The company has identified that the worst case is that the entire customer database is deleted or leaked on the Internet. This can happen either through a hacker attack or through an employee who either makes an error or intentionally wants to cause damage.
The following model graphically shows what elements constitute the overall risk:
Once the impact assessment has been prepared, your business has an overview of the risks of the different systems and can implement the IT security measures.
Data Flow Analysis
If your business has many systems, data flow analysis can be the biggest task – especially if you have not tried it before.
You have to map your data effectively, understand the data flow, describe it and identify its key elements; for example, find out how data enters, is changed, is deleted and moves across physical and digital systems.
It is important that this analysis phase is properly structured and that you do not do more than the law prescribes; an overall description will be enough.
Understand the data flow
A data flow is a transfer of personal data from one place to another, for example:
Describe the data flow
Review the data life cycle to identify unforeseen or unintended uses of data. This makes it easier to identify and minimize which data is being collected.
In addition, it is important to ensure that the persons using the information are informed of the practical consequences.
Identify the main elements
One of the big issues in the GDPR is how data comes in. Here are two options:
There is a huge difference between these two, and the legislation will stifle the group that collects, links and uses personal data as part of its business model.
The questions you want to answer when we look at your systems are:
Personally identifiable information (e.g. name, address, phone number and email)
Sensitive data (e.g. religion, sexuality, ethnicity and trade union membership)
Digital systems (describe which ones)
Physical systems (describe which ones)
Is it static or does it change organizationally?
How is data accessed and which management tools are there to access data?
Personal data can be located in different places in the organization: on paper on desks, in locked cabinets, or in digital systems. Thus, the first challenge is to determine which information must be registered and in what format.
Based on the Impact Assessment (DPIA), it must be determined whether the security in place is sufficient for the type of personal data in question.
Security of personal data covers 3 main areas:
Once you have completed these areas, you have come a long way in terms of being compliant with the law. At GlobalSequr we have experienced and competent employees who can complete the entire process or act as project manager and quality assurance.