//
you're reading...
Information Security, IT & TECHNOLOGY

Introducing ISACA’s GDPR Implementation Guide


Scott RosenmeierThe purpose of the General Data Privacy Regulation (GDPR) is to harmonize the data privacy regulations that each European Union member state implemented to comply with GDPR’s predecessor. GDPR provides a single, comprehensive regulation that is compulsory for all organizations processing the personal data of individuals living within the European Union.

The regulation becomes enforceable on 25 May 2018, after a two-year grace period to allow organizations to implement GDPR. GDPR substantially increases data subjects’ rights – and with penalties of up to 4% of gross turnover, the regulation has the potential to fundamentally change the way organizations view and process personal data. That said, the purpose of this blog post is not to tell you what GDPR is, who it will impact, nor to pour more oil on the fear-mongering flames. Over the past two years, most of us have seen more than enough of these types of articles from privacy experts. I am writing today to introduce ISACA’s new GDPR guide.

Six months ago, ISACA brought together a team of information technology, information security, audit and data privacy professionals from around the world to help develop a guide that provides a pragmatic approach to implementing GDPR in organizations large and small. This guide provides a comprehensive introduction to GDPR, along with a plan to help organizations implement a data privacy program that complies with GDPR requirements.

The guide also includes the available information from the Article 29 Data Protection Working Party (WP 29), which provides clarification on various topics covered in the regulation. WP 29 guidance, where available, has been included within ISACA’s GDPR guide. At 100 pages, the guide can be easily read in a weekend. It will serve as a handy guide both during the implementation of your data privacy program, as well as a solid reference during your day-to day-activities.

The guide provides advice on topics such as identifying and classifying personal data, data governance, information security, managing compliance in your supply chain, data breaches, employee awareness and more. The guide also includes several annexes that provide specific recommendations to help practitioners implement an effective and efficient data privacy program. Annex 1 is divided into nine domains that cover 46 processes organizations should implement as part of their GDPR programs. Annex 2 provides guidance on how to set up and manage the Data Privacy Impact Assessment (DPIA) process. Annex 3 provides a sample personal data register that must be created, maintained and readily available in the event of an audit. Throughout the document, we have defined common data privacy terminology and included a glossary of terms that we suggest you ensure are correctly used within your organization to avoid confusion.

The ultimate purpose of the guide is not simply to help organizations become GDPR compliant, but also to ensure the privacy of real people. To this end, we stress that the comprehensiveness of your data privacy program should be based on the risk to the subjects’ data that you hold and not solely on the risk to your organization.

ISACA’s GDPR Working Group believes that implementing GDPR will not only reduce the risks to your organization, partners and customers, but also has the potential to improve the effectiveness of your organization through the implementation of sound policies and processes. Many of us on the working group are privacy practitioners who will use the guide to help implement GDPR in our organizations. This will allow us to see first-hand what worked well and what could be improved. Stay tuned to this space, as we will provide regular updates as we count down to 25 May. Once we’ve received sufficient feedback, we will review and update the guide. In the meantime, we hope this guide is beneficial to you and your organization.

Scott Rosenmeier, CISA, CISM, CRISC, CGEIT, CISSP-ISSMP/ISSAP, TUEV SUED certified DPO (Germany), Senior Manager, Information Security

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 17 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

Web Stats

  • 132,525 hits
@PhilipHungCao

@PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 17 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Personal Links

View Full Profile →

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,799 other followers

Twitter Updates

Archives

January 2018
M T W T F S S
« Dec   Feb »
1234567
891011121314
15161718192021
22232425262728
293031  
%d bloggers like this: