Ah, yes, of course I mentioned the origin. Oddly enough we don't seem to have an upload facility here, or I would have uploaded the document here for further review. I will see if we can get the document posted on our chapter's website, and we may mail it to our chapter members. Thanks!
Any "open" discussion tends to get unfocused and hence of limited value. So, perhaps we should intentionally limit the discussion somewhat to certain aspects of the GDPR, or implementation for certain types of organisations?
That would be welcome and are very glad for your support!
Okay, so to kick things off: the GDPR is probably a "hot" topic for most bigger companies / organisations. They will mostly have resources to implement the GDPR. But how about the smaller organisations? How can we, the (ISC)2 community, help them to adhere to the new rules?
Some challenges I can imagine that those small(er) companies have w/regard to the GDPR:
If you think there are more risks to consider, list them here. Also, I'd like to hear your opions and perhaps we might discuss some solutions.
I agree with Heinrich and would also add that there is a lit of fearmongering started by "privacy experts" with little or no experience in privacy or information security. I lost count of the number of such "experts" selling their "expertise", yet when you check their background profile, they do not have any experience in privacy or information security: too many of such "experts" were actually, not even 3 months ago, business development managers or salespersons...
I have been working at a small NGO managing a website where personal information of individuals giving money online and thirdparty google analytics software is installed. With a team of less than five individuals in the IT/communications department, implementing the GDPR was a constant pain that we still had not figured out on how to become and remain compliant. The discussions here might help.
A good paper, which takes a complex regulation and presents it simply.
I would like to comment on a couple of points: It is stated that:
“It will become mandatory (Article 33 of the GDPR) for an organisation to report any data breach to its
DPA within 72 hours of becoming aware of it”.
It should be noted that the Data Controllers should conduct an assessment of the impact on the data subjects, and if there is no IMPACT, they do not need to report the data breach. For example, if, say, a laptop is lost that contains personal data, that is a data breach. If however the laptop has appropriate encryption, GDPR deems that there will be no impact to the data subjects, and as such the breach does not need to be reported.
The section on the data register quotes the regulation as saying the register must include:
“The name and contact details of the controller and, where applicable, the joint controller, the
controller's representative and the data protection officer”.
The phrase “where applicable” should be emphasised, as not all organisations are required to have a Data Protection Officer (DPO). Without getting bogged down in details, there are many liabilities to having a Data Protection Officer, and if an organisation wanted to have one man in charge, then my suggestion would be now, with GDPR, to give him any title you wish, except calling him the Data Protection Officer.
This rather brings me to agreeing with planois and Heinrich, that quality of resource is an issue, but in some ways “Privacy Professionals” may not offer the complete skillset necessary to implement GDPR.
Consider the reality that in 1984 when the Data Protection Act (DPA) was written into UK law, there was not a lot of computer data about. Organisations by and large regarded the DPA as the digital equivalent to Health&Safety, and I remember, when I first conducted such a project, the absence of executive support. Consequently DPOs were appointed with no real authority to engage their businesses. Even when the EU directive in 95 caused the UK to roll the 84 Act and the 87 Access to Files Act into, what was to become the so-called 98 Act, little really changed.
In my opinion, to implement GDPR compliance, requires a knowledge of GDPR, a knowledge of information security, a knowledge of business continuity, and a knowledge of data architecture, and Privacy Enhanced Technologies (PETS). As this is not likely to be found in one person, the real requirement is excellence in Project and/or Programme management in general, and transformation project management in particular, and only after Executive support is gained.
I have read so much about The EU General Data Protection Regulation (GDPR) and the coming into effect in may 2018...its appeared, this is specifically for European ( i stand to be corrected) my question is what role does this play for Africa if at all its might affect it
The General Data Protection Regulation (GDPR) is focused on the rights to privacy of any living person in the European Union.
Simplistically, if any organisation, worldwide, wants to do business with the EU, it must comply with GDPR.
Additionally, any organisation which processes personal data pertaining to a living individual in the EU, must comply with GDPR. The term “processes” can just mean that it stores that data.