General Data Protection Regulation – GDPReady in 4 steps!


The digitalization of business has brought about a significant increase in the “value” and “sensitivity” of the information that is gathered, stored, used, and processed by the information systems which support business transactions all over the world. It is this value which sustains the culture that “information is power,” one which enables new services and businesses to appear through the evolution of digital-based business such as the Internet of Things (IoT), big data, machine learning, etc. The “power” that information holds, however, comes with risk: as the value of data grows, so does the impact of any threat to it, including its loss or theft.

Organizations now have less than one year to get ready for compliance with the regulation. Those responsible for handling the transition, instead of viewing the new regulation as a problem to be resolved, should look upon it as an opportunity to guarantee the application of best practices for the protection of one of the most critical assets of any organization’s core business success: information, including personal information.


The main challenges to data privacy are:

1. How to identify and manage present privacy problems?

Identify and address all privacy issues that affect intrinsic and contextual quality, accessibility, security, and legal compliance of any personal information gathered, used, stored and processed by the organization.

2. How to respond to an imminent data breach and minimize its impact on the business?

Guarantee that any risk to privacy is mitigated in a consistent and effective manner. Adequately protect personal data, and any associated information that might reveal something about the data subjects, through controls which mitigate privacy risks and lower them to acceptable levels.

3. How to guarantee compliance with the European data protection regulation?

Guarantee compliance with the legal requirements for protecting personal data by assuring that privacy obligations are properly handled, that expectations of the interested parties are managed and that penalties for violating the regulation are avoided.

4. How to maintain customer confidence and brand value?

Guarantee that data privacy represents value and supports consumer trust and brand value while still responding to the business requirements.

Organizations should not consider this challenge as one to be resolved in a decoupled manner, only through legal services, only via policies and processes, or only by acquiring new technology. The most effective and efficient approach is to adopt a holistic and integrated vision of the three fundamental pillars for the success of a project of this nature: (1) legal, (2) processes, and (3) technology. Mature and already tested models should be used, for example frameworks, best practices, and international standards such as the ISO 27000 series (Information Security Management), ISO 29001 (Privacy Principles), COBIT®, and Privacy by Design (Ann Cavoukian, Ph.D.), among others. A view to the future should also be taken into consideration, for example integration with the European NIS Directive (Security of Network and Information Systems), which will soon become national law and thus mandatory for organizations that supply essential services.


How to become GDPReady in four steps:

1. ASSESSMENT – Assess the current state of data privacy management:

This step covers the assessment of current data privacy practices: discovering the personal data held, its owners, its usage and the processing activities that involve it, and assessing the business impact and the privacy risks.

2. DESIGN – Design the operational model for data privacy management:

Once the organization’s context and reality have been fully understood, design the functions/roles, authorities, and responsibilities needed to assure effective management of data privacy. Also design the General Data Privacy Policy (with objectives), the required operational policies, processes and procedures, and the controls that will treat the identified risks.

3. IMPLEMENTATION – Implement the operational model and the privacy controls:

Once the operational model and the necessary controls have been designed, plan and support the implementation of the data privacy management framework together with the privacy controls. Train and prepare the Data Privacy Team to operate the framework.

4. MANAGEMENT – Operate, monitor, audit, review and improve continuously:

After the data privacy management model goes live, it must be maintained and improved continuously. Monitor and measure the key indicators of the policy and processes. Test the effectiveness of the privacy controls and audit the implemented framework. Using these results, perform the management review and take effective decisions to support the continuous improvement of the data privacy management model.

The expected results and benefits of this approach are:

1. Personal data will be effectively protected;
2. Compliance with the General Data Protection Regulation (GDPR) will be achieved;
3. Customer confidence and brand value will be maintained.
