GDPR: Data Privacy and Security Controls in Information Systems
John Kyriazoglou
September 23, 2018

CONTENTS
1. Introduction
2. The coming of the GDPR
3. Transitioning to the new GDPR regime
4. What’s required
5. Appendix 1: Data Security Management Plan
6. Appendix 2: Data Protection and Privacy Program
7. Further Resources
1. Introduction
One of the most critical issues in protecting personal data is enabling the rights of individuals (data subjects in GDPR terms) to know what personal data an organization processes and maintains on them, to challenge their accuracy, to limit their use, and to be assured that confidentiality and integrity are maintained at all times.
In all computerised information systems that collect, maintain and
process valuable personal data and other corporate information, or
provide services to multiple users concurrently, it is necessary to
provide security safeguards against unauthorized access, use, or
modifications of any data or files or ICT (Information and
Communications Technology) infrastructure components.
This is a very difficult and complex problem to resolve for all
organizations in all environments.
Computerised information systems and ICT infrastructure components must also be protected against improper or unauthorized use or access of computer-related assets and resources, disruption of operations due to a variety of reasons (weather, employee unrest, terrorism, etc.), and physical damage.
The growing number of computerised applications involving valuable information and personal data or assets, plus the growing number of criminal actions directed against computerised information systems and ICT infrastructure components or perpetrated by using computers, underscore the need for finding effective solutions to the computer security problem.
Also, concerns for personal data privacy and security and compliance with the requirements of new frameworks and regulations (GDPR, e-Privacy, etc.) must become integral to the planning and design of computer systems and their applications for all organizations and corporations across the globe.
2. The coming of the GDPR
One of the newest data protection regimes is, as of May 2018, the
GDPR.
The EU General Data Protection Regulation (GDPR) represents a
significant change in the data protection compliance regime for
data controllers and data processors for personal data processed for
EU citizens.
Personal data and other information are an important and valuable asset to any organisation.
Personal data, in particular, may be used for many different reasons, for example staff administration, the provision of goods or services to customers, marketing strategies, developing a new product or service, providing better health care to patients, prevention of money laundering, etc.
All these data need protection and actions to avoid fines and other business losses, such as customer mistrust, turnover reduction, brand-name disappointment, lawsuits, etc.
3. Transitioning to the new GDPR regime
The exercise of proper control and management of personal data is
fundamental to ensure, and be able to demonstrate, compliance
with the GDPR. Transitioning to the new regime will be
challenging and require both personnel and financial resources.
The level of existing compliance will affect the resources that are required.
However, taking a positive approach, and embracing the changes,
will improve customer trust, records management and business
opportunities, such as those associated with the digital economy.
4. What’s required
Data protection and compliance with the GDPR requirements for
the information systems and ICT infrastructure may be achieved
by the crafting and implementing of several plans, such as:
- Data Security Management Plan (see Appendix 1)
- Social Media Governance Plan
- IT Security Management Plan
- System Development Security Plan
- Personal Data Breach Incident Response Plan.
Also, data protection at the corporate level requires the effective implementation of a Data Protection and Privacy Management System.
This system is made up of the following program and plans, which need to be executed effectively and efficiently:
- Data Protection and Privacy Program (see Appendix 2)
- Privacy Awareness, Communication and Training Plan
- Data Subjects Requests, Complaints and Rectification Plan
- Third-Party Risks Management Plan
- Data Protection Integration Activities Plan
- Data Quality Improvement Plan
5. Appendix 1: Data Security Management Plan
Objective
The objective of this plan is to maintain effective data security for protecting the personal data of individuals collected, processed, used and held by the enterprise.
Contents
The contents of this plan are:
Action #1: Include Data Privacy into the Corporate Security Policy;
Action #2: Include Data Privacy into the Information Security Policy;
Action #3: Include Data Privacy into the Acceptable Use Policy;
Action #4: Include Data Privacy into Security Risk Assessments;
Action #5: Implement IT Technical Security Controls;
Action #6: Implement Human Resources Security Controls;
Action #7: Include Data Privacy into Business Continuity Planning;
Action #8: Develop and Implement a Data-Loss Prevention Strategy;
Action #9: Conduct Regular Testing of Data Security; and
Action #10: Maintain Security Certification.
