A lot of organisations are currently assessing their GDPR compliance. Understanding your operational readiness for GDPR is a very important part of this work. Handling GDPR in an efficient and sustainable way places substantial demands on the operational support side, specifically on IT Service Management and Information Security Management.
Below are some short and incomplete illustrations of how well-established IT Service Management and Information Security Management functions are a prerequisite for a successful implementation of GDPR compliance.
The first step in reaching GDPR compliance is getting a grip on the current personal data processing situation:
- An inventory of all processes/systems that process personal data is needed as a starting point: which data, for what purpose, where it is stored and with whom it is shared.
- In order for someone to be able to answer pertinent questions about why (purpose and legal basis) and how personal data is being processed, an information owner must be appointed for every information asset.
- In order for someone to be able to answer technical questions about how a service is "delivered", a technical system owner must be appointed for every system.
Once the current GDPR compliance situation is known, all changes to the processing of personal data must be handled:
- In order to capture GDPR requirements when procuring or developing a new service, there must be a well-established process for procurement/development in which evaluation of GDPR requirements is a mandatory step in the decision process.
- In order to capture GDPR requirements when changing an existing system, there must be a well-established change management process in which evaluation of GDPR impact is a mandatory step in the decision process.
The correct level of security measures must also be in place to protect the personal data:
- In order to ensure the correct level of security at every supplier that assists in the processing of personal data in any way, that the correct contracts (data processing agreements) are in place and that annual reviews are performed, there must be a well-established process for supplier management.
- In order to be able to make risk assessments regarding the processing of personal data, there must be competence, methods and tools for security risk management.
- In order to be able to create clear instructions on how different types of personal data shall be handled, a model for information classification needs to be in place, one that distinguishes personal data, and the special categories of personal data, from other information.
All processes/systems will need functional support for the GDPR requirements:
- In order to be able to support the rights of the data subject, there must be functional support in the system for restricting, erasing, correcting, extracting and exporting all personal data regarding an individual. Erasure must reach every copy of the data, including copies held by suppliers.
- In order to be able to track who has done what with someone's personal data, systems must log access to personal data (who, what, when) and these logs must be collected in a competent SIEM solution.
- In order to be able to restrict access to personal data to a "need-to-know-only" basis, privacy by design must be implemented and complemented by a competent IAM solution together with robust change management of access rights, including regular reviews of who holds which access.
If (when) an incident impacting personal data does occur, it needs to be handled correctly:
- In order to be able to handle incidents regarding personal data, there must be a security incident management process in which reporting to the relevant authorities and affected individuals is included. Note that GDPR gives 72 hours from becoming aware of a personal data breach to notify the supervisory authority, so the process must run on a short clock.
- There must also be an incident response and IT forensics capability in place, first to minimise the damage and then to assess its total extent, so that the reporting responsibility above can be fulfilled.
Finally, everyone needs to know what to do and how to do it (and what not to do) when it comes to processing of personal data:
- In order to make all employees aware of policies, guidelines and instructions, a good platform for continuous employee awareness and education is needed.
The new legislation is just around the corner. If the legislation and its penalties are applied strictly, then not being GDPR compliant will be a significant business risk. A one-time effort is not enough. An efficient way of working aimed at ensuring continued GDPR compliance, not only for the period around 25 May 2018 but also after that date, must be established. The operational capabilities within the areas of IT Service Management and Information Security Management are needed in order to achieve this kind of sustainable GDPR compliance. Implementing these operational capabilities is not trivial, and that is why I would suggest looking at the operational readiness right now.