Tillbaka till Aktuellt

GDPR - What happens after May 25th 2018?

Annika Biberg

June 21, 2017 at 10:30

Is your organization overwhelmed with completing GDPR project activities? Nixu meets many organizations where all focus is on the project and how to reach the project goals. But what happens after 25 May 2018? How will the business benefits of GDPR be secured over time?

It is early in the project that maintenance should be considered and planned for. That is because compliance with GDPR takes ongoing work and if the project does not plan for this the risk is that the organization is not sufficiently compliant in a long-term perspective.

Start by answering these 9 questions:

  • Which are the long-term business benefits of implementing a data protection program or project?
  • How will you measure it and who will realize the business benefits and maintain them?
  • How will activities and investments related to data protection be planned and decided when the project is closed?
  • How can you ensure that the data protection area gets ongoing attention from the top management of your organization?
  • What kind of monitoring, assessments and reviews will be performed in a systematic manner?
  • How will awareness and communication be managed?
  • How will the data protection area integrate or interact with other areas such as information classification, risk management, business continuity management, etc. which also protects information? How will data protection over time be managed inside processes such as procurement, enterprise architecture management, project steering, system development, system maintenance?
  • What is the yearly cost for being sufficiently compliant?
  • How can you ensure continuous improvements for the data protection area?

Do you have an ISMS?

Maybe your organization already has an information security management system (ISMS) that is properly maintained and where there are already working processes for many of the areas mentioned above?  My experience, as an ISMS specialist, is that the data protection area could live happily ever after inside the same structure as the information security area (ISO27001) or the business continuity area (ISO22301) if the management systems are properly maintained.

I think it would be fair to assume that the data protection area needs the same governance and systematic approach as information security and business continuity. Or any other management system that might be in place. In most cases, the systematic approach consists of simple processes that are documented, decided and communicated by the top management of the organization. Just as other areas, also data protection needs a yearly (maintenance) plan with goals and activities and enough people to perform the activities.  The plan could for example contain how many data protection risk assessments that needs to be performed during a year, how many data protection impact assessments and so on.

Fast-track to control data protection risk

A well-maintained ISMS (or even certified?!) could be a fast track to take control over the “long-term data protection risks” as well as the “long-term compliance risks” for the organization.
Below, is a high-level view of some common ISMS processes. To understand the idea of using ISMS for long-term GDPR compliance by ensuring a systematic approach, you can use the information security processes as templates:

  1. Replace “information security” with “data protection” in some of the processes
  2. Add some privacy area specific processes (such as Manage Privacy Consent), so that these processes also are maintained and improved in the management system
  3. Take it from there and develop processes that are suited for your business while considering that many decisions within the ISMS are legal risk decisions that require legal policy and risk level decision making 
ISMS for Legal Compliance

To summarize:

GDPR is in many cases an information security and cybersecurity regulation with explicit references to classic information security principles such as confidentiality, availability, integrity.

  • If you have a management system such as ISMS, use it! (If not, use another systematic approach).
  • Start planning for life after 25 May 2018 now. That is when the maintenance phase starts, preparations should be done much earlier.
  • Help your organization to become transparent and verifiable when it comes to managing the privacy area!

Related blogs

A checklist for successful identity management

Identity and access management is mostly about processes However, when looking at the results of a project, the most visible part is often the identity management system.

When developing and identity management system, it is important to understand that the project involves developing a process. Identity management processes penetrate the entire organisation from HR to the helpdesk. The IT department cannot be expected to handle the project alone.

by Nixu Blog
June 3, 2015 at 10:30

Things that security auditors will nag about, Part 1: #NoLogs

This the first part of our blog series "Things that security auditors will nag about and why you shouldn't ignore them". In these articles, Nixu's security consultants explain issues that often come up when assessing the security of web applications, platforms and other computer systems.

September 4, 2017 at 10:01

When user management gets in the way of spending

Cart abandonment has been exhaustively studied. Several studies conducted over the last ten years shows that the average cart abandonment rate is as high as 69 percent. To see how many euros never leave your customers' pocket, multiply this number with the average value of your cart. Customer identity management provides ways of removing friction from customer journeys and the purchase process while substantially boosting the growth of customer knowledge.
by Nixu Blog
November 9, 2016 at 10:30