Lone Forland
About author
30 May 2018

GDPR: What will happen after 25 May 2018?

  • After 25 May, businesses may suffer from a mental information security hangover
  • What does the future hold now that the preparations are complete, and the rules have come into force?
  • A security expert from Neupart offers advice and recommends, among other things, that future information security work be organised and compiled into an annual cycle

Relief? Panic? Confusion?

There may have been a lot of feelings on the date that GDPR took effect, namely 25 May 2018. After the intensive work of getting ready for GDPR, the preparations are now finally complete, and the rules have taken effect.

So, what now? What happens once the external consultants have gone home, and the business is left to itself? Should we just pat ourselves on the back and be happy that the work is finally over, or has the work only begun?

“GDPR is not a project. It is a programme, and it will continue. Well beyond May 25th,” says Lone Forland, product specialist at Neupart. Over the recent months and years, enterprises have invested large amounts in strengthening a long series of security processes in their organisations. “All that good security work having been done must not go to waste. It must be maintained so that GDPR becomes integrated into the company's general information security procedures. That is the task going forward.”

Use the annual cycle to ensure compliance and documentation

An annual cycle is the best, easiest and most manageable approach.

“An annual cycle works a little bit like a good old-fashioned calendar. With a calendar, you note the agreements and tasks you have each month, so you always have an overview. The same principle applies in a security annual cycle. There are some recurring tasks associated with GDPR, and you place them in an annual cycle so you can always keep track of your security work. The good thing about an annual cycle is that it indicates in a purely visual manner that the work goes on and on, month after month, year after year,” says Lone Forland.

From construction to update

The work that demanded so much attention up to 25 May entailed a construction phase. The policies were set out, gap analyses were undertaken, procedures were described, etc. Future work under GDPR will primarily entail updating procedures.

“All companies go through a process of change. There is staff turnover, products develop, business models are modified, companies merge, departments are split up, etc. All of these changes are significant to why and how personal information is handled within the company. And that is why the annual cycle continually needs to be updated, so that compliance and documentation of the compliance with GDPR always correspond to the real situation,” says Lone Forland.

Put together a good team

To avoid having a DPO or other primary GDPR manager get swamped with updating work, she recommends that the company assemble a team to carry out the required tasks at set times of the year.

“The DPO or the person in charge remains responsible for ensuring that the tasks get done. However, that person does not need to solve them all on his own.

The tasks can certainly be delegated to a team of colleagues. The team should consist of IT managers and managers from those departments that handle personal information. In addition, it is a good idea to have a colleague from communications join the team because they are good at putting together awareness campaigns, which are also required by GDPR.”

Three typical pitfalls

Lone Forland concludes by advising against some of the pitfalls of ongoing work with GDPR. First of all, one should be careful not to schedule all updating tasks in the same month, as that would cause the organisation to shut down. The tasks should be spread out over the year, and the schedules of the affected employees must be taken into account to avoid unnecessary stress.

Secondly, it is important to remember that colleagues became HR managers, customer managers, financial managers, etc., primarily because they like their respective disciplines. They did not choose GDPR assignments. That is why it would be wise to explain the background of GDPR well in advance and to remind people of the importance of properly handling personal information. For their own sake, as well as that of their colleagues and the company, they must not be the cause of a personal data breach.

“Finally, one should avoid any duplication of work, for example, operating with two different contingency plans for information security work: one for GDPR and one for traditional information security. As of today, GDPR is an integrated part of the company's information security structure, and therefore all tasks, policies and processes are integrated into an overall annual cycle,” concludes Lone Forland.