
In order to prepare for GDPR, what is required from an IT department to ensure data protection for the business?

  • 6
    That is a massively broad question I'm afraid! And we know nothing about your organisation. Public? Private? How sensitive is the data it holds? Also, hopefully you realise that Data Protection is **not** an IT issue as such. It is a data governance issue and largely the responsibility of the business. IT's role is to ensure that the technical security capabilities are available and properly used. – Julian Knight Sep 15 '16 at 20:26
  • 1
    There is a slew of requirements. Some companies offer readiness tools like Nymity and OneTrust. Go through a self assessment and then you'll see the scope of your work for the next year and a half. – Zlatty Oct 12 '16 at 20:34
  • You basically want to adopt an IT Security Management System and implement its controls. For example ISO 27002. There are a number of compatible frameworks by national bodies for smaller companies. While GDPR does not mandate a specific management system, you would have a hard time explaining why not to use an accepted international standard. – eckes Apr 19 '18 at 01:41

2 Answers


The General Data Protection Regulation doesn't require a massive amount of technical understanding. They would need to know about the technical infrastructure of the organisation and all the locations where personal data is stored, processed and in transit, making it easier to handle Subject Access Requests.

The company would need a reasonable understanding of security, ensuring adequate security controls and procedures are in place. This also goes for personal data stored on paper; ensure it is also secure.

Alex Probert
  • The question was not about DPOs. (And, b) DPOs are mostly optional in the GDPR, and c) DPOs are NOT the single person who needs to do anything with the GDPR. It affects everyone). – user155462 Mar 19 '18 at 11:12
  • @user155462 Sorry, I misread the question but amended accordingly. Yes, DPOs are applicable under certain circumstances. But when they are required they are the main person to ensure all employees are aware of what is needed to adhere. – Alex Probert Mar 19 '18 at 11:19

From GDPR, article 24 (emphasis added):

  1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
  2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

GDPR says that personal data must be taken seriously, but the amount of time / effort / money you are expected to spend to protect this data doesn't need to be excessive. Everything is expected to be "proportionate" or "appropriate". The problem is nobody is going to tell you what is appropriate. Is installing a body scanner in front of your server room going to be overkill or not? They will tell you it depends on what those servers are used for, or on how much money you have to waste. And since I'm afraid nobody will tell you for sure how much your data is worth (what would be the value of a phone number? Who knows?), I think it all boils down to the resources you have. So if you own a multi-million-dollar company and there is a data breach, you can't make up an excuse like "I'm sorry, mister officer, we didn't have the time and the money to pay a knowledgeable person to change the default passwords of the Wi-Fi!" And if you are a freelancer who only makes a few $K a year I don't think you will be expected to set up a full body scanner in front of your room to protect the personal data of your clients.

A few examples that probably apply to almost everyone:

  • encrypted hard disks on every device (PCs, smartphones, etc.)
  • encrypted backups
  • up-to-date operating systems and software
  • good passwords for everyone (all different and strong, managed by password manager)
  • enforce some good practices (for example every employee's phone must have the screen lock enabled, no employee can use personal USB keys to bring any data at home, etc.)

If the IT department (and all the company) has been following the usual best practices then there's probably not much more to do.

This is the way I see it, in general, but to me the situation isn't clear yet even though the law is supposed to be effective in a few days, because there are still a lot of special cases that need to be clarified (hopefully, sooner or later) by the legislators or the responsible bodies in each EU country. For example, in the future the legislator or some authority in your country (in the EU) might decide that for GDPR compliance some specific kinds of businesses must follow some kind of specific guidelines (like some ISO standard, like eckes suggested in a comment).

reed
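The baseline controls listed in the answer above (encrypted disks, encrypted backups, current patches, screen lock, no personal removable media) only help with Article 24's "be able to demonstrate" clause if someone actually checks them and keeps the result. The script below is an added example of that check run over a device inventory; it is not code from the answer or from any GDPR guidance. The `Device` record, its field names, the 30-day patch window and the sample devices are all assumptions made for the example (the inventory is constructed, not real).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: "up-to-date operating systems and software" is read as
# "patched within the last 30 days"; tune this to your own policy.
PATCH_WINDOW = timedelta(days=30)

# Assumed reporting date for the constructed sample below.
REPORT_DATE = date(2018, 5, 20)


@dataclass(frozen=True)
class Device:
    """One entry of a hypothetical device inventory (field names assumed)."""
    name: str
    kind: str                      # "pc" or "phone"
    disk_encrypted: bool           # full-disk encryption enabled
    backup_encrypted: bool         # backups of this device are encrypted
    last_patched: date             # date the last OS/software update was applied
    screen_lock: bool              # screen lock enforced by policy
    removable_media_blocked: bool  # USB mass storage blocked by policy


def check_device(dev, today):
    """Return the list of baseline failures for one device (empty = compliant)."""
    findings = []
    if not dev.disk_encrypted:
        findings.append("disk not encrypted")
    if not dev.backup_encrypted:
        findings.append("backups not encrypted")
    age = today - dev.last_patched
    if age > PATCH_WINDOW:
        findings.append("not patched in %d days" % age.days)
    if not dev.screen_lock:
        findings.append("screen lock not enforced")
    # The removable-media rule in the answer targets data leaving on USB keys,
    # so it is applied to PCs only here.
    if dev.kind == "pc" and not dev.removable_media_blocked:
        findings.append("removable media not blocked")
    return findings


def audit(devices, today):
    """Map every device name to its findings. Keeping this report (with the
    date it was produced) is the evidence that the baseline was checked."""
    return {d.name: check_device(d, today) for d in devices}


def non_compliant(report):
    """Names of devices with at least one finding, sorted for stable output."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed sample inventory; none of these are real devices.
SAMPLE_DEVICES = [
    Device("laptop-01", "pc", True, True, date(2018, 5, 10), True, True),
    Device("laptop-02", "pc", False, True, date(2018, 2, 1), True, False),
    Device("phone-07", "phone", True, True, date(2018, 5, 18), False, True),
]

if __name__ == "__main__":
    report = audit(SAMPLE_DEVICES, REPORT_DATE)
    for name, findings in report.items():
        print("%s: %s" % (name, "OK" if not findings else "; ".join(findings)))
```

Run it against an export from whatever inventory or MDM tool you already have and store the dated report; the point is not the five rules themselves but that "appropriate measures" are written down as checks that can be re-run and shown to a supervisory authority.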