The future path of Governance

GDPR Countdown and COBIT® 5

Compliance with the General Data Protection Regulation (GDPR) begins on 25 May 2018, giving us almost six months to finalize GDPR preparations. Doing nothing is not an option.

Doing something

The exact number of days left can be found HERE. For an overview of what GDPR means for people, roles, responsibilities and IT systems, read the blog: An approach to GDPR.

Alongside GDPR is the need for strong data and cybersecurity.  COBIT® 5 will help you prepare.  ISACA has a useful guide in the public domain that provides all the mappings HERE.

Please refer to, and use, relevant aspects of both links even if you do nothing else.  For more context, read on.

True readiness covers understanding, preparing for and testing out the basic concepts, the legal requirements and the contents of the GDPR preparedness plan.

Basic Concepts

Things that demonstrate basic understanding are:

  • Realising that UK-based businesses must comply regardless of Brexit, as the GDPR comes into force before the UK leaves the EU.
  • Even if the firm is not based in the UK, all businesses processing EU nationals’ data will have to comply.
  • Each EU nation will enact its own version of the GDPR, so be aware of, and prepare to comply with, national variations.

There are two useful sites people can refer to: this one for the UK and this one for parts of the EU.

Whilst these are only two of several sources, they are a good place to start understanding the demands and complexities of 28 nations domestically enacting one regulation.

Legal requirements

The law firm Norton Rose Fulbright has a checklist that translates the legal aspects into business language, offering a different perspective from ISACA’s guidance. Download the PDF HERE. Understanding both will aid organizations’ ability to apply the GDPR successfully.

In summary, the key aspects are:

  1. Territorial scope: non-EU firms processing EU citizens’ data (data subjects) must comply with the GDPR and must appoint one or more EU representatives to act on their behalf.
  2. Supervisory authority: one will exist in each EU country to oversee compliance.  The UK has the Information Commissioner’s Office (ICO), and its guidance on GDPR is publicly available HERE.
  3. Data governance and accountability: this will require board understanding and support to ensure:
    1. privacy impact analyses and privacy by design, including explicit consent from everyone whose data is being held, are carried out.
    2. mandatory roles and responsibilities are fulfilled, including reporting where significant risk might lie and demonstrating compliance.
    3. corporate capability through training and enhanced processes that support GDPR and supervisory authority requirements.
  4. Export of personal data: firms must map data flows within and external to the group, checking these are appropriate for GDPR purposes.
  5. Joint controllers: if more than one organization decides how the personal data will be handled, all will be considered joint controllers of the data.
  6. Processors: the GDPR sets out stringent obligations which, if breached, may lead to financial penalties.
  7. Lawful grounds to process and consent: the firm must show explicit consent to process data and the ability to act when consent is withdrawn.
  8. Fair processing information/notices: demonstrating to data subjects why, and how long for, their personal data is needed.
  9. Data subject rights: the firm’s ability to provide the personal data held and/or erase it when requested.
  10. Big Data, research and wholly autonomous decision making: ensure that the GDPR is not breached when using secondary data.
  11. Personal data breach: understanding the scope of, and being able to comply with the new timeframes for, notifying breaches.

Kate Hamblin

Senior ITSM Consultant +44 0118 324 0620