GDPR Countdown and COBIT5

The General Data Protection Regulation (GDPR) applies from 25 May 2018, leaving almost six months to finalize preparations. Doing nothing is not an option.

Doing something

The exact number of days left can be found HERE. For an overview of what the GDPR means for people, roles, responsibilities and IT systems, read the blog post An approach to GDPR.

The GDPR brings with it the need for strong data security and cybersecurity. COBIT® 5 will help you prepare: ISACA has published a guide in the public domain that maps the GDPR requirements onto COBIT 5, available HERE.

True readiness means understanding, preparing for and testing the basic concepts, the legal requirements and the contents of the GDPR preparedness plan.

Basic Concepts

A basic understanding covers the following:

  • UK-based businesses must comply regardless of Brexit, because the GDPR applies before the UK leaves the EU.
  • A firm need not be based in the EU: any business processing the personal data of individuals in the EU must comply.
  • The GDPR applies directly in every EU member state, but each state may supplement it with national legislation that exercises the derogations the regulation allows, so be aware of and prepare for national variations.

Two useful sites to refer to are this one for the UK and this one for the EU.

These are only two of several sources, but they are a good place to start understanding the demands and complexities of 28 nations applying one regulation alongside their own national law.

Legal requirements

The law firm Norton Rose Fulbright also has a checklist that decodes the legal aspects into business language, offering a different perspective from ISACA's guidance. Download the PDF HERE. Understanding both will help organizations apply the GDPR successfully.

In summary, the key aspects are:

  1. Territorial scope: non-EU firms processing the personal data of individuals in the EU (data subjects) must comply with the GDPR and will generally need to appoint a representative in the EU to act on their behalf.
  2. Supervisory authority: each EU country has one to oversee compliance. The UK's is the Information Commissioner's Office (ICO), https://ico.org.uk/, whose guidance on the GDPR is publicly available HERE.
  3. Data governance and accountability: this requires board understanding and support to ensure that:
    1. privacy impact assessments and privacy by design are carried out, and a lawful basis (such as explicit consent) is established for everyone whose data is held;
    2. mandatory roles and responsibilities (such as a data protection officer, where one is required) are fulfilled, including reporting where significant risk exists and demonstrating compliance;
    3. corporate capability is built through training and enhanced processes that support the GDPR and supervisory authority requirements.
  4. Export of personal data: firms must map data flows within and outside the group, checking that each transfer has an appropriate basis under the GDPR.
  5. Joint controllers: if more than one organization jointly determines the purposes and means of processing, they are joint controllers of the data.
  6. Processors: the GDPR places direct obligations on processors, not only on controllers; breaching them may lead to financial penalties.
  7. Lawful grounds for processing and consent: where consent is the basis, the firm must be able to show clear, affirmative agreement to the processing and be able to act when that consent is withdrawn.
  8. Fair processing information/notices: telling data subjects why their personal data is needed and for how long it will be kept.
  9. Data subject rights: the firm's ability to provide a copy of the personal data it holds, and/or erase it, when a data subject requests this.
  10. Big data, research and wholly automated decision-making: ensure the GDPR is not breached when personal data is reused for secondary purposes.
  11. Personal data breach: understanding the scope of the notification duty and being able to meet the new timeframes (notification to the supervisory authority within 72 hours of becoming aware of a breach, where feasible).

Contact

Kate Hamblin

Senior ITSM Consultant +44 0118 324 0620