leroux
Community Champion

Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)

 

This document was prepared by members of the (ISC)2 EMEA Advisory Council GDPR Task Force. Lead Contributors: Yves Le Roux, CISSP, CISM; Paul Lanois, CCSK, CIPM, CIPT, CIPP (A, E, US and C), FIP, CISMP and LLM.
Reviewed by Dr. Adrian Davis, MBA, FBCS CITP, CISSP; Sam Berger, CISSP; Michael Christensen, CISSP, CSSLP, CISM, CRISC, CIS LI, EU-GDPR-P; CCM, CCSK, CPSA, ISTQB, PRINCE2, ITIL, COBIT5; Ramon Codina, CISSP; Santosh Krishna Putchala, CISSP

37 Replies
fortean
Contributor III

Ah, yes, of course I mentioned the origin.  Oddly enough we don't seem to have an upload facility here, or I would have uploaded the document here for further review. I will see if we can get the document posted on our chapter's website, and we may mail it to our chapter members. Thanks!

--
Heinrich W. Klöpping, MSc CISSP CCSP CIPP/E CTT+
planois
Newcomer III

Agreed, an open discussion here on GDPR implementation would be great.

fortean
Contributor III

Any "open" discussion tends to get unfocused and hence of limited value. So, perhaps we should intentionally limit the discussion somewhat to certain aspects of the GDPR, or implementation for certain types of organisations? 

--
Heinrich W. Klöpping, MSc CISSP CCSP CIPP/E CTT+
Lea_Friend
ISC2 Former Staff

Dear Heinrich,

 

That would be welcome, and we are very glad of your support!

 

Kind regards,

 

Lea

fortean
Contributor III

Okay, so to kick things off: the GDPR is probably a "hot" topic for most bigger companies / organisations. They will mostly have resources to implement the GDPR. But how about the smaller organisations? How can we, the (ISC)2 community, help them to adhere to the new rules?

 

Some challenges I can imagine that those small(er) companies have w/regard to the GDPR:

 

  • limited knowledge and not much funds to hire specialists
  • they are probably hampered in finding specialists anyway. Firstly, we have a huge shortage on the market. So, if smaller companies actually consider hiring a specialist - well, most of them will be employed by the larger companies. Let's be brutally honest here: if I had to choose between being the (ad interim?) DPO / (C)SO for a top-500 company that pays, let's say, 200 credits per hour, or the DPO for a smaller company that just can afford to pay me 100 credits per hour, I would probably pick the top-500 company, as it pays better, comes with more responsibilities and offers a better perspective for interesting work.
  • limited knowledge also may imply they cannot really judge the quality of the specialists they hire - and properly certified specialists may be too costly for them, so chances are they'll end up with a lesser god;
  • the illusion that it does not matter to them. "We're a small company. So, okay, we deal with a lot of privacy-related information, but we don't make much money; they'll go for the big fish first."
  • some may not even be aware of the GDPR! We, information security specialists, may find that hard to believe, but I've seen some examples...

If you think there are more risks to consider, list them here. Also, I'd like to hear your opinions and perhaps we might discuss some solutions.

--
Heinrich W. Klöpping, MSc CISSP CCSP CIPP/E CTT+
planois
Newcomer III

I agree with Heinrich and would also add that there is a lot of fearmongering started by "privacy experts" with little or no experience in privacy or information security. I lost count of the number of such "experts" selling their "expertise", yet when you check their background profile, they do not have any experience in privacy or information security: too many of such "experts" were actually, not even 3 months ago, business development managers or salespersons...

mganga2k
Newcomer I

I have been working at a small NGO managing a website where personal information of individuals giving money online is handled and third-party Google Analytics software is installed. With a team of less than five individuals in the IT/communications department, implementing the GDPR was a constant pain, and we still had not figured out how to become and remain compliant. The discussions here might help.

EUGDPR
Newcomer I

A good paper, which takes a complex regulation and presents it simply.

 

I would like to comment on a couple of points:  It is stated that:

 

“It will become mandatory (Article 33 of the GDPR) for an organisation to report any data breach to its DPA within 72 hours of becoming aware of it”.

 

It should be noted that the Data Controllers should conduct an assessment of the impact on the data subjects, and if there is no IMPACT, they do not need to report the data breach. For example, if, say, a laptop is lost that contains personal data, that is a data breach. If however the laptop has appropriate encryption, GDPR deems that there will be no impact to the data subjects, and as such the breach does not need to be reported.

 

The section on the data register quotes the regulation as saying the register must include:

 

“The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer”.

 

The phrase “where applicable” should be emphasised, as not all organisations are required to have a Data Protection Officer (DPO). Without getting bogged down in details, there are many liabilities to having a Data Protection Officer, and if an organisation wanted to have one man in charge, then my suggestion would be now, with GDPR, to give him any title you wish, except calling him the Data Protection Officer.

 

This rather brings me to agreeing with planois and Heinrich, that quality of resource is an issue, but in some ways “Privacy Professionals” may not offer the complete skillset necessary to implement GDPR.

 

Consider the reality that in 1984, when the Data Protection Act (DPA) was written into UK law, there was not a lot of computer data about. Organisations by and large regarded the DPA as the digital equivalent of Health & Safety, and I remember, when I first conducted such a project, the absence of executive support. Consequently DPOs were appointed with no real authority to engage their businesses. Even when the EU directive in 95 caused the UK to roll the 84 Act and the 87 Access to Files Act into what was to become the so-called 98 Act, little really changed.

 

In my opinion, implementing GDPR compliance requires a knowledge of GDPR, a knowledge of information security, a knowledge of business continuity, and a knowledge of data architecture and Privacy Enhancing Technologies (PETs). As this is not likely to be found in one person, the real requirement is excellence in Project and/or Programme management in general, and transformation project management in particular, and only after Executive support is gained.

 

Best regards,

 

John McGill

Sholaremu
Newcomer I

I have read so much about the EU General Data Protection Regulation (GDPR) and its coming into effect in May 2018... It appears this is specifically for Europeans (I stand to be corrected). My question is: what role does this play for Africa, if it might affect it at all?

EUGDPR
Newcomer I

Sholaremu,

 

The General Data Protection Regulation (GDPR) is focused on the rights to privacy of any living person in the European Union.

 

Simplistically, if any organisation, worldwide, wants to do business with the EU, it must comply with GDPR.

Additionally, any organisation which processes personal data pertaining to a living individual in the EU, must comply with GDPR. The term “processes” can just mean that it stores that data.

 

Best regards,

 

John McGill