
NNIT's GDPR Agile Delivery Model

While the May 25 GDPR compliance deadline has passed, some companies are still not fully GDPR compliant. Currently we are meeting customers who fall into one of three categories:

1. DATA PRIVACY IMPACT ASSESSMENT (DPIA) COMPLETE / SOLUTION PROJECTS ONGOING:

    1. DPIA completed and a good understanding of the pain points. One or several solution projects have been initiated.
    2. These customers typically ask NNIT for sparring and advice on solutions and approaches, and for help in facilitating vendor discussions.
    3. This category can be further divided into two groups: companies that want to implement a minimum level of policies, procedures, technology, and governance, and companies that are using GDPR as a chance to redo all of their control areas.

Fig 1: GDPR Controls Spider Web

2. DPIA COMPLETE / NOT SURE WHICH SOLUTION PROJECTS THEY NEED TO INITIATE:

    1. These customers have completed a DPIA and have an idea of their key pain points, but they are struggling to find their way forward into the solution phase.
    2. NNIT helps them with advice, vendor/solution selection, and guidance across the entire technology stack, and ensures that decisions made in the business (process optimization, for example) are accounted for within the technology and solution areas.

3. DPIA UNKNOWN / SOLUTION PROJECTS UNKNOWN:

    1. These customers have no clear overview of their pain points, are not sure which technical controls they have in place, and are not sure what to do next.

NNIT's DPIA methodology and tool include stakeholders from business, IT, and Legal, and NNIT's GDPR Agile Delivery Model is no different. The right hand (business), the left hand (technology), and the middle (governance) have to work together, and the only way to come within striking distance is to go Agile with very few days remaining until May 25.

Usually we start customers in Steps 2 and 3 simultaneously, running short sprints (1 week) and ensuring that decisions or outcomes from these steps are continuously checked against any new findings or risks from Step 1.

Fig 2: GDPR Agile Delivery Model

STEP 1: REVIEW OF DATA PRIVACY IMPACT ASSESSMENT

  • Review of data mapping – processes/systems/PII data/data processors
  • Conduct new data/additional data mapping, if required
  • Ensure IT and Legal validation included in data mapping
  • Identification of the pain points and candidate solutions (new and existing)


STEP 2: SOLUTION DESIGN AND PLANNING

  • High-level action plan for the in-scope control areas: business cases (Scope/Cost/Schedule/Benefits)
  • Solution design workshops: impact analysis of the potential consequences of the identified risks, and minimum security requirements
  • "Tough Prioritization" – isolate or kill systems and processes that can't be saved, and plan their retirement
  • Create a work breakdown structure, plus the estimation and planning for the Implementation phase, aligned with the risk appetite
  • Each solution track must have SMART goals (specific, measurable, assignable, realistic, and time-related)
  • Organizational change management: communication, awareness, training, etc. Ensure your employees know how to respond to customers and where to find relevant GDPR resources and information.
  • Feedback into Step 1 – ensure that the actions will mitigate the gaps/pain points – and feed forward into Step 3.


STEP 3: SOLUTION IMPLEMENTATION

  • Prefer platform solutions over application solutions, closing several gaps at once
  • Compliance governance: how are you going to handle requests from data subjects and authorities before and after May 25?
  • Review of processes for compliance: legal basis, data proportionality, etc.
  • Data processor agreements in place and updated
  • Rights of the data subjects: data discovery, retention, portability, and deletion
  • Ensure that detection and breach processes are ready to be used and have been tested
  • Feedback into Steps 1 and 2 – ensure that the implemented solutions mitigate the gaps and, if not, decide what else needs to be done.

NNIT is ready to help you through these 3 steps. As a full-service provider, we have management consultants, technology consultants, and a wide range of vendors and suppliers that can help kick-start your GDPR program. Below are some key takeaways that we would like to leave you with.


KEY TAKEAWAYS

  1. This process must be iterative and risk-driven, and involve business, IT, and Legal
  2. Only you can define "state of the art" and "appropriate solutions" (Article 32)
  3. Each track must have SMART goals
  4. Data subject rights: before you act, authenticate the data subject. If you deliver or delete the data of the wrong data subject, you are no better off
  5. Engage with your current technology vendors – can they help?
  6. Manual processes are as valid as automated ones – just ensure that there is a clear audit trail


If you would like to learn more, please reach out to Steve Peacock, Consulting Director & GDPR Offering Lead, at sepc@nnit.com or +45 30778428.

Steve Peacock, GDPR Consulting Director, +45 30778428, sepc@nnit.com, https://www.linkedin.com/in/steve-peacock-8102631/
