GDPR: Data Privacy and Security Controls in Information Systems
John Kyriazoglou
September 23, 2018

CONTENTS
1. Introduction
2. The coming of the GDPR
3. Transitioning to the new GDPR regime
4. What's required
5. Appendix 1: Data Security Management Plan
6. Appendix 2: Data Protection and Privacy Program
7. Further Resources

1. Introduction

One of the most critical issues in protecting personal data is enabling the rights of individuals (data subjects, in GDPR terms) to know what personal data an organization processes and maintains on them, to challenge their accuracy, to limit their use, and to be assured that confidentiality and integrity are maintained at all times.

In all computerised information systems that collect, maintain and process valuable personal data and other corporate information, or that provide services to multiple users concurrently, security safeguards are needed against unauthorized access, use or modification of any data, files or ICT (Information and Communications Technology) infrastructure components. This is a very difficult and complex problem to resolve for all organizations in all environments.

Computerised information systems and ICT infrastructure components must also be protected against improper or unauthorized use of, or access to, computer-related assets and resources; against disruption of operations for a variety of reasons (weather, employee unrest, terrorism, etc.); and against physical damage.

The growing number of computerised applications involving valuable information and personal data or assets, plus the growing number of criminal actions directed against computerised information systems and ICT infrastructure components, or perpetrated by using computers, underscore the need for effective solutions to the computer security problem. Also, concerns for personal data privacy and security, and compliance with the requirements of new frameworks and regulations (GDPR, e-Privacy, etc.), must become integral to the planning and design of computer systems and their applications for all organizations and corporations across the globe.

2. The coming of the GDPR

One of the newest data protection regimes is, as of May 2018, the GDPR. The EU General Data Protection Regulation (GDPR) represents a significant change in the data protection compliance regime for data controllers and data processors with respect to the personal data they process on EU citizens.

Personal data and other information are important and valuable assets to any organisation. Personal data, in particular, may be used for many different reasons, for example staff administration, the provision of goods or services to customers, marketing strategies, developing a new product or service, providing better health care to patients, prevention of money laundering, etc. All these data need protection, and actions to avoid fines and other business losses, such as customer mistrust, turnover reduction, damage to the brand name, lawsuits, etc.

3. Transitioning to the new GDPR regime

The exercise of proper control and management of personal data is fundamental to ensuring, and being able to demonstrate, compliance with the GDPR. Transitioning to the new regime will be challenging and will require both personnel and financial resources. The level of existing compliance will affect the resources that are required. However, taking a positive approach and embracing the changes will improve customer trust, records management and business opportunities, such as those associated with the digital economy.

4. What's required

Data protection and compliance with the GDPR requirements for information systems and ICT infrastructure may be achieved by crafting and implementing several plans, such as:

- Data Security Management Plan (see Appendix 1)
- Social Media Governance Plan
- IT Security Management Plan
- System Development Security Plan
- Personal Data Breach Incident Response Plan

Also, data protection at the corporate level requires the effective implementation of a Data Protection and Privacy Management System. This system is made up of the following program and plans, which need to be executed effectively and efficiently:

- Data Protection and Privacy Program (see Appendix 2)
- Privacy Awareness, Communication and Training Plan
- Data Subjects Requests, Complaints and Rectification Plan
- Third-Party Risks Management Plan
- Data Protection Integration Activities Plan
- Data Quality Improvement Plan

5. Appendix 1: Data Security Management Plan

Objective
The objective of this plan is to maintain effective data security for protecting the personal data of individuals collected, processed, used and held by the enterprise.

Contents
The contents of this plan are:
Action #1: Include Data Privacy in the Corporate Security Policy;
Action #2: Include Data Privacy in the Information Security Policy;
Action #3: Include Data Privacy in the Acceptable Use Policy;
Action #4: Include Data Privacy in Security Risk Assessments;
Action #5: Implement IT Technical Security Controls;
Action #6: Implement Human Resources Security Controls;
Action #7: Include Data Privacy in Business Continuity Planning;
Action #8: Develop and Implement a Data-Loss Prevention Strategy;
Action #9: Conduct Regular Testing of Data Security; and
Action #10: Maintain Security Certification.