6. Appendix 2: Data Protection and Privacy Program
A data protection and privacy program refers to an enterprise’s
management plan for conducting all of its data protection and
privacy activities within the frameworks of law, rules, regulations
and standards. The contents of an effective data protection and
privacy program are:
Section 1-Executive summary: The ethics and data protection and
privacy goals, mission, vision, and values statements, and critical
success factors for the accomplishment of the plan, and resources
and costs related to the implementation of this plan.
Section 2-Rules and Regulations: Reference to all rules,
regulations and standards applicable to your company and to be
complied with by the organization.
Section 3-Action Plans: Action plans with goals, strategies,
objectives, plans, policies, responsibilities and time elements for
accomplishing all actions as related to the various rules, standards
and regulations to be complied with by the organization.
Section 4-Control Points: Control points for data protection and
privacy issues. These are reinforced by establishing behavioral and
procedural controls. Procedural mechanisms address and mitigate
high risk areas in a business’ operating environment, while the
behavioral mechanisms emphasize the company’s policies for
those risks.
Section 5-Codes
5.1. A general code of business conduct for all employees in several languages (those of the countries where the organization operates and sells products and services);
5.2. A supplemental code of conduct for IT, Customer Support,
Sales, Finance and accounting staff;
5.3. A supplemental code of conduct for industrial and research staff;
5.4. A specific code of conduct for board members and senior
executives.
Section 6-Governance Committee: Procedural, organizational and responsibility details of the various corporate committees on Governance, Risk, Ethics and Data protection and privacy. These committees should be made up of senior executives representing all areas of the company’s business.
Section 7-Ethics Office and Certification
7.1. Procedural and organizational details of an Ethics Office to
address questions and details;
7.2. Address and communications details of a dedicated ethics
hotline accessible from all over the world; and
7.3. An annual ethics certification process for all senior staff, managers and officers.
Section 8-Communication and Training
8.1. Procedural and organizational details of a communication,
education, training and coaching plan on data protection and
privacy to all employees, including senior executives.
8.2. A change management plan to engage all organization participants on data protection and privacy issues; and
8.3. A quarterly data protection and privacy publication, such as a newsletter to all staff, on issues related to ethics and data protection and privacy problems, laws and actions.
Section 9-Documentation: Procedures for adequate documentation, to ensure that all items and actions can be fully substantiated in the event of a data privacy breach.
Section 10-Improvement: Procedure for monitoring, auditing, evaluation and improvement of the plan.
7. Further Resources
More details may be found in my books:
1. DATA PROTECTION AND PRIVACY MANAGEMENT SYSTEM. DATA PROTECTION AND PRIVACY GUIDE — VOL I
http://bookboon.com/en/data-protection-and-privacy-management-system-
2. DP&P STRATEGIES, POLICIES AND PLANS. DATA PROTECTION AND PRIVACY GUIDE — VOL II
http://bookboon.com/en/dpp-strategies-policies-and-plans-ebook
3. DATA PROTECTION IMPACT ASSESSMENT. DATA PROTECTION AND PRIVACY GUIDE — VOL III
http://bookboon.com/en/data-protection-impact-assessment-ebook
4. DATA PROTECTION SPECIALIZED CONTROLS. DATA PROTECTION AND PRIVACY GUIDE — VOL IV
http://bookboon.com/en/data-protection-specialized-controls-ebook
5. SECURITY AND DATA PRIVACY AUDIT QUESTIONNAIRES. DATA PROTECTION AND PRIVACY GUIDE — VOL V
http://bookboon.com/en/security-and-data-privacy-audit-questionnaires-ebook
6. ‘IT Strategic & Operational Controls’, 2010, IT Governance
https://www.itgovernance.co.uk/shop/product/it-strategic-and-operational-controls
7. ‘Business Management Controls: A Guide’, 2012
http://www.acfe.com/products.aspx?id=4294984471
https://www.itgovernance.co.uk/shop/product/business-management-controls