Due both to an eagerness to do things correctly and a fear of doing things wrong, many companies prepare far more records of their processing activities than necessary. Our expert explains how you can group together your processing activities and save yourself many hours of (wasted) work.
- Guidance and good advice for carrying out a DPIA
For some organisations, the DPIA is high on the list of GDPR related assignments that need to be sorted. But for many, the DPIA can actually wait – or at least be simplified so that it doesn’t require so many resources. Our Director explains when and how you should carry out a DPIA.
The EU Data Protection Regulation states that you must train your employees in handling - and securing - personal data. However, it doesn't say anything about how you should train your employees in handling personal data.
"That part is open to interpretation, so you have to get creative," says Lone Forland, our product specialist who also works with information security campaigns.
The EU Data Protection Regulation is a good example of just how important it is to define a challenge before you start trying to solve it.
Essentially, GDPR is about organisations protecting their personal data. However, before you can figure out how your organisation protects its personal data, you need to know why the organisation has this data to begin with. Understanding the reason is basically a pre-requisite for taking any action.
- Registering your data processing activities is enough.
Are you busy preparing for the GDPR, but getting stuck carrying out a dataflow analysis? Then you need to read this: When it comes to complying with the GDPR, a comprehensive and detailed dataflow analysis is not necessary or mandatory!
It is uncertain where the speculation started, but at some point, people started talking about the necessity of performing lengthy dataflow analyses to be compliant with the GPDR.
Likely, this resulted from an embellishment of the regulation requirements, and somehow it seems to have stuck around. The fact is - the Data Protection Regulation does not explicitly mention nor require you to carry out a dataflow analysis! It does however state that you need to “maintain a record” of your relevant “processing activities”. One could argue semantics here, but it is easy to see where exaggerations and embellishments can be easily introduced.
The EU data protection regulation is about getting those who process personal data used to the right processes. However, when it comes to compliance, the GDPR is very much about getting used to doing what is necessary. No more, no less.
We have identified three areas in which you can save time, money, and worrying:
Climbing that mountain of compliance, over and over again.
GDPR has been with us since 2018, and some are still panicking. Becoming compliant and staying compliant are two very different things. In this blogpost, I will highlight the difference between the two and how to tackle the challenges that may arise along the way.
For the better part of a year, we have all been told that the EU GDPR is here, and that we will need to live up to a host of new requirements. The fear mongers have also told us about the huge fines we will be subject to, and just how far away from being compliant we all are.
So, there has been a lot of talk about what the requirements we will be hit with are, but there has not been as much talk about how to actually run an implementation project. And a lot of that talk is based on interpretations of the regulation and - in many cases - an unfounded over-implementation of the regulation.
Data Protection Officers. It’s a topic that seems to be on everyone’s mind now that we actively start to prepare for the implementation of the GDPR, but who really needs them?
Anyone working with information security management is by this stage well aware of the upcoming EU General Data Protection Regulation. Come to think of it, even those not working with information security management have probably heard of it too, considering the amount of coverage it has gotten. It’s no wonder, really, given that the new regulation will be the biggest data protection regulation to date. Even though it is being set by the European Union, it will affect companies worldwide. This is because together, the 28 EU member states not only represent the world’s largest economy, but are the top trading partner for 80 countries. Effectively, this means that any country dealing with personal data from citizens of the European Union will need to comply with the GDPR.
Soon after the news about the GDPR broke, another abbreviation started popping up everywhere: DPO. Of course, a Data Protection Officer is not a new role per se, but with sudden focus on the legality of data protection, it only makes sense that we start focusing more on the their role. In fact, the International Association of Privacy Professionals originally estimated that the new data protection regulation would require 28,000 DPOs in Europe and the United States. They have now increased that number up to 75,000 new DPO positions, worldwide. 75,000 is a lot of positions to fill, which leads to the question: who needs a Data Protection Officer?
Haven’t we had enough? It feels like there’s been an endless stream of GDPR offers lately. Courses and certificates, as well as attorneys and consultancies which offer an array of services. Services which are then presented as absolute necessities in order not to be hit by enormous fines as soon as May 2018 hits us.
Of course proper protection of our personal data is vital, and it’s important for companies to comply with the law, so perhaps this barrage of offers is justifiable. But then again, just how difficult can it be to comply with the EU’s new general data protection regulation?
The EU GDPR is one of the most substantial security initiatives in many years. This is on the one hand due to the scope of the regulatory work in the EU has been comprehensive and a long time coming. On the other hand, this is also due to the consequences of the EU GDPR having important implications for both the private and public sectors in Europe.