Implementation

Once your company has completed the various phases of planning, gap analysis and evaluation, it is time to implement the actions required for your business to comply with the General Data Protection Regulation.

At GlobalSequr we have aligned ourselves with ISO 27000 and have a complete framework for implementing the General Data Protection Regulation more easily, quickly and cheaply, and with higher quality, than your business can on its own.

The following model shows the areas to be implemented in relation to the GDPR.


Policies, procedures and processes

These three areas are connected, as they define the optimal workflow:


A policy may state that, in the event of a security breach where your company has leaked personal data, the board must be informed within 4 hours. At the same time, authorities and affected persons must be informed within 72 hours, as required by law.

The procedure may be that a team consisting of the CEO, Press Officer and IT Manager is assembled to carry out the Emergency Response Plan, which also contains the process description.

A process description in this case describes how your company handles the leak of personal data. The description must have the required scope, level of detail and length. A typical mistake is that process descriptions become too long and complex, so the company risks the process not being followed because it is too difficult.

With a correct process description it must be easy to identify how to handle a given situation, while the full documentation is available at the same time. The more you can communicate visually, the better: flowcharts, tables, pictures or video.

In this case, this may mean calling in an investigation team (Incident Response Team) whose aim is to find out:

  • What happened?
  • How did it happen?
  • When did it happen?


Once you have an overview of what has happened, the process description must state how you contact the authorities and the affected persons.

Consent Requirements

As mentioned previously, there are 2 types of personal data, and the consent requirements differ between them:

  • Personally identifiable information (e.g. name, address, phone number and email): consent
  • Sensitive data (e.g. religion, sexuality, ethnicity and union membership): express consent


It is up to your company to be able to prove at any time that you have consent, and even when you have consent, the processing of personal data must stay within the context in which the information was collected.


Right to be forgotten:

Every person has the right to have their data deleted when the purpose for retaining it no longer exists. The basic rules are:

  • It is no longer necessary to process the personal data to pursue the purpose
  • The data subject withdraws consent and there is no other legal basis for the processing
  • The data processing is unlawful
  • Deletion is required to comply with a legal obligation
  • The data subject is under 16 years old


There are a number of situations where people cannot require data to be deleted. Examples are:

  • Backup
  • Public authorities
  • Banks
  • Bookkeeping Act

This point is particularly important because the GDPR requires deletion to be carried out without delay, and the company must be able to document what type of data it holds on the private person and where that data exists. This also applies to third parties who process data on behalf of your company.


Data Processing Contracts

A data owner may choose to assign the actual practical processing of personal data to another party, who performs it on behalf of the data owner.

Those who perform the processing are referred to as data processors. From May 25, 2018, liability in the event of personal data loss is shared between the data owner and the data processor.

Wherever there is a data owner and a data processor, a data-processing agreement must be in place between the parties. Note that this also applies if your company uses an external hosting or cloud provider.

If your company needs many data-processing agreements, it is a good idea to work from standard templates to make them easier to implement and maintain. There is no "one size fits all", so adjustment for your business is always necessary.


Technical measures

There are no definite requirements for technical measures under the General Data Protection Regulation, but there must be an appropriate level of security. The areas the regulation mentions are:

  • Access
  • Deletion of personal data across the systems
  • Encryption
  • Logging

The point about logging is vague compared to the rest of the legislation, because there is no requirement for central logging, SIEM functionality or alert analysis. At the same time, there is a 72-hour reporting requirement in case of loss of personal data. These two things are hard to reconcile, so our recommendation is that you affiliate with a Security Analytics Center that offers log management / SIEM as part of a single package.

Contingency plans

Any breach of data security involving personal data must be documented and reported to the Data Inspectorate and the affected persons within 72 hours.

This can be a difficult task, as a security breach may have many aspects, and the investigation is often a long and expensive affair. If you address the whole "incident management" process up front, from threats, potential damage, reaction time and mitigating actions to escalation to management and calling in a specialist company, your business has come a long way.


Employee Handbook and IT Security Policy

An employee handbook describes the rules and guidelines of your business. This includes IT security, which may be either a separate document or part of the employee handbook itself.

Examples of what IT security policy can include are:

  • What should employees use PCs, smartphones and tablets for?
  • Use of social media
  • How should employees access data?
  • How should employees process data?
  • What is the procedure when an employee receives a suspicious email?
  • What is the password procedure?
  • When is data sensitive, and should such data be handled in a special way?
  • What types of programs may the employee install?


You can build your IT security policy around personal data, but GlobalSequr recommends that you also consider general IT security for other types of critical data.

Privacy by Design and Privacy by Default

If your company develops software or has Internet-facing systems that contain personal data, it is important that Privacy by Design and Privacy by Default are considered from the start, as it is otherwise an expensive affair to implement them later.

GlobalSequr can compile a manual for your company, help implement the handling of these situations and make the best of these systems.


Education and awareness

Once the company has determined how personal data should be processed and an IT policy is in place, employees must be trained in it. As the types of personal data, the threat picture and the employees themselves change, this should be a regular exercise a few times a year. Typically it takes no more than 10-20 minutes and can be combined with other events. The most important thing is that there is a fixed procedure around it, so that the guidelines and rules are followed by the employees.

Awareness is a common term that can consist of the following elements:

  • Video or physical meetings
  • E-learning
  • Phishing Campaigns

Education and awareness is a continuous process, so we recommend that it becomes part of the annual cycle that is implemented when your business transitions to the operational phase.