Agreed, an open discussion here on GDPR implementation would be great.

Any "open" discussion tends to get unfocused and hence of limited value. So, perhaps we should intentionally limit the discussion somewhat to certain aspects of the GDPR, or implementation for certain types of organisations? 

Dear Heinrich,

That would be welcome and are very glad for your support! 

Kind regards,

Lea

Okay, so to kick things off: the GDPR is probably a "hot" topic for most bigger companies / organisations. They will mostly have resources to implement the GDPR. But how about the smaller organisations? How can we, the (ISC)2 community, help them to adhere to the new rules?

Some challenges I can imagine that those small(er) companies have w/regard to the GDPR:

• limited knowledge and not much funds to hire specialists
• they are probably hampered in finding specialists anyway. Firstly, we have a huge shortage on the market. So, if smaller companies actually consider hiring a specialist - well, most of them will be employed by the larger companies. Let's be brutally honest here: if I had to choose between being the (ad interim?) DPO / (C)SO for a top-500 company that pays, let's say, 200 credits per hour, or the DPO for a smaller company that just can afford to pay me 100 credits per hour, I would probably pick the top-500 company, as it pays better, comes with more responsibilities and offers a better perspective for interesting work.
• limited knowledge also may imply they can not really judge the quality of the specialists they hire - and properly certified specialists may be too costly for them, so chances are they'll end up with a lesser god;
• the illusion that it does not matter to them.  "We're a small company. So, okay, we deal with a lot of privacy related information, but we don't make much money, they'll go for the big fish first." 
• some may not even be aware of the GDPR! We, information security specialists may find that hard to believe, but I've seen some examples..

If you think there are more risks to consider, list them here. Also, I'd like to hear your opions and perhaps we might discuss some solutions.

I agree with Heinrich and would also add that there is a lit of fearmongering started by "privacy experts" with little or no experience in privacy or information security. I lost count of the number of such "experts" selling their "expertise", yet when you check their background profile, they do not have any experience in privacy or information security: too many of such "experts" were actually, not even 3 months ago, business development managers or salespersons...

I have been working at a small NGO managing a website where personal information of individuals giving money online and thirdparty google analytics software is installed. With a team of less than five individuals in the IT/communications department, implementing the GDPR was a constant pain that we still had not figured out on how to become and remain compliant. The discussions here might help.  

A good paper, which takes a complex regulation and presents it simply.

I would like to comment on a couple of points:  It is stated that:

“It will become mandatory (Article 33 of the GDPR) for an organisation to report any data breach to its

DPA within 72 hours of becoming aware of it”.

It should be noted that the Data Controllers should conduct an assessment of the impact on the data subjects, and if there is no IMPACT, they do not need to report the data breach. For example, if, say, a laptop is lost that contains personal data, that is a data breach. If however the laptop has appropriate encryption, GDPR deems that there will be no impact to the data subjects, and as such the breach does not need to be reported.

The section on the data register quotes the regulation as saying the register must include:

“The name and contact details of the controller and, where applicable, the joint controller, the

controller's representative and the data protection officer”.

The phrase “where applicable” should be emphasised, as not all organisations are required to have a Data Protection Officer (DPO). Without getting bogged down in details, there are many liabilities to having a Data Protection Officer, and if an organisation wanted to have one man in charge, then my suggestion would be now, with GDPR, to give him any title you wish, except calling him the Data Protection Officer.

This rather brings me to agreeing with planois and Heinrich, that quality of resource is an issue, but in some ways “Privacy Professionals” may not offer the complete skillset necessary to implement GDPR.

Consider the reality that in 1984 when the Data Protection Act (DPA) was written into UK law, there was not a lot of computer data about. Organisations by and large regarded the DPA as the digital equivalent to Health&Safety, and I remember, when I first conducted such a project, the absence of executive support. Consequently DPOs were appointed with no real authority to engage their businesses. Even when the EU directive in 95 caused the UK to roll the 84 Act and the 87 Access to Files Act into, what was to become the so-called 98 Act, little really changed.

In my opinion, to implement GDPR compliance, requires a knowledge of GDPR, a knowledge of information security, a knowledge of business continuity, and a knowledge of data architecture, and Privacy Enhanced Technologies (PETS). As this is not likely to be found in one person, the real requirement is excellence in Project and/or Programme management in general, and transformation project management in particular, and only after Executive support is gained.

Best regards,

John McGill