6. Appendix 2: Data Protection and Privacy Program

A data protection and privacy program refers to an enterprise's management plan for conducting all of its data protection and privacy activities within the frameworks of law, rules, regulations and standards. The contents of an effective data protection and privacy program are:

Section 1 - Executive Summary: The ethics and data protection and privacy goals; the mission, vision and values statements; the critical success factors for the accomplishment of the plan; and the resources and costs related to the implementation of this plan.

Section 2 - Rules and Regulations: Reference to all rules, regulations and standards applicable to your company and to be complied with by the organization.

Section 3 - Action Plans: Action plans with goals, strategies, objectives, plans, policies, responsibilities and time elements for accomplishing all actions related to the various rules, standards and regulations to be complied with by the organization.

Section 4 - Control Points: Control points for data protection and privacy issues. These are reinforced by establishing behavioral and procedural controls. Procedural mechanisms address and mitigate high-risk areas in a business's operating environment, while behavioral mechanisms emphasize the company's policies for those risks.

Section 5 - Codes:
5.1. A general code of business conduct for all employees, in several languages (those of the places where the organization operates and sells products and services);
5.2. A supplemental code of conduct for IT, Customer Support, Sales, Finance and Accounting staff;
5.3. A supplemental code of conduct for industrial and research staff;
5.4. A specific code of conduct for board members and senior executives.

Section 6 - Governance Committee: Procedural, organizational and responsibility details of the various corporate committees on Governance, Risk, Ethics, and Data Protection and Privacy. These committees should be made up of senior executives representing all areas of the company's business.

Section 7 - Ethics Office and Certification:
7.1. Procedural and organizational details of an Ethics Office to address questions and details;
7.2. Address and communications details of a dedicated ethics hotline accessible from all over the world; and
7.3. An annual ethics certification process for all senior staff, managers and officers.

Section 8 - Communication and Training:
8.1. Procedural and organizational details of a communication, education, training and coaching plan on data protection and privacy for all employees, including senior executives;
8.2. A change management plan to engage all organization participants in data protection and privacy issues; and
8.3. A quarterly publication on data protection and privacy, such as a newsletter to all staff, on issues related to ethics, data protection and privacy problems, laws and actions.

Section 9 - Documentation: Procedures for adequate documentation, to ensure that all items and actions can be fully substantiated in the event of a data privacy breach.

Section 10 - Improvement: Procedures for monitoring, auditing, evaluating and improving the plan.

7. Further Resources

More details may be found in my books:

1. DATA PROTECTION AND PRIVACY MANAGEMENT SYSTEM. DATA PROTECTION AND PRIVACY GUIDE — VOL I
   http://bookboon.com/en/data-protection-and-privacy-management-system-
2. DP&P STRATEGIES, POLICIES AND PLANS. DATA PROTECTION AND PRIVACY GUIDE — VOL II
   http://bookboon.com/en/dpp-strategies-policies-and-plans-ebook
3. DATA PROTECTION IMPACT ASSESSMENT. DATA PROTECTION AND PRIVACY GUIDE — VOL III
   http://bookboon.com/en/data-protection-impact-assessment-ebook
4. DATA PROTECTION SPECIALIZED CONTROLS. DATA PROTECTION AND PRIVACY GUIDE — VOL IV
   http://bookboon.com/en/data-protection-specialized-controls-ebook
5. SECURITY AND DATA PRIVACY AUDIT QUESTIONNAIRES. DATA PROTECTION AND PRIVACY GUIDE — VOL V
   http://bookboon.com/en/security-and-data-privacy-audit-questionnaires-ebook
6. 'IT Strategic & Operational Controls', 2010, IT Governance
   https://www.itgovernance.co.uk/shop/product/it-strategic-and-operational-controls
7. 'Business Management Controls: A Guide', 2012
   http://www.acfe.com/products.aspx?id=4294984471
   https://www.itgovernance.co.uk/shop/product/business-management-controls
